| Summary: | <dev-php/twig-1.40.1: sandbox information disclosure | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | trivial | CC: | djc, php-bugs |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://bugzilla.redhat.com/show_bug.cgi?id=1692778 | ||
| Whiteboard: | ~4 [noglsa cve] | ||
| Package list: | Runtime testing required: | --- | |
The bug has been closed via the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1b71d712064b76fd4b04d184948528528479b242 commit 1b71d712064b76fd4b04d184948528528479b242 Author: Dirkjan Ochtman <djc@gentoo.org> AuthorDate: 2019-05-06 19:46:15 +0000 Commit: Dirkjan Ochtman <djc@gentoo.org> CommitDate: 2019-05-06 19:46:15 +0000 dev-php/twig: version bump to 1.40.1 (fixes CVE-2019-9942) Closes: https://bugs.gentoo.org/681862 Signed-off-by: Dirkjan Ochtman <djc@gentoo.org> Package-Manager: Portage-2.3.62, Repoman-2.3.11 dev-php/twig/Manifest | 1 + dev-php/twig/files/1.40.1-autoloader-path.patch | 16 +++++ dev-php/twig/twig-1.40.1.ebuild | 87 +++++++++++++++++++++++++ 3 files changed, 104 insertions(+) Sorry that took a bit long -- it's been very busy. Please drop vulnerable. Done. (In reply to Dirkjan Ochtman from comment #4) > Done. Thanks! |
From ${URL} : A sandbox information disclosure exists in Twig before 1.38.0 and 2.x before 2.7.0 because, under some circumstances, it is possible to call the __toString() method on an object even if not allowed by the security policy in place. Reference: https://symfony.com/blog/twig-sandbox-information-disclosure Upstream commit: https://github.com/twigphp/Twig/commit/eac5422956e1dcca89a3669a03a3ff32f0502077 @maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.