Bug#1020991: marked as done (php-twig: CVE-2022-39261)
Your message dated Tue, 11 Oct 2022 18:32:40 + with message-id and subject line
Bug#1020991: fixed in php-twig 2.14.3-1+deb11u2
has caused the Debian Bug report #1020991, regarding php-twig: CVE-2022-39261, to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
1020991: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1020991
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Source: php-twig
Version: 3.4.2-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team

Hi,

The following vulnerability was published for php-twig.

CVE-2022-39261[0]:
| Twig is a template language for PHP. Versions 1.x prior to 1.44.7, 2.x
| prior to 2.15.3, and 3.x prior to 3.4.3 encounter an issue when the
| filesystem loader loads templates for which the name is a user input.
| It is possible to use the `source` or `include` statement to read
| arbitrary files from outside the templates' directory when using a
| namespace like `@somewhere/../some.file`. In such a case, validation
| is bypassed. Versions 1.44.7, 2.15.3, and 3.4.3 contain a fix for
| validation of such template names. There are no known workarounds
| aside from upgrading.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-39261
    https://www.cve.org/CVERecord?id=CVE-2022-39261
[1] https://github.com/twigphp/Twig/security/advisories/GHSA-52m2-vc4m-jj33
[2] https://github.com/twigphp/Twig/commit/35f3035c5deb0041da7b84daf02dea074ddc7a0b

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---

--- Begin Message ---
Source: php-twig
Source-Version: 2.14.3-1+deb11u2
Done: David Prévot

We believe that the bug you reported is fixed in the latest version of php-twig, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 1020...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
David Prévot (supplier of updated php-twig package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 30 Sep 2022 11:22:27 +0200
Source: php-twig
Architecture: source
Version: 2.14.3-1+deb11u2
Distribution: bullseye-security
Urgency: medium
Maintainer: Debian PHP PEAR Maintainers
Changed-By: David Prévot
Closes: 1020991
Changes:
 php-twig (2.14.3-1+deb11u2) bullseye-security; urgency=medium
 .
   [ David Prevot ]
   * Backport security fix from 3.4.3 [CVE-2022-39261]
     Fix possibility to load a template outside a configured directory
     when using the filesystem loader.
     (Closes: #1020991)
--- End Message ---
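The bug report above describes how a namespaced name such as `@somewhere/../some.file` slipped past the filesystem loader's check. The following is an added example, not Twig's code and not part of this bug thread: a Python port of the level-counting validation a Twig-style loader applies to template names, with the check run on the full namespaced name beside the check run on the shortname after the namespace prefix, which is the ordering the backported fix adopts. The validation shape, the function names and the `accepted` helper are assumptions made for this illustration.

```python
# Added illustration, not Twig's own code; the validation shape below is assumed.

class LoaderError(ValueError):
    """A template name that would resolve outside the configured directories."""

def level_check(name: str) -> None:
    # Assumed shape of the loader's validation: walk the '/' segments, track the
    # directory depth, and reject any '..' that takes the depth below zero.
    if "\0" in name:
        raise LoaderError("template name contains a NUL byte")
    level = 0
    for part in name.replace("\\", "/").split("/"):
        if part == "..":
            level -= 1
        elif part != ".":
            level += 1
        if level < 0:
            raise LoaderError(f"template {name!r} escapes the configured directories")

def parse_name(name: str):
    # Split '@namespace/short/name' into (namespace, shortname).
    if not name.startswith("@"):
        return "__main__", name  # Twig's default namespace
    if "/" not in name:
        raise LoaderError(f"malformed namespaced template name {name!r}")
    namespace, shortname = name[1:].split("/", 1)
    return namespace, shortname

def find_template_vulnerable(name: str):
    # Weak ordering: validating the whole name lets the '@somewhere' segment
    # count as +1 depth, so the following '..' never drives the level negative.
    level_check(name)
    return parse_name(name)

def find_template_fixed(name: str):
    # Corrected ordering, as in the backported fix: split off the namespace
    # first, then validate the shortname that is actually joined onto a path.
    namespace, shortname = parse_name(name)
    level_check(shortname)
    return namespace, shortname

def accepted(finder, name: str) -> bool:
    # True when `finder` resolves `name` without raising LoaderError.
    try:
        finder(name)
        return True
    except LoaderError:
        return False
```

Plain traversal without a namespace is rejected by both orderings; only the namespaced form exposes the difference.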
Bug#1020991: marked as done (php-twig: CVE-2022-39261)
Your message dated Fri, 30 Sep 2022 10:20:48 + with message-id and subject line
Bug#1020991: fixed in php-twig 3.4.3-1
has caused the Debian Bug report #1020991, regarding php-twig: CVE-2022-39261, to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
1020991: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1020991
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Source: php-twig
Version: 3.4.2-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team

Hi,

The following vulnerability was published for php-twig.

CVE-2022-39261[0]:
| Twig is a template language for PHP. Versions 1.x prior to 1.44.7, 2.x
| prior to 2.15.3, and 3.x prior to 3.4.3 encounter an issue when the
| filesystem loader loads templates for which the name is a user input.
| It is possible to use the `source` or `include` statement to read
| arbitrary files from outside the templates' directory when using a
| namespace like `@somewhere/../some.file`. In such a case, validation
| is bypassed. Versions 1.44.7, 2.15.3, and 3.4.3 contain a fix for
| validation of such template names. There are no known workarounds
| aside from upgrading.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-39261
    https://www.cve.org/CVERecord?id=CVE-2022-39261
[1] https://github.com/twigphp/Twig/security/advisories/GHSA-52m2-vc4m-jj33
[2] https://github.com/twigphp/Twig/commit/35f3035c5deb0041da7b84daf02dea074ddc7a0b

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---

--- Begin Message ---
Source: php-twig
Source-Version: 3.4.3-1
Done: David Prévot

We believe that the bug you reported is fixed in the latest version of php-twig, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 1020...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
David Prévot (supplier of updated php-twig package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 30 Sep 2022 10:59:34 +0200
Source: php-twig
Architecture: source
Version: 3.4.3-1
Distribution: unstable
Urgency: medium
Maintainer: Debian PHP PEAR Maintainers
Changed-By: David Prévot
Closes: 1020991
Changes:
 php-twig (3.4.3-1) unstable; urgency=medium
 .
   [ Fabien Potencier ]
   * Fix a security issue on filesystem loader (possibility to load a
     template outside a configured directory) [CVE-2022-39261]
     (Closes: #1020991)
   * Prepare the 3.4.3 release
 .
   [ David Prevot ]
   * Update Standards-Version to 4.6.1