USN-5947-1: Twig vulnerabilities
13 March 2023
Several security issues were fixed in Twig.
- php-twig - Flexible, fast, and secure template engine for PHP
- twig - Flexible, fast, and secure template engine for PHP
Fabien Potencier discovered that Twig was not properly enforcing sandbox
policies when dealing with objects automatically cast to strings by PHP.
An attacker could possibly use this issue to expose sensitive information.
This issue was only fixed in Ubuntu 16.04 ESM and Ubuntu 18.04 ESM.
Marlon Starkloff discovered that Twig was not properly enforcing closure
constraints in some of its array filtering functions. An attacker could
possibly use this issue to execute arbitrary code. This issue was only
fixed in Ubuntu 20.04 ESM. (CVE-2022-23614)
Dariusz Tytko discovered that Twig was not properly verifying input data
utilized when defining pathnames used to access files in a system. An
attacker could possibly use this issue to access unauthorized resources
and expose sensitive information. (CVE-2022-39261)
The problem can be corrected by updating your system to the following package versions:
- php-twig - 3.3.8-2ubuntu4+esm1
- php-twig - 2.12.5-1ubuntu0.1~esm1
- php-twig - 2.4.6-1ubuntu0.1~esm1
- php-twig - 1.23.1-1ubuntu4+esm1
In general, a standard system update will make all the necessary changes.