FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

Composer -- Multiple command injections via malicious git/hg branch names

Affected packages
php81-composer < 2.7.7
php82-composer < 2.7.7
php83-composer < 2.7.7

Details

VuXML ID: 5f608c68-276c-11ef-8caa-0897988a1c07
Discovery: 2024-06-10
Entry: 2024-06-10

Composer project reports:

The status, reinstall and remove commands with packages installed from source via git containing specially crafted branch names in the repository can be used to execute code.

The composer install command running inside a git/hg repository which has specially crafted branch names can lead to command injection. So this requires cloning untrusted repositories.
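
Both advisories boil down to the same defender-side questions: is the installed Composer at or above the fixed release, and do the git checkouts on a host carry branch names of the "specially crafted" kind (names a shell or git's option parser would interpret)? The script below is an added example written for this entry; it is not Composer's own code and not part of the FreeBSD advisory. It assumes `composer --version` prints a line of the form `Composer version X.Y.Z ...`, treats a leading `-` or any POSIX shell metacharacter in a ref name as suspicious, and calls git only through argument lists (never a shell), so the checker itself cannot be influenced by the names it inspects.

```python
"""Defensive checks for the Composer branch-name command-injection advisories.

  1. composer_is_fixed(): is the installed Composer >= 2.7.7 (the fixed release)?
  2. scan_vendor_tree(): which git checkouts under a directory (e.g. vendor/)
     have branch names containing shell metacharacters or a leading dash?

Every external command is run with an argv list and no shell.
"""
import re
import subprocess
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# From the advisory: php8x-composer < 2.7.7 is affected.
FIXED_VERSION: Tuple[int, ...] = (2, 7, 7)

# Characters git permits in a ref name but which a POSIX shell treats specially.
SHELL_METACHARACTERS = set(";|&$`()<>'\"\n")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Return the first X.Y.Z version found in text as a tuple, or None.
    Assumed format: 'Composer version 2.7.7 2024-06-10 ...'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(p) for p in m.groups()) if m else None


def composer_is_fixed(version_text: str) -> bool:
    """True when the version in version_text is at or above 2.7.7."""
    v = parse_version(version_text)
    return v is not None and v >= FIXED_VERSION


def is_suspicious_ref_name(name: str) -> bool:
    """Flag names git would parse as an option or a shell would interpret."""
    if name.startswith("-"):  # looks like a command-line option to git
        return True
    return any(ch in SHELL_METACHARACTERS for ch in name)


def list_ref_names(repo: Path) -> List[str]:
    """Short names of local and remote-tracking branches in repo.
    %00 is git's hex escape for NUL, so names are split unambiguously."""
    out = subprocess.run(
        ["git", "-C", str(repo), "for-each-ref",
         "--format=%(refname:short)%00", "refs/heads", "refs/remotes"],
        capture_output=True, text=True, check=True,
    ).stdout
    return [n for n in out.split("\0") if n]


def scan_repo(repo: Path) -> List[str]:
    """Suspicious branch names present in one repository."""
    return [n for n in list_ref_names(repo) if is_suspicious_ref_name(n)]


def scan_vendor_tree(root: Path) -> Dict[str, List[str]]:
    """Walk root for git checkouts (a .git directory or file) and report
    every one with suspicious branch names as {repo_path: [names]}."""
    findings: Dict[str, List[str]] = {}
    for gitdir in root.rglob(".git"):
        repo = gitdir.parent
        hits = scan_repo(repo)
        if hits:
            findings[str(repo)] = hits
    return findings


if __name__ == "__main__":
    import sys
    try:
        version_out = subprocess.run(["composer", "--version"],
                                     capture_output=True, text=True).stdout
        print("composer at or above 2.7.7:", composer_is_fixed(version_out))
    except FileNotFoundError:
        print("composer not found on PATH")
    root = Path(sys.argv[1] if len(sys.argv) > 1 else "vendor")
    for repo, names in scan_vendor_tree(root).items():
        print(f"{repo}: suspicious branch names {names}")
```

Run it from a project root (`python check_composer.py vendor`) after cloning anything untrusted; an empty report plus a fixed Composer version is the expected state. The metacharacter list is deliberately broad: a hit is a prompt to look at the branch, not proof of exploitation.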

References

CVE Name: CVE-2024-35241
CVE Name: CVE-2024-35242
URL: https://github.com/composer/composer/security/advisories/GHSA-47f6-5gq3-vx9c
URL: https://github.com/composer/composer/security/advisories/GHSA-v9qv-c7wm-wgmf