From nobody Fri Sep 29 20:57:24 2023 X-Original-To: dev-commits-ports-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4Ry2jJ2Wcpz4vfZc; Fri, 29 Sep 2023 20:57:24 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4Ry2jJ21jVz3SLc; Fri, 29 Sep 2023 20:57:24 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1696021044; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=Iwau72MNUVji4qSpZ+yaiiXWc6hMrPPYjOiQPTZ8ycQ=; b=v7W1zPP1OietsLr0rSioxJ5M3Q5NJC25vDThm4QKOieE6yzJMaJt1wbaf+Old+X8KFdnd1 TkErAL1HfRNjWxir49fYkjtZg0JFWinBfhBSp14IXWcgFa8OU1YynKyQ3a7hPtMMgh9UM1 hW1R6n5ZPRAj274QnyzJ8wmAlfPmjec6CxSQM2EmJ99n8ipn0fSfdatwyKYMRV0z6t94eO 63Pwu4KZGyw7tgR5AdnliZso73gdGbHiRGKkL/MdVeYhZIEqZj9FXd7Csz3cVlNkv7EKDp lukSp6bs2U9SHoGT3Ef9eUUYoihucS0Dulx00KLcpdQUGzdu5ou8xe+a7NgH7w== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1696021044; a=rsa-sha256; cv=none; b=MKo6DTBlEMVs/TA6hUlay9069kijtg4vKS3WqjKHbQOTXkvnWa7yqgmOXSWfmzr1Yd3Aqo b0xsqjKcBf2mdLhkMq2a0n4vQNzaMI4NpINSCYCM2w1Hfb/Yp+uywxInnfaLgTNe12VFDl 414fdxXPa69AcmZ+Kk/RDGwjRid/pkGYEmgjQ18Sroch9tV2jlSJP56Kq2NQ1vkxoGY9mw er08GuMQpOgTXA4YgLAIBHkBxf3mrxKbohPb8Db/4Xv2KOfoM7pRYr6cfJLUahBiyRW4pQ o3Ne6xqLGwdahPT30Jnqymcs1+FZcqVL4CDLI2p1IVZQNCyJqvk0G87g80elOg== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1696021044; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=Iwau72MNUVji4qSpZ+yaiiXWc6hMrPPYjOiQPTZ8ycQ=; b=XmwQE3069G7LDvmoakqVvgB4nF2O+QD+Q4ar3tShA134UQmbgPQModKHaHyDvGbD+1D64g p9c/Oo5vX1+JqkPh54QNzMiDOcehlGSv1xzJTM6Eo2yHL2Ek54VN+vNluXCfqv2kj2KBIs K2YTM6jUeYVg8JH/6cB/AoVwe9GdUM5zKEa1ZPt9i9C9EcH0HHglVlxaXEKi5527uQQChB TNqXW3vlZj5j2YCXUc5TlGtSMCB9M3dBEZDhbiVMGnBBKuVJiX91b9SxOd2L5Qg63YlAM2 0P0opFbOWP/mGAc6V3Mz9zqxSuuxG0i6yQCPtJ8nQwNiw/dIj6fQDBqoPGKvsg== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4Ry2jJ15N1z4Wf; Fri, 29 Sep 2023 20:57:24 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.17.1/8.17.1) with ESMTP id 38TKvOdv017724; Fri, 29 Sep 2023 20:57:24 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.17.1/8.17.1/Submit) id 38TKvOja017721; Fri, 29 Sep 2023 20:57:24 GMT (envelope-from git) Date: Fri, 29 Sep 2023 20:57:24 GMT Message-Id: <202309292057.38TKvOja017721@gitrepo.freebsd.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org From: Guido Falsi Subject: git: 04f4d5ba9b2a - main - security/vuxml: Add devel/php-composer* vulnerability List-Id: Commit messages for all branches of the ports repository List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-ports-all@freebsd.org X-BeenThere: dev-commits-ports-all@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: madpilot X-Git-Repository: ports X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 04f4d5ba9b2a920d6fd52ebec4d8fdfb18de8adb Auto-Submitted: auto-generated The branch main has been updated by madpilot: URL: https://cgit.FreeBSD.org/ports/commit/?id=04f4d5ba9b2a920d6fd52ebec4d8fdfb18de8adb commit 04f4d5ba9b2a920d6fd52ebec4d8fdfb18de8adb Author: Guido Falsi AuthorDate: 2023-09-29 20:56:19 +0000 Commit: Guido Falsi CommitDate: 2023-09-29 20:56:19 +0000 security/vuxml: Add devel/php-composer* vulnerability --- security/vuxml/vuln/2023.xml | 47 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 47 insertions(+) diff --git a/security/vuxml/vuln/2023.xml b/security/vuxml/vuln/2023.xml index 7d506465a787..fdcf2b9b620d 100644 --- a/security/vuxml/vuln/2023.xml +++ b/security/vuxml/vuln/2023.xml @@ -1,3 +1,50 @@ + + Remote Code Execution via web-accessible composer + + + php80-composer + 1.10.27 + + + php81-composer + 1.10.27 + + + php82-composer + 1.10.27 + + + php80-composer2 + 2.6.4 + + + php81-composer2 + 2.6.4 + + + php82-composer2 + 2.6.4 + + + + +

Composer project reports:

+
+

Description: Users publishing a composer.phar to a public web-accessible server where the composer.phar can be executed as a php file may be impacted if PHP also has register_argc_argv enabled in php.ini.

+

Workaround: Make sure register_argc_argv is disabled in php.ini, and avoid publishing composer.phar to the web as this really should not happen.

+
+ + + + CVE-2023-43655 + https://github.com/composer/composer/security/advisories/GHSA-jm6m-4632-36hf + + + 2023-09-29 + 2023-09-29 + + + chromium -- multiple vulnerabilities