[pkg-php-pear] Bug#1063603: composer: CVE-2024-24821

Salvatore Bonaccorso carnil at debian.org
Fri Feb 9 20:08:43 GMT 2024


Source: composer
Version: 2.6.6-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>

Hi,

The following vulnerability was published for composer.

CVE-2024-24821[0]:
| Composer is a dependency Manager for the PHP language. In affected
| versions several files within the local working directory are
| included during the invocation of Composer and in the context of the
| executing user. As such, under certain conditions arbitrary code
| execution may lead to local privilege escalation, provide lateral
| user movement or malicious code execution when Composer is invoked
| within a directory with tampered files. All Composer CLI commands
| are affected, including composer.phar's self-update. The following
| scenarios are of high risk: Composer being run with sudo, Pipelines
| which may execute Composer on untrusted projects, Shared
| environments with developers who run Composer individually on the
| same project. This vulnerability has been addressed in versions
| 2.7.0 and 2.2.23. It is advised that the patched versions are
| applied at the earliest convenience. Where not possible, the
| following should be addressed: Remove all sudo composer privileges
| for all users to mitigate root privilege escalation, and avoid
| running Composer within an untrusted directory, or if needed, verify
| that the contents of `vendor/composer/InstalledVersions.php` and
| `vendor/composer/installed.php` do not include untrusted code.  A
| reset can also be done on these files by the following:```sh rm
| vendor/composer/installed.php vendor/composer/InstalledVersions.php
| composer install --no-scripts --no-plugins ```


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-24821
    https://www.cve.org/CVERecord?id=CVE-2024-24821
[1] https://github.com/composer/composer/security/advisories/GHSA-7c6p-848j-wh5h
[2] https://github.com/composer/composer/commit/64e4eb356b159a30c766cd1ea83450a38dc23bf5

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



More information about the pkg-php-pear mailing list