Debian Bug report logs - #1063603
composer: CVE-2024-24821


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 9 Feb 2024 20:12:04 UTC

Severity: grave

Tags: security, upstream

Found in version composer/2.6.6-1

Fixed in version composer/2.7.1-1

Done: David Prévot <taffit@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian PHP PEAR Maintainers <pkg-php-pear@lists.alioth.debian.org>:
Bug#1063603; Package src:composer. (Fri, 09 Feb 2024 20:12:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian PHP PEAR Maintainers <pkg-php-pear@lists.alioth.debian.org>. (Fri, 09 Feb 2024 20:12:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: composer: CVE-2024-24821
Date: Fri, 09 Feb 2024 21:08:43 +0100
Source: composer
Version: 2.6.6-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for composer.

CVE-2024-24821[0]:
| Composer is a dependency Manager for the PHP language. In affected
| versions several files within the local working directory are
| included during the invocation of Composer and in the context of the
| executing user. As such, under certain conditions arbitrary code
| execution may lead to local privilege escalation, provide lateral
| user movement or malicious code execution when Composer is invoked
| within a directory with tampered files. All Composer CLI commands
| are affected, including composer.phar's self-update. The following
| scenarios are of high risk: Composer being run with sudo, Pipelines
| which may execute Composer on untrusted projects, Shared
| environments with developers who run Composer individually on the
| same project. This vulnerability has been addressed in versions
| 2.7.0 and 2.2.23. It is advised that the patched versions are
| applied at the earliest convenience. Where not possible, the
| following should be addressed: Remove all sudo composer privileges
| for all users to mitigate root privilege escalation, and avoid
| running Composer within an untrusted directory, or if needed, verify
| that the contents of `vendor/composer/InstalledVersions.php` and
| `vendor/composer/installed.php` do not include untrusted code. A
| reset can also be done on these files by the following:
|
|     rm vendor/composer/installed.php vendor/composer/InstalledVersions.php
|     composer install --no-scripts --no-plugins


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-24821
    https://www.cve.org/CVERecord?id=CVE-2024-24821
[1] https://github.com/composer/composer/security/advisories/GHSA-7c6p-848j-wh5h
[2] https://github.com/composer/composer/commit/64e4eb356b159a30c766cd1ea83450a38dc23bf5

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
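As an added example (not part of this bug report, and not code from the Composer project), the following POSIX shell pre-flight wrapper applies the mitigations quoted in the advisory above before Composer is invoked on an untrusted checkout, such as in a CI pipeline: it refuses to proceed as root, checks that the installed Composer is a patched release (2.7.0+ or 2.2.23+), and applies the advisory's reset of the two generated files. It assumes that `composer --version` prints the version number as its third word; all function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the bug report or the Composer project): a pre-flight
# wrapper for invoking Composer on an untrusted checkout, e.g. in a CI pipeline,
# built from the mitigations in the advisory text above.

# composer_is_fixed VERSION -> 0 if VERSION carries the fix, 1 otherwise.
# Fixed releases per the advisory: 2.7.0+ on the main line, 2.2.23+ on the
# 2.2 LTS line. A Debian-style suffix such as "2.7.1-1" is tolerated.
composer_is_fixed() {
    [ -n "$1" ] || return 1
    echo "$1" | awk -F. '{
        major = $1 + 0; minor = $2 + 0; patch = $3 + 0
        if (major > 2) exit 0
        if (major < 2) exit 1
        if (minor >= 7) exit 0
        if (minor == 2 && patch >= 23) exit 0
        exit 1
    }'
}

# reset_composer_state DIR -> deletes the two generated files the advisory
# names, so a tampered copy cannot be loaded by the next Composer run.
reset_composer_state() {
    for f in "$1/vendor/composer/installed.php" \
             "$1/vendor/composer/InstalledVersions.php"; do
        [ -e "$f" ] && rm -f -- "$f" && echo "removed $f"
    done
    return 0
}

# composer_preflight [DIR] -> refuse to proceed as root (the sudo scenario) or
# with an unpatched Composer; otherwise apply the reset and print the
# regeneration command from the advisory.
composer_preflight() {
    dir=${1:-.}
    if [ "$(id -u)" -eq 0 ]; then
        echo "refusing to run composer as root" >&2; return 1
    fi
    # Assumption: "composer --version" prints "Composer version X.Y.Z <date>".
    ver=$(composer --version 2>/dev/null | awk '{ print $3; exit }')
    [ -n "$ver" ] || { echo "composer not on PATH" >&2; return 1; }
    if ! composer_is_fixed "$ver"; then
        echo "composer $ver is affected by CVE-2024-24821; upgrade to 2.7.0/2.2.23 or later" >&2
        return 1
    fi
    reset_composer_state "$dir"
    echo "now run: (cd '$dir' && composer install --no-scripts --no-plugins)"
}
```

Calling `composer_preflight /path/to/checkout` as the unprivileged pipeline user either stops on an unpatched Composer or leaves the checkout ready for the advisory's `composer install --no-scripts --no-plugins` regeneration step.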



Added tag(s) pending. Request was from David Prévot <taffit@debian.org> to control@bugs.debian.org. (Sat, 10 Feb 2024 10:24:05 GMT)


Reply sent to David Prévot <taffit@debian.org>:
You have taken responsibility. (Sat, 10 Feb 2024 13:17:22 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 10 Feb 2024 13:17:22 GMT)


Message #12 received at 1063603-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1063603-close@bugs.debian.org
Subject: Bug#1063603: fixed in composer 2.7.1-1
Date: Sat, 10 Feb 2024 13:11:21 +0000
Source: composer
Source-Version: 2.7.1-1
Done: David Prévot <taffit@debian.org>

We believe that the bug you reported is fixed in the latest version of
composer, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1063603@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
David Prévot <taffit@debian.org> (supplier of updated composer package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sat, 10 Feb 2024 11:18:19 +0100
Source: composer
Architecture: source
Version: 2.7.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian PHP PEAR Maintainers <pkg-php-pear@lists.alioth.debian.org>
Changed-By: David Prévot <taffit@debian.org>
Closes: 1061291 1063603
Changes:
 composer (2.7.1-1) unstable; urgency=medium
 .
   [ Jordi Boggiano ]
   * Merge pull request from GHSA-7c6p-848j-wh5h [CVE-2024-24821]
     (Closes: #1063603)
   * Release 2.7.1
 .
   [ David Prévot ]
   * Extend recommended packages list (Closes: #1061291)







Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Feb 10 14:45:55 2024; Machine Name: bembo
