[packages/composer] Up to 1.10.22, fixes CVE-2021-29472

glen glen at pld-linux.org
Mon May 10 17:35:28 CEST 2021


commit cc5c8887ebae8eb6d5e16714b0cab4cc0b4a1469
Author: Elan Ruusamäe <glen at pld-linux.org>
Date:   Mon May 10 18:27:55 2021 +0300

    Update to 1.10.22; fixes CVE-2021-29472
    
    https://blog.packagist.com/composer-command-injection-vulnerability/

 autoload.patch | 20 ++++++++++----------
 composer.spec  |  4 ++--
 2 files changed, 12 insertions(+), 12 deletions(-)
---
diff --git a/composer.spec b/composer.spec
index 07bb61d..754917a 100644
--- a/composer.spec
+++ b/composer.spec
@@ -10,12 +10,12 @@
 %define		php_min_version 5.3.4
 Summary:	Dependency Manager for PHP
 Name:		composer
-Version:	1.10.16
+Version:	1.10.22
 Release:	1
 License:	MIT
 Group:		Development/Languages/PHP
 Source0:	https://github.com/composer/composer/archive/%{version}/%{name}-%{version}.tar.gz
-# Source0-md5:	6d217ad0ce7d007280de12070680b36a
+# Source0-md5:	26ca3d0e9229d7fa8b13d7b22fa9243e
 Source2:	https://raw.githubusercontent.com/iArren/%{name}-bash-completion/86a8129/composer
 # Source2-md5:	cdeebf0a0da1fd07d0fd886d0461642e
 Source3:	autoload.php
diff --git a/autoload.patch b/autoload.patch
index b6474e4..493e0ea 100644
--- a/autoload.patch
+++ b/autoload.patch
@@ -1,5 +1,5 @@
---- composer-1.6.5/bin/composer~	2018-05-04 12:44:59.000000000 +0300
-+++ composer-1.6.5/bin/composer	2018-05-20 18:46:39.628512375 +0300
+--- composer-1.10.22/bin/composer~	2021-04-27 14:10:45.000000000 +0300
++++ composer-1.10.22/bin/composer	2021-05-10 18:32:01.839944783 +0300
 @@ -6,7 +6,11 @@
  }
  
@@ -11,8 +11,8 @@
 +	require '/usr/share/php/Composer/autoload.php';
 +}
  
- use Composer\Factory;
- use Composer\XdebugHandler;
+ use Composer\Console\Application;
+ use Composer\XdebugHandler\XdebugHandler;
 --- composer-1.9.0/src/Composer/Json/JsonFile.php~	2019-08-02 21:55:33.000000000 +0300
 +++ composer-1.9.0/src/Composer/Json/JsonFile.php	2019-08-11 19:59:58.343540127 +0300
 @@ -34,7 +34,7 @@
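Review bot: The JsonFile.php segment of the embedded patch still carries `composer-1.9.0` file headers (the `--- composer-1.9.0/src/Composer/Json/JsonFile.php~` / `+++ composer-1.9.0/src/Composer/Json/JsonFile.php` pair kept as context here) while the bin/composer and AutoloadGenerator.php segments were re-diffed against 1.10.22, so the rebase is incomplete and that segment is left to apply by offset or fuzz. Regenerate it against the 1.10.22 tree as well so the headers read `--- composer-1.10.22/src/Composer/Json/JsonFile.php~` and `+++ composer-1.10.22/src/Composer/Json/JsonFile.php` with current context lines. If the spec applies this patch with patch's default fuzz (the %prep section is not visible in this commit), a hunk that drifts on a future bump could be placed silently at the wrong spot; applying with fuzz disabled (`-F0`) turns that into a build failure instead. The JsonFile.php `@@ -34,7 +34,7 @@` hunk itself continues past the end of this hunk.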
@@ -24,14 +24,14 @@
  
      private $path;
      private $rfs;
---- composer-1.0.0-15.alpha11/src/Composer/Autoload/AutoloadGenerator.php~	2015-11-14 18:21:07.000000000 +0200
-+++ composer-1.0.0-15.alpha11/src/Composer/Autoload/AutoloadGenerator.php	2015-11-26 14:52:01.344498517 +0200
-@@ -275,7 +275,7 @@
-         file_put_contents($targetDir.'/autoload_real.php', $this->getAutoloadRealFile(true, (bool) $includePathFileContents, $targetDirLoader, (bool) $includeFilesFileContents, $vendorPathCode, $appBaseDirCode, $suffix, $useGlobalIncludePath, $prependAutoloader));
+--- composer-1.10.22/src/Composer/Autoload/AutoloadGenerator.php~	2021-04-27 14:10:45.000000000 +0300
++++ composer-1.10.22/src/Composer/Autoload/AutoloadGenerator.php	2021-05-10 18:34:23.023946419 +0300
+@@ -315,7 +315,7 @@
+         $this->filePutContentsIfModified($targetDir.'/autoload_real.php', $this->getAutoloadRealFile(true, (bool) $includePathFileContents, $targetDirLoader, (bool) $includeFilesFileContents, $vendorPathCode, $appBaseDirCode, $suffix, $useGlobalIncludePath, $prependAutoloader, $staticPhpVersion));
  
          $this->safeCopy(__DIR__.'/ClassLoader.php', $targetDir.'/ClassLoader.php');
 -        $this->safeCopy(__DIR__.'/../../../LICENSE', $targetDir.'/LICENSE');
 +        $this->safeCopy(__DIR__.'/../res/LICENSE', $targetDir.'/LICENSE');
  
-         $this->eventDispatcher->dispatchScript(ScriptEvents::POST_AUTOLOAD_DUMP, $this->devMode, array(), array(
-             'optimize' => (bool) $scanPsr0Packages,
+         if ($this->runScripts) {
+             $this->eventDispatcher->dispatchScript(ScriptEvents::POST_AUTOLOAD_DUMP, $this->devMode, array(), array(

---- gitweb:

http://git.pld-linux.org/gitweb.cgi/packages/composer.git/commitdiff/cc5c8887ebae8eb6d5e16714b0cab4cc0b4a1469


