
[Security] Bump symfony/process from 6.4.7 to 6.4.15

Dependabot requested to merge dependabot-composer-symfony-process-6.4.15 into main

Bumps symfony/process from 6.4.7 to 6.4.15. This update includes a security fix.

Vulnerabilities fixed

Symfony vulnerable to command execution hijack on Windows with Process class

Description

On Windows, when an executable file named cmd.exe is located in the current working directory, it will be called by the Process class when preparing command arguments, leading to possible hijacking.

Resolution

The Process class now uses the absolute path to cmd.exe.

The patch for this issue is available here for branch 5.4.
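An added illustration of the lookup order the resolution describes (this is not Symfony's code; the `resolveShell` and `cwdShadowsShell` helpers, the directory layout and the file contents are constructed for the demonstration): the hardened lookup searches the directories of `PATH` and falls back to an absolute path, so a `cmd.exe` planted in the current working directory is never selected, while the naive relative lookup picks it up.

```php
<?php
// Added example, not Symfony's code: resolve the shell by searching the
// directories of PATH before the current working directory, mirroring the
// "use %PATH% before %CD%" order of the fix. All paths are constructed.
declare(strict_types=1);

/**
 * Return the first existing $exe found in $pathDirs, else $fallback (an
 * absolute path). The CWD is deliberately never consulted.
 * @param string[] $pathDirs entries of the PATH environment variable
 */
function resolveShell(array $pathDirs, string $exe, string $fallback): string
{
    foreach ($pathDirs as $dir) {
        $dir = rtrim($dir, '\\/');
        if ($dir === '' || $dir === '.') {
            continue; // an empty or "." PATH entry means the CWD: skip it
        }
        $candidate = $dir . DIRECTORY_SEPARATOR . $exe;
        if (is_file($candidate)) {
            return $candidate;
        }
    }
    return $fallback;
}

/** Detection helper: does the CWD contain a file shadowing the shell name? */
function cwdShadowsShell(string $cwd, string $exe): bool
{
    return is_file($cwd . DIRECTORY_SEPARATOR . $exe);
}

// Constructed layout in a temporary directory: a planted cmd.exe in the
// project directory (CWD) and the legitimate one in a "system32" directory.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'process-demo-' . bin2hex(random_bytes(4));
$cwd = $root . DIRECTORY_SEPARATOR . 'project';
$sys = $root . DIRECTORY_SEPARATOR . 'system32';
mkdir($cwd, 0700, true);
mkdir($sys, 0700, true);
file_put_contents($cwd . DIRECTORY_SEPARATOR . 'cmd.exe', 'planted');
file_put_contents($sys . DIRECTORY_SEPARATOR . 'cmd.exe', 'legitimate');
chdir($cwd);

$naive = realpath('cmd.exe'); // relative name: resolved against the CWD
$safe  = resolveShell([$sys], 'cmd.exe', $sys . DIRECTORY_SEPARATOR . 'cmd.exe');

printf("CWD shadows cmd.exe: %s\n", cwdShadowsShell($cwd, 'cmd.exe') ? 'yes' : 'no');
printf("naive lookup:     %s\n", $naive);   // the planted file
printf("hardened lookup:  %s\n", $safe);    // the one from PATH
```

The `cwdShadowsShell` check is the part worth keeping around: run it in CI or a deployment audit over directories where a still-unpatched version of the library may be spawning processes.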

Credits

We would like to thank Jordi Boggiano for reporting the issue and Nicolas Grekas for providing the fix.

Patched versions: 7.1.7; 6.4.14; 5.4.46

Affected versions: >= 7.0.0, < 7.1.7; >= 6.0.0, < 6.4.14; < 5.4.46

Release notes

Sourced from symfony/process's releases.

v6.4.15

Changelog (https://github.com/symfony/process/compare/v6.4.14...v6.4.15)

  • no significant changes

v6.4.14

Changelog (https://github.com/symfony/process/compare/v6.4.13...v6.4.14)

v6.4.13

Changelog (https://github.com/symfony/process/compare/v6.4.12...v6.4.13)

  • no significant changes

v6.4.12

Changelog (https://github.com/symfony/process/compare/v6.4.11...v6.4.12)

v6.4.8

Changelog (https://github.com/symfony/process/compare/v6.4.7...v6.4.8)

Commits
  • 3cb242f Merge branch '5.4' into 6.4
  • 5d1662f normalize paths to avoid failures if a path is referenced by different names
  • 25214ad Merge branch '5.4' into 6.4
  • 0190687 [Process] Fix test
  • 88638b9 Merge branch '5.4' into 6.4
  • ee75984 security #cve-2024-51736 [Process] Use %PATH% before %CD% to load the shell o...
  • 05c2ccc [Process] Use %PATH% before %CD% to load the shell on Windows
  • 0776b99 Merge branch '5.4' into 6.4
  • d94dda5 [Process] Fix escaping /X arguments on Windows
  • 836d34f Merge branch '5.4' into 6.4
  • Additional commits viewable in compare view
