Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Sun, 11 Oct 2015 12:29:25 -0400 (EDT)
From: cve-assign@...re.org
To: alessandro@...dini.me
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE Request: twig remote code execution

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> the symphony project released a security advisory for the Twig PHP library:
> http://symfony.com/blog/security-release-twig-1-20-0
> 
> The linked GitHub pull requests provides the fixes:
> https://github.com/twigphp/Twig/pull/1759
> 
> AFAICT there are least two issues: a remote code execution fixed by the "fixed
> sandbox security issue" patch, and at least another issue regarding access to
> "reserved macro names".
> 
> The RCE deserves a CVE IMO, but I'm not sure about the other one (or if it is
> indeed only one issue).

The MITRE CVE team doesn't have any straightforward way to satisfy CVE
requests about an uncertain set of vulnerabilities (e.g., "least two
issues" and "if it is indeed only one").

If the information had been broken down into specific independent
vulnerabilities with distinct discoverers, we would typically be able
to provide a separate CVE ID per discoverer; however, "I want to thank
James Kettle who was the first to report a RCE security issue, Alain
Tiemblo, Christophe Coevoet, and Fabien Potencier for finding more
possible and dangerous RCEs." doesn't really do that.

It's true that "Prevent importing or calling reserved macro names"
seems to correspond to a bug, but the listed references don't have any
statements about whether it's independently exploitable.

Similarly, the new code for "Accessing the environment from templates
is forbidden to prevent untrusted changes to the environment" in
a8a125ba9b31d20e8ad50e0d1078983ed7fa41a7 and
22500609b69a9f17a64102d9376cb114f706ee2f, which weren't mentioned in
the CVE request, seems like it is probably for a security-related bug
fix; however, again we don't know that it's independently exploitable.

So, what we'll do here is focus only on
30be07759a3de2558da5224f127d052ecf492e8f, which is described as "fixed
sandbox security issue" and suggests that the problem was that,
previously, a critical constraint of "A block must be a method on a
Twig_Template instance" wasn't being enforced. Use CVE-2015-7809 for
this 30be07759a3de2558da5224f127d052ecf492e8f issue.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJWGo36AAoJEL54rhJi8gl5JT4P/3dZ+5epCCVOVR2ZXqPIMkuT
jlsjIjPqXX8cAFkhUnyQEGx5/SjjTxl4Ui8sNmFvJDkPfKs5RGPg9wW/LHu/3a6m
p+1m+Mn/vw2IjuRLgbBt/4dz4lHUfolhlcAS3PaCYpagB9cQbkRouEjBy0DuRYOj
yzREbGQhLnlS47zWf749/FN+xb65qppO9xP0MuXwv32Az9cdh73PewTs3XNu0+uh
EqQeG5QbJob52DXdapfUU+PQNQp+kLQrvJ49zb/89X2GJtom1Sm5zkifbG6GauOQ
o4zJrE92B5ux1BATKZu+K+ZHA1miSL5vq5sLP80cSF3mza0bxwbo+GK8i8opA/Vk
PkOGhdeDuoVSn3zxDHQmdg7Wza7jzI6azqGdX8bi+Faj3r4GoHN7sb7xia1bezN8
a99JRWv2HlLFT1cahNqOVK0ry8JPtb+PJyMleHXMVELsf754AQJeAO0J1diYCdq4
tktjOf20+jiJMbB3Ie/4343T6C2X1xk5CQrRbLnhN8Yq4pQojnBiiVhpvXKvxow3
XtYYHptOcoLR3lU88+w3Mxbwma4lNNjALu0uAOMpupJOOnXR8jNfMvA3HV6lfrwC
zTt9QWeVu1/M1iMibbMyr//n3YnKtkfvVyu4TO7DpM0gB3c7bMFseuHMZ0QNijXR
X9kopzfIDNWsVlrNsJpx
=y/pK
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.