Update dependency composer/composer to >=2.2.24 <2.3.0 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
composer/composer (source)	>=1.9.0 <2.3.0 -> >=2.2.24 <2.3.0

GitHub Vulnerability Alerts

CVE-2023-43655

Impact

Users publishing a composer.phar to a public web-accessible server where the composer.phar can be executed as a php file may be impacted if PHP also has register_argc_argv enabled in php.ini.

Patches

2.6.4, 2.2.22 and 1.10.27 patch this vulnerability.

Workarounds

Make sure register_argc_argv is disabled in php.ini, and avoid publishing composer.phar to the web as this really should not happen.

CVE-2024-24821

Impact

Several files within the local working directory are included during the invocation of Composer and in the context of the executing user.

As such, under certain conditions arbitrary code execution may lead to local privilege escalation, provide lateral user movement or malicious code execution when Composer is invoked within a directory with tampered files.

All Composer CLI commands are affected, including composer.phar's self-update.

The following are of high risk:

• Composer being run with sudo.
• Pipelines which may execute Composer on untrusted projects.
• Shared environments with developers who run Composer individually on the same project.

Patches

2.7.0, 2.2.23

Workarounds

• It is advised that the patched versions are applied at the earliest convenience.

Where not possible, the following should be addressed:

• Remove all sudo composer privileges for all users to mitigate root privilege escalation.
• Avoid running Composer within an untrusted directory, or if needed, verify that the contents of vendor/composer/InstalledVersions.php and vendor/composer/installed.php do not include untrusted code.

A reset can also be done on these files by the following:

rm vendor/composer/installed.php vendor/composer/InstalledVersions.php
composer install --no-scripts --no-plugins

CVE-2024-35242

Impact

The composer install command running inside a git/hg repository which has specially crafted branch names can lead to command injection. So this requires cloning untrusted repositories.

Patches

2.2.24 for 2.2 LTS or 2.7.7 for mainline

Workarounds

Avoid cloning potentially compromised repositories.

CVE-2024-35241

Impact

The status, reinstall and remove commands with packages installed from source via git containing specially crafted branch names in the repository can be used to execute code.

Patches

2.2.24 for 2.2 LTS or 2.7.7 for mainline

Workarounds

Avoid installing dependencies via git by using --prefer-dist or the preferred-install: dist config setting.

---

Release Notes

composer/composer (composer/composer)

v2.2.24

Compare Source

This release includes fixes for issues found in a security audit by Cure53 funded by Alpha-Omega.

• Security: Fixed command injection via malicious git branch name (GHSA-47f6-5gq3-vx9c / CVE-2024-35241)
• Security: Fixed multiple command injections via malicious git/hg branch names (GHSA-v9qv-c7wm-wgmf / CVE-2024-35242)
• Security: Fixed secure-http checks that could be bypassed by using malformed URL formats (fa3b958)
• Security: Fixed Filesystem::isLocalPath including windows-specific checks on linux (3c37a67)
• Security: Fixed perforce argument escaping (3773f77)
• Security: Fixed handling of zip bombs when extracting archives (de5f7e3)
• Security: Fixed Windows command parameter escaping to prevent abuse of unicode characters with best fit encoding conversion (3130a74, 04a63b3)

v2.2.23

Compare Source

• Security: Fixed code execution and possible privilege escalation via compromised vendor dir contents (GHSA-7c6p-848j-wh5h / CVE-2024-24821)

v2.2.22

Compare Source

• Security: Fixed possible remote code execution vulnerability if composer.phar is publicly accessible, executable as PHP, and register_argc_argv is enabled in php.ini (GHSA-jm6m-4632-36hf / CVE-2023-43655)
  • Fixed authentication issue when downloading several files from private Bitbucket in parallel (#​11464)
  • Fixed handling of broken junctions on windows (#​11550)
  • Fixed loading of root aliases on path repo packages when doing partial updates (#​11632)
  • Fixed parsing of lib-curl-openssl version with OSX SecureTransport (#​11534)
  • Fixed binary proxies not being transparent when included by another PHP process and returning a value (#​11454)
  • Fixed support for plugin classes being marked as readonly (#​11404)
  • Fixed GitHub rate limit reporting (#​11366)
  • Fixed issue displaying solver problems with branch names containing % signs (#​11359)

v2.2.21

Compare Source

• Fixed extra.plugin-optional support in PluginInstaller when doing pre-install checks (#​11326)

v2.2.20

Compare Source

• Added extra.plugin-optional support for allow auto-disabling unknown plugins which are not critical when running non-interactive (#​11315)

v2.2.19

Compare Source

• Fixed URL sanitizer to handle new GitHub personal access tokens format (#​11137)
  • Fixed cache keys to allow _ to avoid conflicts between package names like a-b and a_b (#​11229)
  • Fixed handling of --ignore-platform-req with upper-bound ignores to not apply to conflict rules (#​11037)
  • Fixed handling of COMPOSER_DISCARD_CHANGES when set to 0

---

Configuration

📅 Schedule: Branch creation - "" in timezone UTC, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

Read more information about the use of Renovate Bot within Laminas.