873361 – <www-apps/drupal-9.4.7: arbitrary file include via bundled twig

Bug 873361 - <www-apps/drupal-9.4.7: arbitrary file include via bundled twig

Summary: <www-apps/drupal-9.4.7: arbitrary file include via bundled twig

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal trivial (vote)
Assignee:	Gentoo Security

URL:	https://www.drupal.org/sa-core-2022-016
Whiteboard:	~4 [noglsa]
Keywords:	PullRequest

Depends on:
Blocks:	CVE-2022-39261
	Show dependency tree

Reported:	2022-09-28 22:27 UTC by John Helmert III
Modified:	2023-04-19 03:35 UTC (History)
CC List:	1 user (show)

See Also:	https://github.com/gentoo/gentoo/pull/30050
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Helmert III archtester

2022-09-28 22:27:19 UTC

CVE-2022-39261:

Twig is a template language for PHP. Versions 1.x prior to 1.44.7, 2.x prior to 2.15.3, and 3.x prior to 3.4.3 encounter an issue when the filesystem loader loads templates for which the name is a user input. It is possible to use the `source` or `include` statement to read arbitrary files from outside the templates' directory when using a namespace like `@somewhere/../some.file`. In such a case, validation is bypassed. Versions 1.44.7, 2.15.3, and 3.4.3 contain a fix for validation of such template names. There are no known workarounds aside from upgrading.

https://github.com/twigphp/Twig/security/advisories/GHSA-52m2-vc4m-jj33

According to URL, fixes in 9.3.22 and 9.4.7. Looks like all of our
Drupal versions in tree EOL except 7.x, so please bump and cleanup EOL
branches.

Comment 1 Larry the Git Cow gentoo-dev

2023-03-11 11:05:29 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=17af39078f3deb881d566f11ca7b5191eee045f1

commit 17af39078f3deb881d566f11ca7b5191eee045f1
Author:     Viorel Munteanu <ceamac@gentoo.org>
AuthorDate: 2023-03-11 07:45:03 +0000
Commit:     Viorel Munteanu <ceamac@gentoo.org>
CommitDate: 2023-03-11 11:03:41 +0000

    www-apps/drupal: drop 9.2.18
    
    Bug: https://bugs.gentoo.org/851942
    Bug: https://bugs.gentoo.org/873361
    Closes: https://github.com/gentoo/gentoo/pull/30050
    Signed-off-by: Viorel Munteanu <ceamac@gentoo.org>

 www-apps/drupal/Manifest             |  1 -
 www-apps/drupal/drupal-9.2.18.ebuild | 68 ------------------------------------
 2 files changed, 69 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=48b5eb917955c7dbad99bdba04f4d988d66e1813

commit 48b5eb917955c7dbad99bdba04f4d988d66e1813
Author:     Viorel Munteanu <ceamac@gentoo.org>
AuthorDate: 2023-03-11 07:16:35 +0000
Commit:     Viorel Munteanu <ceamac@gentoo.org>
CommitDate: 2023-03-11 11:03:41 +0000

    www-apps/drupal: drop 9.1.15
    
    drupal 9.1 reached end of life and no longer receives security updates.
    
    Bug: https://bugs.gentoo.org/831818
    Bug: https://bugs.gentoo.org/835524
    Bug: https://bugs.gentoo.org/873361
    Signed-off-by: Viorel Munteanu <ceamac@gentoo.org>

 www-apps/drupal/Manifest             |  1 -
 www-apps/drupal/drupal-9.1.15.ebuild | 68 ------------------------------------
 2 files changed, 69 deletions(-)