Ubuntu 6586 Published by

A Twig security update has been released for Ubuntu Linux 16.04 ESM, 18.04 LTS, 20.04 LTS, and 22.04 LTS.



USN-5947-1: Twig vulnerabilities


==========================================================================
Ubuntu Security Notice USN-5947-1
March 13, 2023

php-twig, twig vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 ESM

Summary:

Several security issues were fixed in Twig.

Software Description:
- php-twig: Flexible, fast, and secure template engine for PHP
- twig: Flexible, fast, and secure template engine for PHP

Details:

Fabien Potencier discovered that Twig was not properly enforcing sandbox
policies when dealing with objects automatically cast to strings by PHP.
An attacker could possibly use this issue to expose sensitive information.
This issue was only fixed in Ubuntu 16.04 ESM and Ubuntu 18.04 ESM.
(CVE-2019-9942)

Marlon Starkloff discovered that Twig was not properly enforcing closure
constraints in some of its array filtering functions. An attacker could
possibly use this issue to execute arbitrary code. This issue was only
fixed in Ubuntu 20.04 ESM. (CVE-2022-23614)

Dariusz Tytko discovered that Twig was not properly verifying input data
utilized when defining pathnames used to access files in a system. An
attacker could possibly use this issue to access unauthorized resources
and expose sensitive information. (CVE-2022-39261)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.04 LTS:
php-twig 3.3.8-2ubuntu4+esm1

Ubuntu 20.04 LTS:
php-twig 2.12.5-1ubuntu0.1~esm1

Ubuntu 18.04 LTS:
php-twig 2.4.6-1ubuntu0.1~esm1

Ubuntu 16.04 ESM:
php-twig 1.23.1-1ubuntu4+esm1

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-5947-1
CVE-2019-9942, CVE-2022-23614, CVE-2022-39261

Package Information: