Version in base suite: 3.1.33+20180830.1.3a78a21f+selfpack1-1 Base version: smarty3_3.1.33+20180830.1.3a78a21f+selfpack1-1 Target version: smarty3_3.1.33+20180830.1.3a78a21f+selfpack1-1+deb10u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/s/smarty3/smarty3_3.1.33+20180830.1.3a78a21f+selfpack1-1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/s/smarty3/smarty3_3.1.33+20180830.1.3a78a21f+selfpack1-1+deb10u1.dsc changelog | 15 ++++ patches/CVE-2021-21408.patch | 40 +++++++++++ patches/CVE-2021-26119.patch | 24 ++++++ patches/CVE-2021-26120.patch | 25 ++++++ patches/CVE-2021-29454.patch | 76 +++++++++++++++++++++ patches/CVE-2022-29221.patch | 155 +++++++++++++++++++++++++++++++++++++++++++ patches/series | 5 + 7 files changed, 340 insertions(+)
diff -Nru smarty3-3.1.33+20180830.1.3a78a21f+selfpack1/debian/changelog smarty3-3.1.33+20180830.1.3a78a21f+selfpack1/debian/changelog
--- smarty3-3.1.33+20180830.1.3a78a21f+selfpack1/debian/changelog 2018-09-17 11:04:18.000000000 +0000
+++ smarty3-3.1.33+20180830.1.3a78a21f+selfpack1/debian/changelog 2022-05-29 11:13:32.000000000 +0000
@@ -1,3 +1,18 @@
+smarty3 (3.1.33+20180830.1.3a78a21f+selfpack1-1+deb10u1) buster-security; urgency=high
+
+ * Non-maintainer upload.
+ * Fix the following CVE:
+ - CVE-2021-21408: template authors could run restricted static php methods
+ - CVE-2021-29454: template authors could run arbitrary PHP code by crafting
+ a malicious math string
+ - CVE-2022-29221: template authors could inject php code by choosing a
+ malicious {block} name or {include} file name
+ - CVE-2021-26119: Sandbox Escape because $smarty.template_object can be
+ accessed in sandbox mode
+ - CVE-2021-26120: code injection via an unexpected function name
+
+ -- Markus Koschany Sun, 29 May 2022 13:13:32 +0200
+
 smarty3 (3.1.33+20180830.1.3a78a21f+selfpack1-1) unstable; urgency=medium
 
 * New upstream release.
diff -Nru smarty3-3.1.33+20180830.1.3a78a21f+selfpack1/debian/patches/CVE-2021-21408.patch smarty3-3.1.33+20180830.1.3a78a21f+selfpack1/debian/patches/CVE-2021-21408.patch
--- smarty3-3.1.33+20180830.1.3a78a21f+selfpack1/debian/patches/CVE-2021-21408.patch 1970-01-01 00:00:00.000000000 +0000
+++ smarty3-3.1.33+20180830.1.3a78a21f+selfpack1/debian/patches/CVE-2021-21408.patch 2022-05-29 11:13:32.000000000 +0000
@@ -0,0 +1,40 @@ +From: Markus Koschany +Date: Sat, 28 May 2022 18:06:03 +0200 +Subject: CVE-2021-21408 + +Bug-Debian: https://bugs.debian.org/1010375 +Origin: https://github.com/smarty-php/smarty/commit/28519ca00fe6890ef2d464f8400a16188c4b6f36 +--- + lexer/smarty_internal_templateparser.y | 3 +++ + libs/sysplugins/smarty_internal_templateparser.php | 4 ++++ + 2 files changed, 7 insertions(+) + +diff --git a/lexer/smarty_internal_templateparser.y b/lexer/smarty_internal_templateparser.y +index 8fcd5f3..0eff194 100644 +--- a/lexer/smarty_internal_templateparser.y ++++ b/lexer/smarty_internal_templateparser.y +@@ -762,6 +762,9 @@ value(res) ::= doublequoted_with_quotes(s). { + + + value(res) ::= varindexed(vi) DOUBLECOLON static_class_access(r). { ++ if ($this->security && $this->security->static_classes !== array()) { ++ $this->compiler->trigger_template_error('dynamic static class not allowed by security setting'); ++ } + $prefixVar = $this->compiler->getNewPrefixVariable(); + if (vi['var'] === '\'smarty\'') { + $this->compiler->appendPrefixCode("compiler->compileTag('private_special_variable',array(),vi['smarty_internal_index']).';?>'); +diff --git a/libs/sysplugins/smarty_internal_templateparser.php b/libs/sysplugins/smarty_internal_templateparser.php +index a32c5dd..8e84dc0 100644 +--- a/libs/sysplugins/smarty_internal_templateparser.php ++++ b/libs/sysplugins/smarty_internal_templateparser.php +@@ -2736,6 +2736,10 @@ class Smarty_Internal_Templateparser + // line 775 "../smarty/lexer/smarty_internal_templateparser.y" + function yy_r97() + { ++ if ($this->security && $this->security->static_classes !== array()) { ++ $this->compiler->trigger_template_error('dynamic static class not allowed by security setting'); ++ } ++ + $prefixVar = $this->compiler->getNewPrefixVariable(); + if ($this->yystack[ $this->yyidx + -2 ]->minor[ 'var' ] === '\'smarty\'') { + $this->compiler->appendPrefixCode(" +Date: Sat, 28 May 2022 18:06:23 +0200 +Subject: CVE-2021-26119 + +Origin: 
https://github.com/smarty-php/smarty/commit/c9272058d972045dda9c99c64a82acb21c93c6ad
+---
+ libs/sysplugins/smarty_internal_compile_private_special_variable.php | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/libs/sysplugins/smarty_internal_compile_private_special_variable.php b/libs/sysplugins/smarty_internal_compile_private_special_variable.php
+index b5254be..9164abc 100644
+--- a/libs/sysplugins/smarty_internal_compile_private_special_variable.php
++++ b/libs/sysplugins/smarty_internal_compile_private_special_variable.php
+@@ -79,6 +79,10 @@ class Smarty_Internal_Compile_Private_Special_Variable extends Smarty_Internal_C
+ case 'template':
+ return 'basename($_smarty_tpl->source->filepath)';
+ case 'template_object':
++ if (isset($compiler->smarty->security_policy)) {
++ $compiler->trigger_template_error("(secure mode) template_object not permitted");
++ break;
++ }
+ return '$_smarty_tpl';
+ case 'current_dir':
+ return 'dirname($_smarty_tpl->source->filepath)';
diff -Nru smarty3-3.1.33+20180830.1.3a78a21f+selfpack1/debian/patches/CVE-2021-26120.patch smarty3-3.1.33+20180830.1.3a78a21f+selfpack1/debian/patches/CVE-2021-26120.patch
--- smarty3-3.1.33+20180830.1.3a78a21f+selfpack1/debian/patches/CVE-2021-26120.patch 1970-01-01 00:00:00.000000000 +0000
+++ smarty3-3.1.33+20180830.1.3a78a21f+selfpack1/debian/patches/CVE-2021-26120.patch 2022-05-29 11:13:32.000000000 +0000
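Review bot: The `break;` after `trigger_template_error()` in the `template_object` case only takes effect if that call returns, and in that situation control leaves the switch and continues with whatever follows it, which is outside this hunk. The guard appears to rely on `trigger_template_error()` throwing; a short comment would make that explicit, e.g. `// trigger_template_error() is expected to throw; break is only a safety net`. It would also help to record why the case is refused, e.g. `// secure mode: $smarty.template_object would expose the template object to template code`. The enclosing switch and method start and end outside the hunk.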
@@ -0,0 +1,25 @@
+From: Markus Koschany
+Date: Sat, 28 May 2022 13:32:56 +0200
+Subject: CVE-2021-26120
+
+Origin: https://github.com/smarty-php/smarty/commit/4f634c0097ab4a8b2adc2a97caacd1676e88f9c8
+---
+ libs/sysplugins/smarty_internal_compile_function.php | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/libs/sysplugins/smarty_internal_compile_function.php b/libs/sysplugins/smarty_internal_compile_function.php
+index 7002678..264e7d3 100644
+--- a/libs/sysplugins/smarty_internal_compile_function.php
++++ b/libs/sysplugins/smarty_internal_compile_function.php
+@@ -60,6 +60,11 @@ class Smarty_Internal_Compile_Function extends Smarty_Internal_CompileBase
+ }
+ unset($_attr[ 'nocache' ]);
+ $_name = trim($_attr[ 'name' ], '\'"');
++
++ if (!preg_match('/^[a-zA-Z0-9_\x80-\xff]+$/', $_name)) {
++ $compiler->trigger_template_error("Function name contains invalid characters: {$_name}", null, true);
++ }
++
+ $compiler->parent_compiler->tpl_function[ $_name ] = array();
+ $save = array($_attr, $compiler->parser->current_buffer, $compiler->template->compiled->has_nocache_code,
+ $compiler->template->caching);
diff -Nru smarty3-3.1.33+20180830.1.3a78a21f+selfpack1/debian/patches/CVE-2021-29454.patch smarty3-3.1.33+20180830.1.3a78a21f+selfpack1/debian/patches/CVE-2021-29454.patch
--- smarty3-3.1.33+20180830.1.3a78a21f+selfpack1/debian/patches/CVE-2021-29454.patch 1970-01-01 00:00:00.000000000 +0000
+++ smarty3-3.1.33+20180830.1.3a78a21f+selfpack1/debian/patches/CVE-2021-29454.patch 2022-05-29 11:13:32.000000000 +0000
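Review bot: The name check `'/^[a-zA-Z0-9_\x80-\xff]+$/'` is anchored with `$`, which in PCRE also matches just before a trailing newline, so a name that ends in a line feed still passes the allow-list. Since this check exists to keep unexpected function names out of the compiled template, an absolute end anchor is the safer form: `if (!preg_match('/^[a-zA-Z0-9_\x80-\xff]+\z/', $_name)) {` (or keep `$` and add the `D` modifier). Whether the template lexer can deliver a trailing newline in the `name` attribute is not visible here, so treat this as hardening rather than a confirmed bypass. The method body continues outside the hunk.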
@@ -0,0 +1,76 @@
+From: Markus Koschany
+Date: Sat, 28 May 2022 18:08:55 +0200
+Subject: CVE-2021-29454
+
+Bug-Debian: https://bugs.debian.org/1010375
+Origin: https://github.com/smarty-php/smarty/commit/7ad97ad030b4289711e30819c928b8bc33c62b23
+---
+ libs/plugins/function.math.php | 48 +++++++++++++++++++++++++++++++++++++++---
+ 1 file changed, 45 insertions(+), 3 deletions(-)
+
+diff --git a/libs/plugins/function.math.php b/libs/plugins/function.math.php
+index 111d513..c7e92a0 100644
+--- a/libs/plugins/function.math.php
++++ b/libs/plugins/function.math.php
+@@ -25,9 +25,37 @@
+ function smarty_function_math($params, $template)
+ {
+ static $_allowed_funcs =
+- array('int' => true, 'abs' => true, 'ceil' => true, 'cos' => true, 'exp' => true, 'floor' => true,
+- 'log' => true, 'log10' => true, 'max' => true, 'min' => true, 'pi' => true, 'pow' => true, 'rand' => true,
+- 'round' => true, 'sin' => true, 'sqrt' => true, 'srand' => true, 'tan' => true);
++ array(
++ 'int' => true,
++ 'abs' => true,
++ 'ceil' => true,
++ 'acos' => true,
++ 'acosh' => true,
++ 'cos' => true,
++ 'cosh' => true,
++ 'deg2rad' => true,
++ 'rad2deg' => true,
++ 'exp' => true,
++ 'floor' => true,
++ 'log' => true,
++ 'log10' => true,
++ 'max' => true,
++ 'min' => true,
++ 'pi' => true,
++ 'pow' => true,
++ 'rand' => true,
++ 'round' => true,
++ 'asin' => true,
++ 'asinh' => true,
++ 'sin' => true,
++ 'sinh' => true,
++ 'sqrt' => true,
++ 'srand' => true,
++ 'atan' => true,
++ 'atanh' => true,
++ 'tan' => true,
++ 'tanh' => true
++ );
+ // be sure equation parameter is present
+ if (empty($params[ 'equation' ])) {
+ trigger_error("math: missing equation parameter", E_USER_WARNING);
+@@ -37,6 +65,20 @@ function smarty_function_math($params, $template)
+
+ $equation = $params[ 'equation' ];
+
++ // Remove whitespaces
++ $equation = preg_replace('/\s+/', '', $equation);
++
++ // Adapted from https://www.php.net/manual/en/function.eval.php#107377
++ $number = '(?:\d+(?:[,.]\d+)?|pi|π)'; // What is a number
++ $functionsOrVars = '((?:0x[a-fA-F0-9]+)|([a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*))';
++ $operators = '[+\/*\^%-]'; // Allowed math operators
++ $regexp = '/^(('.$number.'|'.$functionsOrVars.'|('.$functionsOrVars.'\s*\((?1)+\)|\((?1)+\)))(?:'.$operators.'(?2))?)+$/';
++
++ if (!preg_match($regexp, $equation)) {
++ trigger_error("math: illegal characters", E_USER_WARNING);
++ return;
++ }
++
+ // make sure parenthesis are balanced
+ if (substr_count($equation, '(') !== substr_count($equation, ')')) {
+ trigger_error("math: unbalanced parenthesis", E_USER_WARNING);
diff -Nru smarty3-3.1.33+20180830.1.3a78a21f+selfpack1/debian/patches/CVE-2022-29221.patch smarty3-3.1.33+20180830.1.3a78a21f+selfpack1/debian/patches/CVE-2022-29221.patch
--- smarty3-3.1.33+20180830.1.3a78a21f+selfpack1/debian/patches/CVE-2022-29221.patch 1970-01-01 00:00:00.000000000 +0000
+++ smarty3-3.1.33+20180830.1.3a78a21f+selfpack1/debian/patches/CVE-2022-29221.patch 2022-05-29 11:13:32.000000000 +0000
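Review bot: The new `$regexp` gate accepts any identifier in front of `(` through `$functionsOrVars`, so on its own it does not limit which functions an equation may name. That restriction still depends on the `$_allowed_funcs` lookup later in `smarty_function_math`, outside this hunk. Because the pattern is adapted from the eval() manual notes and guards an expression that is evaluated, I would record that dependency next to the check, e.g. `// syntax allow-list only; function names are still checked against $_allowed_funcs below`. It is also worth a comment that `!preg_match(...)` rejects on `false` as well as `0`, so a PCRE failure on the recursive `(?1)+` groups fails closed.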
@@ -0,0 +1,155 @@ +From: Markus Koschany +Date: Sat, 28 May 2022 18:14:36 +0200 +Subject: CVE-2022-29221 + +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1011758 +Origin: https://github.com/smarty-php/smarty/commit/3606c4717ed6348e114a610ff1e446048dcd0345 +--- + libs/sysplugins/smarty_internal_compile_block.php | 4 ++-- + libs/sysplugins/smarty_internal_compile_function.php | 8 ++++---- + libs/sysplugins/smarty_internal_compile_include.php | 4 ++-- + libs/sysplugins/smarty_internal_config_file_compiler.php | 11 +++++++---- + libs/sysplugins/smarty_internal_runtime_codeframe.php | 9 ++++++--- + libs/sysplugins/smarty_internal_templatecompilerbase.php | 4 ++++ + 6 files changed, 25 insertions(+), 15 deletions(-) + +diff --git a/libs/sysplugins/smarty_internal_compile_block.php b/libs/sysplugins/smarty_internal_compile_block.php +index f8b84a5..034d42d 100644 +--- a/libs/sysplugins/smarty_internal_compile_block.php ++++ b/libs/sysplugins/smarty_internal_compile_block.php +@@ -120,7 +120,7 @@ class Smarty_Internal_Compile_Blockclose extends Smarty_Internal_Compile_Shared_ + $compiler->parser->current_buffer = new Smarty_Internal_ParseTree_Template(); + + $output = "cStyleComment(" {block {$_name}} ") . "\n"; + $output .= "class {$_className} extends Smarty_Internal_Block\n"; + $output .= "{\n"; + foreach ($_block as $property => $value) { +@@ -150,7 +150,7 @@ class Smarty_Internal_Compile_Blockclose extends Smarty_Internal_Compile_Shared_ + } + $output .= "}\n"; + $output .= "}\n"; +- $output .= "/* {/block {$_name}} */\n\n"; ++ $output .= $compiler->cStyleComment(" {/block {$_name}} ") . 
"\n\n"; + $output .= "?>\n"; + $compiler->parser->current_buffer->append_subtree( + $compiler->parser, +diff --git a/libs/sysplugins/smarty_internal_compile_function.php b/libs/sysplugins/smarty_internal_compile_function.php +index 1042fd7..7002678 100644 +--- a/libs/sysplugins/smarty_internal_compile_function.php ++++ b/libs/sysplugins/smarty_internal_compile_function.php +@@ -131,7 +131,7 @@ class Smarty_Internal_Compile_Functionclose extends Smarty_Internal_CompileBase + if ($compiler->template->compiled->has_nocache_code) { + $compiler->parent_compiler->tpl_function[ $_name ][ 'call_name_caching' ] = $_funcNameCaching; + $output = "cStyleComment(" {$_funcNameCaching} ") . "\n"; + $output .= "if (!function_exists('{$_funcNameCaching}')) {\n"; + $output .= "function {$_funcNameCaching} (Smarty_Internal_Template \$_smarty_tpl,\$params) {\n"; + $output .= "ob_start();\n"; +@@ -156,7 +156,7 @@ class Smarty_Internal_Compile_Functionclose extends Smarty_Internal_CompileBase + $output .= "/*/%%SmartyNocache:{$compiler->template->compiled->nocache_hash}%%*/\";\n?>"; + $output .= "template->compiled->nocache_hash}', \$_smarty_tpl->compiled->nocache_hash, ob_get_clean());\n"; + $output .= "}\n}\n"; +- $output .= "/*/ {$_funcName}_nocache */\n\n"; ++ $output .= $compiler->cStyleComment("/ {$_funcName}_nocache ") . "\n\n"; + $output .= "?>\n"; + $compiler->parser->current_buffer->append_subtree( + $compiler->parser, +@@ -176,7 +176,7 @@ class Smarty_Internal_Compile_Functionclose extends Smarty_Internal_CompileBase + } + $compiler->parent_compiler->tpl_function[ $_name ][ 'call_name' ] = $_funcName; + $output = "cStyleComment(" {$_funcName} ") . 
"\n"; + $output .= "if (!function_exists('{$_funcName}')) {\n"; + $output .= "function {$_funcName}(Smarty_Internal_Template \$_smarty_tpl,\$params) {\n"; + $output .= $_paramsCode; +@@ -192,7 +192,7 @@ class Smarty_Internal_Compile_Functionclose extends Smarty_Internal_CompileBase + ); + $compiler->parser->current_buffer->append_subtree($compiler->parser, $_functionCode); + $output = "cStyleComment("/ {$_funcName} ") . "\n\n"; + $output .= "?>\n"; + $compiler->parser->current_buffer->append_subtree( + $compiler->parser, +diff --git a/libs/sysplugins/smarty_internal_compile_include.php b/libs/sysplugins/smarty_internal_compile_include.php +index 8bf9cb6..788d3ea 100644 +--- a/libs/sysplugins/smarty_internal_compile_include.php ++++ b/libs/sysplugins/smarty_internal_compile_include.php +@@ -305,14 +305,14 @@ class Smarty_Internal_Compile_Include extends Smarty_Internal_CompileBase + } + // get compiled code + $compiled_code = "cStyleComment(" Start inline template \"{$sourceInfo}\" =============================") . "\n"; + $compiled_code .= "function {$tpl->compiled->unifunc} (Smarty_Internal_Template \$_smarty_tpl) {\n"; + $compiled_code .= "?>\n" . $tpl->compiler->compileTemplateSource($tpl, null, $compiler->parent_compiler); + $compiled_code .= "\n"; + $compiled_code .= $tpl->compiler->postFilter($tpl->compiler->blockOrFunctionCode); + $compiled_code .= "cStyleComment(" End inline template \"{$sourceInfo}\" =============================") . 
"\n"; + $compiled_code .= '?>'; + unset($tpl->compiler); + if ($tpl->compiled->has_nocache_code) { +diff --git a/libs/sysplugins/smarty_internal_config_file_compiler.php b/libs/sysplugins/smarty_internal_config_file_compiler.php +index 8395633..35e523c 100644 +--- a/libs/sysplugins/smarty_internal_config_file_compiler.php ++++ b/libs/sysplugins/smarty_internal_config_file_compiler.php +@@ -153,10 +153,13 @@ class Smarty_Internal_Config_File_Compiler + $this->smarty->_debug->end_compile($this->template); + } + // template header code +- $template_header = +- "template->source->filepath}' */ ?>\n"; ++ $template_header = sprintf( ++ "\n", ++ Smarty::SMARTY_VERSION, ++ date("Y-m-d H:i:s"), ++ str_replace('*/', '* /' , $this->template->source->filepath) ++ ); ++ + + $code = 'smarty->ext->configLoad->_loadConfigVars($_smarty_tpl, ' . + var_export($this->config_data, true) . '); ?>'; +diff --git a/libs/sysplugins/smarty_internal_runtime_codeframe.php b/libs/sysplugins/smarty_internal_runtime_codeframe.php +index 9fd557c..7036b96 100644 +--- a/libs/sysplugins/smarty_internal_runtime_codeframe.php ++++ b/libs/sysplugins/smarty_internal_runtime_codeframe.php +@@ -40,9 +40,12 @@ class Smarty_Internal_Runtime_CodeFrame + $properties[ 'file_dependency' ] = $_template->cached->file_dependency; + $properties[ 'cache_lifetime' ] = $_template->cache_lifetime; + } +- $output = "source->filepath) . "' */\n\n"; ++ $output = sprintf( ++ "source->filepath) ++ ); + $output .= "/* @var Smarty_Internal_Template \$_smarty_tpl */\n"; + $dec = "\$_smarty_tpl->_decodeProperties(\$_smarty_tpl, " . var_export($properties, true) . ',' . + ($cache ? 'true' : 'false') . 
')';
+diff --git a/libs/sysplugins/smarty_internal_templatecompilerbase.php b/libs/sysplugins/smarty_internal_templatecompilerbase.php
+index 0ebc05b..31692ad 100644
+--- a/libs/sysplugins/smarty_internal_templatecompilerbase.php
++++ b/libs/sysplugins/smarty_internal_templatecompilerbase.php
+@@ -1386,6 +1386,10 @@ abstract class Smarty_Internal_TemplateCompilerBase
+ */
+ abstract protected function doCompile($_content, $isTemplateSource = false);
+
++ public function cStyleComment($string) {
++ return '/*' . str_replace('*/', '* /' , $string) . '*/';
++ }
++
+ /**
+ * Compile Tag
+ *
diff -Nru smarty3-3.1.33+20180830.1.3a78a21f+selfpack1/debian/patches/series smarty3-3.1.33+20180830.1.3a78a21f+selfpack1/debian/patches/series
--- smarty3-3.1.33+20180830.1.3a78a21f+selfpack1/debian/patches/series 1970-01-01 00:00:00.000000000 +0000
+++ smarty3-3.1.33+20180830.1.3a78a21f+selfpack1/debian/patches/series 2022-05-29 11:13:32.000000000 +0000
@@ -0,0 +1,5 @@
+CVE-2021-21408.patch
+CVE-2021-26119.patch
+CVE-2021-29454.patch
+CVE-2022-29221.patch
+CVE-2021-26120.patch
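Review bot: `cStyleComment()` is added to smarty_internal_templatecompilerbase.php without a docblock, although the neighbouring methods visible in the hunk carry one, and its opening brace sits on the signature line. The docblock should say that the method wraps text in a `/* ... */` comment for generated PHP and rewrites `*/` to `* /` so that template-controlled names ({block}, {function}, inline template source info) cannot close the comment early. The config-file compiler and code-frame hunks repeat the same `str_replace('*/', '* /', ...)` inline on `source->filepath`. A one-line comment at each of those sites giving the same reason would keep the three places in step.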