Bug#1040449: bookworm-pu: package smarty4/4.3.0-1+deb12u1
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: smarty4@packages.debian.org
Control: affects -1 + src:smarty4
[ Reason ]
Resolve CVE-2023-28447 for smarty4 in bookworm.
[ Impact ]
Closes a vulnerability that allowed execution of arbitrary JavaScript code in the
context of the user's browser session.
[ Tests ]
Smoke test on a system running GOsa² (a smarty4 consumer).
[ Risks ]
Breakage of web packages in Debian that use smarty4.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
+ * debian/patches:
+ + Add CVE-2023-28447.patch. Prohibit execution of arbitrary JavaScript code
+ in the context of the user's browser session. (Closes: #1033965,
+ CVE-2023-28447).
[ Other info ]
None.
diff -Nru smarty4-4.3.0/debian/changelog smarty4-4.3.0/debian/changelog
--- smarty4-4.3.0/debian/changelog 2023-01-14 23:22:18.000000000 +0100
+++ smarty4-4.3.0/debian/changelog 2023-07-06 06:04:52.000000000 +0200
@@ -1,3 +1,12 @@
+smarty4 (4.3.0-1+deb12u1) bookworm; urgency=medium
+
+ * debian/patches:
+ + Add CVE-2023-28447.patch. Prohibit execution of arbitrary JavaScript code
+ in the context of the user's browser session. (Closes: #1033965,
+ CVE-2023-28447).
+
+ -- Mike Gabriel <sunweaver@debian.org> Thu, 06 Jul 2023 06:04:52 +0200
+
smarty4 (4.3.0-1) unstable; urgency=medium
* New upstream release.
diff -Nru smarty4-4.3.0/debian/patches/CVE-2023-28447.patch smarty4-4.3.0/debian/patches/CVE-2023-28447.patch
--- smarty4-4.3.0/debian/patches/CVE-2023-28447.patch 1970-01-01 01:00:00.000000000 +0100
+++ smarty4-4.3.0/debian/patches/CVE-2023-28447.patch 2023-07-06 06:01:34.000000000 +0200
@@ -0,0 +1,81 @@
+From e75165565e9e5956a73365c24d650ba40570ae72 Mon Sep 17 00:00:00 2001
+From: Simon Wisselink <s.wisselink@iwink.nl>
+Date: Fri, 24 Mar 2023 12:19:34 +0100
+Subject: [PATCH] Implement fix and tests
+
+---
+ libs/plugins/modifier.escape.php | 4 +++-
+ libs/plugins/modifiercompiler.escape.php | 4 +++-
+# .../PluginModifierEscapeTest.php | 21 +++++++++++++++++++
+ .../Operators/templates_c/.gitignore | 2 ++
+ 4 files changed, 29 insertions(+), 2 deletions(-)
+ create mode 100644 tests/UnitTests/TemplateSource/ValueTests/Operators/templates_c/.gitignore
+
+diff --git a/libs/plugins/modifier.escape.php b/libs/plugins/modifier.escape.php
+index 11e44682e..e168679c3 100644
+--- a/libs/plugins/modifier.escape.php
++++ b/libs/plugins/modifier.escape.php
+@@ -115,7 +115,9 @@ function smarty_modifier_escape($string, $esc_type = 'html', $char_set = null, $
+ // see https://html.spec.whatwg.org/multipage/scripting.html#restrictions-for-contents-of-script-elements
+ '<!--' => '<\!--',
+ '<s' => '<\s',
+- '<S' => '<\S'
++ '<S' => '<\S',
++ "`" => "\\\\`",
++ "\${" => "\\\\\\$\\{"
+ )
+ );
+ case 'mail':
+diff --git a/libs/plugins/modifiercompiler.escape.php b/libs/plugins/modifiercompiler.escape.php
+index 602c3dbfc..21b1b4c2a 100644
+--- a/libs/plugins/modifiercompiler.escape.php
++++ b/libs/plugins/modifiercompiler.escape.php
+@@ -64,7 +64,9 @@ function smarty_modifiercompiler_escape($params, Smarty_Internal_TemplateCompile
+ // see https://html.spec.whatwg.org/multipage/scripting.html#restrictions-for-contents-of-script-elements
+ return 'strtr((string)' .
+ $params[ 0 ] .
+- ', array("\\\\" => "\\\\\\\\", "\'" => "\\\\\'", "\"" => "\\\\\"", "\\r" => "\\\\r", "\\n" => "\\\n", "</" => "<\/", "<!--" => "<\!--", "<s" => "<\s", "<S" => "<\S" ))';
++ ', array("\\\\" => "\\\\\\\\", "\'" => "\\\\\'", "\"" => "\\\\\"", "\\r" => "\\\\r",
++ "\\n" => "\\\n", "</" => "<\/", "<!--" => "<\!--", "<s" => "<\s", "<S" => "<\S",
++ "`" => "\\\\`", "\${" => "\\\\\\$\\{"))';
+ }
+ } catch (SmartyException $e) {
+ // pass through to regular plugin fallback
+#diff --git a/tests/UnitTests/TemplateSource/TagTests/PluginModifier/PluginModifierEscapeTest.php b/tests/UnitTests/TemplateSource/TagTests/PluginModifier/PluginModifierEscapeTest.php
+#index 309a71ab8..073f9fcfa 100644
+#--- a/tests/UnitTests/TemplateSource/TagTests/PluginModifier/PluginModifierEscapeTest.php
+#+++ b/tests/UnitTests/TemplateSource/TagTests/PluginModifier/PluginModifierEscapeTest.php
+#@@ -237,4 +237,25 @@ public function testNonstdWithoutMbstring()
+# $this->assertEquals("sma'rty@»example«.com", $this->smarty->fetch($tpl));
+# Smarty::$_MBSTRING = true;
+# }
+#+
+#+ public function testTemplateLiteralBackticks()
+#+ {
+#+ $tpl = $this->smarty->createTemplate('string:{"`Hello, World!`"|escape:"javascript"}');
+#+ $this->assertEquals("\\`Hello, World!\\`", $this->smarty->fetch($tpl));
+#+ }
+#+
+#+ public function testTemplateLiteralInterpolation()
+#+ {
+#+ $tpl = $this->smarty->createTemplate('string:{$vector|escape:"javascript"}');
+#+ $this->smarty->assign('vector', "`Hello, \${name}!`");
+#+ $this->assertEquals("\\`Hello, \\\$\\{name}!\\`", $this->smarty->fetch($tpl));
+#+ }
+#+
+#+ public function testTemplateLiteralBackticksAndInterpolation()
+#+ {
+#+ $this->smarty->assign('vector', '`${alert(`Hello, ${name}!`)}${`\n`}`');
+#+ $tpl = $this->smarty->createTemplate('string:{$vector|escape:"javascript"}');
+#+ $this->assertEquals("\\`\\\$\\{alert(\\`Hello, \\\$\\{name}!\\`)}\\\$\\{\\`\\\\n\\`}\\`", $this->smarty->fetch($tpl));
+#+ }
+#+
+# }
+#diff --git a/tests/UnitTests/TemplateSource/ValueTests/Operators/templates_c/.gitignore b/tests/UnitTests/TemplateSource/ValueTests/Operators/templates_c/.gitignore
+#new file mode 100644
+#index 000000000..d88cc1446
+#--- /dev/null
+#+++ b/tests/UnitTests/TemplateSource/ValueTests/Operators/templates_c/.gitignore
+#@@ -0,0 +1,2 @@
+#+# Ignore anything in here, but keep this directory
+#+*
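Review bot: The runtime fallback in libs/plugins/modifier.escape.php (the `@@ -115,7 +115,9 @@` hunk) appears to escape differently from the compiled path: its replacement strings are PHP double-quoted, so `"\\\\`"` yields two backslashes before the backtick, whereas the same text in modifiercompiler.escape.php sits inside a single-quoted code string and collapses to one backslash, which is also what the disabled test `testTemplateLiteralBackticks` expects. If that reading is right, a doubled backslash does not neutralise a backtick inside a JavaScript template literal, so the fallback path would not get the protection the compiled path gets; the runtime entries should read `"`" => "\\`"` and `"\${" => "\\$\\{"` so that both modifiers produce the same output. Separately, the upstream test and .gitignore hunks are disabled with a leading `#`, so the package build never runs the regression tests for this fix; a DEP-3 header line such as `Comment: upstream test hunks disabled because <reason to be confirmed, e.g. tests/ not shipped in the Debian tarball>` would record why. Both `smarty_modifier_escape` and `smarty_modifiercompiler_escape` extend beyond the quoted upstream hunks.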
diff -Nru smarty4-4.3.0/debian/patches/series smarty4-4.3.0/debian/patches/series
--- smarty4-4.3.0/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ smarty4-4.3.0/debian/patches/series 2023-07-06 06:00:13.000000000 +0200
@@ -0,0 +1 @@
+CVE-2023-28447.patch