Source: composer
Version: 2.6.6-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for composer.

CVE-2024-24821[0]:
| Composer is a dependency Manager for the PHP language. In affected
| versions several files within the local working directory are
| included during the invocation of Composer and in the context of the
| executing user. As such, under certain conditions arbitrary code
| execution may lead to local privilege escalation, provide lateral
| user movement or malicious code execution when Composer is invoked
| within a directory with tampered files. All Composer CLI commands
| are affected, including composer.phar's self-update. The following
| scenarios are of high risk: Composer being run with sudo, Pipelines
| which may execute Composer on untrusted projects, Shared
| environments with developers who run Composer individually on the
| same project. This vulnerability has been addressed in versions
| 2.7.0 and 2.2.23. It is advised that the patched versions are
| applied at the earliest convenience. Where not possible, the
| following should be addressed: Remove all sudo composer privileges
| for all users to mitigate root privilege escalation, and avoid
| running Composer within an untrusted directory, or if needed, verify
| that the contents of `vendor/composer/InstalledVersions.php` and
| `vendor/composer/installed.php` do not include untrusted code. A
| reset can also be done on these files by the following:
|
| ```sh
| rm vendor/composer/installed.php vendor/composer/InstalledVersions.php
| composer install --no-scripts --no-plugins
| ```

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-24821
    https://www.cve.org/CVERecord?id=CVE-2024-24821
[1] https://github.com/composer/composer/security/advisories/GHSA-7c6p-848j-wh5h
[2] https://github.com/composer/composer/commit/64e4eb356b159a30c766cd1ea83450a38dc23bf5

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
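The advisory's interim mitigation asks the operator to verify that `vendor/composer/installed.php` does not include untrusted code before Composer runs in a shared or untrusted checkout. The following audit script is an added illustration of such a check; it is not part of the bug report and not Composer's own code. It assumes that Composer writes `installed.php` as a pure PHP data literal (`<?php return array(...);`), so it allowlists only string, number, boolean/null, `array(...)` and `return` tokens and reports everything else (identifiers such as `include`, `$` variables, backticks, a second `<?php` or `?>` tag) for manual review. The two sample files are constructed here for demonstration. It deliberately does not try to audit `InstalledVersions.php`, which is a full PHP class and is better compared byte-for-byte against the copy shipped in the pinned Composer release.

```python
#!/usr/bin/env python3
"""Allowlist audit for vendor/composer/installed.php.

Composer regenerates installed.php as a pure PHP data literal
(`<?php return array(...);`).  Anything that is not a string, number,
boolean/null, array() literal or the return statement has no business
in that file, so this audit flags every other token for manual review.
Added example, not Composer's own code; the token allowlist below is an
assumption about the shape of the generated file.
"""
import re
import sys
from typing import List

TOKEN_RE = re.compile(r"""
      (?P<ws>\s+)
    | (?P<open><\?php\b)
    | (?P<sq>'(?:[^'\\]|\\.)*')
    | (?P<dq>"(?:[^"\\]|\\.)*")
    | (?P<num>-?\d+(?:\.\d+)?)
    | (?P<word>[A-Za-z_]\w*)
    | (?P<arrow>=>)
    | (?P<punct>[()\[\],;])
    | (?P<other>.)
""", re.VERBOSE | re.DOTALL)

# Keywords that may appear in a data-only PHP file (compared case-insensitively).
ALLOWED_WORDS = {"return", "array", "true", "false", "null"}


def audit_installed_php(source: str) -> List[str]:
    """Return a list of findings; an empty list means the file is data-only."""
    findings: List[str] = []
    first = True
    for match in TOKEN_RE.finditer(source):
        kind = match.lastgroup
        text = match.group()
        line = source.count("\n", 0, match.start()) + 1
        if kind == "ws":
            continue
        if first:
            first = False
            if kind == "open":
                continue
            # Report the missing tag, then fall through and classify the token too.
            findings.append(f"line {line}: file does not start with <?php")
        if kind == "open":
            findings.append(f"line {line}: repeated <?php tag")
        elif kind == "word" and text.lower() not in ALLOWED_WORDS:
            # include/require, function calls, eval, etc. all land here.
            findings.append(f"line {line}: unexpected identifier {text!r}")
        elif kind == "dq" and "$" in text:
            # "..." containing $ can interpolate variables; generated files use '...'.
            findings.append(f"line {line}: interpolating string {text!r}")
        elif kind == "other":
            # $, `, ?, <, >, @ and similar never occur in a data literal.
            findings.append(f"line {line}: unexpected character {text!r}")
    return findings


def audit_path(path: str) -> List[str]:
    """Audit one file on disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_installed_php(fh.read())


# Constructed sample: the shape Composer normally writes.
CLEAN_SAMPLE = """<?php return array(
    'root' => array(
        'name' => 'example/app',
        'pretty_version' => '1.0.0',
        'dev' => true,
    ),
    'versions' => array(
        'example/lib' => array(
            'pretty_version' => '2.3.1',
            'aliases' => array(),
            'dev_requirement' => false,
        ),
    ),
);
"""

# Constructed sample: the same data with a statement spliced in front of it.
TAMPERED_SAMPLE = """<?php
include '/tmp/untrusted.php';
return array(
    'root' => array('name' => 'example/app', 'dev' => true),
    'versions' => array(),
);
"""


if __name__ == "__main__":
    # Usage: audit_installed_php.py [path ...]; defaults to the file Composer writes.
    targets = sys.argv[1:] or ["vendor/composer/installed.php"]
    problems = {p: audit_path(p) for p in targets}
    for path, found in problems.items():
        for item in found:
            print(f"{path}: {item}")
    sys.exit(1 if any(problems.values()) else 0)
```

Run it from the project root before invoking Composer in a checkout you do not fully control; a non-zero exit means the file is not a plain data literal and should be reset with the `rm` / `composer install --no-scripts --no-plugins` sequence quoted in the advisory. Because the check is an allowlist rather than a list of known-bad constructs, it errs toward false positives, which is the right trade-off for a file that is meant to contain nothing but package metadata.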