Version in base suite: 3.5.1-1
Base version: php-twig_3.5.1-1
Target version: php-twig_3.5.1-1+deb12u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/p/php-twig/php-twig_3.5.1-1.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/p/php-twig/php-twig_3.5.1-1+deb12u1.dsc
 changelog | 8
 gbp.conf | 2
 patches/0002-Fix-a-security-issue-when-an-included-sandboxed-temp.patch | 100 ++++++++++
 patches/series | 1
 4 files changed, 110 insertions(+), 1 deletion(-)
diff -Nru php-twig-3.5.1/debian/changelog php-twig-3.5.1/debian/changelog
--- php-twig-3.5.1/debian/changelog 2023-02-11 06:38:40.000000000 +0000
+++ php-twig-3.5.1/debian/changelog 2024-09-14 15:27:44.000000000 +0000
@@ -1,3 +1,11 @@
+php-twig (3.5.1-1+deb12u1) bookworm-security; urgency=medium
+
+ * Fix a security issue when an included sandboxed template has been loaded
+ before without the sandbox context [CVE-2024-45411] (Closes: #1081561)
+ * Track bookworm
+
+ -- David Prévot Sat, 14 Sep 2024 17:27:44 +0200
+
 php-twig (3.5.1-1) unstable; urgency=medium
 
 [ Fabien Potencier ]
diff -Nru php-twig-3.5.1/debian/gbp.conf php-twig-3.5.1/debian/gbp.conf
--- php-twig-3.5.1/debian/gbp.conf 2022-12-21 06:26:26.000000000 +0000
+++ php-twig-3.5.1/debian/gbp.conf 2024-09-14 15:27:44.000000000 +0000
@@ -1,5 +1,5 @@
 [DEFAULT]
-debian-branch = debian/latest
+debian-branch = debian/bookworm
 pristine-tar = True
 filter = [ '.gitattributes' ]
 upstream-vcs-tag = v%(version%~%-)s
diff -Nru php-twig-3.5.1/debian/patches/0002-Fix-a-security-issue-when-an-included-sandboxed-temp.patch php-twig-3.5.1/debian/patches/0002-Fix-a-security-issue-when-an-included-sandboxed-temp.patch
--- php-twig-3.5.1/debian/patches/0002-Fix-a-security-issue-when-an-included-sandboxed-temp.patch 1970-01-01 00:00:00.000000000 +0000
+++ php-twig-3.5.1/debian/patches/0002-Fix-a-security-issue-when-an-included-sandboxed-temp.patch 2024-09-14 15:27:44.000000000 +0000
@@ -0,0 +1,100 @@
+From: Fabien Potencier
+Date: Mon, 9 Sep 2024 18:53:26 +0200
+Subject: Fix a security issue when an included sandboxed template has been
+ loaded before without the sandbox context
+
+Origin: backport, https://github.com/twigphp/Twig/commit/2102dd135986db79192d26fb5f5817a566e0a7de
+Bug: https://github.com/twigphp/Twig/security/advisories/GHSA-6j75-5wfj-gh66
+Bug-Debian: https://bugs.debian.org/1081561
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2024-45411
+---
+ src/Extension/CoreExtension.php | 11 ++++-------
+ tests/Extension/CoreTest.php | 38 ++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 42 insertions(+), 7 deletions(-)
+
+diff --git a/src/Extension/CoreExtension.php b/src/Extension/CoreExtension.php
+index f99adda..50c4109 100644
+--- a/src/Extension/CoreExtension.php
++++ b/src/Extension/CoreExtension.php
+@@ -1325,13 +1325,6 @@ function twig_include(Environment $env, $context, $template, $variables = [], $w
+ if (!$alreadySandboxed = $sandbox->isSandboxed()) {
+ $sandbox->enableSandbox();
+ }
+-
+- foreach ((\is_array($template) ? $template : [$template]) as $name) {
+- // if a Template instance is passed, it might have been instantiated outside of a sandbox, check security
+- if ($name instanceof TemplateWrapper || $name instanceof Template) {
+- $name->unwrap()->checkSecurity();
+- }
+- }
+ }
+
+ try {
+@@ -1344,6 +1337,10 @@ function twig_include(Environment $env, $context, $template, $variables = [], $w
+ }
+ }
+
++ if ($isSandboxed && $loaded) {
++ $loaded->unwrap()->checkSecurity();
++ }
++
+ return $loaded ? $loaded->render($variables) : '';
+ } finally {
+ if ($isSandboxed && !$alreadySandboxed) {
+diff --git a/tests/Extension/CoreTest.php b/tests/Extension/CoreTest.php
+index 29a799b..82c1ade 100644
+--- a/tests/Extension/CoreTest.php
++++ b/tests/Extension/CoreTest.php
+@@ -14,7 +14,11 @@ namespace Twig\Tests\Extension;
+ use PHPUnit\Framework\TestCase;
+ use Twig\Environment;
+ use Twig\Error\RuntimeError;
++use Twig\Extension\SandboxExtension;
++use Twig\Loader\ArrayLoader;
+ use Twig\Loader\LoaderInterface;
++use Twig\Sandbox\SecurityError;
++use Twig\Sandbox\SecurityPolicy;
+
+ class CoreTest extends TestCase
+ {
+@@ -326,6 +330,40 @@ class CoreTest extends TestCase
+ [1, 42, "\x00\x34\x32"],
+ ];
+ }
++
++ public function testSandboxedInclude()
++ {
++ $twig = new Environment(new ArrayLoader([
++ 'index' => '{{ include("included", sandboxed=true) }}',
++ 'included' => '{{ "included"|e }}',
++ ]));
++ $policy = new SecurityPolicy([], [], [], [], ['include']);
++ $sandbox = new SandboxExtension($policy, false);
++ $twig->addExtension($sandbox);
++
++ // We expect a compile error
++ $this->expectException(SecurityError::class);
++ $twig->render('index');
++ }
++
++ public function testSandboxedIncludeWithPreloadedTemplate()
++ {
++ $twig = new Environment(new ArrayLoader([
++ 'index' => '{{ include("included", sandboxed=true) }}',
++ 'included' => '{{ "included"|e }}',
++ ]));
++ $policy = new SecurityPolicy([], [], [], [], ['include']);
++ $sandbox = new SandboxExtension($policy, false);
++ $twig->addExtension($sandbox);
++
++ // The template is loaded without the sandbox enabled
++ // so, no compile error
++ $twig->load('included');
++
++ // We expect a runtime error
++ $this->expectException(SecurityError::class);
++ $twig->render('index');
++ }
+ }
+
+ final class CoreTestIteratorAggregate implements \IteratorAggregate
diff -Nru php-twig-3.5.1/debian/patches/series php-twig-3.5.1/debian/patches/series
--- php-twig-3.5.1/debian/patches/series 2023-02-11 06:37:21.000000000 +0000
+++ php-twig-3.5.1/debian/patches/series 2024-09-14 15:27:44.000000000 +0000
@@ -1 +1,2 @@
 0001-Match-current-ICU-output.patch
+0002-Fix-a-security-issue-when-an-included-sandboxed-temp.patch
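Review bot: The new check `if ($isSandboxed && $loaded) { $loaded->unwrap()->checkSecurity(); }` in the second CoreExtension.php hunk of the backported patch has no comment, and the only in-code explanation of why a security check is needed here (the removed loop's "it might have been instantiated outside of a sandbox") goes away with the old code, so a future maintainer has nothing telling them this call must stay after template resolution and before `render()`. I would add above the block: `// The included template may have been compiled and loaded earlier without the sandbox enabled, so compile-time checks cannot be relied on; re-check at include time whatever form $template took (CVE-2024-45411)`. Moving the check onto the resolved `$loaded` appears to cover both the string-name case and the Template/TemplateWrapper case the old loop handled, since both end as `$loaded`; the resolution code sits between the two hunks and is not visible, so I could not confirm that every path assigns it. twig_include begins and ends outside the hunk, and the `finally` that undoes `enableSandbox()` is cut off after its `if`, so the disable call itself is not shown; the added test testSandboxedIncludeWithPreloadedTemplate is the one that exercises the preloaded case.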