Composer version 1.4.13 appears to be missing security patch

Question

Composer version 1.4.13 appears to be missing security patch

cianevans opened this issue 3 years ago · comments

When downloading latest version (v1.4.13) via composer it does not seem to contain the security patch for "Disallow symlinks to out-of-path filenames" (cde4605).

This seems to download the following package:
https://codeload.github.com/pear/Archive_Tar/legacy.zip/2b87b41178cc6d4ad3cba678a46a1cae49786011

Steps to reproduce:

'composer require pear/archive_tar'
The package.xml states the version as 1.4.13, however if you look in Archive/Tar.php at line 2126 it is missing the code changes above.

Fortiguard blocks this download due to the follwing threat:
https://www.fortiguard.com/encyclopedia/ips/49786

Michiel Rook · Answer 1 · Thu Jul 15 2021 02:55:27 GMT+0800 (China Standard Time)

Hi @cianevans I'm rolling a new release next week, then this should be sorted as well. Thanks for reporting.

Michiel Rook · Answer 2 · Wed Jul 21 2021 03:37:49 GMT+0800 (China Standard Time)

1.4.14 was just released, this should be fixed now.