Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 838268 (CVE-2022-24828, CVE-2023-43655)

Summary: dev-php/composer: multiple vulnerabilities
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: CONFIRMED ---    
Severity: normal CC: bertrand, guillaumeseren, hydrapolic, neb.semqen.ramesses, php-bugs, proxy-maint
Priority: Normal Keywords: PMASKED
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://github.com/composer/composer/security/advisories/GHSA-x7cr-6qr6-2hh6
See Also: https://bugs.gentoo.org/show_bug.cgi?id=877639
Whiteboard: B2 [glsa?]
Package list:
Runtime testing required: ---
Bug Depends on: 934666    
Bug Blocks:    

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-04-13 23:42:17 UTC 
CVE-2022-24828 (https://github.com/composer/composer/commit/2c40c53637c5c7e43fff7c09d3d324d632734709):

Composer is a dependency manager for the PHP programming language. Integrators using Composer code to call `VcsDriver::getFileContent` can have a code injection vulnerability if the user can control the `$file` or `$identifier` argument. This leads to a vulnerability on packagist.org for example where the composer.json's `readme` field can be used as a vector for injecting parameters into hg/Mercurial via the `$file` argument, or git via the `$identifier` argument if you allow arbitrary data there (Packagist does not, but maybe other integrators do). Composer itself should not be affected by the vulnerability as it does not call `getFileContent` with arbitrary data into `$file`/`$identifier`. To the best of our knowledge this was not abused, and the vulnerability has been patched on packagist.org and Private Packagist within a day of the vulnerability report.

Please bump.
Comment 1 Hans de Graaff gentoo-dev Security 2023-10-15 08:51:34 UTC 
Ping. Please mask this package for removal or bump to at least version 2.2.12.
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-11-25 19:27:25 UTC 
CVE-2023-43655 (https://github.com/composer/composer/security/advisories/GHSA-jm6m-4632-36hf):

Composer is a dependency manager for PHP. Users publishing a composer.phar to a public web-accessible server where the composer.phar can be executed as a php file may be subject to a remote code execution vulnerability if PHP also has `register_argc_argv` enabled in php.ini. Versions 2.6.4, 2.2.22 and 1.10.27 patch this vulnerability. Users are advised to upgrade. Users unable to upgrade should make sure `register_argc_argv` is disabled in php.ini, and avoid publishing composer.phar to the web as this is not best practice.
Comment 3 Larry the Git Cow gentoo-dev 2024-07-26 17:26:08 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9e5b2ad39d17d1463b1fd60206be42254ea146f0

commit 9e5b2ad39d17d1463b1fd60206be42254ea146f0
Author:     Arthur Zamarin <arthurzam@gentoo.org>
AuthorDate: 2024-07-26 17:13:30 +0000
Commit:     Arthur Zamarin <arthurzam@gentoo.org>
CommitDate: 2024-07-26 17:25:13 +0000

    dev-php/composer: treeclean
    
    Closes: https://bugs.gentoo.org/934666 (pkgremoved)
    Closes: https://bugs.gentoo.org/877639 (pkgremoved)
    Closes: https://bugs.gentoo.org/900100 (pkgremoved)
    Bug: https://bugs.gentoo.org/838268
    Signed-off-by: Arthur Zamarin <arthurzam@gentoo.org>

 dev-php/composer/Manifest               |  1 -
 dev-php/composer/composer-2.1.12.ebuild | 80 ---------------------------------
 dev-php/composer/files/autoload.php.tpl | 12 -----
 dev-php/composer/metadata.xml           | 23 ----------
 profiles/package.mask                   |  1 -
 5 files changed, 117 deletions(-)