Bug#849796: unblock: libphp-phpmailer/(5.2.14+dfsg-2.1
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Hi
Please unblock package libphp-phpmailer, or lower the age it needs to
transition to testing.
libphp-phpmailer as uploaded by Thijs fixes a vulnerability
CVE-2016-10033 (and making sure that the fix is not incomplete, so not
affected by CVE-2016-10045 itself). The changelog entry is:
> libphp-phpmailer (5.2.14+dfsg-2.1) unstable; urgency=high
>
> * Non-maintainer upload by the Security Team.
> * Fix CVE-2016-10033 (and CVE-2016-10045): apply commits
> 4835657c 9743ff5c 833c35fe from upstream. Closes: #849365.
>
> -- Thijs Kinkhorst <thijs@debian.org> Fri, 30 Dec 2016 11:22:28 +0000
and attached the full debdiff.
unblock libphp-phpmailer/5.2.14+dfsg-2.1
Regards,
Salvatore
-- System Information:
Debian Release: stretch/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 4.8.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru libphp-phpmailer-5.2.14+dfsg/debian/changelog libphp-phpmailer-5.2.14+dfsg/debian/changelog
--- libphp-phpmailer-5.2.14+dfsg/debian/changelog 2016-03-05 16:06:02.000000000 +0100
+++ libphp-phpmailer-5.2.14+dfsg/debian/changelog 2016-12-30 12:22:28.000000000 +0100
@@ -1,3 +1,11 @@
+libphp-phpmailer (5.2.14+dfsg-2.1) unstable; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * Fix CVE-2016-10033 (and CVE-2016-10045): apply commits
+ 4835657c 9743ff5c 833c35fe from upstream. Closes: #849365.
+
+ -- Thijs Kinkhorst <thijs@debian.org> Fri, 30 Dec 2016 11:22:28 +0000
+
libphp-phpmailer (5.2.14+dfsg-2) unstable; urgency=medium
* Team upload
diff -Nru libphp-phpmailer-5.2.14+dfsg/debian/patches/0002-Fix-CVE-2016-10033-CVE-2016-10045.patch libphp-phpmailer-5.2.14+dfsg/debian/patches/0002-Fix-CVE-2016-10033-CVE-2016-10045.patch
--- libphp-phpmailer-5.2.14+dfsg/debian/patches/0002-Fix-CVE-2016-10033-CVE-2016-10045.patch 1970-01-01 01:00:00.000000000 +0100
+++ libphp-phpmailer-5.2.14+dfsg/debian/patches/0002-Fix-CVE-2016-10033-CVE-2016-10045.patch 2016-12-30 12:22:28.000000000 +0100
@@ -0,0 +1,117 @@
+diff -Nur libphp-phpmailer-5.2.14+dfsg.orig/class.phpmailer.php libphp-phpmailer-5.2.14+dfsg.new/class.phpmailer.php
+--- libphp-phpmailer-5.2.14+dfsg.orig/class.phpmailer.php 2015-11-01 10:15:28.000000000 +0000
++++ libphp-phpmailer-5.2.14+dfsg.new/class.phpmailer.php 2016-12-30 11:20:08.368756474 +0000
+@@ -164,6 +164,7 @@
+
+ /**
+ * The path to the sendmail program.
++ * Must contain only a path to an executable, with no parameters or switches
+ * @var string
+ */
+ public $Sendmail = '/usr/sbin/sendmail';
+@@ -1329,19 +1330,27 @@
+ */
+ protected function sendmailSend($header, $body)
+ {
+- if ($this->Sender != '') {
++ if (!(is_file($this->Sendmail) and is_executable($this->Sendmail))) {
++ throw new phpmailerException($this->lang('execute') . $this->Sendmail, self::STOP_CRITICAL);
++ }
++ // CVE-2016-10033, CVE-2016-10045: Don't pass -f if characters will be escaped.
++ if (!empty($this->Sender) and self::isShellSafe($this->Sender)) {
+ if ($this->Mailer == 'qmail') {
+- $sendmail = sprintf('%s -f%s', escapeshellcmd($this->Sendmail), escapeshellarg($this->Sender));
++ $sendmailFmt = '%s -f%s';
+ } else {
+- $sendmail = sprintf('%s -oi -f%s -t', escapeshellcmd($this->Sendmail), escapeshellarg($this->Sender));
++ $sendmailFmt = '%s -oi -f%s -t';
+ }
+ } else {
+ if ($this->Mailer == 'qmail') {
+- $sendmail = sprintf('%s', escapeshellcmd($this->Sendmail));
++ $sendmailFmt = '%s';
+ } else {
+- $sendmail = sprintf('%s -oi -t', escapeshellcmd($this->Sendmail));
++ $sendmailFmt = '%s -oi -t';
+ }
+ }
++
++ // TODO: If possible, this should be changed to escapeshellarg. Needs thorough testing.
++ $sendmail = sprintf($sendmailFmt, escapeshellcmd($this->Sendmail), $this->Sender);
++
+ if ($this->SingleTo) {
+ foreach ($this->SingleToArray as $toAddr) {
+ if (!@$mail = popen($sendmail, 'w')) {
+@@ -1388,6 +1397,38 @@
+ }
+
+ /**
++ * Fix CVE-2016-10033 and CVE-2016-10045 by disallowing potentially unsafe shell characters.
++ *
++ * Note that escapeshellarg and escapeshellcmd are inadequate for our purposes, especially on Windows.
++ * @param string $string The string to be validated
++ * @see https://github.com/PHPMailer/PHPMailer/issues/924 CVE-2016-10045 bug report
++ * @access protected
++ * @return boolean
++ */
++ protected static function isShellSafe($string)
++ {
++ // Future-proof
++ if (escapeshellcmd($string) !== $string or !in_array(escapeshellarg($string), array("'$string'", "\"$string\""))) {
++ return false;
++ }
++
++ $length = strlen($string);
++
++ for ($i = 0; $i < $length; $i++) {
++ $c = $string[$i];
++
++ // All other characters have a special meaning in at least one common shell, including = and +.
++ // Full stop (.) has a special meaning in cmd.exe, but its impact should be negligible here.
++ // Note that this does permit non-Latin alphanumeric characters based on the current locale.
++ if (!ctype_alnum($c) && strpos('@_-.', $c) === false) {
++ return false;
++ }
++ }
++
++ return true;
++ }
++
++ /**
+ * Send mail using the PHP mail() function.
+ * @param string $header The message headers
+ * @param string $body The message body
+@@ -1404,12 +1445,14 @@
+ }
+ $to = implode(', ', $toArr);
+
+- if (empty($this->Sender)) {
+- $params = ' ';
+- } else {
+- $params = sprintf('-f%s', $this->Sender);
++ $params = null;
++ if (!empty($this->Sender) and $this->validateAddress($this->Sender)) {
++ // CVE-2016-10033, CVE-2016-10045: Don't pass -f if characters will be escaped.
++ if (self::isShellSafe($this->Sender)) {
++ $params = sprintf('-f%s', $this->Sender);
++ }
+ }
+- if ($this->Sender != '' and !ini_get('safe_mode')) {
++ if (!empty($this->Sender) and !ini_get('safe_mode') and $this->validateAddress($this->Sender)) {
+ $old_from = ini_get('sendmail_from');
+ ini_set('sendmail_from', $this->Sender);
+ }
+@@ -1463,10 +1506,10 @@
+ if (!$this->smtpConnect($this->SMTPOptions)) {
+ throw new phpmailerException($this->lang('smtp_connect_failed'), self::STOP_CRITICAL);
+ }
+- if ('' == $this->Sender) {
+- $smtp_from = $this->From;
+- } else {
++ if (!empty($this->Sender) and $this->validateAddress($this->Sender)) {
+ $smtp_from = $this->Sender;
++ } else {
++ $smtp_from = $this->From;
+ }
+ if (!$this->smtp->mail($smtp_from)) {
+ $this->setError($this->lang('from_failed') . $smtp_from . ' : ' . implode(',', $this->smtp->getError()));
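Review bot: In sendmailSend the new guard `if (!empty($this->Sender) and self::isShellSafe($this->Sender))` does not also call `$this->validateAddress($this->Sender)`, whereas the parallel guards this same patch adds to mailSend and smtpSend do, so the sender value gets one check fewer on the popen() path. isShellSafe's allowlist already rejects shell metacharacters, so this is a consistency and defence-in-depth point rather than a remaining injection path, but the line would be better as `if (!empty($this->Sender) and $this->validateAddress($this->Sender) and self::isShellSafe($this->Sender)) {`. When that check fails the -f option is silently dropped and the envelope sender falls back to whatever the MTA chooses, which the comment above it should say, e.g. `// A Sender that is invalid or not shell-safe is dropped (no -f); the MTA then picks the envelope sender.` The body of sendmailSend continues beyond the quoted lines of the nested patch, so any later use of $this->Sender in it is not visible here.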
diff -Nru libphp-phpmailer-5.2.14+dfsg/debian/patches/series libphp-phpmailer-5.2.14+dfsg/debian/patches/series
--- libphp-phpmailer-5.2.14+dfsg/debian/patches/series 2016-03-05 15:51:34.000000000 +0100
+++ libphp-phpmailer-5.2.14+dfsg/debian/patches/series 2016-12-30 12:22:28.000000000 +0100
@@ -1 +1,2 @@
0001-Fix-actual-autoloader-path.patch
+0002-Fix-CVE-2016-10033-CVE-2016-10045.patch
diff -Nru libphp-phpmailer-5.2.14+dfsg/debian/rules libphp-phpmailer-5.2.14+dfsg/debian/rules
--- libphp-phpmailer-5.2.14+dfsg/debian/rules 2016-03-05 15:51:34.000000000 +0100
+++ libphp-phpmailer-5.2.14+dfsg/debian/rules 2016-12-30 12:22:28.000000000 +0100
@@ -6,6 +6,7 @@
phpab \
--output autoload.php \
--blacklist '*test*' \
+ --exclude '*/.pc/*' \
.
override_dh_installdocs: