[pkg-php-pear] Bug#990579: composer: Security update broke git clone with cacheOptions

Harald Laabs github at dasr.de
Fri Jul 2 14:23:32 BST 2021


Package: composer
Version: 1.2.2-1+deb9u1
Severity: important

0005-Merge-pull-request-from-GHSA-h5h8-pc6h-jvvx.patch includes:
-        $command = 'git clone --no-checkout %s %s '.$cacheOptions.'&& cd '.$flag.'%2$s && git remote add composer %1$s && git fetch composer';
+        $command = 'git clone --no-checkout -- %s %s '.$cacheOptions.'&& cd '.$flag.'%2$s && git remote add composer -- %1$s && git fetch composer';
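
Review bot: in the '+' line, $cacheOptions is still concatenated after '-- %s %s', so whenever it is non-empty its contents sit behind the end-of-options marker and git clone reads them as extra positional arguments rather than options. Move the concatenation in front of the marker, for example 'git clone --no-checkout '.$cacheOptions.'-- %s %s && cd '.$flag.'%2$s && ...', assuming $cacheOptions carries its own trailing space as the existing .$cacheOptions.'&& cd' join suggests. A test that exercises this command with a non-empty $cacheOptions would catch this regression.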

git clone expects options before URL and PATH. It will still work if
the '--' is not put before URL and PATH. The cacheOptions need to be
moved to the left (before --), otherwise this cannot work anymore in
case of $cacheOptions != ''.

Best regards,
Harald


