Your message dated Mon, 02 Mar 2015 19:08:51 +0100 with message-id <54F4A733.40709@thykier.net> and subject line Re: Bug#779508: unblock: php-monolog/1.11.0-2 has caused the Debian Bug report #779508, regarding unblock: php-monolog/1.11.0-2 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.) -- 779508: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779508 Debian Bug Tracking System Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: unblock: php-monolog/1.11.0-2
- From: David Prévot <taffit@debian.org>
- Date: Sun, 1 Mar 2015 13:16:07 -0400
- Message-id: <[🔎] 20150301171607.GA749@mikado.tilapin.org>
Package: release.debian.org Severity: normal User: release.debian.org@packages.debian.org Usertags: unblock Please unblock package php-monolog It fixes a potential security issue (mail header injection) by cherry-picking an upstream commit that was already included in version 1.12.0-1 (as available in experimental). The patch also includes an update to the test suite (showing how the issue may have been exploited). php-monolog (1.11.0-2) unstable; urgency=medium * Add gbp.conf to track the Jessie branch * Fix a potential security issue (header injection) Prevent header injection through content type / encoding in NativeMailerHandler. -- David Prévot <taffit@debian.org> Sun, 01 Mar 2015 01:56:16 -0400 Please find attached the full debdiff, as well as the new patch itself to ease the review. unblock php-monolog/1.11.0-2 Thanks in advance for considering. Regards Daviddiff --git a/debian/changelog b/debian/changelog index 8a207aa..a8bf6bb 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,12 @@ +php-monolog (1.11.0-2) unstable; urgency=medium + + * Add gbp.conf to track the Jessie branch + * Fix a potential security issue (header injection) + Prevent header injection through content type / encoding in + NativeMailerHandler. + + -- David Prévot <taffit@debian.org> Sun, 01 Mar 2015 01:56:16 -0400 + php-monolog (1.11.0-1) unstable; urgency=medium [ gkedzierski ] diff --git a/debian/gbp.conf b/debian/gbp.conf new file mode 100644 index 0000000..fae4302 --- /dev/null +++ b/debian/gbp.conf @@ -0,0 +1,2 @@ +[DEFAULT] +debian-branch = jessie diff --git a/debian/patches/0004-Prevent-header-injection-through-content-type-encodi.patch b/debian/patches/0004-Prevent-header-injection-through-content-type-encodi.patch new file mode 100644 index 0000000..1c27746 --- /dev/null +++ b/debian/patches/0004-Prevent-header-injection-through-content-type-encodi.patch @@ -0,0 +1,65 @@ +From: Jordi Boggiano <j.boggiano@seld.be> +Date: Sun, 28 Dec 2014 14:32:10 +0000 +Subject: Prevent header injection through content type / encoding in + NativeMailerHandler, fixes #458, closes #448 + +Bug: https://github.com/Seldaek/monolog/pull/448 https://github.com/Seldaek/monolog/issues/458 +Origin: upstream, https://github.com/Seldaek/monolog/commit/515a096c864b00b3967f7f601680f85d4a2e4001 +--- + src/Monolog/Handler/NativeMailerHandler.php | 8 ++++++++ + tests/Monolog/Handler/NativeMailerHandlerTest.php | 18 ++++++++++++++++++ + 2 files changed, 26 insertions(+) + +diff --git a/src/Monolog/Handler/NativeMailerHandler.php b/src/Monolog/Handler/NativeMailerHandler.php +index 7605a14..0fe6b64 100644 +--- a/src/Monolog/Handler/NativeMailerHandler.php ++++ b/src/Monolog/Handler/NativeMailerHandler.php +@@ -129,6 +129,10 @@ class NativeMailerHandler extends MailHandler + */ + public function setContentType($contentType) + { ++ if (strpos($contentType, "\n") !== false || strpos($contentType, "\r") !== false) { ++ throw new \InvalidArgumentException('The content type can not contain newline characters to prevent email header injection'); ++ } ++ + $this->contentType = $contentType; + + return $this; +@@ -140,6 +144,10 @@ class NativeMailerHandler extends MailHandler + */ + public function setEncoding($encoding) + { ++ if (strpos($encoding, "\n") !== false || strpos($encoding, "\r") !== false) { ++ throw new \InvalidArgumentException('The content type can not contain newline characters to prevent email header injection'); ++ } ++ + $this->encoding = $encoding; + + return $this; +diff --git a/tests/Monolog/Handler/NativeMailerHandlerTest.php b/tests/Monolog/Handler/NativeMailerHandlerTest.php +index 50ceace..c2553ee 100644 +--- a/tests/Monolog/Handler/NativeMailerHandlerTest.php ++++ b/tests/Monolog/Handler/NativeMailerHandlerTest.php +@@ -40,4 +40,22 @@ class NativeMailerHandlerTest extends TestCase + $mailer = new NativeMailerHandler('spammer@example.org', 'dear victim', 'receiver@example.org'); + $mailer->addHeader(array("Content-Type: text/html\r\nFrom: faked@attacker.org")); + } ++ ++ /** ++ * @expectedException InvalidArgumentException ++ */ ++ public function testSetterContentTypeInjection() ++ { ++ $mailer = new