Bug 1185376 - (CVE-2021-29472) VUL-0: CVE-2021-29472: php-composer: crafted URL values allow code to be executed in the HgDriver
VUL-0: CVE-2021-29472: php-composer: crafted URL values allow code to be exec...
Classification: openSUSE
Product: openSUSE Distribution
Classification: openSUSE
Component: Basesystem
Leap 15.2
Other Other
: P3 - Medium : Minor (vote)
: ---
Assigned To: Security Team bot
Security Team bot
Depends on:
  Show dependency treegraph
Reported: 2021-04-28 06:39 UTC by Alexander Bergmann
Modified: 2021-09-21 16:22 UTC (History)
1 user (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Alexander Bergmann 2021-04-28 06:39:41 UTC

Composer is a dependency manager for PHP. URLs for Mercurial repositories in the
root composer.json and package source download URLs are not sanitized correctly.
Specifically crafted URL values allow code to be executed in the HgDriver if
hg/Mercurial is installed on the system. The impact to Composer users directly
is limited as the composer.json file is typically under their own control and
source download URLs can only be supplied by third party Composer repositories
they explicitly trust to download and execute source code from, e.g. Composer
plugins. The main impact is to services passing user input to Composer,
including Packagist.org and Private Packagist. This allowed users to trigger
remote code execution. The vulnerability has been patched on Packagist.org and
Private Packagist within 12h of receiving the initial vulnerability report and
based on a review of logs, to the best of our knowledge, was not abused by
anyone. Other services/tools using VcsRepository/VcsDriver or derivatives may
also be vulnerable and should upgrade their composer/composer dependency
immediately. Versions 1.10.22 and 2.0.13 include patches for this issue.

Comment 1 Johannes Weberhofer 2021-09-16 15:40:26 UTC
Updated package to fix the issue.
Comment 2 OBSbugzilla Bot 2021-09-16 16:40:07 UTC
This is an autogenerated message for OBS integration:
This bug (1185376) was mentioned in
https://build.opensuse.org/request/show/919546 15.2+Backports:SLE-15-SP1+Backports:SLE-15-SP2+Backports:SLE-15-SP3 / php-composer
Comment 3 Swamp Workflow Management 2021-09-21 16:22:19 UTC
# maintenance_jira_update_notice
openSUSE-SU-2021:1289-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 1185376,1187416
CVE References: CVE-2021-29472
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    php-composer-1.10.22-lp152.2.3.1
openSUSE Backports SLE-15-SP3 (src):    php-composer-1.10.22-bp153.2.3.1
openSUSE Backports SLE-15-SP2 (src):    php-composer-1.10.22-bp152.2.3.1
openSUSE Backports SLE-15-SP1 (src):    php-composer-1.10.22-bp151.3.3.1