Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 873361

Summary: <www-apps/drupal-9.4.7: arbitrary file include via bundled twig
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: trivial CC: web-apps
Priority: Normal Keywords: PullRequest
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://www.drupal.org/sa-core-2022-016
See Also: https://github.com/gentoo/gentoo/pull/30050
Whiteboard: ~4 [noglsa]
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 873364    

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-28 22:27:19 UTC 
CVE-2022-39261:

Twig is a template language for PHP. Versions 1.x prior to 1.44.7, 2.x prior to 2.15.3, and 3.x prior to 3.4.3 encounter an issue when the filesystem loader loads templates for which the name is a user input. It is possible to use the `source` or `include` statement to read arbitrary files from outside the templates' directory when using a namespace like `@somewhere/../some.file`. In such a case, validation is bypassed. Versions 1.44.7, 2.15.3, and 3.4.3 contain a fix for validation of such template names. There are no known workarounds aside from upgrading.

https://github.com/twigphp/Twig/security/advisories/GHSA-52m2-vc4m-jj33

According to URL, fixes in 9.3.22 and 9.4.7. Looks like all of our
Drupal versions in tree EOL except 7.x, so please bump and cleanup EOL
branches.
Comment 1 Larry the Git Cow gentoo-dev 2023-03-11 11:05:29 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=17af39078f3deb881d566f11ca7b5191eee045f1

commit 17af39078f3deb881d566f11ca7b5191eee045f1
Author:     Viorel Munteanu <ceamac@gentoo.org>
AuthorDate: 2023-03-11 07:45:03 +0000
Commit:     Viorel Munteanu <ceamac@gentoo.org>
CommitDate: 2023-03-11 11:03:41 +0000

    www-apps/drupal: drop 9.2.18
    
    Bug: https://bugs.gentoo.org/851942
    Bug: https://bugs.gentoo.org/873361
    Closes: https://github.com/gentoo/gentoo/pull/30050
    Signed-off-by: Viorel Munteanu <ceamac@gentoo.org>

 www-apps/drupal/Manifest             |  1 -
 www-apps/drupal/drupal-9.2.18.ebuild | 68 ------------------------------------
 2 files changed, 69 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=48b5eb917955c7dbad99bdba04f4d988d66e1813

commit 48b5eb917955c7dbad99bdba04f4d988d66e1813
Author:     Viorel Munteanu <ceamac@gentoo.org>
AuthorDate: 2023-03-11 07:16:35 +0000
Commit:     Viorel Munteanu <ceamac@gentoo.org>
CommitDate: 2023-03-11 11:03:41 +0000

    www-apps/drupal: drop 9.1.15
    
    drupal 9.1 reached end of life and no longer receives security updates.
    
    Bug: https://bugs.gentoo.org/831818
    Bug: https://bugs.gentoo.org/835524
    Bug: https://bugs.gentoo.org/873361
    Signed-off-by: Viorel Munteanu <ceamac@gentoo.org>

 www-apps/drupal/Manifest             |  1 -
 www-apps/drupal/drupal-9.1.15.ebuild | 68 ------------------------------------
 2 files changed, 69 deletions(-)