
Bug#988799: marked as done (unblock: libphp-phpmailer/6.2.0-2)



Your message dated Wed, 19 May 2021 18:23:17 +0000
with message-id <E1ljQqj-0004K5-DF@respighi.debian.org>
and subject line unblock libphp-phpmailer
has caused the Debian Bug report #988799,
regarding unblock: libphp-phpmailer/6.2.0-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
988799: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988799
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: unblock
Severity: normal

Please unblock package libphp-phpmailer

[ Reason ]
To fix a CVE (regression). PHPMailer 6.2.0 allows object injection
through Phar Deserialization via addAttachment with a UNC pathname.

[ Impact ]
To be honest, I don't know exactly, but the security team marked the bug
as grave.

[ Tests ]
None.

[ Risks ]
The patches are small and easy to review.

unblock libphp-phpmailer/6.2.0-2

Paul
diff -Nru libphp-phpmailer-6.2.0/debian/changelog libphp-phpmailer-6.2.0/debian/changelog
--- libphp-phpmailer-6.2.0/debian/changelog	2021-01-06 20:59:29.000000000 +0100
+++ libphp-phpmailer-6.2.0/debian/changelog	2021-05-18 21:29:05.000000000 +0200
@@ -1,3 +1,9 @@
+libphp-phpmailer (6.2.0-2) unstable; urgency=medium
+
+  * Add upstream patches to fix CVE-2020-36326 (Closes: #988732)
+
+ -- Paul Gevers <elbrus@debian.org>  Tue, 18 May 2021 21:29:05 +0200
+
 libphp-phpmailer (6.2.0-1) unstable; urgency=medium
 
   * New upstream release
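
Review bot: the new 6.2.0-2 entry says only "Add upstream patches to fix CVE-2020-36326" and does not name the two files added under debian/patches/, so the changelog alone does not show that one patch changes the scheme pattern in isPermittedPath() and the other reorders the checks in fileIsAccessible(). Listing both patch names in the entry would make the upload easier to audit.
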
diff -Nru libphp-phpmailer-6.2.0/debian/patches/0001-Match-all-RFC3986-scheme-patterns.patch libphp-phpmailer-6.2.0/debian/patches/0001-Match-all-RFC3986-scheme-patterns.patch
--- libphp-phpmailer-6.2.0/debian/patches/0001-Match-all-RFC3986-scheme-patterns.patch	1970-01-01 01:00:00.000000000 +0100
+++ libphp-phpmailer-6.2.0/debian/patches/0001-Match-all-RFC3986-scheme-patterns.patch	2021-05-18 21:29:05.000000000 +0200
@@ -0,0 +1,26 @@
+From 7f267fb4aadfcf62e3ddc50494c469c6b9c4405a Mon Sep 17 00:00:00 2001
+From: Marcus Bointon <marcus@synchromedia.co.uk>
+Date: Thu, 29 Apr 2021 10:50:09 +0200
+Subject: [PATCH] Match all RFC3986 scheme patterns
+
+---
+ src/PHPMailer.php | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/PHPMailer.php b/src/PHPMailer.php
+index 7081ed7..7c35f4a 100644
+--- a/src/PHPMailer.php
++++ b/src/PHPMailer.php
+@@ -1811,7 +1811,8 @@ class PHPMailer
+      */
+     protected static function isPermittedPath($path)
+     {
+-        return !preg_match('#^[a-z]+://#i', $path);
++        //Matches scheme definition from https://tools.ietf.org/html/rfc3986#section-3.1
++        return !preg_match('#^[a-z][a-z\d+.-]*://#i', $path);
+     }
+ 
+     /**
+-- 
+2.30.2
+
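
Review bot: the patch touches only src/PHPMailer.php (1 file changed) and adds no test for the widened pattern in isPermittedPath(), so nothing pins the behaviour for scheme names that contain a digit, `+`, `.` or `-`, which the old `#^[a-z]+://#i` did not match. A test asserting that such a path is rejected and that a plain local path is still permitted would guard against the pattern being narrowed again. The patch header also carries only the upstream From/Date/Subject and no Origin: or Bug-Debian: field; adding them would tie the file to upstream commit 7f267fb4aadfcf62e3ddc50494c469c6b9c4405a and to #988732.
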
diff -Nru libphp-phpmailer-6.2.0/debian/patches/0001-Reorder-path-checks-fixes-CVE-2020-36326.patch libphp-phpmailer-6.2.0/debian/patches/0001-Reorder-path-checks-fixes-CVE-2020-36326.patch
--- libphp-phpmailer-6.2.0/debian/patches/0001-Reorder-path-checks-fixes-CVE-2020-36326.patch	1970-01-01 01:00:00.000000000 +0100
+++ libphp-phpmailer-6.2.0/debian/patches/0001-Reorder-path-checks-fixes-CVE-2020-36326.patch	2021-05-18 21:29:05.000000000 +0200
@@ -0,0 +1,33 @@
+From 26f2848d3bbb57add5f34a467a1e3b2f9ce5cd2a Mon Sep 17 00:00:00 2001
+From: Marcus Bointon <marcus@synchromedia.co.uk>
+Date: Thu, 29 Apr 2021 10:52:38 +0200
+Subject: [PATCH] Reorder path checks, fixes CVE-2020-36326
+
+---
+ src/PHPMailer.php | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/PHPMailer.php b/src/PHPMailer.php
+index 7c35f4a..66eaa38 100644
+--- a/src/PHPMailer.php
++++ b/src/PHPMailer.php
+@@ -1824,12 +1824,15 @@ class PHPMailer
+      */
+     protected static function fileIsAccessible($path)
+     {
++        if (!static::isPermittedPath($path)) {
++            return false;
++        }
+         $readable = file_exists($path);
+         //If not a UNC path (expected to start with \\), check read permission, see #2069
+         if (strpos($path, '\\\\') !== 0) {
+             $readable = $readable && is_readable($path);
+         }
+-        return static::isPermittedPath($path) && $readable;
++        return  $readable;
+     }
+ 
+     /**
+-- 
+2.30.2
+
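
Review bot: the early return added at the top of fileIsAccessible() has no comment saying that isPermittedPath() must run before file_exists(), which is the point of the reorder: in the removed version file_exists($path) was called first and the permitted-path result was only applied in the final return. A one-line comment above `if (!static::isPermittedPath($path)) {` stating that no filesystem function may touch $path until it has passed the check would keep a later refactor from moving it back. Minor: `return  $readable;` has a double space.
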
diff -Nru libphp-phpmailer-6.2.0/debian/patches/series libphp-phpmailer-6.2.0/debian/patches/series
--- libphp-phpmailer-6.2.0/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ libphp-phpmailer-6.2.0/debian/patches/series	2021-05-18 21:29:05.000000000 +0200
@@ -0,0 +1,2 @@
+0001-Match-all-RFC3986-scheme-patterns.patch
+0001-Reorder-path-checks-fixes-CVE-2020-36326.patch
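
Review bot: both entries in series start with 0001-, which hides the fact that the order matters: the reorder patch's index line (7c35f4a..66eaa38) starts from the blob that the scheme-pattern patch produces (7081ed7..7c35f4a). Renaming the second file to 0002-Reorder-path-checks-fixes-CVE-2020-36326.patch would make the dependency visible.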



--- End Message ---
--- Begin Message ---
Unblocked.

--- End Message ---
