From 5301839eb4c41a40eb76aa23c69270382b71b4c2 Mon Sep 17 00:00:00 2001
From: root
Date: Wed, 31 Jul 2024 17:19:29 +0800
Subject: [PATCH 1/2] Bugfix for CVE-2024-35242

---
Bugfix-for-CVE-2024-35242.patch | 94 +++++++++++++++++++++++++++++++++
composer.spec | 10 +++-
2 files changed, 103 insertions(+), 1 deletion(-)
create mode 100644 Bugfix-for-CVE-2024-35242.patch

diff --git a/Bugfix-for-CVE-2024-35242.patch b/Bugfix-for-CVE-2024-35242.patch
new file mode 100644
index 0000000..71356f5
--- /dev/null
+++ b/Bugfix-for-CVE-2024-35242.patch
@@ -0,0 +1,94 @@ +From b7961dc0931a74cda7d92ee40399bf9bcc0e5d71 Mon Sep 17 00:00:00 2001 +From: root +Date: Wed, 31 Jul 2024 16:17:06 +0800 +Subject: [PATCH] Bugfix for CVE-2024-35242 + +--- + src/Composer/Package/Version/VersionGuesser.php | 15 ++++++++------- + .../Test/Package/Version/VersionGuesserTest.php | 6 +++--- + 2 files changed, 11 insertions(+), 10 deletions(-) + +diff --git a/src/Composer/Package/Version/VersionGuesser.php b/src/Composer/Package/Version/VersionGuesser.php +index 2b2b197..72fc799 100644 +--- a/src/Composer/Package/Version/VersionGuesser.php ++++ b/src/Composer/Package/Version/VersionGuesser.php +@@ -173,7 +173,7 @@ private function guessGitVersion(array $packageConfig, string $path): array + $featurePrettyVersion = $prettyVersion; + + // try to find the best (nearest) version branch to assume this feature's version +- $result = $this->guessFeatureVersion($packageConfig, $version, $branches, 'git rev-list %candidate%..%branch%', $path); ++ $result = $this->guessFeatureVersion($packageConfig, $version, $branches, ['git', 'rev-list', '%candidate%..%branch%'], $path); + $version = $result['version']; + $prettyVersion = $result['pretty_version']; + } +@@ -248,7 +248,7 @@ private function guessHgVersion(array $packageConfig, string $path): ?array + $branches = array_map('strval', array_keys($driver->getBranches())); + + // try to find the best (nearest) version branch to assume this feature's version +- $result = $this->guessFeatureVersion($packageConfig, $version, $branches, 'hg log -r "not ancestors(\'%candidate%\') and ancestors(\'%branch%\')" --template "{node}\\n"', $path); ++ $result = $this->guessFeatureVersion($packageConfig, $version, $branches, ['hg', 'log', '-r', 'not ancestors(\'%candidate%\') and ancestors(\'%branch%\')', '--template', '"{node}\\n"'], $path); + $result['commit'] = ''; + $result['feature_version'] = $version; + $result['feature_pretty_version'] = $version; +@@ -261,13 +261,12 @@ private function 
guessHgVersion(array $packageConfig, string $path): ?array + + /** + * @param array $packageConfig +- * @param string[] $branches +- * +- * @phpstan-param non-empty-string $scmCmdline ++ * @param list $branches ++ * @param list $scmCmdline + * + * @return array{version: string|null, pretty_version: string|null} + */ +- private function guessFeatureVersion(array $packageConfig, ?string $version, array $branches, string $scmCmdline, string $path): array ++ private function guessFeatureVersion(array $packageConfig, ?string $version, array $branches, array $scmCmdline, string $path): array + { + $prettyVersion = $version; + +@@ -309,7 +308,9 @@ private function guessFeatureVersion(array $packageConfig, ?string $version, arr + continue; + } + +- $cmdLine = str_replace(['%candidate%', '%branch%'], [$candidate, $branch], $scmCmdline); ++ $cmdLine = array_map(static function (string $component) use ($candidate, $branch) { ++ return str_replace(['%candidate%', '%branch%'], [$candidate, $branch], $component); ++ }, $scmCmdline); + $promises[] = $this->process->executeAsync($cmdLine, $path)->then(function (Process $process) use (&$length, &$version, &$prettyVersion, $candidateVersion, &$promises): void { + if (!$process->isSuccessful()) { + return; +diff --git a/tests/Composer/Test/Package/Version/VersionGuesserTest.php b/tests/Composer/Test/Package/Version/VersionGuesserTest.php +index 2e59afe..a55244a 100644 +--- a/tests/Composer/Test/Package/Version/VersionGuesserTest.php ++++ b/tests/Composer/Test/Package/Version/VersionGuesserTest.php +@@ -117,7 +117,7 @@ public function testGuessVersionReadsAndRespectsNonFeatureBranchesConfigurationF + 'stdout' => " arbitrary $commitHash Commit message\n* feature $anotherCommitHash Another message\n", + ], + [ +- 'cmd' => 'git rev-list arbitrary..feature', ++ 'cmd' => ['git', 'rev-list', 'arbitrary..feature'], + 'stdout' => "$anotherCommitHash\n", + ], + ], true); +@@ -147,7 +147,7 @@ public function 
testGuessVersionReadsAndRespectsNonFeatureBranchesConfigurationF + 'stdout' => " latest-testing $commitHash Commit message\n* feature $anotherCommitHash Another message\n", + ], + [ +- 'cmd' => 'git rev-list latest-testing..feature', ++ 'cmd' => ['git', 'rev-list', 'latest-testing..feature'], + 'stdout' => "$anotherCommitHash\n", + ], + ], true); +@@ -352,7 +352,7 @@ public function testRemoteBranchesAreSelected(): void + "remotes/origin/1.5 03a15d220da53c52eddd5f32ffca64a7b3801bea Commit message\n", + ], + [ +- 'cmd' => 'git rev-list remotes/origin/1.5..feature-branch', ++ 'cmd' => ['git', 'rev-list', 'remotes/origin/1.5..feature-branch'], + 'stdout' => "\n", + ], + ], true); +-- +2.27.0 + diff --git a/composer.spec b/composer.spec index 108171d..9f65026 100644 --- a/composer.spec +++ b/composer.spec @@ -1,4 +1,4 @@ -%define anolis_release 1 +%define anolis_release 2 %undefine __brp_mangle_shebangs %global gh_commit aaf6ed5ccd27c23f79a545e351b4d7842a99d0bc @@ -39,6 +39,11 @@ Patch1: %{name}-noxdg.patch # Use Aliyun mirror by default Patch10: composer-add-aliyun-repository.patch +# CVE-2024-35242 +# Tracking bug: https://security-tracker.debian.org/tracker/CVE-2024-35242 +# Upstream fix: https://github.com/composer/composer/commit/6bd43dff859c597c09bd03a7e7d6443822d0a396 +Patch11: Bugfix-for-CVE-2024-35242.patch + BuildArch: noarch # platform set in makesrc.sh BuildRequires: php(language) >= 7.2.5 @@ -220,6 +225,9 @@ install -Dpm 755 bin/%{name} %{buildroot}%{_bindir}/%{name} %doc composer.json %changelog +* Wed Jul 31 2024 lidongyue 2.7.1-2 +- Fix CVE-2024-35242 + * Mon May 6 2024 yangxinyu - 2.7.1-1 - New version 2.7.1 -- Gitee From 817c3fce7ad71866fd1efd4f9f9bb536caf63296 Mon Sep 17 00:00:00 2001 
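Review bot: The backported guessFeatureVersion change hands list-form commands to `$this->process->executeAsync($cmdLine, $path)`, and the test changes hand list-form `'cmd'` values to the process mock, yet the patch touches neither ProcessExecutor nor the mock, so it presumes the packaged 2.7.1 already accepts `list<string>` commands there; that should be confirmed against the packaged source rather than assumed. The same presumption applies to `$this->process->execute($command, $output, $path)` in Bugfix-for-CVE-2024-35241.patch in the second commit. The nested patch header is authored as "root" with only a subject line, while the upstream commit id appears only in composer.spec; adding `Upstream: https://github.com/composer/composer/commit/6bd43dff859c597c09bd03a7e7d6443822d0a396` to the patch header would make the provenance traceable from the patch file alone. guessFeatureVersion's body begins and ends outside the inner hunks.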
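Review bot: Patch11 is only declared in this hunk; whether it is actually applied depends on the %prep section, which is outside the diff — if the spec lists patches explicitly instead of using `%autosetup`, a matching `%patch11 -p1` line is needed, and the same holds for Patch12 in the second commit. The comment block naming the tracking bug and the upstream fix is the right pattern; since the patch file itself carries no upstream reference, this comment is the only place the backport is tied to commit 6bd43dff859c597c09bd03a7e7d6443822d0a396, so keep it accurate if the patch is refreshed.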
From: root
Date: Thu, 1 Aug 2024 10:42:39 +0800
Subject: [PATCH 2/2] Bugfix for CVE-2024-35241

---
Bugfix-for-CVE-2024-35241.patch | 28 ++++++++++++++++++++++++++++
composer.spec | 10 +++++++++-
2 files changed, 37 insertions(+), 1 deletion(-)
create mode 100644 Bugfix-for-CVE-2024-35241.patch

diff --git a/Bugfix-for-CVE-2024-35241.patch b/Bugfix-for-CVE-2024-35241.patch
new file mode 100644
index 0000000..8f36af4
--- /dev/null
+++ b/Bugfix-for-CVE-2024-35241.patch
@@ -0,0 +1,28 @@
+From 7a3ed0f0520d5129c67556f883f4f7d03eff1ca9 Mon Sep 17 00:00:00 2001
+From: root
+Date: Thu, 1 Aug 2024 10:37:47 +0800
+Subject: [PATCH] Bugfix for CVE-2024-35241
+
+---
+ src/Composer/Downloader/GitDownloader.php | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/Composer/Downloader/GitDownloader.php b/src/Composer/Downloader/GitDownloader.php
+index 0840219..b29782d 100644
+--- a/src/Composer/Downloader/GitDownloader.php
++++ b/src/Composer/Downloader/GitDownloader.php
+@@ -294,9 +294,9 @@ public function getUnpushedChanges(PackageInterface $package, string $path): ?st
+ $unpushedChanges = null;
+ }
+ foreach ($remoteBranches as $remoteBranch) {
+- $command = sprintf('git diff --name-status %s...%s --', $remoteBranch, $branch);
++ $command = ['git', 'diff', '--name-status', $remoteBranch.'...'.$branch, '--'];
+ if (0 !== $this->process->execute($command, $output, $path)) {
+- throw new \RuntimeException('Failed to execute ' . $command . "\n\n" . $this->process->getErrorOutput());
++ throw new \RuntimeException('Failed to execute ' . implode(' ', $command) . "\n\n" . $this->process->getErrorOutput());
+ }
+
+ $output = trim($output);
+--
+2.27.0
+
diff --git a/composer.spec b/composer.spec
index 9f65026..8aed019 100644
--- a/composer.spec
+++ b/composer.spec
@@ -1,4 +1,4 @@
-%define anolis_release 2
+%define anolis_release 3
%undefine __brp_mangle_shebangs
%global gh_commit aaf6ed5ccd27c23f79a545e351b4d7842a99d0bc
@@ -44,6 +44,11 @@ Patch10: composer-add-aliyun-repository.patch
# Upstream fix: https://github.com/composer/composer/commit/6bd43dff859c597c09bd03a7e7d6443822d0a396
Patch11: Bugfix-for-CVE-2024-35242.patch
+# CVE-2024-35241
+# Tracking bug: https://security-tracker.debian.org/tracker/CVE-2024-35241
+# Upstream fix: https://github.com/composer/composer/commit/ee28354ca8d33c15949ad7de2ce6656ba3f68704
+Patch12: Bugfix-for-CVE-2024-35241.patch
+
BuildArch: noarch
# platform set in makesrc.sh
BuildRequires: php(language) >= 7.2.5
@@ -225,6 +230,9 @@ install -Dpm 755 bin/%{name} %{buildroot}%{_bindir}/%{name}
%doc composer.json
%changelog
+* Thu Aug 01 2024 lidongyue 2.7.1-3
+- Fix CVE-2024-35241
+
* Wed Jul 31 2024 lidongyue 2.7.1-2
- Fix CVE-2024-35242
--
Gitee