Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 873358

Summary: <dev-php/twig-1.44.7: arbitrary file include
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: trivial CC: php-bugs
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://github.com/twigphp/Twig/security/advisories/GHSA-52m2-vc4m-jj33
Whiteboard: ~4 [noglsa]
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 873364    

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-28 22:20:45 UTC 
CVE-2022-39261:

Twig is a template language for PHP. Versions 1.x prior to 1.44.7, 2.x prior to 2.15.3, and 3.x prior to 3.4.3 encounter an issue when the filesystem loader loads templates for which the name is a user input. It is possible to use the `source` or `include` statement to read arbitrary files from outside the templates' directory when using a namespace like `@somewhere/../some.file`. In such a case, validation is bypassed. Versions 1.44.7, 2.15.3, and 3.4.3 contain a fix for validation of such template names. There are no known workarounds aside from upgrading.

Fix: https://github.com/twigphp/Twig/commit/35f3035c5deb0041da7b84daf02dea074ddc7a0b

Please bump to 1.44.7.
Comment 1 Larry the Git Cow gentoo-dev 2023-04-19 04:12:42 UTC 
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5663f7e15244378caa1c3c94c1b657a0057268bb

commit 5663f7e15244378caa1c3c94c1b657a0057268bb
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2023-04-19 04:09:26 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2023-04-19 04:12:28 +0000

    dev-php/twig: add 1.44.7
    
    Closes: https://bugs.gentoo.org/873358
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 dev-php/twig/Manifest           |  1 +
 dev-php/twig/twig-1.44.7.ebuild | 49 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 50 insertions(+)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-04-19 04:13:17 UTC 
Sorry, didn't mean to close.
Comment 3 Larry the Git Cow gentoo-dev 2023-04-30 23:38:19 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=881bdd2431f6e53381892ae810861e72eea85993

commit 881bdd2431f6e53381892ae810861e72eea85993
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2023-04-30 23:37:55 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2023-04-30 23:37:55 +0000

    dev-php/twig: drop 1.44.6
    
    Bug: https://bugs.gentoo.org/873358
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 dev-php/twig/Manifest           |  1 -
 dev-php/twig/twig-1.44.6.ebuild | 49 -----------------------------------------
 2 files changed, 50 deletions(-)