Your message dated Mon, 24 Jun 2024 22:47:25 +0000
with message-id <e1slst7-000uqy...@fasolo.debian.org>
and subject line Bug#1073931: fixed in composer 2.0.9-2+deb11u4
has caused the Debian Bug report #1073931,
regarding composer: security update broke feature branches
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1073931: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1073931
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: composer
Version: 2.0.9-2+deb11u3
Severity: grave
Justification: renders package unusable
X-Debbugs-Cc: h...@users.noreply.github.com, t...@security.debian.org
Dear Maintainer,
yesterday unattended-upgrades installed composer version 2.0.9-2+deb11u3,
including security fixes for bugs #1073125 and #1073126. Unfortunately, the patch
backporting introduced a major issue, so that any feature branch (a branch not in
master|main|latest|next|current|support|tip|trunk|default|develop) of a git
repository checkout is unable to run composer install, failing with the following error:
```
PHP Fatal error: Uncaught TypeError: Argument 1 passed to
Symfony\Component\Process\Process::fromShellCommandline() must be of the type
string, array given, called in /usr/share/php/Composer/Util/ProcessExecutor.php
on line 112 and defined in
/usr/share/php/Symfony/Component/Process/Process.php:193
Stack trace:
#0 /usr/share/php/Composer/Util/ProcessExecutor.php(112):
Symfony\Component\Process\Process::fromShellCommandline()
#1 /usr/share/php/Composer/Util/ProcessExecutor.php(65):
Composer\Util\ProcessExecutor->doExecute()
#2 /usr/share/php/Composer/Package/Version/VersionGuesser.php(279):
Composer\Util\ProcessExecutor->execute()
#3 /usr/share/php/Composer/Package/Version/VersionGuesser.php(161):
Composer\Package\Version\VersionGuesser->guessFeatureVersion()
#4 /usr/share/php/Composer/Package/Version/VersionGuesser.php(71):
Composer\Package\Version\VersionGuesser->guessGitVersion()
#5 /usr/share/php/Composer/Package/Loader/RootPackageLoader.php(81):
Composer\Package\Version\VersionGuesser->guessVersion()
#6 /usr/share/php/Com in /usr/share/php/Symfony/Component/Process/Process.php
on line 193
```
It seems the backporting didn't properly test or notice that applying upstream's
security fixes turned some string values into arrays [1, 2], which aren't
compatible with the string signature of the symfony/process version you ship.
Simple reproducer: run composer install on a checkout of the feature branch of
https://github.com/htto/debian-oldstable-composer
This basically broke all our feature branches' composer installation, locally
and in any CI/CD pipeline.
I hope this gets addressed quickly.
Kind regards
Heiko
[1]
https://sources.debian.org/patches/composer/2.0.9-2%2Bdeb11u3/0016-Merge-pull-request-from-GHSA-47f6-5gq3-vx9c.patch/#L22
[2]
https://sources.debian.org/patches/composer/2.0.9-2%2Bdeb11u3/0015-Merge-pull-request-from-GHSA-v9qv-c7wm-wgmf.patch/#L43
-- System Information:
Debian Release: 11.9
APT prefers oldstable-updates
APT policy: (500, 'oldstable-updates'), (500, 'oldstable-security'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages composer depends on:
ii jsonlint 1.8.3-2
ii php-cli 2:7.4+76
ii php-common 2:76
ii php-composer-ca-bundle 1.2.9-1
ii php-composer-semver 3.2.4-2
ii php-composer-spdx-licenses 1.5.5-2
ii php-composer-xdebug-handler 1.4.5-1
ii php-json-schema 5.2.10-2
ii php-psr-log 1.1.3-2
ii php-react-promise 2.7.0-2
ii php-symfony-console 4.4.19+dfsg-2+deb11u4
ii php-symfony-filesystem 4.4.19+dfsg-2+deb11u4
ii php-symfony-finder 4.4.19+dfsg-2+deb11u4
ii php-symfony-process 4.4.19+dfsg-2+deb11u4
ii php7.4-cli [php-cli] 7.4.33-1+deb11u5
Versions of packages composer recommends:
ii git 1:2.30.2-1+deb11u2
ii unzip 6.0-26+deb11u1
Versions of packages composer suggests:
pn fossil <none>
pn mercurial <none>
ii php-zip 2:7.4+76
ii php7.4-zip [php-zip] 7.4.33-1+deb11u5
pn subversion <none>
-- no debconf information
--- End Message ---
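The failure above is a type mismatch between two layers: the backported GHSA fixes make Composer hand `ProcessExecutor` an argv array for its git calls (so a branch name is never parsed by a shell), while `Process::fromShellCommandline()` in the shipped symfony/process 4.4 accepts only a string; the array form must go through the `Process` constructor instead. The following shim is an added illustration, not the Debian patch or Composer's own code; `executeCommand`, the autoloader path and the sample branch name are assumptions.

```php
<?php
// Added illustration (not Composer's or Debian's code): an executor that
// accepts either a legacy shell string or an argv array and maps each to the
// matching symfony/process 4.4 entry point, which is the dispatch the
// deb11u3 backport lacked before calling fromShellCommandline().
require __DIR__ . '/vendor/autoload.php'; // assumed: symfony/process installed via Composer

use Symfony\Component\Process\Process;

/**
 * @param string|string[] $command shell command line, or argv array
 * @return array{0:int,1:string}   exit code and stdout
 */
function executeCommand($command, ?string $cwd = null): array
{
    if (is_array($command)) {
        // argv form: every element reaches the child verbatim and no shell is
        // involved, so untrusted data such as a branch name cannot be
        // reinterpreted as shell syntax.
        $process = new Process($command, $cwd, null, null, 300);
    } elseif (is_string($command)) {
        // legacy form: the caller must already have escaped its arguments.
        $process = Process::fromShellCommandline($command, $cwd, null, null, 300);
    } else {
        throw new InvalidArgumentException('command must be a string or an array of strings');
    }

    $process->run();

    return [$process->getExitCode(), $process->getOutput()];
}

// Same shape as the git calls VersionGuesser makes on a feature branch checkout:
// the branch name is passed as one argv element. 'feature/foo' is a constructed sample.
$branch = 'feature/foo';
[$code, $out] = executeCommand(['git', 'rev-parse', '--verify', $branch], getcwd());
echo $code === 0 ? "branch resolves to: $out" : "git exited with status $code\n";
```

Run inside a git checkout; on a system with only the string-only `fromShellCommandline()` path, the array call is exactly the one that raised the TypeError in the report.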
--- Begin Message ---
Source: composer
Source-Version: 2.0.9-2+deb11u4
Done: David Prévot <taf...@debian.org>
We believe that the bug you reported is fixed in the latest version of
composer, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1073...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
David Prévot <taf...@debian.org> (supplier of updated composer package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Fri, 21 Jun 2024 11:35:18 +0200
Source: composer
Architecture: source
Version: 2.0.9-2+deb11u4
Distribution: bullseye-security
Urgency: medium
Maintainer: Debian PHP PEAR Maintainers <pkg-php-p...@lists.alioth.debian.org>
Changed-By: David Prévot <taf...@debian.org>
Closes: 1073931
Changes:
composer (2.0.9-2+deb11u4) bullseye-security; urgency=medium
.
* Adapt test before calling fromShellCommandline (Closes: #1073931)
--- End Message ---