Security
Headlines
HeadlinesLatestCVEs

Headline

Ubuntu Security Notice USN-5947-1

Ubuntu Security Notice 5947-1 - Fabien Potencier discovered that Twig was not properly enforcing sandbox policies when dealing with objects automatically cast to strings by PHP. An attacker could possibly use this issue to expose sensitive information. This issue was only fixed in Ubuntu 16.04 ESM and Ubuntu 18.04 ESM. Marlon Starkloff discovered that Twig was not properly enforcing closure constraints in some of its array filtering functions. An attacker could possibly use this issue to execute arbitrary code. This issue was only fixed in Ubuntu 20.04 ESM.

Packet Storm
#vulnerability#ubuntu#php#perl#auth

==========================================================================
Ubuntu Security Notice USN-5947-1
March 13, 2023

php-twig, twig vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 22.04 LTS
  • Ubuntu 20.04 LTS
  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 ESM

Summary:

Several security issues were fixed in Twig.

Software Description:

  • php-twig: Flexible, fast, and secure template engine for PHP
  • twig: Flexible, fast, and secure template engine for PHP

Details:

Fabien Potencier discovered that Twig was not properly enforcing sandbox
policies when dealing with objects automatically cast to strings by PHP.
An attacker could possibly use this issue to expose sensitive information.
This issue was only fixed in Ubuntu 16.04 ESM and Ubuntu 18.04 ESM.
(CVE-2019-9942)

Marlon Starkloff discovered that Twig was not properly enforcing closure
constraints in some of its array filtering functions. An attacker could
possibly use this issue to execute arbitrary code. This issue was only
fixed in Ubuntu 20.04 ESM. (CVE-2022-23614)

Dariusz Tytko discovered that Twig was not properly verifying input data
utilized when defining pathnames used to access files in a system. An
attacker could possibly use this issue to access unauthorized resources
and expose sensitive information. (CVE-2022-39261)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.04 LTS:
php-twig 3.3.8-2ubuntu4+esm1

Ubuntu 20.04 LTS:
php-twig 2.12.5-1ubuntu0.1~esm1

Ubuntu 18.04 LTS:
php-twig 2.4.6-1ubuntu0.1~esm1

Ubuntu 16.04 ESM:
php-twig 1.23.1-1ubuntu4+esm1

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-5947-1
CVE-2019-9942, CVE-2022-23614, CVE-2022-39261

Package Information:

Related news

GHSA-52m2-vc4m-jj33: Twig may load a template outside a configured directory when using the filesystem loader

# Description When using the filesystem loader to load templates for which the name is a user input, it is possible to use the `source` or `include` statement to read arbitrary files from outside the templates directory when using a namespace like `@somewhere/../some.file` (in such a case, validation is bypassed). # Resolution We fixed validation for such template names. Even if the 1.x branch is not maintained anymore, a new version has been released. # Credits We would like to thank Dariusz Tytko for reporting the issue and Fabien Potencier for fixing the issue.

CVE-2022-39261: security #cve- Fix a security issue on filesystem loader (possibility… · twigphp/Twig@35f3035

Twig is a template language for PHP. Versions 1.x prior to 1.44.7, 2.x prior to 2.15.3, and 3.x prior to 3.4.3 encounter an issue when the filesystem loader loads templates for which the name is a user input. It is possible to use the `source` or `include` statement to read arbitrary files from outside the templates' directory when using a namespace like `@somewhere/../some.file`. In such a case, validation is bypassed. Versions 1.44.7, 2.15.3, and 3.4.3 contain a fix for validation of such template names. There are no known workarounds aside from upgrading.

CVE-2022-23614: Disallow non closures in `sort` filter when the sanbox mode is enabled · twigphp/Twig@2eb3308

Twig is an open source template language for PHP. When in a sandbox mode, the `arrow` parameter of the `sort` filter must be a closure to avoid attackers being able to run arbitrary PHP functions. In affected versions this constraint was not properly enforced and could lead to code injection of arbitrary PHP code. Patched versions now disallow calling non Closure in the `sort` filter as is the case for some other filters. Users are advised to upgrade.

Packet Storm: Latest News

Ubuntu Security Notice USN-7121-3