Update dependency composer/composer to ^2.9.6 [SECURITY] - autoclosed#992
Closed
renovate[bot] wants to merge 1 commit into8.21.xfrom
Closed
Update dependency composer/composer to ^2.9.6 [SECURITY] - autoclosed#992renovate[bot] wants to merge 1 commit into8.21.xfrom
renovate[bot] wants to merge 1 commit into8.21.xfrom
Conversation
| datasource | package | from | to | | ---------- | ----------------- | ----- | ----- | | packagist | composer/composer | 2.9.5 | 2.9.6 |
renovate
bot
changed the title
renovate
bot
deleted the
renovate/packagist-composer-composer-vulnerability
branch
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
^2.9.5→^2.9.6GitHub Vulnerability Alerts
CVE-2026-40261
Impact
The
Perforce::syncCodeBase()method appended the$sourceReferenceparameter to a shell command without proper escaping, allowing an attacker to inject arbitrary commands through a crafted source reference containing shell metacharacters. Further as in GHSA-wg36-wvj6-r67p / CVE-2026-40176 thePerforce::generateP4Command()method constructed shell commands by interpolating user-supplied Perforce connection parameters (port, user, client) without proper escaping from the source url field. Composer would execute these injected commands even if Perforce is not installed.The source reference and url are provided as part of package metadata. Any Composer package repository can serve package metadata declaring perforce as a source type with a malicious source reference or source url. This means the vulnerability can be exploited through any package served by a compromised or malicious Composer repository. An attack does not require Perforce to be installed on the client, as Composer will attempt to execute the constructed command regardless.
This vulnerability is exploitable when installing or updating dependencies from source (
--prefer-source, default when installing dev prefixed versions), even if you do not use Perforce.Patches
Fixed in Composer 2.2.27 (2.2 LTS) and 2.9.6 (mainline)
Note, the fix for the source url in the
Perforce::generateP4Command()was addressed as part of the patches for GHSA-wg36-wvj6-r67p / CVE-2026-40176 in the same versions.Workarounds
--prefer-distor thepreferred-install: distconfig setting.CVE-2026-40176
Impact
The
Perforce::generateP4Command()method constructed shell commands by interpolating user-supplied Perforce connection parameters (port, user, client) without proper escaping. An attacker controlling a repository configuration in a malicious composer.json declaring a Perforce VCS repository could inject arbitrary commands through these values, leading to command execution in the context of the user running Composer. Composer would execute these injected commands even if Perforce is not installed.VCS repositories are only loaded from the root composer.json file located in the directory you execute Composer commands in and from the composer config directory (e.g.
~/.config/composer/composer.json). So this vulnerability cannot be exploited through composer.json files of packages installed as dependencies.You are at risk of command execution if you run Composer commands on untrusted projects with attacker supplied composer.json files, regardless of whether you or any of your dependencies use Perforce.
Patches
Fixed in Composer 2.2.27 (2.2 LTS) and 2.9.6 (mainline)
Workarounds
Release Notes
composer/composer (composer/composer)
v2.9.6Compare Source
2bcbfc3)5e71d77)ef3fc08)-do not cause issues (6621d45,d836b90,5e08c76)Configuration
📅 Schedule: (in timezone UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
Read more about the use of Renovate Bot within
ocramius/*projects.