Package: composer
Version: 2.0.9-2+deb11u3
Severity: grave
Justification: renders package unusable
X-Debbugs-Cc: h...@users.noreply.github.com, t...@security.debian.org

Dear Maintainer,

yesterday unattended-upgrades installed version 2.0.9-2+deb11u3 of composer, including security fixes for bugs #1073125 and #1073126. Unfortunately, patch backporting introduces a major issue, so that any feature branch (branch not in master|main|latest|next|current|support|tip|trunk|default|develop) of a git repository checkout is unable to run composer install with the following error:

```
PHP Fatal error:  Uncaught TypeError: Argument 1 passed to Symfony\Component\Process\Process::fromShellCommandline() must be of the type string, array given, called in /usr/share/php/Composer/Util/ProcessExecutor.php on line 112 and defined in /usr/share/php/Symfony/Component/Process/Process.php:193
Stack trace:
#0 /usr/share/php/Composer/Util/ProcessExecutor.php(112): Symfony\Component\Process\Process::fromShellCommandline()
#1 /usr/share/php/Composer/Util/ProcessExecutor.php(65): Composer\Util\ProcessExecutor->doExecute()
#2 /usr/share/php/Composer/Package/Version/VersionGuesser.php(279): Composer\Util\ProcessExecutor->execute()
#3 /usr/share/php/Composer/Package/Version/VersionGuesser.php(161): Composer\Package\Version\VersionGuesser->guessFeatureVersion()
#4 /usr/share/php/Composer/Package/Version/VersionGuesser.php(71): Composer\Package\Version\VersionGuesser->guessGitVersion()
#5 /usr/share/php/Composer/Package/Loader/RootPackageLoader.php(81): Composer\Package\Version\VersionGuesser->guessVersion()
#6 /usr/share/php/Com in /usr/share/php/Symfony/Component/Process/Process.php on line 193
```

It seems the backporting didn't properly test or notice that applying upstream's security fixes turned some string values into arrays [1, 2], which aren't compatible with the string signature of the symfony/process version you ship.

Simple reproducer: run composer install on the checkout of the feature branch of https://github.com/htto/debian-oldstable-composer

This basically broke all our feature branches' composer installation, locally and in any CI/CD pipeline.

I hope this gets addressed quickly.

Kind regards
Heiko

[1] https://sources.debian.org/patches/composer/2.0.9-2%2Bdeb11u3/0016-Merge-pull-request-from-GHSA-47f6-5gq3-vx9c.patch/#L22
[2] https://sources.debian.org/patches/composer/2.0.9-2%2Bdeb11u3/0015-Merge-pull-request-from-GHSA-v9qv-c7wm-wgmf.patch/#L43

-- System Information:
Debian Release: 11.9
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable-security'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages composer depends on:
ii  jsonlint                      1.8.3-2
ii  php-cli                       2:7.4+76
ii  php-common                    2:76
ii  php-composer-ca-bundle        1.2.9-1
ii  php-composer-semver           3.2.4-2
ii  php-composer-spdx-licenses    1.5.5-2
ii  php-composer-xdebug-handler   1.4.5-1
ii  php-json-schema               5.2.10-2
ii  php-psr-log                   1.1.3-2
ii  php-react-promise             2.7.0-2
ii  php-symfony-console           4.4.19+dfsg-2+deb11u4
ii  php-symfony-filesystem        4.4.19+dfsg-2+deb11u4
ii  php-symfony-finder            4.4.19+dfsg-2+deb11u4
ii  php-symfony-process           4.4.19+dfsg-2+deb11u4
ii  php7.4-cli [php-cli]          7.4.33-1+deb11u5

Versions of packages composer recommends:
ii  git    1:2.30.2-1+deb11u2
ii  unzip  6.0-26+deb11u1

Versions of packages composer suggests:
pn  fossil                <none>
pn  mercurial             <none>
ii  php-zip               2:7.4+76
ii  php7.4-zip [php-zip]  7.4.33-1+deb11u5
pn  subversion            <none>

-- no debconf information
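The string-versus-array mismatch behind the fatal error above, as an added illustration that is not part of the bug report, of Composer, or of Debian's packaging. The security patches switch git invocations from a shell command line to an argv-style array (Symfony's Process runs an array without /bin/sh, so a hostile branch name cannot inject a command), but the old ProcessExecutor still forwards everything to Process::fromShellCommandline(), whose first parameter is typed string. The script below reproduces the TypeError on purpose, then shows the dispatch a backport needs: strings to the shell-aware factory, arrays to the Process constructor. It assumes an autoloader for symfony/process 4.4 or later (the path is an assumption; pass your own as the first argument) and a git checkout as the working directory; the helper names are my own.

```php
<?php
// Added diagnostic for the report's string-vs-array mismatch. Illustrative
// code, not Composer's or Debian's. The default autoloader path is an
// assumption; pass the real one as argv[1].
declare(strict_types=1);

use Symfony\Component\Process\Process;

require $argv[1] ?? __DIR__ . '/vendor/autoload.php';

// fromShellCommandline() has a `string` first parameter in every symfony/process
// release; this reads the declared type so the mismatch can be checked at runtime.
function fromShellCommandlineParameterType(): string
{
    $first = (new ReflectionMethod(Process::class, 'fromShellCommandline'))->getParameters()[0];
    $type = $first->getType();
    return $type === null ? 'untyped' : $type->getName();
}

// Deliberately repeats the mistake from the report: an argv array reaches
// fromShellCommandline() and PHP throws TypeError before any process starts.
function brokenCall(array $argv): string
{
    try {
        Process::fromShellCommandline($argv);
        return 'no error';
    } catch (TypeError $e) {
        return 'TypeError: ' . $e->getMessage();
    }
}

// The dispatch the backport needs: a string keeps the shell semantics the old
// call sites rely on; an array goes to the constructor, which execs it directly
// so branch names and other arguments are never interpreted by a shell.
function buildProcess($command, ?string $cwd = null, int $timeout = 300): Process
{
    if (is_string($command)) {
        return Process::fromShellCommandline($command, $cwd, null, null, $timeout);
    }
    if (is_array($command)) {
        return new Process($command, $cwd, null, null, $timeout);
    }
    throw new InvalidArgumentException('command must be a string or an array of arguments');
}

// Runs the same git query either way; the branch-name lookup is the code path
// (VersionGuesser::guessFeatureVersion) that crashed in the report.
function currentBranch($command, string $cwd): string
{
    $process = buildProcess($command, $cwd);
    $process->run();
    return $process->isSuccessful()
        ? trim($process->getOutput())
        : 'git failed: ' . trim($process->getErrorOutput());
}

$cwd = getcwd();
echo 'fromShellCommandline() first parameter type: ', fromShellCommandlineParameterType(), PHP_EOL;
echo brokenCall(['git', 'rev-parse', '--abbrev-ref', 'HEAD']), PHP_EOL;
echo 'string form: ', currentBranch('git rev-parse --abbrev-ref HEAD', $cwd), PHP_EOL;
echo 'array form:  ', currentBranch(['git', 'rev-parse', '--abbrev-ref', 'HEAD'], $cwd), PHP_EOL;
```

Run it from inside any git checkout as `php check-process-dispatch.php /usr/share/php/Composer/autoload.php` (or whatever autoloader exposes symfony/process on your system). The second line reproduces the TypeError from the stack trace; the last two lines print the same branch name, which is the behaviour a corrected ProcessExecutor should give for both argument shapes.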