NativeMailerHandler('spammer@example.org', 'dear victim', 'receiver@example.org'); ++ $mailer->setContentType("text/html\r\nFrom: faked@attacker.org"); ++ } ++ ++ /** ++ * @expectedException InvalidArgumentException ++ */ ++ public function testSetterEncodingInjection() ++ { ++ $mailer = new NativeMailerHandler('spammer@example.org', 'dear victim', 'receiver@example.org'); ++ $mailer->setEncoding("utf-8\r\nFrom: faked@attacker.org"); ++ } + } diff --git a/debian/patches/series b/debian/patches/series index 5286df5..9766944 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,3 +1,4 @@ 0001-Use-ClassLoader-from-Symfony-instead-of-autoload.patch 0002-Drop-Git-test.patch 0003-Drop-failing-test-too-precise-time.patch +0004-Prevent-header-injection-through-content-type-encodi.patchFrom: Jordi Boggiano <j.boggiano@seld.be> Date: Sun, 28 Dec 2014 14:32:10 +0000 Subject: Prevent header injection through content type / encoding in NativeMailerHandler, fixes #458, closes #448 Bug: https://github.com/Seldaek/monolog/pull/448 https://github.com/Seldaek/monolog/issues/458 Origin: upstream, https://github.com/Seldaek/monolog/commit/515a096c864b00b3967f7f601680f85d4a2e4001 --- src/Monolog/Handler/NativeMailerHandler.php | 8 ++++++++ tests/Monolog/Handler/NativeMailerHandlerTest.php | 18 ++++++++++++++++++ 2 files changed, 26 insertions(+) diff --git a/src/Monolog/Handler/NativeMailerHandler.php b/src/Monolog/Handler/NativeMailerHandler.php index 7605a14..0fe6b64 100644 --- a/src/Monolog/Handler/NativeMailerHandler.php +++ b/src/Monolog/Handler/NativeMailerHandler.php @@ -129,6 +129,10 @@ class NativeMailerHandler extends MailHandler */ public function setContentType($contentType) { + if (strpos($contentType, "\n") !== false || strpos($contentType, "\r") !== false) { + throw new \InvalidArgumentException('The content type can not contain newline characters to prevent email header injection'); + } + $this->contentType = $contentType; return $this; @@ -140,6 +144,10 @@ class NativeMailerHandler extends MailHandler */ public function setEncoding($encoding) { + if (strpos($encoding, "\n") !== false || strpos($encoding, "\r") !== false) { + throw new \InvalidArgumentException('The content type can not contain newline characters to prevent email header injection'); + } + $this->encoding = $encoding; return $this; diff --git a/tests/Monolog/Handler/NativeMailerHandlerTest.php b/tests/Monolog/Handler/NativeMailerHandlerTest.php index 50ceace..c2553ee 100644 --- a/tests/Monolog/Handler/NativeMailerHandlerTest.php +++ b/tests/Monolog/Handler/NativeMailerHandlerTest.php @@ -40,4 +40,22 @@ class NativeMailerHandlerTest extends TestCase $mailer = new NativeMailerHandler('spammer@example.org', 'dear victim', 'receiver@example.org'); $mailer->addHeader(array("Content-Type: text/html\r\nFrom: faked@attacker.org")); } + + /** + * @expectedException InvalidArgumentException + */ + public function testSetterContentTypeInjection() + { + $mailer = new NativeMailerHandler('spammer@example.org', 'dear victim', 'receiver@example.org'); + $mailer->setContentType("text/html\r\nFrom: faked@attacker.org"); + } + + /** + * @expectedException InvalidArgumentException + */ + public function testSetterEncodingInjection() + { + $mailer = new NativeMailerHandler('spammer@example.org', 'dear victim', 'receiver@example.org'); + $mailer->setEncoding("utf-8\r\nFrom: faked@attacker.org"); + } }Attachment: signature.asc
Description: Digital signature
--- End Message ---
--- Begin Message ---
- To: David Prévot <taffit@debian.org>, 779508-done@bugs.debian.org
- Subject: Re: Bug#779508: unblock: php-monolog/1.11.0-2
- From: Niels Thykier <niels@thykier.net>
- Date: Mon, 02 Mar 2015 19:08:51 +0100
- Message-id: <54F4A733.40709@thykier.net>
- In-reply-to: <[🔎] 20150301171607.GA749@mikado.tilapin.org>
- References: <[🔎] 20150301171607.GA749@mikado.tilapin.org>
On 2015-03-01 18:16, David Prévot wrote: > Package: release.debian.org > Severity: normal > User: release.debian.org@packages.debian.org > Usertags: unblock > > Please unblock package php-monolog > > It fixes a potential security issue (mail header injection) by > cherry-picking an upstream commit that was already included in version > 1.12.0-1 (as available in experimental). The patch also includes an > update to the test suite (showing how the issue may have been > exploited). > > [...] > > Please find attached the full debdiff, as well as the new patch itself > to ease the review. > > unblock php-monolog/1.11.0-2 > > Thanks in advance for considering. > > Regards > > David > Unblocked, thanks. Please note that the message for setEncoding is probably wrong and should have gotten a s/content type/encoding/. But I consider it a minor / cosmetic issue. ~Niels
--- End Message ---