FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

Composer -- Multiple command injections via malicious git/hg branch names

Affected packages
php81-composer < 2.7.7
php82-composer < 2.7.7
php83-composer < 2.7.7

Details

VuXML ID 5f608c68-276c-11ef-8caa-0897988a1c07
Discovery 2024-06-10
Entry 2024-06-10

Composer project reports:

The status, reinstall and remove commands with packages installed from source via git containing specially crafted branch names in the repository can be used to execute code.

[source]

The composer install command running inside a git/hg repository which has specially crafted branch names can lead to command injection. So this requires cloning untrusted repositories.

[source]

References

CVE Name CVE-2024-35241
CVE Name CVE-2024-35242
URL https://github.com/composer/composer/security/advisories/GHSA-47f6-5gq3-vx9c
URL https://github.com/composer/composer/security/advisories/GHSA-v9qv-c7wm-wgmf

Copyright © 2003-2005 Jacques Vidrine and contributors.
Please see the source of this document for full copyright information.