[pkg-php-pear] Bug#990579: composer: Security update broke git clone with cacheOptions
Harald Laabs
github at dasr.de
Fri Jul 2 14:23:32 BST 2021
Package: composer
Version: 1.2.2-1+deb9u1
Severity: important
0005-Merge-pull-request-from-GHSA-h5h8-pc6h-jvvx.patch includes:
- $command = 'git clone --no-checkout %s %s '.$cacheOptions.'&& cd '.$flag.'%2$s && git remote add composer %1$s && git fetch composer';
+ $command = 'git clone --no-checkout -- %s %s '.$cacheOptions.'&& cd '.$flag.'%2$s && git remote add composer -- %1$s && git fetch composer';
git clone expects options before URL and PATH. It will still work if
the '--' is not put before URL and PATH. The cacheOptions need to be
moved to the left (before --), otherwise this cannot work anymore in
case of $cacheOptions != ''.
Best regards,
Harald
More information about the pkg-php-pear
mailing list