CVE-2022-24828 (https://github.com/composer/composer/commit/2c40c53637c5c7e43fff7c09d3d324d632734709): Composer is a dependency manager for the PHP programming language. Integrators using Composer code to call `VcsDriver::getFileContent` can have a code injection vulnerability if the user can control the `$file` or `$identifier` argument. This leads to a vulnerability on packagist.org for example where the composer.json's `readme` field can be used as a vector for injecting parameters into hg/Mercurial via the `$file` argument, or git via the `$identifier` argument if you allow arbitrary data there (Packagist does not, but maybe other integrators do). Composer itself should not be affected by the vulnerability as it does not call `getFileContent` with arbitrary data into `$file`/`$identifier`. To the best of our knowledge this was not abused, and the vulnerability has been patched on packagist.org and Private Packagist within a day of the vulnerability report. Please bump.
Ping. Please mask this package for removal or bump to at least version 2.2.12.
CVE-2023-43655 (https://github.com/composer/composer/security/advisories/GHSA-jm6m-4632-36hf): Composer is a dependency manager for PHP. Users publishing a composer.phar to a public web-accessible server where the composer.phar can be executed as a php file may be subject to a remote code execution vulnerability if PHP also has `register_argc_argv` enabled in php.ini. Versions 2.6.4, 2.2.22 and 1.10.27 patch this vulnerability. Users are advised to upgrade. Users unable to upgrade should make sure `register_argc_argv` is disabled in php.ini, and avoid publishing composer.phar to the web as this is not best practice.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9e5b2ad39d17d1463b1fd60206be42254ea146f0 commit 9e5b2ad39d17d1463b1fd60206be42254ea146f0 Author: Arthur Zamarin <arthurzam@gentoo.org> AuthorDate: 2024-07-26 17:13:30 +0000 Commit: Arthur Zamarin <arthurzam@gentoo.org> CommitDate: 2024-07-26 17:25:13 +0000 dev-php/composer: treeclean Closes: https://bugs.gentoo.org/934666 (pkgremoved) Closes: https://bugs.gentoo.org/877639 (pkgremoved) Closes: https://bugs.gentoo.org/900100 (pkgremoved) Bug: https://bugs.gentoo.org/838268 Signed-off-by: Arthur Zamarin <arthurzam@gentoo.org> dev-php/composer/Manifest | 1 - dev-php/composer/composer-2.1.12.ebuild | 80 --------------------------------- dev-php/composer/files/autoload.php.tpl | 12 ----- dev-php/composer/metadata.xml | 23 ---------- profiles/package.mask | 1 - 5 files changed, 117 deletions(-)