Message-Id: <20151011162925.4E1E3332310@smtpvbsrv1.mitre.org>
Date: Sun, 11 Oct 2015 12:29:25 -0400 (EDT)
From: cve-assign@...re.org
To: alessandro@...dini.me
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE Request: twig remote code execution

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> the Symfony project released a security advisory for the Twig PHP library:
> http://symfony.com/blog/security-release-twig-1-20-0
>
> The linked GitHub pull request provides the fixes:
> https://github.com/twigphp/Twig/pull/1759
>
> AFAICT there are least two issues: a remote code execution fixed by the "fixed
> sandbox security issue" patch, and at least another issue regarding access to
> "reserved macro names".
>
> The RCE deserves a CVE IMO, but I'm not sure about the other one (or if it is
> indeed only one issue).

The MITRE CVE team doesn't have any straightforward way to satisfy CVE
requests about an uncertain set of vulnerabilities (e.g., "least two
issues" and "if it is indeed only one"). If the information had been
broken down into specific independent vulnerabilities with distinct
discoverers, we would typically be able to provide a separate CVE ID per
discoverer; however, "I want to thank James Kettle who was the first to
report a RCE security issue, Alain Tiemblo, Christophe Coevoet, and
Fabien Potencier for finding more possible and dangerous RCEs." doesn't
really do that.

It's true that "Prevent importing or calling reserved macro names" seems
to correspond to a bug, but the listed references don't have any
statements about whether it's independently exploitable.

Similarly, the new code for "Accessing the environment from templates is
forbidden to prevent untrusted changes to the environment" in
a8a125ba9b31d20e8ad50e0d1078983ed7fa41a7 and
22500609b69a9f17a64102d9376cb114f706ee2f, which weren't mentioned in the
CVE request, seems like it is probably for a security-related bug fix;
however, again we don't know that it's independently exploitable.

So, what we'll do here is focus only on
30be07759a3de2558da5224f127d052ecf492e8f, which is described as "fixed
sandbox security issue" and suggests that the problem was that,
previously, a critical constraint of "A block must be a method on a
Twig_Template instance" wasn't being enforced.

Use CVE-2015-7809 for this 30be07759a3de2558da5224f127d052ecf492e8f
issue.

- --
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJWGo36AAoJEL54rhJi8gl5JT4P/3dZ+5epCCVOVR2ZXqPIMkuT
jlsjIjPqXX8cAFkhUnyQEGx5/SjjTxl4Ui8sNmFvJDkPfKs5RGPg9wW/LHu/3a6m
p+1m+Mn/vw2IjuRLgbBt/4dz4lHUfolhlcAS3PaCYpagB9cQbkRouEjBy0DuRYOj
yzREbGQhLnlS47zWf749/FN+xb65qppO9xP0MuXwv32Az9cdh73PewTs3XNu0+uh
EqQeG5QbJob52DXdapfUU+PQNQp+kLQrvJ49zb/89X2GJtom1Sm5zkifbG6GauOQ
o4zJrE92B5ux1BATKZu+K+ZHA1miSL5vq5sLP80cSF3mza0bxwbo+GK8i8opA/Vk
PkOGhdeDuoVSn3zxDHQmdg7Wza7jzI6azqGdX8bi+Faj3r4GoHN7sb7xia1bezN8
a99JRWv2HlLFT1cahNqOVK0ry8JPtb+PJyMleHXMVELsf754AQJeAO0J1diYCdq4
tktjOf20+jiJMbB3Ie/4343T6C2X1xk5CQrRbLnhN8Yq4pQojnBiiVhpvXKvxow3
XtYYHptOcoLR3lU88+w3Mxbwma4lNNjALu0uAOMpupJOOnXR8jNfMvA3HV6lfrwC
zTt9QWeVu1/M1iMibbMyr//n3YnKtkfvVyu4TO7DpM0gB3c7bMFseuHMZ0QNijXR
X9kopzfIDNWsVlrNsJpx
=y/pK
-----END PGP SIGNATURE-----
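The constraint the assignment above quotes, "A block must be a method on a Twig_Template instance", is easiest to see with a stand-in for Twig's block dispatch. The following is an added illustration written for this page, not Twig's own code and not the patched method from commit 30be0775: the classes DemoTemplate and DemoHelper, the blocks table and both displayBlock variants are constructed here so the file runs without Twig installed. It shows why a dispatcher that blindly calls whatever object and method name sits in a blocks entry lets a caller reach methods outside the template, and how the instanceof check closes that off.

```php
<?php
// Added illustration, not Twig's code. DemoTemplate stands in for
// Twig_Template and DemoHelper for any unrelated object a template
// rendering could get a reference to (both constructed for this example).

class DemoTemplate
{
    // A real block: a method on the template object, called with the context.
    public function block_title(array $context)
    {
        return 'Title: ' . ($context['title'] ?? '');
    }
}

class DemoHelper
{
    // Stands in for a method with side effects that a sandboxed
    // template should never be able to reach through block dispatch.
    public function run(array $context)
    {
        return 'side effect with ' . json_encode($context);
    }
}

// Unguarded dispatch: assumes every entry in $blocks is [template, method]
// and calls it without checking what the target object actually is.
function displayBlockUnguarded(string $name, array $context, array $blocks)
{
    list($target, $method) = $blocks[$name];
    return $target->$method($context);
}

// Guarded dispatch: enforces the constraint quoted in the CVE assignment
// before the dynamic method call happens.
function displayBlockGuarded(string $name, array $context, array $blocks)
{
    list($target, $method) = $blocks[$name];
    if (!$target instanceof DemoTemplate) {
        throw new LogicException('A block must be a method on a Twig_Template instance.');
    }
    return $target->$method($context);
}

// Constructed blocks table: one legitimate entry, one that points at an
// object which is not a template at all.
$context = ['title' => 'hello'];
$blocks = [
    'title'  => [new DemoTemplate(), 'block_title'],
    'rogue'  => [new DemoHelper(), 'run'],
];

echo displayBlockUnguarded('title', $context, $blocks), "\n";
// Without the check, the 'rogue' entry is dispatched like any other block.
echo displayBlockUnguarded('rogue', $context, $blocks), "\n";

echo displayBlockGuarded('title', $context, $blocks), "\n";
try {
    displayBlockGuarded('rogue', $context, $blocks);
} catch (LogicException $e) {
    echo 'blocked: ', $e->getMessage(), "\n";
}
```

The point of the check is that the method name in a blocks entry is interpolated into a dynamic call; restricting the receiver to template instances means the only methods reachable that way are the compiled block_* methods, rather than whatever the receiver object happens to expose.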