[pkg-php-pear] Bug#1020991: php-twig: CVE-2022-39261

Salvatore Bonaccorso carnil at debian.org
Fri Sep 30 08:42:39 BST 2022


Source: php-twig
Version: 3.4.2-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>

Hi,

The following vulnerability was published for php-twig.

CVE-2022-39261[0]:
| Twig is a template language for PHP. Versions 1.x prior to 1.44.7, 2.x
| prior to 2.15.3, and 3.x prior to 3.4.3 encounter an issue when the
| filesystem loader loads templates for which the name is a user input.
| It is possible to use the `source` or `include` statement to read
| arbitrary files from outside the templates' directory when using a
| namespace like `@somewhere/../some.file`. In such a case, validation
| is bypassed. Versions 1.44.7, 2.15.3, and 3.4.3 contain a fix for
| validation of such template names. There are no known workarounds
| aside from upgrading.
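As an added illustration (not part of this report and not Twig's own code), the following standalone PHP 8 script models why a loader that validates the full template name, namespace prefix included, lets a name like `@somewhere/../some.file` through, while validating the short name after the namespace has been stripped rejects it. The function names and the level-counting logic are assumptions chosen for the demonstration; a real loader must additionally check that the resolved path stays under the namespace's configured directories.

```php
<?php
// Added example, not Twig's own code: a minimal model of template-name
// validation for a filesystem loader that supports "@namespace/path" names.
// Assumes PHP 8 (str_contains). It shows the weak check beside the hardened one.

declare(strict_types=1);

// Split "@namespace/short/name.twig" into [namespace, shortname].
// Names without a leading "@" belong to the default "__main__" namespace.
function parseTemplateName(string $name): array
{
    if ($name !== '' && $name[0] === '@') {
        $pos = strpos($name, '/');
        if ($pos === false) {
            throw new InvalidArgumentException(sprintf(
                'Malformed namespaced template name "%s" (expecting "@namespace/template_name").',
                $name
            ));
        }
        return [substr($name, 1, $pos - 1), substr($name, $pos + 1)];
    }
    return ['__main__', $name];
}

// Walk the path segments and keep a directory depth counter: ".." decrements,
// "." and empty segments are ignored, anything else increments. If the depth
// ever goes negative the name escapes the directory it is resolved against.
function escapesDirectory(string $path): bool
{
    if (str_contains($path, "\0")) {
        return true; // NUL bytes are never part of a legitimate template name
    }
    $level = 0;
    foreach (preg_split('#/|\\\\#', $path) as $part) {
        if ($part === '..') {
            --$level;
        } elseif ($part !== '.' && $part !== '') {
            ++$level;
        }
        if ($level < 0) {
            return true;
        }
    }
    return false;
}

// Weak check (models the pre-fix behaviour): validates the full name, so the
// "@somewhere" prefix counts as one level and cancels out a single "..".
function weakValidate(string $name): bool
{
    return !escapesDirectory($name);
}

// Hardened check: strip the namespace first, then validate the short name,
// which is the part actually joined onto the namespace's directory.
function hardenedValidate(string $name): bool
{
    [, $shortname] = parseTemplateName($name);
    return !escapesDirectory($shortname);
}

// Constructed sample names; the third is the pattern named in the advisory.
$cases = [
    'index.html.twig',           // plain name: both checks accept
    '@somewhere/page.twig',      // well-formed namespaced name: both accept
    '@somewhere/../some.file',   // weak check accepts, hardened check rejects
    '../outside.twig',           // both checks reject
];
foreach ($cases as $case) {
    printf(
        "%-28s weak=%-6s hardened=%s\n",
        $case,
        weakValidate($case) ? 'ok' : 'REJECT',
        hardenedValidate($case) ? 'ok' : 'REJECT'
    );
}
```

Run it with `php validate_names.php`; the third line of output is the one that matters, since it shows the full-name check reporting `ok` where the short-name check reports `REJECT`.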


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-39261
    https://www.cve.org/CVERecord?id=CVE-2022-39261
[1] https://github.com/twigphp/Twig/security/advisories/GHSA-52m2-vc4m-jj33
[2] https://github.com/twigphp/Twig/commit/35f3035c5deb0041da7b84daf02dea074ddc7a0b

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore