Your message dated Sun, 03 Mar 2024 13:17:47 +0000
with message-id <e1rglit-00a6m4...@fasolo.debian.org>
and subject line Bug#1063603: fixed in composer 2.0.9-2+deb11u2
has caused the Debian Bug report #1063603,
regarding composer: CVE-2024-24821
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1063603: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063603
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: composer
Version: 2.6.6-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerability was published for composer.
CVE-2024-24821[0]:
| Composer is a dependency Manager for the PHP language. In affected
| versions several files within the local working directory are
| included during the invocation of Composer and in the context of the
| executing user. As such, under certain conditions arbitrary code
| execution may lead to local privilege escalation, provide lateral
| user movement or malicious code execution when Composer is invoked
| within a directory with tampered files. All Composer CLI commands
| are affected, including composer.phar's self-update. The following
| scenarios are of high risk: Composer being run with sudo, Pipelines
| which may execute Composer on untrusted projects, Shared
| environments with developers who run Composer individually on the
| same project. This vulnerability has been addressed in versions
| 2.7.0 and 2.2.23. It is advised that the patched versions are
| applied at the earliest convenience. Where not possible, the
| following should be addressed: Remove all sudo composer privileges
| for all users to mitigate root privilege escalation, and avoid
| running Composer within an untrusted directory, or if needed, verify
| that the contents of `vendor/composer/InstalledVersions.php` and
| `vendor/composer/installed.php` do not include untrusted code. A
| reset can also be done on these files by the following:```sh rm
| vendor/composer/installed.php vendor/composer/InstalledVersions.php
| composer install --no-scripts --no-plugins ```
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-24821
https://www.cve.org/CVERecord?id=CVE-2024-24821
[1] https://github.com/composer/composer/security/advisories/GHSA-7c6p-848j-wh5h
[2]
https://github.com/composer/composer/commit/64e4eb356b159a30c766cd1ea83450a38dc23bf5
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: composer
Source-Version: 2.0.9-2+deb11u2
Done: David Prévot <taf...@debian.org>
We believe that the bug you reported is fixed in the latest version of
composer, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1063...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
David Prévot <taf...@debian.org> (supplier of updated composer package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sun, 18 Feb 2024 09:05:37 +0100
Source: composer
Architecture: source
Version: 2.0.9-2+deb11u2
Distribution: bullseye
Urgency: medium
Maintainer: Debian PHP PEAR Maintainers <pkg-php-p...@lists.alioth.debian.org>
Changed-By: David Prévot <taf...@debian.org>
Closes: 1063603
Changes:
composer (2.0.9-2+deb11u2) bullseye; urgency=medium
.
[ David Prévot ]
* Force system dependencies loading
* Import Pcre
.
[ Bastien Roucariès ]
* Merge pull request from GHSA-7c6p-848j-wh5h [CVE-2024-24821]
(Closes: #1063603)
Checksums-Sha1:
2979fca50d1d9799d7ae6548c6836210cd686e71 2103 composer_2.0.9-2+deb11u2.dsc
e8512695578a43d0a718b0ee14fd63cf6cccbcdc 803188 composer_2.0.9.orig.tar.xz
21d2219c080a851d84c14a3de3aefbbea787931b 29776
composer_2.0.9-2+deb11u2.debian.tar.xz
9213d670b570e5a5c5c964e3e710cf0599e435d5 9846
composer_2.0.9-2+deb11u2_amd64.buildinfo
Checksums-Sha256:
7252dcba4f933cbc83814686711b1791ba685eb0c2b4c0b22474f3b85dcfbb20 2103
composer_2.0.9-2+deb11u2.dsc
8868baee01986b93e2fc88dcd3989af16e228fcc4028561aacfbf5b778eb2216 803188
composer_2.0.9.orig.tar.xz
4e5b288820015c37f61aaebd7f54abcf14188104b37c10c5e825cb7eced6d7da 29776
composer_2.0.9-2+deb11u2.debian.tar.xz
0741e6d8f18ca3bb1f02f87b9d7adc1360594447fc66d39da73f4cba8248774e 9846
composer_2.0.9-2+deb11u2_amd64.buildinfo
Files:
94b6d2b749469d140e35ce93c2bce921 2103 php optional composer_2.0.9-2+deb11u2.dsc
828a4c4322fb8e384d35743ddc52be6b 803188 php optional composer_2.0.9.orig.tar.xz
ef21ec97a6de5b51e2450d51cbc0801a 29776 php optional
composer_2.0.9-2+deb11u2.debian.tar.xz
86fb71921ff07c5994db947c04ca120e 9846 php optional
composer_2.0.9-2+deb11u2_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQFGBAEBCAAwFiEEeHVNB7wJXHRI941mBYwc+UT2vTwFAmXYmpkSHHRhZmZpdEBk
ZWJpYW4ub3JnAAoJEAWMHPlE9r08r5kH+wdPPwlU73mUPXTfHv0sGIrD+Y61aAwF
uy1nt1nRWa/4og9vWbb6Yi82iHJKRgA6eoWKdouhynTuvVbXBAOTTFhgSNKUuws/
vAfunxh8Laobo0wSNzWCFJ6lIqoEN4pf4QFiGiA9olYgNk8JV2LNDcs/0NJF3Jpv
TJpWyOdIkpsCl2TDpDuSSDgjyZOoIKC1HbrjMcKbCsCXVmUY9TCGbg9pizTds6hp
DEfjVTfZDKciOOr991VTX5bZBO1K5hYjKgSlqcc6cNlZ4QITH/bChAyf68dokuoU
xYC8DuU8aCdxf1dk62mIFjugGYOOXgxD3OTZNp8iil4t+s6OOch0sqM=
=l4fg
-----END PGP SIGNATURE-----
pgpwS41KveYdm.pgp
Description: PGP signature
--- End Message ---
