Version in base suite: 2.14.3-1 Base version: php-twig_2.14.3-1 Target version: php-twig_2.14.3-1+deb11u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/p/php-twig/php-twig_2.14.3-1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/p/php-twig/php-twig_2.14.3-1+deb11u1.dsc changelog | 8 patches/0002-Disallow-non-closures-in-sort-filter-when-the-sanbox.patch | 101 ++++++++++ patches/series | 1 3 files changed, 110 insertions(+)
diff -Nru php-twig-2.14.3/debian/changelog php-twig-2.14.3/debian/changelog
--- php-twig-2.14.3/debian/changelog 2021-01-07 22:41:35.000000000 +0000
+++ php-twig-2.14.3/debian/changelog 2022-03-17 12:41:33.000000000 +0000
@@ -1,3 +1,11 @@
+php-twig (2.14.3-1+deb11u1) bullseye-security; urgency=high
+
+ * Backport fix from 3.3.8 [CVE-2022-23614]
+ Disallow calling non Closure in the `sort` filter as is the case for
+ some other filters.
+
+ -- David Prévot Thu, 17 Mar 2022 13:41:33 +0100
+
 php-twig (2.14.3-1) unstable; urgency=medium
 
 [ Fabien Potencier ]
diff -Nru php-twig-2.14.3/debian/patches/0002-Disallow-non-closures-in-sort-filter-when-the-sanbox.patch php-twig-2.14.3/debian/patches/0002-Disallow-non-closures-in-sort-filter-when-the-sanbox.patch
--- php-twig-2.14.3/debian/patches/0002-Disallow-non-closures-in-sort-filter-when-the-sanbox.patch 1970-01-01 00:00:00.000000000 +0000
+++ php-twig-2.14.3/debian/patches/0002-Disallow-non-closures-in-sort-filter-when-the-sanbox.patch 2022-03-17 12:41:33.000000000 +0000 
@@ -0,0 +1,101 @@
+From: Fabien Potencier
+Date: Fri, 4 Feb 2022 07:07:46 +0100
+Subject: Disallow non closures in `sort` filter when the sanbox mode is
+ enabled
+
+Origin: upstream, https://github.com/twigphp/Twig/commit/2eb33080558611201b55079d07ac88f207b466d5
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2022-23614
+---
+ src/Extension/CoreExtension.php | 25 ++++++++++++++-----------
+ tests/Extension/SandboxTest.php | 2 +-
+ 2 files changed, 15 insertions(+), 12 deletions(-)
+
+diff --git a/src/Extension/CoreExtension.php b/src/Extension/CoreExtension.php
+index 0ebef7f..59bc854 100644
+--- a/src/Extension/CoreExtension.php
++++ b/src/Extension/CoreExtension.php
+@@ -237,7 +237,7 @@ final class CoreExtension extends AbstractExtension
+ // array helpers
+ new TwigFilter('join', 'twig_join_filter'),
+ new TwigFilter('split', 'twig_split_filter', ['needs_environment' => true]),
+- new TwigFilter('sort', 'twig_sort_filter'),
++ new TwigFilter('sort', 'twig_sort_filter', ['needs_environment' => true]),
+ new TwigFilter('merge', 'twig_array_merge'),
+ new TwigFilter('batch', 'twig_array_batch'),
+ new TwigFilter('column', 'twig_array_column'),
+@@ -907,7 +907,7 @@ function twig_reverse_filter(Environment $env, $item, $preserveKeys = false)
+ *
+ * @return array
+ */
+-function twig_sort_filter($array, $arrow = null)
++function twig_sort_filter(Environment $env, $array, $arrow = null)
+ {
+ if ($array instanceof \Traversable) {
+ $array = iterator_to_array($array);
+@@ -916,6 +916,8 @@ function twig_sort_filter($array, $arrow = null)
+ }
+
+ if (null !== $arrow) {
++ twig_check_arrow_in_sandbox($env, $arrow, 'sort', 'filter');
++
+ uasort($array, $arrow);
+ } else {
+ asort($array);
+@@ -1549,9 +1551,7 @@ function twig_array_filter(Environment $env, $array, $arrow)
+ throw new RuntimeError(sprintf('The "filter" filter expects an array or "Traversable", got "%s".', \is_object($array) ? 
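Review bot: In the `@@ -907,7 +907,7 @@` hunk, `twig_sort_filter` gains a required leading `Environment $env` parameter, which changes the signature of a global function. The registration in the `@@ -237,7 +237,7 @@` hunk passes it via `needs_environment`, but any code outside this patch that calls `twig_sort_filter($array)` directly would now fail with a TypeError. Only the tail of the docblock (`@return array`) is visible here, so confirm that it documents the new parameter, for example `* @param Environment $env used to check whether the sandbox is active`.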
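Review bot: The new `twig_check_arrow_in_sandbox($env, $arrow, 'sort', 'filter');` call in the `@@ -916,6 +916,8 @@` hunk has no regression test in this patch. The patch's diffstat lists only a one-line change to `tests/Extension/SandboxTest.php`, and that change is the message text for `filter`. A test modelled on `testSandboxWithNoClosureFilter` that applies `sort` with a non-Closure callable in a sandboxed environment and expects `RuntimeError` would pin the fix for CVE-2022-23614. The guard runs only when `$arrow` is non-null, which matches the `asort` fallback below it; the function body continues outside the hunk.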
\get_class($array) : \gettype($array)));
+ }
+
+- if (!$arrow instanceof Closure && $env->hasExtension('\Twig\Extension\SandboxExtension') && $env->getExtension('\Twig\Extension\SandboxExtension')->isSandboxed()) {
+- throw new RuntimeError('The callable passed to "filter" filter must be a Closure in sandbox mode.');
+- }
++ twig_check_arrow_in_sandbox($env, $arrow, 'filter', 'filter');
+
+ if (\is_array($array)) {
+ return array_filter($array, $arrow, \ARRAY_FILTER_USE_BOTH);
+@@ -1563,9 +1563,7 @@ function twig_array_filter(Environment $env, $array, $arrow)
+
+ function twig_array_map(Environment $env, $array, $arrow)
+ {
+- if (!$arrow instanceof Closure && $env->hasExtension('\Twig\Extension\SandboxExtension') && $env->getExtension('\Twig\Extension\SandboxExtension')->isSandboxed()) {
+- throw new RuntimeError('The callable passed to the "map" filter must be a Closure in sandbox mode.');
+- }
++ twig_check_arrow_in_sandbox($env, $arrow, 'map', 'filter');
+
+ $r = [];
+ foreach ($array as $k => $v) {
+@@ -1577,9 +1575,7 @@ function twig_array_map(Environment $env, $array, $arrow)
+
+ function twig_array_reduce(Environment $env, $array, $arrow, $initial = null)
+ {
+- if (!$arrow instanceof Closure && $env->hasExtension('\Twig\Extension\SandboxExtension') && $env->getExtension('\Twig\Extension\SandboxExtension')->isSandboxed()) {
+- throw new RuntimeError('The callable passed to the "reduce" filter must be a Closure in sandbox mode.');
+- }
++ twig_check_arrow_in_sandbox($env, $arrow, 'reduce', 'filter');
+
+ if (!\is_array($array)) {
+ if (!$array instanceof \Traversable) {
+@@ -1591,4 +1587,11 @@ function twig_array_reduce(Environment $env, $array, $arrow, $initial = null)
+
+ return array_reduce($array, $arrow, $initial);
+ }
++
++function twig_check_arrow_in_sandbox(Environment $env, $arrow, $thing, $type)
++{
++ if (!$arrow instanceof Closure && $env->hasExtension('\Twig\Extension\SandboxExtension') && 
$env->getExtension('\Twig\Extension\SandboxExtension')->isSandboxed()) {
++ throw new RuntimeError(sprintf('The callable passed to the "%s" %s must be a Closure in sandbox mode.', $thing, $type));
++ }
++}
+ }
+diff --git a/tests/Extension/SandboxTest.php b/tests/Extension/SandboxTest.php
+index 0d9bc0a..e365da632 100644
+--- a/tests/Extension/SandboxTest.php
++++ b/tests/Extension/SandboxTest.php
+@@ -390,7 +390,7 @@ EOF
+ public function testSandboxWithNoClosureFilter()
+ {
+ $this->expectException('\Twig\Error\RuntimeError');
+- $this->expectExceptionMessage('The callable passed to "filter" filter must be a Closure in sandbox mode in "index" at line 1.');
++ $this->expectExceptionMessage('The callable passed to the "filter" filter must be a Closure in sandbox mode in "index" at line 1.');
+
+ $twig = $this->getEnvironment(true, ['autoescape' => 'html'], ['index' => <<
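Review bot: `twig_check_arrow_in_sandbox`, added in the `@@ -1591,4 +1587,11 @@` hunk, is now the single gate that restricts template-supplied callables to Closures in sandbox mode, yet it is introduced without a docblock. A short one should mark it `@internal`, add `@throws RuntimeError`, and state the contract, for example `// Every filter that invokes a callable received from a template must call this first.` The earlier per-filter copies of this condition are presumably how `sort` came to be missed, so the rule is worth writing down next to the helper. It would also help to note that `$thing` and `$type` only feed the error message and do not affect the decision.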