Bug 2241496 (CVE-2023-43655)

Summary: CVE-2023-43655 composer: Remote Code Execution via web-accessible composer.phar
Product: [Other] Security Response
Component: vulnerability
Reporter: Patrick Del Bello <pdelbell>
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
Keywords: Security
Hardware: All
OS: Linux
Bug Depends On: 2241497, 2241498

Description Patrick Del Bello 2023-09-30 14:29:18 UTC
Composer is a dependency manager for PHP. Users publishing a composer.phar to a public web-accessible server where the composer.phar can be executed as a php file may be subject to a remote code execution vulnerability if PHP also has `register_argc_argv` enabled in php.ini. Versions 2.6.4, 2.2.22 and 1.10.27 patch this vulnerability. Users are advised to upgrade. Users unable to upgrade should make sure `register_argc_argv` is disabled in php.ini, and avoid publishing composer.phar to the web as this is not best practice.


https://github.com/composer/composer/commit/955a48e6319c8962e5cd421b07c00ab3c728968c
https://github.com/composer/composer/security/advisories/GHSA-jm6m-4632-36hf
https://github.com/composer/composer/commit/95e091c921037b7b6564942845e7b738f6b95c9c
https://github.com/composer/composer/commit/4fce14795aba98e40b6c4f5047305aba17a6120d
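An added audit script for the two workarounds the advisory names for users who cannot upgrade (it is not part of this bug report or of the Composer project): it reports any composer.phar below a web root and reads the effective `register_argc_argv` value from a php.ini. The web root and php.ini paths are arguments and therefore assumptions about the host being audited.

```shell
#!/bin/sh
# Added defender-side check, not Composer code. Usage:
#   check_composer_exposure /var/www/html /etc/php.ini
# Both paths are assumptions; pass the ones used by the audited host.

# Print "on" or "off": the effective register_argc_argv value in a php.ini.
# Commented lines (";") are skipped and the last assignment wins, as in PHP.
# PHP's built-in default is On (php.ini-production sets it Off), so a
# missing file or missing directive is reported as "on".
php_ini_register_argc_argv() {
    ini="$1"
    [ -r "$ini" ] || { echo "on"; return; }
    awk -F= '
        /^[[:space:]]*;/ { next }
        tolower($1) ~ /^[[:space:]]*register_argc_argv[[:space:]]*$/ {
            v = tolower($2); gsub(/[[:space:]"]/, "", v); gsub(/;.*/, "", v)
            if (v == "1" || v == "on" || v == "true" || v == "yes") val = "on"
            else val = "off"
        }
        END { if (val == "") val = "on"; print val }
    ' "$ini"
}

# List every composer.phar below the web root, one path per line (may be empty).
find_exposed_composer_phar() {
    find "$1" -type f -name 'composer.phar' 2>/dev/null
}

# Return 0 only when neither risk factor is present; otherwise explain and return 1.
check_composer_exposure() {
    webroot="$1"; ini="$2"; rc=0
    phars=$(find_exposed_composer_phar "$webroot")
    if [ -n "$phars" ]; then
        echo "composer.phar is published under the web root:"
        echo "$phars"
        rc=1
    fi
    if [ "$(php_ini_register_argc_argv "$ini")" = "on" ]; then
        echo "register_argc_argv is enabled (or left at PHP's default) in $ini"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: no web-accessible composer.phar and register_argc_argv is Off"
    fi
    return "$rc"
}
```

Disabling `register_argc_argv` only removes the precondition; the advisory's primary fix remains upgrading to 2.6.4, 2.2.22 or 1.10.27.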

Comment 1 Patrick Del Bello 2023-09-30 14:29:33 UTC
Created composer tracking bugs for this issue:

Affects: epel-all [bug 2241497]
Affects: fedora-all [bug 2241498]