From nobody Mon Jun 10 21:34:09 2024 X-Original-To: dev-commits-ports-main@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4VylS20Nv6z5MwRK; Mon, 10 Jun 2024 21:34:10 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4VylS16wD8z4NXx; Mon, 10 Jun 2024 21:34:09 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1718055250; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=js2gVQyTtyvlCWVGqfyH9hFjBjdRc5LiR16+HD4z9Y0=; b=f8tiklvp0FXQZDQU0XOOvq1FY+FIwgl4ZTCI7C/numvd902JkRLKERWUshBqRPx4ENPRU0 hJ7nNP9rFwX+PISBA8+XEak2wUfg98OWqxL4qhyhuIcc5wtJY6qHFDo8vqmLT/xtlxo00R FQ8XaBHqjCNzdAV/zvDvT1nAk9GE+aMYdVVUUZbkhKO4YYnla0HP8vlEzAMWoe4vZSE1eF nQsHxKMhBkeLhdCY2csFvG9BIBSyjui+zBdEaHnRBZ/3aB+KD2V6bKGVxTS39H/fFZ+obx 0SjSmDBZpXImgLTmltJBHDjgpNIJoB2paH7GGQAykMO1NDmHqi+g5RkzdIRweg== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1718055250; a=rsa-sha256; cv=none; b=IAnOnFkUhH4/315tffaIvR/7afzbvKB3Qx/8DdC7sE8x3h+u5BXtBtiFsFhe5kE1pNBRTy uy94P5Tg+wnQ+hJMb8bVn46eqJOFLPsYQst1jCOT5oCyjus3gkSoP+XzuUfkzwL4nhmCLR Dlno6hl7j4wHTh723NWtdXsxx7G4G1bUzU9PtboLsn6IKGs5sZ/Z7yNEg633rQLZ59FuR+ qlQ4/Fsgcczh4YpNZyfhcJgrEad45GWygBKfTIFV17998mlZFODFVmHGdWR4LldPPkQHVB mQwPuKGNokySFs52Ji4G0lkp0+9oPMNyYYAqDNvghDQiBmdisEwMU6+TXUe0Nw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1718055250; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=js2gVQyTtyvlCWVGqfyH9hFjBjdRc5LiR16+HD4z9Y0=; b=s6jaU8vloGvs13w1bl9WyitZHLIxTDK9DTcMPHivA7nJP6PPGNH/j8wQnLfDJT0SexEvOF dZOnoiVv/her320c/RPsc3NlXG8FL1mN0CkoEqQ7Kki9+UQYS85oYjw72bhGcmptRZyZKg U9r+YMScIyVzR6bkIzQc6v1swUZ6z9eag6a5jdVASh464+6z+QLPMIf/0iCgPCZEwBFH94 9dTgdipBV+U9tecAfsAzqJiTwZkz5ZOQWVEDSbZ1LrBKtT+hXEL6mWdk4hJPfIk6Rsw0g1 faMCTGeHeP6Qfa5N5jt6yuixcc0HBVcpJPSlRu8GGovZpvc72T3kNGEm6JawLg== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4VylS16WWWzjL6; Mon, 10 Jun 2024 21:34:09 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.17.1/8.17.1) with ESMTP id 45ALY9GC063396; Mon, 10 Jun 2024 21:34:09 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.17.1/8.17.1/Submit) id 45ALY91H063393; Mon, 10 Jun 2024 21:34:09 GMT (envelope-from git) Date: Mon, 10 Jun 2024 21:34:09 GMT Message-Id: <202406102134.45ALY91H063393@gitrepo.freebsd.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org From: Guido Falsi Subject: git: 26f8cc466c21 - main - security/vuxml: Report php composer vulnerabilities. List-Id: Commits to the main branch of the FreeBSD ports repository List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-main List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-ports-main@freebsd.org Sender: owner-dev-commits-ports-main@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: madpilot X-Git-Repository: ports X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 26f8cc466c2149dae90f6f80a51ac653b3237840 Auto-Submitted: auto-generated The branch main has been updated by madpilot: URL: https://cgit.FreeBSD.org/ports/commit/?id=26f8cc466c2149dae90f6f80a51ac653b3237840 commit 26f8cc466c2149dae90f6f80a51ac653b3237840 Author: Guido Falsi AuthorDate: 2024-06-10 21:32:37 +0000 Commit: Guido Falsi CommitDate: 2024-06-10 21:34:05 +0000 security/vuxml: Report php composer vulnerabilities. Obtained from: https://github.com/composer/composer/security/advisories/GHSA-47f6-5gq3-vx9c https://github.com/composer/composer/security/advisories/GHSA-v9qv-c7wm-wgmf --- security/vuxml/vuln/2024.xml | 45 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 45 insertions(+) diff --git a/security/vuxml/vuln/2024.xml b/security/vuxml/vuln/2024.xml index 37aa9fcb07a3..13ed7aba8c18 100644 --- a/security/vuxml/vuln/2024.xml +++ b/security/vuxml/vuln/2024.xml @@ -1,3 +1,48 @@ + + Composer -- Multiple command injections via malicious git/hg branch names + + + php81-composer + 2.7.7 + + + php82-composer + 2.7.7 + + + php83-composer + 2.7.7 + + + + +

Composer project reports:

+
+

The status, reinstall and remove commands with packages + installed from source via git containing specially crafted + branch names in the repository can be used to execute + code.

+
+
+

The composer install command running inside a git/hg + repository which has specially crafted branch names can + lead to command injection. So this requires cloning + untrusted repositories.

+
+ + + + CVE-2024-35241 + https://github.com/composer/composer/security/advisories/GHSA-47f6-5gq3-vx9c + CVE-2024-35242 + https://github.com/composer/composer/security/advisories/GHSA-v9qv-c7wm-wgmf + + + 2024-06-10 + 2024-06-10 + + + kanboard -- Project Takeover via IDOR in ProjectPermissionController