[pkg-php-pear] Bug#1073931: composer: security update broke feature branches

Heiko Przybyl htto at users.noreply.github.com
Thu Jun 20 12:59:17 BST 2024


Package: composer
Version: 2.0.9-2+deb11u3
Severity: grave
Justification: renders package unusable
X-Debbugs-Cc: htto at users.noreply.github.com, team at security.debian.org

Dear Maintainer,

yesterday unattended-upgrades installed version 2.0.9-2+deb11u3 composer
including security fixes for bugs #1073125 and #1073126. Unfortunately, patch
backporting introduces a major issue, so that any feature branch (branch not in
master|main|latest|next|current|support|tip|trunk|default|develop) of a git
repository checkout is unable to run composer install with the following error:
```
PHP Fatal error:  Uncaught TypeError: Argument 1 passed to Symfony\Component\Process\Process::fromShellCommandline() must be of the type string, array given, called in /usr/share/php/Composer/Util/ProcessExecutor.php on line 112 and defined in /usr/share/php/Symfony/Component/Process/Process.php:193
Stack trace:
#0 /usr/share/php/Composer/Util/ProcessExecutor.php(112): Symfony\Component\Process\Process::fromShellCommandline()
#1 /usr/share/php/Composer/Util/ProcessExecutor.php(65): Composer\Util\ProcessExecutor->doExecute()
#2 /usr/share/php/Composer/Package/Version/VersionGuesser.php(279): Composer\Util\ProcessExecutor->execute()
#3 /usr/share/php/Composer/Package/Version/VersionGuesser.php(161): Composer\Package\Version\VersionGuesser->guessFeatureVersion()
#4 /usr/share/php/Composer/Package/Version/VersionGuesser.php(71): Composer\Package\Version\VersionGuesser->guessGitVersion()
#5 /usr/share/php/Composer/Package/Loader/RootPackageLoader.php(81): Composer\Package\Version\VersionGuesser->guessVersion()
#6 /usr/share/php/Com in /usr/share/php/Symfony/Component/Process/Process.php on line 193
```

It seems the backporting didn't properly test or notice that applying upstream's
security fixes did turn some string values into arrays [1, 2] which aren't
compatible with the string signature of the symfony/process version you ship.

Simple reproducer: Run composer install on the checkout of the feature-branch of 
https://github.com/htto/debian-oldstable-composer

This basically broke all our feature branches' composer installation, locally
and in any CI/CD pipeline.

I hope this gets addressed quickly.

Kind regards
Heiko


[1] https://sources.debian.org/patches/composer/2.0.9-2%2Bdeb11u3/0016-Merge-pull-request-from-GHSA-47f6-5gq3-vx9c.patch/#L22
[2] https://sources.debian.org/patches/composer/2.0.9-2%2Bdeb11u3/0015-Merge-pull-request-from-GHSA-v9qv-c7wm-wgmf.patch/#L43


-- System Information:
Debian Release: 11.9
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable-security'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages composer depends on:
ii  jsonlint                     1.8.3-2
ii  php-cli                      2:7.4+76
ii  php-common                   2:76
ii  php-composer-ca-bundle       1.2.9-1
ii  php-composer-semver          3.2.4-2
ii  php-composer-spdx-licenses   1.5.5-2
ii  php-composer-xdebug-handler  1.4.5-1
ii  php-json-schema              5.2.10-2
ii  php-psr-log                  1.1.3-2
ii  php-react-promise            2.7.0-2
ii  php-symfony-console          4.4.19+dfsg-2+deb11u4
ii  php-symfony-filesystem       4.4.19+dfsg-2+deb11u4
ii  php-symfony-finder           4.4.19+dfsg-2+deb11u4
ii  php-symfony-process          4.4.19+dfsg-2+deb11u4
ii  php7.4-cli [php-cli]         7.4.33-1+deb11u5

Versions of packages composer recommends:
ii  git    1:2.30.2-1+deb11u2
ii  unzip  6.0-26+deb11u1

Versions of packages composer suggests:
pn  fossil                <none>
pn  mercurial             <none>
ii  php-zip               2:7.4+76
ii  php7.4-zip [php-zip]  7.4.33-1+deb11u5
pn  subversion            <none>

-- no debconf information
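An added example, not code from this report, from Composer or from the Debian package: a small PHP shim showing how a ProcessExecutor-style wrapper can accept both the legacy string command form and the argv-style array form that the backported fixes pass, quoting each array element before handing a string to an older symfony/process whose `Process::fromShellCommandline()` only takes a string. The names `escapeArg` and `normalizeCommand` and the sample branch name are assumptions.

```php
<?php
// Added example (hypothetical helper names, not Composer's own API).

/**
 * Quote one argument for the shell. POSIX shells get the single-quote rule;
 * cmd.exe has no single quotes, so it gets double quotes with embedded
 * double quotes doubled.
 */
function escapeArg(string $arg): string
{
    if (DIRECTORY_SEPARATOR === '\\') {
        return '"' . str_replace('"', '""', $arg) . '"';
    }
    return "'" . str_replace("'", "'\\''", $arg) . "'";
}

/**
 * Accept either a full command line (string) or an argv array and return the
 * string an old Process::fromShellCommandline() expects. Array elements are
 * quoted individually, so a branch name with spaces or shell metacharacters
 * reaches git as a single literal argument instead of being re-parsed.
 *
 * @param string|string[] $command
 */
function normalizeCommand($command): string
{
    if (is_string($command)) {
        return $command;
    }
    if (!is_array($command) || $command === []) {
        throw new InvalidArgumentException(
            'command must be a non-empty string or a non-empty array of strings'
        );
    }
    $quoted = [];
    foreach ($command as $arg) {
        $quoted[] = escapeArg((string) $arg);
    }
    return implode(' ', $quoted);
}

// Constructed sample: the argv form a hardened VersionGuesser would pass for
// a feature branch (the branch name is made up for this example).
$argv = ['git', 'rev-list', '--count', 'feature/a b..origin/main'];
echo normalizeCommand($argv), PHP_EOL;

// The legacy string form still passes through untouched.
echo normalizeCommand('git rev-parse HEAD'), PHP_EOL;
```

The shim is the compatibility step the report says the backport lacked: callers may send arrays, but the shipped symfony/process 4.4 `fromShellCommandline()` still receives a string.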