Your message dated Wed, 19 May 2021 18:23:17 +0000
with message-id <E1ljQqj-0004K5-DF@respighi.debian.org>
and subject line unblock libphp-phpmailer
has caused the Debian Bug report #988799,
regarding unblock: libphp-phpmailer/6.2.0-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
988799: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988799
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: unblock: libphp-phpmailer/6.2.0-2
- From: Paul Gevers <elbrus@debian.org>
- Date: Wed, 19 May 2021 20:00:02 +0200
- Message-id: <440769a7-1310-7a6f-9fba-7f733a4176cf@debian.org>
Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: unblock
Severity: normal

Please unblock package libphp-phpmailer

[ Reason ]
To fix a CVE (regression). PHPMailer 6.2.0 allows object injection through Phar Deserialization via addAttachment with a UNC pathname.

[ Impact ]
To be honest, I don't know exactly, but the security team marked the bug as grave.

[ Tests ]
None.

[ Risks ]
The patches are small and easy to review.

unblock libphp-phpmailer/6.2.0-2

Paul

diff -Nru libphp-phpmailer-6.2.0/debian/changelog libphp-phpmailer-6.2.0/debian/changelog --- libphp-phpmailer-6.2.0/debian/changelog 2021-01-06 20:59:29.000000000 +0100 +++ libphp-phpmailer-6.2.0/debian/changelog 2021-05-18 21:29:05.000000000 +0200 @@ -1,3 +1,9 @@ +libphp-phpmailer (6.2.0-2) unstable; urgency=medium + + * Add upstream patches to fix CVE-2020-36326 (Closes: #988732) + + -- Paul Gevers <elbrus@debian.org> Tue, 18 May 2021 21:29:05 +0200 + libphp-phpmailer (6.2.0-1) unstable; urgency=medium * New upstream release diff -Nru libphp-phpmailer-6.2.0/debian/patches/0001-Match-all-RFC3986-scheme-patterns.patch libphp-phpmailer-6.2.0/debian/patches/0001-Match-all-RFC3986-scheme-patterns.patch --- libphp-phpmailer-6.2.0/debian/patches/0001-Match-all-RFC3986-scheme-patterns.patch 1970-01-01 01:00:00.000000000 +0100 +++ libphp-phpmailer-6.2.0/debian/patches/0001-Match-all-RFC3986-scheme-patterns.patch 2021-05-18 21:29:05.000000000 +0200 
@@ -0,0 +1,26 @@ +From 7f267fb4aadfcf62e3ddc50494c469c6b9c4405a Mon Sep 17 00:00:00 2001 +From: Marcus Bointon <marcus@synchromedia.co.uk> +Date: Thu, 29 Apr 2021 10:50:09 +0200 +Subject: [PATCH] Match all RFC3986 scheme patterns + +--- + src/PHPMailer.php | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/PHPMailer.php b/src/PHPMailer.php +index 7081ed7..7c35f4a 100644 +--- a/src/PHPMailer.php ++++ b/src/PHPMailer.php +@@ -1811,7 +1811,8 @@ class PHPMailer + */ + protected static function isPermittedPath($path) + { +- return !preg_match('#^[a-z]+://#i', $path); ++ //Matches scheme definition from https://tools.ietf.org/html/rfc3986#section-3.1 ++ return !preg_match('#^[a-z][a-z\d+.-]*://#i', $path); + } + + /** +-- +2.30.2 + diff -Nru libphp-phpmailer-6.2.0/debian/patches/0001-Reorder-path-checks-fixes-CVE-2020-36326.patch libphp-phpmailer-6.2.0/debian/patches/0001-Reorder-path-checks-fixes-CVE-2020-36326.patch --- libphp-phpmailer-6.2.0/debian/patches/0001-Reorder-path-checks-fixes-CVE-2020-36326.patch 1970-01-01 01:00:00.000000000 +0100 +++ libphp-phpmailer-6.2.0/debian/patches/0001-Reorder-path-checks-fixes-CVE-2020-36326.patch 2021-05-18 21:29:05.000000000 +0200 
@@ -0,0 +1,33 @@ +From 26f2848d3bbb57add5f34a467a1e3b2f9ce5cd2a Mon Sep 17 00:00:00 2001 +From: Marcus Bointon <marcus@synchromedia.co.uk> +Date: Thu, 29 Apr 2021 10:52:38 +0200 +Subject: [PATCH] Reorder path checks, fixes CVE-2020-36326 + +--- + src/PHPMailer.php | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/src/PHPMailer.php b/src/PHPMailer.php +index 7c35f4a..66eaa38 100644 +--- a/src/PHPMailer.php ++++ b/src/PHPMailer.php +@@ -1824,12 +1824,15 @@ class PHPMailer + */ + protected static function fileIsAccessible($path) + { ++ if (!static::isPermittedPath($path)) { ++ return false; ++ } + $readable = file_exists($path); + //If not a UNC path (expected to start with \\), check read permission, see #2069 + if (strpos($path, '\\\\') !== 0) { + $readable = $readable && is_readable($path); + } +- return static::isPermittedPath($path) && $readable; ++ return $readable; + } + + /** +-- +2.30.2 + diff -Nru libphp-phpmailer-6.2.0/debian/patches/series libphp-phpmailer-6.2.0/debian/patches/series --- libphp-phpmailer-6.2.0/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ libphp-phpmailer-6.2.0/debian/patches/series 2021-05-18 21:29:05.000000000 +0200 @@ -0,0 +1,2 @@ +0001-Match-all-RFC3986-scheme-patterns.patch +0001-Reorder-path-checks-fixes-CVE-2020-36326.patchAttachment: OpenPGP_signature
Description: OpenPGP digital signature
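Review bot: In 0001-Match-all-RFC3986-scheme-patterns.patch the new `isPermittedPath` pattern `#^[a-z][a-z\d+.-]*://#i` follows the RFC 3986 scheme grammar (a letter followed by letters, digits, `+`, `-` or `.`), so wrapper names containing digits or punctuation that the old `#^[a-z]+://#i` let through are now rejected; since the unblock request lists no tests, a small unit test that calls `isPermittedPath` with a plain filesystem path, a `\\server\share` UNC path and a handful of scheme-prefixed strings, asserting on the returned boolean, would keep this regression from coming back unnoticed.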
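Review bot: In 0001-Reorder-path-checks-fixes-CVE-2020-36326.patch the early `if (!static::isPermittedPath($path)) { return false; }` is the substantive fix, because the old `return static::isPermittedPath($path) && $readable;` only consulted the scheme check after `file_exists($path)` and `is_readable($path)` had already been evaluated on the unchecked path; the new block carries no comment saying that this ordering is load-bearing, so a one-line note such as `//Must run before any filesystem call on $path` above the `if` would stop a later refactor from folding the check back into the return expression.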
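Review bot: In the `debian/patches/series` hunk both files carry the `0001-` prefix, so only the series order records that 0001-Reorder-path-checks-fixes-CVE-2020-36326.patch depends on 0001-Match-all-RFC3986-scheme-patterns.patch (its `index 7c35f4a..66eaa38` line starts from the blob `7081ed7..7c35f4a` that the first patch produces); renaming the second file to `0002-Reorder-path-checks-fixes-CVE-2020-36326.patch` would make that ordering visible in the filename as well.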
--- End Message ---
--- Begin Message ---
- To: 988799-done@bugs.debian.org
- Subject: unblock libphp-phpmailer
- From: Sebastian Ramacher <sramacher@respighi.debian.org>
- Date: Wed, 19 May 2021 18:23:17 +0000
- Message-id: <E1ljQqj-0004K5-DF@respighi.debian.org>
Unblocked.
--- End Message ---