Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 558420 - <dev-php/twig-1.20.0: remote code execution
Summary: <dev-php/twig-1.20.0: remote code execution
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: ~2 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-08-22 12:15 UTC by Agostino Sarubbo
Modified: 2015-08-25 09:15 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2015-08-22 12:15:13 UTC 
From ${URL} :

the symphony project released a security advisory for the Twig PHP library:
http://symfony.com/blog/security-release-twig-1-20-0

The linked GitHub pull requests provides the fixes:
https://github.com/twigphp/Twig/pull/1759

AFAICT there are least two issues: a remote code execution fixed by the "fixed
sandbox security issue" patch, and at least another issue regarding access to
"reserved macro names".


@maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
Comment 1 Brian Evans (RETIRED) gentoo-dev 2015-08-22 13:58:30 UTC 
dev-php/twig-1.20.0 added and old versions dropped