[pkg-php-pear] Bug#1073931: composer: security update broke feature branches
Heiko Przybyl
htto at users.noreply.github.com
Thu Jun 20 12:59:17 BST 2024
Package: composer
Version: 2.0.9-2+deb11u3
Severity: grave
Justification: renders package unusable
X-Debbugs-Cc: htto at users.noreply.github.com, team at security.debian.org
Dear Maintainer,
Yesterday unattended-upgrades installed composer version 2.0.9-2+deb11u3,
including security fixes for bugs #1073125 and #1073126. Unfortunately, the patch
backporting introduces a major issue, so that any feature branch (branch not in
master|main|latest|next|current|support|tip|trunk|default|develop) of a git
repository checkout is unable to run composer install with the following error:
```
PHP Fatal error: Uncaught TypeError: Argument 1 passed to Symfony\Component\Process\Process::fromShellCommandline() must be of the type string, array given, called in /usr/share/php/Composer/Util/ProcessExecutor.php on line 112 and defined in /usr/share/php/Symfony/Component/Process/Process.php:193
Stack trace:
#0 /usr/share/php/Composer/Util/ProcessExecutor.php(112): Symfony\Component\Process\Process::fromShellCommandline()
#1 /usr/share/php/Composer/Util/ProcessExecutor.php(65): Composer\Util\ProcessExecutor->doExecute()
#2 /usr/share/php/Composer/Package/Version/VersionGuesser.php(279): Composer\Util\ProcessExecutor->execute()
#3 /usr/share/php/Composer/Package/Version/VersionGuesser.php(161): Composer\Package\Version\VersionGuesser->guessFeatureVersion()
#4 /usr/share/php/Composer/Package/Version/VersionGuesser.php(71): Composer\Package\Version\VersionGuesser->guessGitVersion()
#5 /usr/share/php/Composer/Package/Loader/RootPackageLoader.php(81): Composer\Package\Version\VersionGuesser->guessVersion()
#6 /usr/share/php/Com in /usr/share/php/Symfony/Component/Process/Process.php on line 193
```
It seems the backporting didn't properly test or notice that applying upstream's
security fixes turned some string values into arrays [1, 2], which aren't
compatible with the string signature of the symfony/process version you ship.
Simple reproducer: Run composer install on the checkout of the feature branch of
https://github.com/htto/debian-oldstable-composer
This basically broke all our feature branches' composer installation, locally
and in any CI/CD pipeline.
I hope this gets addressed quickly.
Kind regards
Heiko
[1] https://sources.debian.org/patches/composer/2.0.9-2%2Bdeb11u3/0016-Merge-pull-request-from-GHSA-47f6-5gq3-vx9c.patch/#L22
[2] https://sources.debian.org/patches/composer/2.0.9-2%2Bdeb11u3/0015-Merge-pull-request-from-GHSA-v9qv-c7wm-wgmf.patch/#L43
-- System Information:
Debian Release: 11.9
APT prefers oldstable-updates
APT policy: (500, 'oldstable-updates'), (500, 'oldstable-security'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages composer depends on:
ii jsonlint 1.8.3-2
ii php-cli 2:7.4+76
ii php-common 2:76
ii php-composer-ca-bundle 1.2.9-1
ii php-composer-semver 3.2.4-2
ii php-composer-spdx-licenses 1.5.5-2
ii php-composer-xdebug-handler 1.4.5-1
ii php-json-schema 5.2.10-2
ii php-psr-log 1.1.3-2
ii php-react-promise 2.7.0-2
ii php-symfony-console 4.4.19+dfsg-2+deb11u4
ii php-symfony-filesystem 4.4.19+dfsg-2+deb11u4
ii php-symfony-finder 4.4.19+dfsg-2+deb11u4
ii php-symfony-process 4.4.19+dfsg-2+deb11u4
ii php7.4-cli [php-cli] 7.4.33-1+deb11u5
Versions of packages composer recommends:
ii git 1:2.30.2-1+deb11u2
ii unzip 6.0-26+deb11u1
Versions of packages composer suggests:
pn fossil <none>
pn mercurial <none>
ii php-zip 2:7.4+76
ii php7.4-zip [php-zip] 7.4.33-1+deb11u5
pn subversion <none>
-- no debconf information
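The report above describes an array-form command (introduced by the upstream command-injection fixes) reaching a string-only process API. The following is an added illustration, not code from Composer, symfony/process or the Debian package: a hypothetical `buildCommandLine()`/`run()` pair that accepts both forms and escapes array elements for the shell, assuming PHP 7.4 and a POSIX `/bin/sh`, with a constructed branch name showing why the array form matters.

```php
<?php
// Added example (not Composer's or Debian's code): a minimal executor that
// accepts both the legacy string form and the array form the security
// patches introduced, so the array form never reaches a string-only API.
declare(strict_types=1);

/**
 * Build a shell command line from either form (PHP 7.4 has no union
 * types, hence the untyped parameter). Arrays are escaped element by
 * element with escapeshellarg(), so a branch name supplied as one element
 * reaches the program as a single literal argument instead of being
 * re-parsed by the shell.
 */
function buildCommandLine($command): string
{
    if (is_string($command)) {
        return $command;
    }
    if (!is_array($command)) {
        throw new TypeError('command must be a string or an array of strings');
    }
    return implode(' ', array_map('escapeshellarg', $command));
}

/** Run a command and return its exit status and captured output. */
function run($command, ?string $cwd = null): array
{
    $cmdline = buildCommandLine($command);
    $pipes = [];
    $proc = proc_open($cmdline, [1 => ['pipe', 'w'], 2 => ['pipe', 'w']], $pipes, $cwd);
    if (!is_resource($proc)) {
        throw new RuntimeException('failed to start: ' . $cmdline);
    }
    $out = stream_get_contents($pipes[1]);
    $err = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    return ['status' => proc_close($proc), 'stdout' => $out, 'stderr' => $err];
}

// Constructed branch name: '#' and the space are both significant to a shell.
$branch = 'feature/issue #42';

// Array form: each argv element is quoted, so the full name is printed.
$r = run(['printf', '%s\n', $branch]);
echo 'array form:  ', $r['stdout'];   // feature/issue #42

// Legacy string form built by concatenation: the shell treats "#42" as a
// comment and the name is silently truncated. This is the class of problem
// the upstream patches addressed by moving to the array form.
$r = run("printf '%s\\n' " . $branch);
echo 'string form: ', $r['stdout'];   // feature/issue
```

The TypeError in the report is what happens when the array branch of `buildCommandLine()` is missing and the array is handed straight to a `string`-typed parameter.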