Debian Bug report logs - #1020991
php-twig: CVE-2022-39261


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 30 Sep 2022 07:45:01 UTC

Severity: grave

Tags: security, upstream

Found in version php-twig/3.4.2-1

Fixed in version php-twig/3.4.3-1

Done: David Prévot <dprevot@evolix.fr>


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian PHP PEAR Maintainers <pkg-php-pear@lists.alioth.debian.org>:
Bug#1020991; Package src:php-twig. (Fri, 30 Sep 2022 07:45:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian PHP PEAR Maintainers <pkg-php-pear@lists.alioth.debian.org>. (Fri, 30 Sep 2022 07:45:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: php-twig: CVE-2022-39261
Date: Fri, 30 Sep 2022 09:42:39 +0200
Source: php-twig
Version: 3.4.2-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for php-twig.

CVE-2022-39261[0]:
| Twig is a template language for PHP. Versions 1.x prior to 1.44.7, 2.x
| prior to 2.15.3, and 3.x prior to 3.4.3 encounter an issue when the
| filesystem loader loads templates for which the name is a user input.
| It is possible to use the `source` or `include` statement to read
| arbitrary files from outside the templates' directory when using a
| namespace like `@somewhere/../some.file`. In such a case, validation
| is bypassed. Versions 1.44.7, 2.15.3, and 3.4.3 contain a fix for
| validation of such template names. There are no known workarounds
| aside from upgrading.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-39261
    https://www.cve.org/CVERecord?id=CVE-2022-39261
[1] https://github.com/twigphp/Twig/security/advisories/GHSA-52m2-vc4m-jj33
[2] https://github.com/twigphp/Twig/commit/35f3035c5deb0041da7b84daf02dea074ddc7a0b

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
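
The following is an added illustration, not code from the Twig project, from the fix commit, or from this bug report. It models, in PHP, the class of defect the CVE text above describes: a filesystem loader that validates a namespaced template name as one string, so the leading "@somewhere" token counts as a directory level and a following "../" cancels it, beside a hardened check that validates only the path portion after the namespace. The function names (staysInside, parseName, weakIsValid, hardenedIsValid) and the sample names are assumptions for this example; only "@somewhere/../some.file" comes from the advisory text.

```php
<?php
declare(strict_types=1);

// Added example (not Twig's code). Models a loader that maps a namespace
// such as "somewhere" to a configured directory and resolves "@ns/path".
const MAIN_NAMESPACE = '__main__';

/**
 * Walks the path segments, counting directory depth. Any "../" that would
 * climb above the starting directory pushes the level negative and fails.
 */
function staysInside(string $path): bool
{
    $level = 0;
    foreach (explode('/', str_replace('\\', '/', $path)) as $segment) {
        if ($segment === '..') {
            $level--;
        } elseif ($segment !== '.' && $segment !== '') {
            $level++;
        }
        if ($level < 0) {
            return false;
        }
    }
    return true;
}

/**
 * Splits "@ns/dir/file.twig" into [ns, "dir/file.twig"].
 * Plain names belong to the main namespace.
 */
function parseName(string $name): array
{
    if ($name !== '' && $name[0] === '@') {
        $pos = strpos($name, '/');
        if ($pos === false) {
            throw new InvalidArgumentException(
                sprintf('Malformed namespaced template name "%s" (expecting "@namespace/template_name").', $name)
            );
        }
        return [substr($name, 1, $pos - 1), substr($name, $pos + 1)];
    }
    return [MAIN_NAMESPACE, $name];
}

// Weak check (hypothetical): validates the whole string. "@somewhere" is
// counted as one level, so a single "../" brings the count back to zero
// and the name is accepted although it leaves the namespace directory.
function weakIsValid(string $name): bool
{
    return staysInside($name);
}

// Hardened check (hypothetical): reject NUL bytes, then validate only the
// part after the namespace, so "../" at the start of the template path
// immediately fails.
function hardenedIsValid(string $name): bool
{
    if (strpos($name, "\0") !== false) {
        return false;
    }
    [, $shortname] = parseName($name);
    return staysInside($shortname);
}

// Constructed sample names; the third one is the pattern quoted in the CVE text.
$cases = [
    'page.twig',
    '@somewhere/layout.twig',
    '@somewhere/../some.file',
    '../outside.twig',
    '@somewhere/sub/../other.twig', // climbs, but stays inside the namespace
];
foreach ($cases as $case) {
    printf(
        "%-32s weak=%-6s hardened=%s\n",
        $case,
        weakIsValid($case) ? 'ok' : 'REJECT',
        hardenedIsValid($case) ? 'ok' : 'REJECT'
    );
}
```

Run with `php example.php`: the weak check accepts "@somewhere/../some.file" while the hardened one rejects it, and both reject a bare "../outside.twig". A segment count is a string-level check; a loader should still resolve the final path (for example with realpath()) and confirm it lies under the directory configured for that namespace before opening the file.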



Reply sent to David Prévot <dprevot@evolix.fr>:
You have taken responsibility. (Fri, 30 Sep 2022 10:24:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 30 Sep 2022 10:24:04 GMT)


Message #10 received at 1020991-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1020991-close@bugs.debian.org
Subject: Bug#1020991: fixed in php-twig 3.4.3-1
Date: Fri, 30 Sep 2022 10:20:48 +0000
Source: php-twig
Source-Version: 3.4.3-1
Done: David Prévot <dprevot@evolix.fr>

We believe that the bug you reported is fixed in the latest version of
php-twig, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1020991@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
David Prévot <dprevot@evolix.fr> (supplier of updated php-twig package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 30 Sep 2022 10:59:34 +0200
Source: php-twig
Architecture: source
Version: 3.4.3-1
Distribution: unstable
Urgency: medium
Maintainer: Debian PHP PEAR Maintainers <pkg-php-pear@lists.alioth.debian.org>
Changed-By: David Prévot <dprevot@evolix.fr>
Closes: 1020991
Changes:
 php-twig (3.4.3-1) unstable; urgency=medium
 .
   [ Fabien Potencier ]
   * Fix a security issue on filesystem loader (possibility to load a
     template outside a configured directory)
     [CVE-2022-39261] (Closes: #1020991)
   * Prepare the 3.4.3 release
 .
   [ David Prevot ]
   * Update Standards-Version to 4.6.1
Checksums-Sha1:
 59308c88c56efa96703a5c9e3008a3d0b90ce08a 2854 php-twig_3.4.3-1.dsc
 6a4d5ae906fc12b8cf6cfe4cc8b6c0158578568a 201928 php-twig_3.4.3.orig.tar.xz
 a4e5923acc3b461a9b03d64e97ab0e2c1af53e63 18424 php-twig_3.4.3-1.debian.tar.xz
 776ece42f3e933e9fa4ddf78342c9272daee2b71 8929 php-twig_3.4.3-1_source.buildinfo
Checksums-Sha256:
 3ced43ffca09d5bb84795af05c060d14d758b48e4e76713bd7e1a54a6fdd1595 2854 php-twig_3.4.3-1.dsc
 fed79cc640e6bd8511d62c56c65226d0e6999e3f34492bf986ec925a2147947b 201928 php-twig_3.4.3.orig.tar.xz
 1831bb4887155aaace6fbc39af4543ef5af99e1fb0537dfcc89e54d536e9728f 18424 php-twig_3.4.3-1.debian.tar.xz
 433f343d66058b10e23a42c3bb99ab22bc689f491ca9cda6314653cfee9d9851 8929 php-twig_3.4.3-1_source.buildinfo
Files:
 e66286228be8d710b0ffb220abfca581 2854 php optional php-twig_3.4.3-1.dsc
 fd37a06822a6b28c718e8a0d8889f9cc 201928 php optional php-twig_3.4.3.orig.tar.xz
 3042b2e518127f70b7aafcfbeddc1e19 18424 php optional php-twig_3.4.3-1.debian.tar.xz
 d4b7d75650adbfb28a6d6dedb1b39698 8929 php optional php-twig_3.4.3-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEeHVNB7wJXHRI941mBYwc+UT2vTwFAmM2v7gACgkQBYwc+UT2
vTyF8wf/RUMLYZBRQjBXQipzj0Dtx0VrBJbq7fUh7I3vl5IygOJUzJGuO/t5WhBV
zGTosVy02T7nQna3lpZ6Mx3ufH4suseiykP4RJjhDbLMlaA0kSGHesQG1k+W2qNz
7EBlP1bqZt2bE4gzYhvKNbNXt3TkOYYZAqkTcz9H8GEnmeemQOOw8aIw/tMMpuHU
RkhQ/K3H88DpZSqHdsZz1usCe+NWO6q9GtnUkEsyhyoEIJYJoLEtzwQzjzyFPY4j
ZAbqAabBUtQKE1a/8SND/xGsIjo13lbf5F8Fo3veG9StjK9FkCzB+6BHRJMO9Yh5
Uj8wSKWLtltJuzpbaR9G5I+9Pxp/QA==
=UVct
-----END PGP SIGNATURE-----






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Sep 30 13:22:06 2022; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.