smarty3: CVE-2018-16831


Debian Bug report logs - #908698

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 12 Sep 2018 19:39:01 UTC

Severity: important

Tags: security, upstream

Found in versions smarty3/3.1.31+20161214.1.c7d42e4+selfpack1-2+deb9u1, smarty3/3.1.32+20180424.1.ac9d4b58+selfpack1-1, smarty3/3.1.21-1+deb8u2, smarty3/3.1.21-1

Fixed in version smarty3/3.1.33+20180830.1.3a78a21f+selfpack1-1

Done: Mike Gabriel <sunweaver@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/smarty-php/smarty/issues/486



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Mike Gabriel <sunweaver@debian.org>:
Bug#908698; Package src:smarty3. (Wed, 12 Sep 2018 19:39:04 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Mike Gabriel <sunweaver@debian.org>. (Wed, 12 Sep 2018 19:39:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: smarty3: CVE-2018-16831
Date: Wed, 12 Sep 2018 21:37:18 +0200
Source: smarty3
Version: 3.1.32+20180424.1.ac9d4b58+selfpack1-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/smarty-php/smarty/issues/486

Hi,

The following vulnerability was published for smarty3.

CVE-2018-16831[0]:
| Smarty before 3.1.33-dev-4 allows attackers to bypass the trusted_dir
| protection mechanism via a file:./../ substring in an include
| statement.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-16831
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16831
[1] https://github.com/smarty-php/smarty/issues/486

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
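As an added illustration (not code from Smarty or from this bug report), the following PHP 8 sketch contrasts a trusted-directory check that reasons about the raw `file:` resource name with one that resolves and normalises the path first and only then tests containment; the `file:` prefix handling, the directory layout and the sample names are assumptions made for the demo.

```php
<?php
declare(strict_types=1);

// Added illustration, not Smarty's own code. The "file:" resource prefix,
// the directory layout and the sample names below are assumptions.

/** Strip a leading "file:" resource prefix (assumed resource syntax). */
function stripResourcePrefix(string $resource): string
{
    return str_starts_with($resource, 'file:') ? substr($resource, 5) : $resource;
}

/**
 * Lexically normalise an absolute path: drop "." segments and resolve ".."
 * segments. Pure string handling, so it also works for files that do not
 * exist on disk (unlike realpath()). ".." above "/" is clamped to "/".
 */
function normalisePath(string $path): string
{
    $parts = [];
    foreach (explode('/', $path) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue;
        }
        if ($segment === '..') {
            array_pop($parts);
            continue;
        }
        $parts[] = $segment;
    }
    return '/' . implode('/', $parts);
}

/** Resolve a template name against the template directory (assumed layout). */
function resolveTemplate(string $templateDir, string $resource): string
{
    $name = stripResourcePrefix($resource);
    if (str_starts_with($name, '/')) {
        return $name;                                  // absolute name
    }
    return rtrim($templateDir, '/') . '/' . $name;     // relative name
}

/**
 * Weak check of the "validate before normalise" kind: it reasons about the
 * raw name. A name such as "./../config.php" looks relative and is accepted,
 * although after resolution it points outside the trusted directory.
 */
function isTrustedWeak(string $trustedDir, string $resource): bool
{
    $name = stripResourcePrefix($resource);
    if (!str_contains($name, '/') || str_starts_with($name, './')) {
        return true;                                   // "relative" => trusted (wrong)
    }
    return str_starts_with($name, rtrim($trustedDir, '/') . '/');
}

/**
 * Hardened check: resolve and normalise first, then require that the result
 * is the trusted directory itself or lies below it. The trailing "/" in the
 * prefix keeps "/srv/app/templates_other" from matching "/srv/app/templates".
 */
function isTrustedHardened(string $templateDir, string $trustedDir, string $resource): bool
{
    $resolved = normalisePath(resolveTemplate($templateDir, $resource));
    $trusted  = normalisePath($trustedDir);
    return $resolved === $trusted || str_starts_with($resolved, $trusted . '/');
}

// Constructed sample values for the demo.
$templateDir = '/srv/app/templates';
$trustedDir  = '/srv/app/templates';
$samples = [
    'file:page.tpl',                                 // inside: both accept
    'file:./../config.php',                          // escapes: weak accepts, hardened rejects
    'file:/srv/app/templates/sub/../header.tpl',     // inside after normalising: both accept
    'file:/srv/app/templates_other/x.tpl',           // sibling dir: both reject, hardened by segment
];
foreach ($samples as $s) {
    printf("%-44s weak=%-3s hardened=%s\n", $s,
        isTrustedWeak($trustedDir, $s) ? 'yes' : 'no',
        isTrustedHardened($templateDir, $trustedDir, $s) ? 'yes' : 'no');
}
```

The second sample is the shape named in the CVE text; only the normalise-then-compare variant rejects it.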



Reply sent to Mike Gabriel <sunweaver@debian.org>:
You have taken responsibility. (Mon, 17 Sep 2018 11:39:05 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 17 Sep 2018 11:39:05 GMT) (full text, mbox, link).


Message #10 received at 908698-close@bugs.debian.org (full text, mbox, reply):

From: Mike Gabriel <sunweaver@debian.org>
To: 908698-close@bugs.debian.org
Subject: Bug#908698: fixed in smarty3 3.1.33+20180830.1.3a78a21f+selfpack1-1
Date: Mon, 17 Sep 2018 11:35:00 +0000
Source: smarty3
Source-Version: 3.1.33+20180830.1.3a78a21f+selfpack1-1

We believe that the bug you reported is fixed in the latest version of
smarty3, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 908698@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mike Gabriel <sunweaver@debian.org> (supplier of updated smarty3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Mon, 17 Sep 2018 13:04:18 +0200
Source: smarty3
Binary: smarty3
Architecture: source
Version: 3.1.33+20180830.1.3a78a21f+selfpack1-1
Distribution: unstable
Urgency: medium
Maintainer: Mike Gabriel <sunweaver@debian.org>
Changed-By: Mike Gabriel <sunweaver@debian.org>
Description:
 smarty3    - ${phpcomposer:description}
Closes: 908698
Changes:
 smarty3 (3.1.33+20180830.1.3a78a21f+selfpack1-1) unstable; urgency=medium
 .
   * New upstream release.
     - CVE-2018-16831: Don't bypass trusted directories with "../". (Closes:
       #908698).
   * debian/control:
     + Bump Standards-Version: to 4.2.1. No changes needed.




Information forwarded to debian-bugs-dist@lists.debian.org, Mike Gabriel <sunweaver@debian.org>:
Bug#908698; Package src:smarty3. (Mon, 17 Sep 2018 14:03:04 GMT) (full text, mbox, link).


Acknowledgement sent to Mike Gabriel <mike.gabriel@das-netzwerkteam.de>:
Extra info received and forwarded to list. Copy sent to Mike Gabriel <sunweaver@debian.org>. (Mon, 17 Sep 2018 14:03:04 GMT) (full text, mbox, link).


Message #15 received at 908698@bugs.debian.org (full text, mbox, reply):

From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
To: Salvatore Bonaccorso <carnil@debian.org>, 908698@bugs.debian.org
Subject: Re: Bug#908698: smarty3: CVE-2018-16831
Date: Mon, 17 Sep 2018 14:00:51 +0000
Hi Salvatore,

On Wed 12 Sep 2018 21:37:18 CEST, Salvatore Bonaccorso wrote:

> Source: smarty3
> Version: 3.1.32+20180424.1.ac9d4b58+selfpack1-1
> Severity: important
> Tags: security upstream
> Forwarded: https://github.com/smarty-php/smarty/issues/486
>
> Hi,
>
> The following vulnerability was published for smarty3.
>
> CVE-2018-16831[0]:
> | Smarty before 3.1.33-dev-4 allows attackers to bypass the trusted_dir
> | protection mechanism via a file:./../ substring in an include
> | statement.
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2018-16831
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16831
> [1] https://github.com/smarty-php/smarty/issues/486
>
> Please adjust the affected versions in the BTS as needed.
>
> Regards,
> Salvatore

I have looked at the changes between 3.1.33 (just uploaded to unstable) and 3.1.32 (in stable). They are awful. Read the below...

15:42 < sunweaver> Hi all, I have just looked into https://security-tracker.debian.org/tracker/CVE-2018-16831
15:43 < sunweaver> even for stretch, it is pretty much impossible to backport the patch series (at least for patches, all containing tons of regexp with multitudes of slashes and backslashes).
15:43 < sunweaver> totally insane...
15:44 < sunweaver> in fact, my recommendation for jessie and stretch would be (with my maintainer hat _and_ LTS team hats on at once): bring the latest upstream release to jessie/stretch.
15:44 < sunweaver> In jessie, we need to upgrade smarty-lexer as well for that.
15:46 < sunweaver> the 4 patches we needed at least are these...
15:47 < sunweaver> https://github.com/smarty-php/smarty/commit/8d21f38dc35c4cd6b31c2f23fc9b8e5adbc56dfe
15:47 < sunweaver> https://github.com/smarty-php/smarty/commit/f9ca3c63d1250bb56b2bda609dcc9dd81f0065f8
15:47 < sunweaver> https://github.com/smarty-php/smarty/commit/2e081a51b1effddb23f87952959139ac62654d50
15:47 < sunweaver> https://github.com/smarty-php/smarty/commit/c9dbe1d08c081912d02bd851d1d1b6388f6133d1
15:48 < sunweaver> and these four sit on top of this...
15:48 < sunweaver> https://github.com/smarty-php/smarty/commit/f7a53162058de410a35a9848e6d0795d7c252aaf
15:48 < sunweaver> and 10+ other commits.
15:48 < sunweaver> all tackling the same code passage.
15:49 < sunweaver> @all: can we reach consensus that latest upstream release would be best for jessie LTS and stretch (OT here).

The pile of patches is so awful, I strongly advise getting latest smarty-lexer and latest smarty3 from unstable into stable with thorough testing of dependent applications (gosa, FusionDirectory, slbackup-php, ...). Most of them are maintained by me and I have running setups for testing this (except 1 package in Debian IIRC).

Comments? Feedbacks?

Mike


-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de


Information forwarded to debian-bugs-dist@lists.debian.org, Mike Gabriel <sunweaver@debian.org>:
Bug#908698; Package src:smarty3. (Mon, 17 Sep 2018 14:03:06 GMT) (full text, mbox, link).


Acknowledgement sent to Mike Gabriel <mike.gabriel@das-netzwerkteam.de>:
Extra info received and forwarded to list. Copy sent to Mike Gabriel <sunweaver@debian.org>. (Mon, 17 Sep 2018 14:03:06 GMT) (full text, mbox, link).


Message #20 received at 908698@bugs.debian.org (full text, mbox, reply):

From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
To: Salvatore Bonaccorso <carnil@debian.org>, 908698@bugs.debian.org
Subject: Re: Bug#908698: smarty3: CVE-2018-16831
Date: Mon, 17 Sep 2018 14:01:36 +0000
Hi again,

On Wed 12 Sep 2018 21:37:18 CEST, Salvatore Bonaccorso wrote:

> Source: smarty3
> Version: 3.1.32+20180424.1.ac9d4b58+selfpack1-1
> Severity: important
> Tags: security upstream
> Forwarded: https://github.com/smarty-php/smarty/issues/486

... I just noticed, 3.1.31 is in stable... But alas, it doesn't change  
a thing...

Mike
-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de


Information forwarded to debian-bugs-dist@lists.debian.org, Mike Gabriel <sunweaver@debian.org>:
Bug#908698; Package src:smarty3. (Mon, 17 Sep 2018 21:09:05 GMT) (full text, mbox, link).


Acknowledgement sent to Mike Gabriel <mike.gabriel@das-netzwerkteam.de>:
Extra info received and forwarded to list. Copy sent to Mike Gabriel <sunweaver@debian.org>. (Mon, 17 Sep 2018 21:09:05 GMT) (full text, mbox, link).


Message #25 received at 908698@bugs.debian.org (full text, mbox, reply):

From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
To: 908698@bugs.debian.org
Cc: security@debian.org
Subject: Re: Bug#908698: smarty3: CVE-2018-16831
Date: Mon, 17 Sep 2018 21:07:38 +0000
(Re-sending, with security@d.o in Cc: now).

Hi Salvatore,

On Wed 12 Sep 2018 21:37:18 CEST, Salvatore Bonaccorso wrote:

> Source: smarty3
> Version: 3.1.32+20180424.1.ac9d4b58+selfpack1-1
> Severity: important
> Tags: security upstream
> Forwarded: https://github.com/smarty-php/smarty/issues/486
>
> Hi,
>
> The following vulnerability was published for smarty3.
>
> CVE-2018-16831[0]:
> | Smarty before 3.1.33-dev-4 allows attackers to bypass the trusted_dir
> | protection mechanism via a file:./../ substring in an include
> | statement.
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2018-16831
>    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16831
> [1] https://github.com/smarty-php/smarty/issues/486
>
> Please adjust the affected versions in the BTS as needed.
>
> Regards,
> Salvatore

I have looked at the changes between 3.1.33 (just uploaded to unstable) and 3.1.31 (in stable). They are awful. Read the below...

15:42 < sunweaver> Hi all, I have just looked into https://security-tracker.debian.org/tracker/CVE-2018-16831
15:43 < sunweaver> even for stretch, it is pretty much impossible to backport the patch series (at least for patches, all containing tons of regexp with multitudes of slashes and backslashes).
15:43 < sunweaver> totally insane...
15:44 < sunweaver> in fact, my recommendation for jessie and stretch would be (with my maintainer hat _and_ LTS team hats on at once): bring the latest upstream release to jessie/stretch.
15:44 < sunweaver> In jessie, we need to upgrade smarty-lexer as well for that.
15:46 < sunweaver> the 4 patches we needed at least are these...
15:47 < sunweaver> https://github.com/smarty-php/smarty/commit/8d21f38dc35c4cd6b31c2f23fc9b8e5adbc56dfe
15:47 < sunweaver> https://github.com/smarty-php/smarty/commit/f9ca3c63d1250bb56b2bda609dcc9dd81f0065f8
15:47 < sunweaver> https://github.com/smarty-php/smarty/commit/2e081a51b1effddb23f87952959139ac62654d50
15:47 < sunweaver> https://github.com/smarty-php/smarty/commit/c9dbe1d08c081912d02bd851d1d1b6388f6133d1
15:48 < sunweaver> and these four sit on top of this...
15:48 < sunweaver> https://github.com/smarty-php/smarty/commit/f7a53162058de410a35a9848e6d0795d7c252aaf
15:48 < sunweaver> and 10+ other commits.
15:48 < sunweaver> all tackling the same code passage.
15:49 < sunweaver> @all: can we reach consensus that latest upstream release would be best for jessie LTS and stretch (OT here).

The pile of patches is so awful, I strongly advise getting latest smarty-lexer and latest smarty3 from unstable into stable with thorough testing of dependent applications (gosa, FusionDirectory, slbackup-php, ...). Most of them are maintained by me and I have running setups for testing this (except 1 package in Debian IIRC).

Comments? Feedbacks?

Mike

-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de


Information forwarded to debian-bugs-dist@lists.debian.org, Mike Gabriel <sunweaver@debian.org>:
Bug#908698; Package src:smarty3. (Mon, 17 Sep 2018 21:24:04 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Mike Gabriel <sunweaver@debian.org>. (Mon, 17 Sep 2018 21:24:04 GMT) (full text, mbox, link).


Message #30 received at 908698@bugs.debian.org (full text, mbox, reply):

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
Cc: 908698@bugs.debian.org, security@debian.org
Subject: Re: Bug#908698: smarty3: CVE-2018-16831
Date: Mon, 17 Sep 2018 23:20:33 +0200
On Mon, Sep 17, 2018 at 09:07:38PM +0000, Mike Gabriel wrote:
> I have looked at the changes between 3.1.33 (just uploaded to unstable) and
> 3.1.31 (in stable). They are awful. Read the below...
> 
> 15:42 < sunweaver> Hi all, I have just looked into
> https://security-tracker.debian.org/tracker/CVE-2018-16831
> 15:43 < sunweaver> even for stretch, it is pretty much impossible to
> backport the patch series (at least for patches, all containing tons of
> regexp with
>                     multitudes of slashes and backslashes).
> 15:43 < sunweaver> totally insane...
> 15:44 < sunweaver> in fact, my recommendation for jessie and stretch would
> be (with my maintainer hat _and_ LTS team hats on at once): bring the latest
>                     upstream release to jessie/stretch.
> 15:44 < sunweaver> In jessie, we need to upgrade smarty-lexer as well for
> that.
> 15:46 < sunweaver> the 4 patches we needed at least are these...
> 15:47 < sunweaver> https://github.com/smarty-php/smarty/commit/8d21f38dc35c4cd6b31c2f23fc9b8e5adbc56dfe
> 15:47 < sunweaver> https://github.com/smarty-php/smarty/commit/f9ca3c63d1250bb56b2bda609dcc9dd81f0065f8
> 15:47 < sunweaver> https://github.com/smarty-php/smarty/commit/2e081a51b1effddb23f87952959139ac62654d50
> 15:47 < sunweaver> https://github.com/smarty-php/smarty/commit/c9dbe1d08c081912d02bd851d1d1b6388f6133d1
> 15:48 < sunweaver> and these four sit on top of this...
> 15:48 < sunweaver> https://github.com/smarty-php/smarty/commit/f7a53162058de410a35a9848e6d0795d7c252aaf
> 15:48 < sunweaver> and 10+ other commits.
> 15:48 < sunweaver> all tackling the same code passage.
> 15:49 < sunweaver> @all: can we reach consensus that latest upstream release
> would be best for jessie LTS and stretch (OT here).
> 
> The pile of patches is so awful, I strongly advise getting latest
> smarty-lexer and latest smarty3 from unstable into stable with thorough
> testing of dependent applications (gosa, FusionDirectory, slbackup-php, ...).
> Most of them are maintained by me and I have running setups for testing this
> (except 1 package in Debian IIRC).

If you have reasonable test coverage of the reverse deps, we can do that.

But let's wait for a few more days to spot eventual regressions reported
in unstable first. Also, make sure to coordinate the release of the DLA with
the DSA, otherwise we end up with a situation where oldstable has a higher
version number than stable.

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Mike Gabriel <sunweaver@debian.org>:
Bug#908698; Package src:smarty3. (Tue, 18 Sep 2018 17:21:29 GMT) (full text, mbox, link).


Acknowledgement sent to Mike Gabriel <mike.gabriel@das-netzwerkteam.de>:
Extra info received and forwarded to list. Copy sent to Mike Gabriel <sunweaver@debian.org>. (Tue, 18 Sep 2018 17:21:30 GMT) (full text, mbox, link).


Message #35 received at 908698@bugs.debian.org (full text, mbox, reply):

From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
To: Moritz Mühlenhoff <jmm@inutil.org>
Cc: 908698@bugs.debian.org, security@debian.org
Subject: Re: Bug#908698: smarty3: CVE-2018-16831
Date: Tue, 18 Sep 2018 17:06:14 +0000
Hi,

On Mon 17 Sep 2018 23:20:33 CEST, Moritz Mühlenhoff wrote:

> On Mon, Sep 17, 2018 at 09:07:38PM +0000, Mike Gabriel wrote:
>> I have looked at the changes between 3.1.33 (just uploaded to unstable) and
>> 3.1.31 (in stable). They are awful. Read the below...
>>
>> 15:42 < sunweaver> Hi all, I have just looked into
>> https://security-tracker.debian.org/tracker/CVE-2018-16831
>> 15:43 < sunweaver> even for stretch, it is pretty much impossible to
>> backport the patch series (at least for patches, all containing tons of
>> regexp with
>>                     multitudes of slashes and backslashes).
>> 15:43 < sunweaver> totally insane...
>> 15:44 < sunweaver> in fact, my recommendation for jessie and stretch would
>> be (with my maintainer hat _and_ LTS team hats on at once): bring the latest
>>                     upstream release to jessie/stretch.
>> 15:44 < sunweaver> In jessie, we need to upgrade smarty-lexer as well for
>> that.
>> 15:46 < sunweaver> the 4 patches we needed at least are these...
>> 15:47 < sunweaver> https://github.com/smarty-php/smarty/commit/8d21f38dc35c4cd6b31c2f23fc9b8e5adbc56dfe
>> 15:47 < sunweaver> https://github.com/smarty-php/smarty/commit/f9ca3c63d1250bb56b2bda609dcc9dd81f0065f8
>> 15:47 < sunweaver> https://github.com/smarty-php/smarty/commit/2e081a51b1effddb23f87952959139ac62654d50
>> 15:47 < sunweaver> https://github.com/smarty-php/smarty/commit/c9dbe1d08c081912d02bd851d1d1b6388f6133d1
>> 15:48 < sunweaver> and these four sit on top of this...
>> 15:48 < sunweaver> https://github.com/smarty-php/smarty/commit/f7a53162058de410a35a9848e6d0795d7c252aaf
>> 15:48 < sunweaver> and 10+ other commits.
>> 15:48 < sunweaver> all tackling the same code passage.
>> 15:49 < sunweaver> @all: can we reach consensus that latest upstream release
>> would be best for jessie LTS and stretch (OT here).
>>
>> The pile of patches is so awful, I strongly advise getting latest
>> smarty-lexer and latest smarty3 from unstable into stable with thorough
>> testing of dependent applications (gosa, FusionDirectory, slbackup-php, ...).
>> Most of them are maintained by me and I have running setups for testing this
>> (except 1 package in Debian IIRC).
>
> If you have reasonable test coverage of the reverse deps, we can do that.
>
> But let's wait for a few more days to spot eventual regressions reported
> in unstable first. Also, make sure to coordinate the release of the DLA with
> the DSA, otherwise we end up with a situation where oldstable has a higher
> version number than stable.
>
> Cheers,
>         Moritz

I will wait another week with this. I'd like to get this solved before  
my VAC (6th Oct - 21st Oct).

Mike
-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de


Information forwarded to debian-bugs-dist@lists.debian.org, Mike Gabriel <sunweaver@debian.org>:
Bug#908698; Package src:smarty3. (Tue, 18 Sep 2018 19:00:12 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Mike Gabriel <sunweaver@debian.org>. (Tue, 18 Sep 2018 19:00:12 GMT) (full text, mbox, link).


Message #40 received at 908698@bugs.debian.org (full text, mbox, reply):

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
Cc: 908698@bugs.debian.org, security@debian.org
Subject: Re: Bug#908698: smarty3: CVE-2018-16831
Date: Tue, 18 Sep 2018 20:58:25 +0200
On Tue, Sep 18, 2018 at 05:06:14PM +0000, Mike Gabriel wrote:
> > But let's wait for a few more days to spot eventual regressions reported
> > in unstable first. Also, make sure to coordinate the release of the DLA with
> > the DSA, otherwise we end up with a situation where oldstable has a higher
> > version number than stable.
> 
> I will wait another week with this. I'd like to get this solved before my
> VAC (6th Oct - 21st Oct).

Sounds good.

Cheers,
         Moritz



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 20 Oct 2018 07:27:43 GMT) (full text, mbox, link).


Bug unarchived. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 27 Dec 2018 20:51:07 GMT) (full text, mbox, link).


Marked as found in versions smarty3/3.1.21-1+deb8u2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 27 Dec 2018 20:51:09 GMT) (full text, mbox, link).


Marked as found in versions smarty3/3.1.21-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 27 Dec 2018 20:51:10 GMT) (full text, mbox, link).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 25 Jan 2019 07:33:07 GMT) (full text, mbox, link).


Bug unarchived. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 29 Jan 2019 06:18:02 GMT) (full text, mbox, link).


Marked as found in versions smarty3/3.1.31+20161214.1.c7d42e4+selfpack1-2+deb9u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 29 Jan 2019 06:18:04 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Mike Gabriel <sunweaver@debian.org>:
Bug#908698; Package src:smarty3. (Tue, 29 Jan 2019 06:51:05 GMT) (full text, mbox, link).


Acknowledgement sent to "Moritz Mühlenhoff" <salvatore.bonaccorso@gmail.com>:
Extra info received and forwarded to list. Copy sent to Mike Gabriel <sunweaver@debian.org>. (Tue, 29 Jan 2019 06:51:05 GMT) (full text, mbox, link).


Message #59 received at 908698@bugs.debian.org (full text, mbox, reply):

From: "Moritz Mühlenhoff" <salvatore.bonaccorso@gmail.com>
To: mike.gabriel@das-netzwerkteam.de
Cc: security@debian.org, 908698@bugs.debian.org
Subject: Re: Bug#908698: smarty3: CVE-2018-16831
Date: Tue, 29 Jan 2019 01:24:23 +0100
On Thu, Dec 27, 2018 at 09:44:33PM +0100, Salvatore Bonaccorso wrote:
> Hi Mike,
> 
> On Thu, Nov 22, 2018 at 08:00:07PM +0100, Moritz Mühlenhoff wrote:
> > On Fri, Oct 26, 2018 at 04:46:39PM +0000, mike.gabriel@das-netzwerkteam.de wrote:
> > > Hi,
> > > 
> > > On Friday, 26 October 2018, Moritz Mühlenhoff wrote:
> > > > On Tue, Sep 18, 2018 at 05:06:14PM +0000, Mike Gabriel wrote:
> > > > > Hi,
> > > > > 
> > > > > On Mon 17 Sep 2018 23:20:33 CEST, Moritz Mühlenhoff wrote:
> > > > > 
> > > > > > On Mon, Sep 17, 2018 at 09:07:38PM +0000, Mike Gabriel wrote:
> > > > > > > I have looked at the changes between 3.1.33 (just uploaded to unstable) and
> > > > > > > 3.1.31 (in stable). They are awful. Read the below...
> > > > > > > 
> > > > > > > 15:42 < sunweaver> Hi all, I have just looked into
> > > > > > > https://security-tracker.debian.org/tracker/CVE-2018-16831
> > > > > > > 15:43 < sunweaver> even for stretch, it is pretty much impossible to
> > > > > > > backport the patch series (at least for patches, all containing tons of
> > > > > > > regexp with
> > > > > > >                     multitudes of slashes and backslashes).
> > > > > > > 15:43 < sunweaver> totally insane...
> > > > > > > 15:44 < sunweaver> in fact, my recommendation for jessie and stretch would
> > > > > > > be (with my maintainer hat _and_ LTS team hats on at once): bring the latest
> > > > > > >                     upstream release to jessie/stretch.
> > > > > > > 15:44 < sunweaver> In jessie, we need to upgrade smarty-lexer as well for
> > > > > > > that.
> > > > > > > 15:46 < sunweaver> the 4 patches we needed at least are these...
> > > > > > > 15:47 < sunweaver> https://github.com/smarty-php/smarty/commit/8d21f38dc35c4cd6b31c2f23fc9b8e5adbc56dfe
> > > > > > > 15:47 < sunweaver> https://github.com/smarty-php/smarty/commit/f9ca3c63d1250bb56b2bda609dcc9dd81f0065f8
> > > > > > > 15:47 < sunweaver> https://github.com/smarty-php/smarty/commit/2e081a51b1effddb23f87952959139ac62654d50
> > > > > > > 15:47 < sunweaver> https://github.com/smarty-php/smarty/commit/c9dbe1d08c081912d02bd851d1d1b6388f6133d1
> > > > > > > 15:48 < sunweaver> and these four sit on top of this...
> > > > > > > 15:48 < sunweaver> https://github.com/smarty-php/smarty/commit/f7a53162058de410a35a9848e6d0795d7c252aaf
> > > > > > > 15:48 < sunweaver> and 10+ other commits.
> > > > > > > 15:48 < sunweaver> all tackling the same code passage.
> > > > > > > 15:49 < sunweaver> @all: can we reach consensus that latest upstream release
> > > > > > > would be best for jessie LTS and stretch (OT here).
> > > > > > > 
> > > > > > > The pile of patches is so awful, I strongly advise getting latest
> > > > > > > smarty-lexer and latest smarty3 from unstable into stable with thorough
> > > > > > > testing of dependent applications (gosa, FusionDirectory, slbackup-php, ...).
> > > > > > > Most of them are maintained by me and I have running setups for testing this
> > > > > > > (except 1 package in Debian IIRC).
> > > > > > 
> > > > > > If you have reasonable test coverage of the reverse deps, we can do that.
> > > > > > 
> > > > > > But let's wait for a few more days to spot eventual regressions reported
> > > > > > in unstable first. Also, make sure to coordinate the release of the DLA with
> > > > > > the DSA, otherwise we end up with a situation where oldstable has a higher
> > > > > > version number than stable.
> > > > > > 
> > > > > > Cheers,
> > > > > >         Moritz
> > > > > 
> > > > > I will wait another week with this. I'd like to get this solved before my
> > > > > VAC (6th Oct - 21st Oct).
> > > > 
> > > > What's the status?
> > > > 
> > > > Cheers,
> > > >         Moritz
> > > >
> > > 
> > > I am still waiting for upstream to verify / confirm my patch. Ping dropped Monday this week.
> > 
> > Any feedback?
> 
> Did you get any feedback on it?

*ping*

Cheers,
        Moritz




Information forwarded to debian-bugs-dist@lists.debian.org, Mike Gabriel <sunweaver@debian.org>:
Bug#908698; Package src:smarty3. (Fri, 15 Feb 2019 22:54:02 GMT) (full text, mbox, link).


Acknowledgement sent to Mike Gabriel <mike.gabriel@das-netzwerkteam.de>:
Extra info received and forwarded to list. Copy sent to Mike Gabriel <sunweaver@debian.org>. (Fri, 15 Feb 2019 22:54:02 GMT) (full text, mbox, link).


Message #64 received at 908698@bugs.debian.org (full text, mbox, reply):

From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: security@debian.org, 908698@bugs.debian.org
Subject: Re: Bug#908698: smarty3: CVE-2018-16831
Date: Fri, 15 Feb 2019 22:50:32 +0000
Hi Moritz, Salvatore,

On Thu 27 Dec 2018 21:44:33 CET, Salvatore Bonaccorso wrote:

> Hi Mike,
>
> On Thu, Nov 22, 2018 at 08:00:07PM +0100, Moritz Mühlenhoff wrote:
>> On Fri, Oct 26, 2018 at 04:46:39PM +0000, mike.gabriel@das-netzwerkteam.de wrote:
>> > Hi,
>> >
>> > On Friday, 26 October 2018, Moritz Mühlenhoff wrote:
>> > > On Tue, Sep 18, 2018 at 05:06:14PM +0000, Mike Gabriel wrote:
>> > > > Hi,
>> > > >
>> > > > On Mon 17 Sep 2018 23:20:33 CEST, Moritz Mühlenhoff wrote:
>> > > >
>> > > > > On Mon, Sep 17, 2018 at 09:07:38PM +0000, Mike Gabriel wrote:
>> > > > > > I have looked at the changes between 3.1.33 (just uploaded to unstable) and
>> > > > > > 3.1.31 (in stable). They are awful. Read the below...
>> > > > > >
>> > > > > > 15:42 < sunweaver> Hi all, I have just looked into
>> > > > > > https://security-tracker.debian.org/tracker/CVE-2018-16831
>> > > > > > 15:43 < sunweaver> even for stretch, it is pretty much impossible to
>> > > > > > backport the patch series (at least for patches, all containing tons of
>> > > > > > regexp with
>> > > > > >                     multitudes of slashes and backslashes).
>> > > > > > 15:43 < sunweaver> totally insane...
>> > > > > > 15:44 < sunweaver> in fact, my recommendation for jessie and stretch would
>> > > > > > be (with my maintainer hat _and_ LTS team hats on at once): bring the latest
>> > > > > >                     upstream release to jessie/stretch.
>> > > > > > 15:44 < sunweaver> In jessie, we need to upgrade smarty-lexer as well for
>> > > > > > that.
>> > > > > > 15:46 < sunweaver> the 4 patches we needed at least are these...
>> > > > > > 15:47 < sunweaver> https://github.com/smarty-php/smarty/commit/8d21f38dc35c4cd6b31c2f23fc9b8e5adbc56dfe
>> > > > > > 15:47 < sunweaver> https://github.com/smarty-php/smarty/commit/f9ca3c63d1250bb56b2bda609dcc9dd81f0065f8
>> > > > > > 15:47 < sunweaver> https://github.com/smarty-php/smarty/commit/2e081a51b1effddb23f87952959139ac62654d50
>> > > > > > 15:47 < sunweaver> https://github.com/smarty-php/smarty/commit/c9dbe1d08c081912d02bd851d1d1b6388f6133d1
>> > > > > > 15:48 < sunweaver> and these four sit on top of this...
>> > > > > > 15:48 < sunweaver> https://github.com/smarty-php/smarty/commit/f7a53162058de410a35a9848e6d0795d7c252aaf
>> > > > > > 15:48 < sunweaver> and 10+ other commits.
>> > > > > > 15:48 < sunweaver> all tackling the same code passage.
>> > > > > > 15:49 < sunweaver> @all: can we reach consensus that latest upstream release
>> > > > > > would be best for jessie LTS and stretch (OT here).
>> > > > > >
>> > > > > > The pile of patches is so awful, I strongly advise getting latest
>> > > > > > smarty-lexer and latest smarty3 from unstable into stable with thorough
>> > > > > > testing of dependent applications (gosa, FusionDirectory, slbackup-php, ...).
>> > > > > > Most of them are maintained by me and I have running setups for testing this
>> > > > > > (except 1 package in Debian IIRC).
>> > > > >
>> > > > > If you have reasonable test coverage of the reverse deps, we can do that.
>> > > > >
>> > > > > But let's wait for a few more days to spot eventual regressions reported
>> > > > > in unstable first. Also, make sure to coordinate the release of the DLA with
>> > > > > the DSA, otherwise we end up with a situation where oldstable has a higher
>> > > > > version number than stable.
>> > > > >
>> > > > > Cheers,
>> > > > >         Moritz
>> > > >
>> > > > I will wait another week with this. I'd like to get this solved before my
>> > > > VAC (6th Oct - 21st Oct).
>> > >
>> > > What's the status?
>> > >
>> > > Cheers,
>> > >         Moritz
>> > >
>> >
>> > I am still waiting for upstream to verify / confirm my patch. Ping dropped Monday this week.
>>
>> Any feedback?
>
> Did you get any feedback on it?
>

No. However, this week I took some time and tested my patch more  
intensively. It throws PHP exceptions on certain code paths.

Need to reinvestigate and update my patch... It's on my list, so stay  
tuned. Sorry for the long delay on my side.

Mike
-- 

DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 16 Mar 2019 07:35:11 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:18:46 2019; Machine Name: beach
