Package: release.debian.org User: release.debian.org@packages.debian.org Usertags: unblock Severity: normal Please unblock package libphp-phpmailer [ Reason ] To fix CVE-2020-36326 (regression). PHPMailer 6.2.0 allows object injection through Phar deserialization via addAttachment() with a UNC pathname. [ Impact ] To be honest, I don't know exactly, but the security team marked the bug as grave. [ Tests ] None. [ Risks ] The patches are small and easy to review. unblock libphp-phpmailer/6.2.0-2 Paul
diff -Nru libphp-phpmailer-6.2.0/debian/changelog libphp-phpmailer-6.2.0/debian/changelog
--- libphp-phpmailer-6.2.0/debian/changelog 2021-01-06 20:59:29.000000000 +0100
+++ libphp-phpmailer-6.2.0/debian/changelog 2021-05-18 21:29:05.000000000 +0200
@@ -1,3 +1,9 @@
+libphp-phpmailer (6.2.0-2) unstable; urgency=medium
+
+ * Add upstream patches to fix CVE-2020-36326 (Closes: #988732)
+
+ -- Paul Gevers <elbrus@debian.org> Tue, 18 May 2021 21:29:05 +0200
+
libphp-phpmailer (6.2.0-1) unstable; urgency=medium
* New upstream release
diff -Nru libphp-phpmailer-6.2.0/debian/patches/0001-Match-all-RFC3986-scheme-patterns.patch libphp-phpmailer-6.2.0/debian/patches/0001-Match-all-RFC3986-scheme-patterns.patch
--- libphp-phpmailer-6.2.0/debian/patches/0001-Match-all-RFC3986-scheme-patterns.patch 1970-01-01 01:00:00.000000000 +0100
+++ libphp-phpmailer-6.2.0/debian/patches/0001-Match-all-RFC3986-scheme-patterns.patch 2021-05-18 21:29:05.000000000 +0200
@@ -0,0 +1,26 @@
+From 7f267fb4aadfcf62e3ddc50494c469c6b9c4405a Mon Sep 17 00:00:00 2001
+From: Marcus Bointon <marcus@synchromedia.co.uk>
+Date: Thu, 29 Apr 2021 10:50:09 +0200
+Subject: [PATCH] Match all RFC3986 scheme patterns
+
+---
+ src/PHPMailer.php | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/PHPMailer.php b/src/PHPMailer.php
+index 7081ed7..7c35f4a 100644
+--- a/src/PHPMailer.php
++++ b/src/PHPMailer.php
+@@ -1811,7 +1811,8 @@ class PHPMailer
+ */
+ protected static function isPermittedPath($path)
+ {
+- return !preg_match('#^[a-z]+://#i', $path);
++ //Matches scheme definition from https://tools.ietf.org/html/rfc3986#section-3.1
++ return !preg_match('#^[a-z][a-z\d+.-]*://#i', $path);
+ }
+
+ /**
+--
+2.30.2
+
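Review bot: The new regex in `isPermittedPath` still requires a literal `://`, but PHP's stream-wrapper lookup, as far as I recall, also accepts `data:` with no slashes, so a `data:text/plain,...` path would pass this check; inside `fileIsAccessible` that is harmless because the data wrapper has no stat and `file_exists()` returns false, but it is a gap if `isPermittedPath()` guards any non-stat file operation elsewhere. A pattern such as `return !preg_match('#^(?:[a-z][a-z\d+.-]*://|data:)#i', $path);` closes it without affecting drive-letter paths, which never contain `//`. The unblock request lists no tests, so a unit test pinning `phar://`, `PHAR://`, `php://filter/...` and `compress.zlib://` as rejected and `/tmp/x`, `C:\x` and `\\srv\share` as permitted would make the regex's intent explicit. The method's docblock begins above the hunk.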
diff -Nru libphp-phpmailer-6.2.0/debian/patches/0001-Reorder-path-checks-fixes-CVE-2020-36326.patch libphp-phpmailer-6.2.0/debian/patches/0001-Reorder-path-checks-fixes-CVE-2020-36326.patch
--- libphp-phpmailer-6.2.0/debian/patches/0001-Reorder-path-checks-fixes-CVE-2020-36326.patch 1970-01-01 01:00:00.000000000 +0100
+++ libphp-phpmailer-6.2.0/debian/patches/0001-Reorder-path-checks-fixes-CVE-2020-36326.patch 2021-05-18 21:29:05.000000000 +0200
@@ -0,0 +1,33 @@
+From 26f2848d3bbb57add5f34a467a1e3b2f9ce5cd2a Mon Sep 17 00:00:00 2001
+From: Marcus Bointon <marcus@synchromedia.co.uk>
+Date: Thu, 29 Apr 2021 10:52:38 +0200
+Subject: [PATCH] Reorder path checks, fixes CVE-2020-36326
+
+---
+ src/PHPMailer.php | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/PHPMailer.php b/src/PHPMailer.php
+index 7c35f4a..66eaa38 100644
+--- a/src/PHPMailer.php
++++ b/src/PHPMailer.php
+@@ -1824,12 +1824,15 @@ class PHPMailer
+ */
+ protected static function fileIsAccessible($path)
+ {
++ if (!static::isPermittedPath($path)) {
++ return false;
++ }
+ $readable = file_exists($path);
+ //If not a UNC path (expected to start with \\), check read permission, see #2069
+ if (strpos($path, '\\\\') !== 0) {
+ $readable = $readable && is_readable($path);
+ }
+- return static::isPermittedPath($path) && $readable;
++ return $readable;
+ }
+
+ /**
+--
+2.30.2
+
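Review bot: The early return is the actual fix and deserves a why-comment, because the next reader will see `file_exists()` as a harmless check and may be tempted to reorder again; above the new `if` I would add `// Must run before file_exists(): any stat() on a phar:// path unserializes the archive metadata (CVE-2020-36326)`, which is the mechanism the request describes. The UNC branch still skips `is_readable()`, so for a `\\server\share` path this function now only proves the path exists, which is the pre-existing #2069 behaviour rather than something this commit changes. Note also that `file_exists()` is true for directories, so a directory path still returns true here; whether that matters depends on the caller, which is outside this hunk. Since the request lists no tests, a regression test that subclasses PHPMailer and asserts `fileIsAccessible('phar://' . $tmpPhar . '/x')` is false would pin the ordering.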
diff -Nru libphp-phpmailer-6.2.0/debian/patches/series libphp-phpmailer-6.2.0/debian/patches/series
--- libphp-phpmailer-6.2.0/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ libphp-phpmailer-6.2.0/debian/patches/series 2021-05-18 21:29:05.000000000 +0200
@@ -0,0 +1,2 @@
+0001-Match-all-RFC3986-scheme-patterns.patch
+0001-Reorder-path-checks-fixes-CVE-2020-36326.patch
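Review bot: Both patches carry the `0001-` prefix although the second depends on the first: its pre-image blob `7c35f4a` is the first patch's post-image, so `0001-Reorder-path-checks-fixes-CVE-2020-36326.patch` only applies after `0001-Match-all-RFC3986-scheme-patterns.patch`. Renaming the second to `0002-Reorder-path-checks-fixes-CVE-2020-36326.patch` (or regenerating both with `git format-patch -2`) makes that ordering visible in the filenames rather than only in the series order. The series file itself is in the correct order as written.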