USN-5947-1: Twig vulnerabilities

Releases

• Ubuntu 22.04 LTS
• Ubuntu 20.04 LTS
• Ubuntu 18.04 ESM
• Ubuntu 16.04 ESM

Packages

• php-twig - Flexible, fast, and secure template engine for PHP
• twig - Flexible, fast, and secure template engine for PHP

Details

Fabien Potencier discovered that Twig was not properly enforcing sandbox
policies when dealing with objects automatically cast to strings by PHP.
An attacker could possibly use this issue to expose sensitive information.
This issue was only fixed in Ubuntu 16.04 ESM and Ubuntu 18.04 ESM.
(CVE-2019-9942)

Marlon Starkloff discovered that Twig was not properly enforcing closure
constraints in some of its array filtering functions. An attacker could
possibly use this issue to execute arbitrary code. This issue was only
fixed in Ubuntu 20.04 ESM. (CVE-2022-23614)

Dariusz Tytko discovered that Twig was not properly verifying input data
utilized when defining pathnames used to access files in a system. An
attacker could possibly use this issue to access unauthorized resources
and expose sensitive information. (CVE-2022-39261)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 22.04

• php-twig - 3.3.8-2ubuntu4+esm1
  Available with Ubuntu Pro

Ubuntu 20.04

• php-twig - 2.12.5-1ubuntu0.1~esm1
  Available with Ubuntu Pro

Ubuntu 18.04

• php-twig - 2.4.6-1ubuntu0.1~esm1
  Available with Ubuntu Pro

Ubuntu 16.04

• php-twig - 1.23.1-1ubuntu4+esm1
  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References

• CVE-2019-9942
• CVE-2022-23614
• CVE-2022-39261