Your message dated Sun, 03 Mar 2024 13:17:20 +0000
with message-id <e1rglis-00a68m...@fasolo.debian.org>
and subject line Bug#1063603: fixed in composer 2.5.5-1+deb12u1
has caused the Debian Bug report #1063603,
regarding composer: CVE-2024-24821
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1063603: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063603
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: composer
Version: 2.6.6-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerability was published for composer.
CVE-2024-24821[0]:
| Composer is a dependency Manager for the PHP language. In affected
| versions several files within the local working directory are
| included during the invocation of Composer and in the context of the
| executing user. As such, under certain conditions arbitrary code
| execution may lead to local privilege escalation, provide lateral
| user movement or malicious code execution when Composer is invoked
| within a directory with tampered files. All Composer CLI commands
| are affected, including composer.phar's self-update. The following
| scenarios are of high risk: Composer being run with sudo, Pipelines
| which may execute Composer on untrusted projects, Shared
| environments with developers who run Composer individually on the
| same project. This vulnerability has been addressed in versions
| 2.7.0 and 2.2.23. It is advised that the patched versions are
| applied at the earliest convenience. Where not possible, the
| following should be addressed: Remove all sudo composer privileges
| for all users to mitigate root privilege escalation, and avoid
| running Composer within an untrusted directory, or if needed, verify
| that the contents of `vendor/composer/InstalledVersions.php` and
| `vendor/composer/installed.php` do not include untrusted code. A
| reset can also be done on these files by the following:```sh rm
| vendor/composer/installed.php vendor/composer/InstalledVersions.php
| composer install --no-scripts --no-plugins ```
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-24821
https://www.cve.org/CVERecord?id=CVE-2024-24821
[1] https://github.com/composer/composer/security/advisories/GHSA-7c6p-848j-wh5h
[2]
https://github.com/composer/composer/commit/64e4eb356b159a30c766cd1ea83450a38dc23bf5
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: composer
Source-Version: 2.5.5-1+deb12u1
Done: David Prévot <taf...@debian.org>
We believe that the bug you reported is fixed in the latest version of
composer, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1063...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
David Prévot <taf...@debian.org> (supplier of updated composer package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Tue, 13 Feb 2024 16:09:38 +0100
Source: composer
Architecture: source
Version: 2.5.5-1+deb12u1
Distribution: bookworm-security
Urgency: medium
Maintainer: Debian PHP PEAR Maintainers <pkg-php-p...@lists.alioth.debian.org>
Changed-By: David Prévot <taf...@debian.org>
Closes: 1063603
Changes:
composer (2.5.5-1+deb12u1) bookworm-security; urgency=medium
.
* Track debian/bookworm
* Merge pull request from GHSA-7c6p-848j-wh5h [CVE-2024-24821]
(Closes: #1063603)
* Force system dependencies loading
Checksums-Sha1:
f012ca8e256569d786c190bbf5c1b89a125402da 2391 composer_2.5.5-1+deb12u1.dsc
e2d5b65f92956358abbfc07df002aa9d685097ef 634104 composer_2.5.5.orig.tar.xz
c51250e2f434e302073739751f845466f7a3526c 18356
composer_2.5.5-1+deb12u1.debian.tar.xz
63486043b9013a8991d56e43bcc356d5e7c8b39e 9727
composer_2.5.5-1+deb12u1_amd64.buildinfo
Checksums-Sha256:
b253627020d663eff991b4d083dddf078da586e5cc66b1f4f0c6f43ff83fb2bb 2391
composer_2.5.5-1+deb12u1.dsc
9d24f477e5a3c1c2ab12c1cf734a0d66d4572740d9edad44e462c5dc60983bce 634104
composer_2.5.5.orig.tar.xz
f781e2e4cbcb2545860ab621cb1462c367fd8c3642bcd29345784f8f117aa3c0 18356
composer_2.5.5-1+deb12u1.debian.tar.xz
efe0d78db671720c3f5277d135ff71f3c3b4302b5cce6909491280b965a8ab88 9727
composer_2.5.5-1+deb12u1_amd64.buildinfo
Files:
f40ae2fddfbdd7dffbde447d481270d1 2391 php optional composer_2.5.5-1+deb12u1.dsc
97b67f831115179d0fc8bacc64942951 634104 php optional composer_2.5.5.orig.tar.xz
2029cba8c58804c55714c5179d495b75 18356 php optional
composer_2.5.5-1+deb12u1.debian.tar.xz
c2608488dd92506ae4245d4e790a2891 9727 php optional
composer_2.5.5-1+deb12u1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQFGBAEBCAAwFiEEeHVNB7wJXHRI941mBYwc+UT2vTwFAmXYmpoSHHRhZmZpdEBk
ZWJpYW4ub3JnAAoJEAWMHPlE9r08GSAH/3CxYeGnxV8IDCuWhf9JJf2KehbZnS+L
OBZkEJCR0efylTR1tk++eQHi7udaJoEw2vm7AznqtcYp3Iv9wJP4fdvCfXOluBvU
br8Lc76PhyS4edGEF7+fk2H1EQ4OvElT8aeBSNnruQeRyBcoHcxx7jtZzQqHxfoG
mQ+3VAc7i5hJtSsBCbjSWX5XoR5xAdo2tNVK4aqfJ1D0jmElYRqNyeGuhSamikml
esIMhYWgqN7I5yz706xsfLh2oVz92wzorgVbIJKfGm1Sp2dT3n14bYxEx7n9eMGe
g5fw0YLJZPwSEJpyWgUtL3u1ngzUQicGbXw2qL6UpI6QSckeRk5V9Qs=
=f9SA
-----END PGP SIGNATURE-----
pgpdvP6bMtA_2.pgp
Description: PGP signature
--- End Message ---
