
Bug#849796: marked as done (unblock: libphp-phpmailer/(5.2.14+dfsg-2.1)



Your message dated Sat, 31 Dec 2016 09:31:00 +0000
with message-id <ee181bc2-b82e-550e-219b-b9063fbc6fae@thykier.net>
and subject line Re: Bug#849796: unblock: libphp-phpmailer/(5.2.14+dfsg-2.1
has caused the Debian Bug report #849796,
regarding unblock: libphp-phpmailer/(5.2.14+dfsg-2.1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
849796: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=849796
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi

Please unblock package libphp-phpmailer/lower the age it needs to
transition to testing.

libphp-phpmailer as uploaded by Thijs fixes a vulnerability
CVE-2016-10033 (and making sure that the fix is not incomplete, so not
affected by CVE-2016-10045 itself). The changelog entry is:

> libphp-phpmailer (5.2.14+dfsg-2.1) unstable; urgency=high
> 
>   * Non-maintainer upload by the Security Team.
>   * Fix CVE-2016-10033 (and CVE-2016-10045): apply commits
>     4835657c 9743ff5c 833c35fe from upstream. Closes: #849365.
> 
>  -- Thijs Kinkhorst <thijs@debian.org>  Fri, 30 Dec 2016 11:22:28 +0000

and attached the full debdiff.

unblock libphp-phpmailer/(5.2.14+dfsg-2.1

Regards,
Salvatore

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.8.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru libphp-phpmailer-5.2.14+dfsg/debian/changelog libphp-phpmailer-5.2.14+dfsg/debian/changelog
--- libphp-phpmailer-5.2.14+dfsg/debian/changelog	2016-03-05 16:06:02.000000000 +0100
+++ libphp-phpmailer-5.2.14+dfsg/debian/changelog	2016-12-30 12:22:28.000000000 +0100
@@ -1,3 +1,11 @@
+libphp-phpmailer (5.2.14+dfsg-2.1) unstable; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * Fix CVE-2016-10033 (and CVE-2016-10045): apply commits
+    4835657c 9743ff5c 833c35fe from upstream. Closes: #849365.
+
+ -- Thijs Kinkhorst <thijs@debian.org>  Fri, 30 Dec 2016 11:22:28 +0000
+
 libphp-phpmailer (5.2.14+dfsg-2) unstable; urgency=medium
 
   * Team upload
diff -Nru libphp-phpmailer-5.2.14+dfsg/debian/patches/0002-Fix-CVE-2016-10033-CVE-2016-10045.patch libphp-phpmailer-5.2.14+dfsg/debian/patches/0002-Fix-CVE-2016-10033-CVE-2016-10045.patch
--- libphp-phpmailer-5.2.14+dfsg/debian/patches/0002-Fix-CVE-2016-10033-CVE-2016-10045.patch	1970-01-01 01:00:00.000000000 +0100
+++ libphp-phpmailer-5.2.14+dfsg/debian/patches/0002-Fix-CVE-2016-10033-CVE-2016-10045.patch	2016-12-30 12:22:28.000000000 +0100
@@ -0,0 +1,117 @@
+diff -Nur libphp-phpmailer-5.2.14+dfsg.orig/class.phpmailer.php libphp-phpmailer-5.2.14+dfsg.new/class.phpmailer.php
+--- libphp-phpmailer-5.2.14+dfsg.orig/class.phpmailer.php	2015-11-01 10:15:28.000000000 +0000
++++ libphp-phpmailer-5.2.14+dfsg.new/class.phpmailer.php	2016-12-30 11:20:08.368756474 +0000
+@@ -164,6 +164,7 @@
+ 
+     /**
+      * The path to the sendmail program.
++     * Must contain only a path to an executable, with no parameters or switches
+      * @var string
+      */
+     public $Sendmail = '/usr/sbin/sendmail';
+@@ -1329,19 +1330,27 @@
+      */
+     protected function sendmailSend($header, $body)
+     {
+-        if ($this->Sender != '') {
++        if (!(is_file($this->Sendmail) and is_executable($this->Sendmail))) {
++            throw new phpmailerException($this->lang('execute') . $this->Sendmail, self::STOP_CRITICAL);
++        }
++        // CVE-2016-10033, CVE-2016-10045: Don't pass -f if characters will be escaped.
++        if (!empty($this->Sender) and self::isShellSafe($this->Sender)) {
+             if ($this->Mailer == 'qmail') {
+-                $sendmail = sprintf('%s -f%s', escapeshellcmd($this->Sendmail), escapeshellarg($this->Sender));
++                $sendmailFmt = '%s -f%s';
+             } else {
+-                $sendmail = sprintf('%s -oi -f%s -t', escapeshellcmd($this->Sendmail), escapeshellarg($this->Sender));
++                $sendmailFmt = '%s -oi -f%s -t';
+             }
+         } else {
+             if ($this->Mailer == 'qmail') {
+-                $sendmail = sprintf('%s', escapeshellcmd($this->Sendmail));
++                $sendmailFmt = '%s';
+             } else {
+-                $sendmail = sprintf('%s -oi -t', escapeshellcmd($this->Sendmail));
++                $sendmailFmt = '%s -oi -t';
+             }
+         }
++
++        // TODO: If possible, this should be changed to escapeshellarg.  Needs thorough testing.
++        $sendmail = sprintf($sendmailFmt, escapeshellcmd($this->Sendmail), $this->Sender);
++
+         if ($this->SingleTo) {
+             foreach ($this->SingleToArray as $toAddr) {
+                 if (!@$mail = popen($sendmail, 'w')) {
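Review bot: in the sendmailSend hunk, a non-empty $Sender that fails isShellSafe() silently falls through to the else branch and the message is sent without -f, so the envelope sender quietly changes to whatever the MTA defaults to instead of the caller learning that their Sender was rejected; consider recording this via setError() (or throwing, as the new is_file()/is_executable() check already does) so operators can detect the dropped parameter. The new check also introduces a behaviour change worth a changelog or NEWS mention: a $Sendmail value that previously worked with switches appended after the path now throws STOP_CRITICAL because is_file() fails on it. The remaining TODO on `$sendmail = sprintf($sendmailFmt, escapeshellcmd($this->Sendmail), $this->Sender);` is acceptable only because isShellSafe() restricts $Sender to alphanumerics and `@_-.`; that coupling should be kept in mind if either side is touched later.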
+@@ -1388,6 +1397,38 @@
+     }
+ 
+     /**
++     * Fix CVE-2016-10033 and CVE-2016-10045 by disallowing potentially unsafe shell characters.
++     *
++     * Note that escapeshellarg and escapeshellcmd are inadequate for our purposes, especially on Windows.
++     * @param string $string The string to be validated
++     * @see https://github.com/PHPMailer/PHPMailer/issues/924 CVE-2016-10045 bug report
++     * @access protected
++     * @return boolean
++     */
++    protected static function isShellSafe($string)
++    {
++        // Future-proof
++        if (escapeshellcmd($string) !== $string or !in_array(escapeshellarg($string), array("'$string'", "\"$string\""))) {
++            return false;
++        }
++
++        $length = strlen($string);
++
++        for ($i = 0; $i < $length; $i++) {
++            $c = $string[$i];
++
++            // All other characters have a special meaning in at least one common shell, including = and +.
++            // Full stop (.) has a special meaning in cmd.exe, but its impact should be negligible here.
++            // Note that this does permit non-Latin alphanumeric characters based on the current locale.
++            if (!ctype_alnum($c) && strpos('@_-.', $c) === false) {
++                return false;
++            }
++        }
++
++        return true;
++    }
++
++    /**
+      * Send mail using the PHP mail() function.
+      * @param string $header The message headers
+      * @param string $body The message body
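Review bot: in the isShellSafe() hunk, the character loop relies on ctype_alnum(), which the comment itself notes is locale-dependent: under a non-C LC_CTYPE it can accept high bytes, so the set of characters that reaches popen() unquoted depends on the process locale rather than on this function alone. A fixed-set check such as preg_match('/^[A-Za-z0-9@_.-]+$/', $string) would make the allow-list explicit and locale-independent while still accepting every non-empty string the existing loop accepts in the C locale. Two smaller points: the function returns true for the empty string (the loop never runs), which is harmless only because both callers guard with !empty(), and the docblock's `@see` references issue 924 for CVE-2016-10045 but gives no reference for CVE-2016-10033; adding one would help whoever audits this later.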
+@@ -1404,12 +1445,14 @@
+         }
+         $to = implode(', ', $toArr);
+ 
+-        if (empty($this->Sender)) {
+-            $params = ' ';
+-        } else {
+-            $params = sprintf('-f%s', $this->Sender);
++        $params = null;
++        if (!empty($this->Sender) and $this->validateAddress($this->Sender)) {
++            // CVE-2016-10033, CVE-2016-10045: Don't pass -f if characters will be escaped.
++            if (self::isShellSafe($this->Sender)) {
++                $params = sprintf('-f%s', $this->Sender);
++            }
+         }
+-        if ($this->Sender != '' and !ini_get('safe_mode')) {
++        if (!empty($this->Sender) and !ini_get('safe_mode') and $this->validateAddress($this->Sender)) {
+             $old_from = ini_get('sendmail_from');
+             ini_set('sendmail_from', $this->Sender);
+         }
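Review bot: in the mailSend hunk, the two conditions disagree in a way that merits an explanatory comment: -f is added to $params only when $Sender passes both validateAddress() and isShellSafe(), but sendmail_from is still set from $Sender whenever it merely passes validateAddress(), so a Sender that is a valid address yet not shell-safe is dropped from $params while still being handed to the ini setting. If that asymmetry is intended (the ini value is not interpolated into a shell command here), say so in the comment; otherwise compute a single `$senderOk = !empty($this->Sender) and $this->validateAddress($this->Sender);` once and use it in both branches so the two checks cannot drift apart. Also, $params changes from ' ' to null, which is the cleaner value for mail()'s additional_parameters but is still a behaviour change worth a line in the patch header.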
+@@ -1463,10 +1506,10 @@
+         if (!$this->smtpConnect($this->SMTPOptions)) {
+             throw new phpmailerException($this->lang('smtp_connect_failed'), self::STOP_CRITICAL);
+         }
+-        if ('' == $this->Sender) {
+-            $smtp_from = $this->From;
+-        } else {
++        if (!empty($this->Sender) and $this->validateAddress($this->Sender)) {
+             $smtp_from = $this->Sender;
++        } else {
++            $smtp_from = $this->From;
+         }
+         if (!$this->smtp->mail($smtp_from)) {
+             $this->setError($this->lang('from_failed') . $smtp_from . ' : ' . implode(',', $this->smtp->getError()));
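Review bot: in the smtpSend hunk, an invalid $Sender now silently falls back to $From as the MAIL FROM address instead of being reported; since nothing in this path reaches a shell, the validateAddress() check is hardening rather than part of the CVE fix, and a silent fallback hides a misconfigured Sender from the caller. Consider calling setError() when $Sender is non-empty but fails validateAddress(), or at least documenting the fallback in the method's docblock so the new behaviour is discoverable.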
diff -Nru libphp-phpmailer-5.2.14+dfsg/debian/patches/series libphp-phpmailer-5.2.14+dfsg/debian/patches/series
--- libphp-phpmailer-5.2.14+dfsg/debian/patches/series	2016-03-05 15:51:34.000000000 +0100
+++ libphp-phpmailer-5.2.14+dfsg/debian/patches/series	2016-12-30 12:22:28.000000000 +0100
@@ -1 +1,2 @@
 0001-Fix-actual-autoloader-path.patch
+0002-Fix-CVE-2016-10033-CVE-2016-10045.patch
diff -Nru libphp-phpmailer-5.2.14+dfsg/debian/rules libphp-phpmailer-5.2.14+dfsg/debian/rules
--- libphp-phpmailer-5.2.14+dfsg/debian/rules	2016-03-05 15:51:34.000000000 +0100
+++ libphp-phpmailer-5.2.14+dfsg/debian/rules	2016-12-30 12:22:28.000000000 +0100
@@ -6,6 +6,7 @@
 	phpab \
 		--output autoload.php \
 		--blacklist '*test*' \
+		--exclude '*/.pc/*' \
 		.
 
 override_dh_installdocs:
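Review bot: the `--exclude '*/.pc/*'` addition to the phpab call in debian/rules is not mentioned anywhere in the changelog entry, yet it is what keeps the quilt backup copies under .pc/ (created once 0002-Fix-CVE-2016-10033-CVE-2016-10045.patch is applied) out of phpab's scan, which would otherwise see a second, pre-patch copy of each patched class when generating autoload.php. Please add a changelog line for it so the release team can see why a packaging change rides along with a security NMU, and consider a short comment above the phpab invocation explaining the exclusion.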

--- End Message ---
--- Begin Message ---
Salvatore Bonaccorso:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> 
> Hi
> 
> Please unblock package libphp-phpmailer/lower the age it needs to
> transition to testing.
> 
> libphp-phpmailer as uploaded by Thijs fixes a vulnerability
> CVE-2016-10033 (and making sure that the fix is not incomplete, so not
> affected by CVE-2016-10045 itself). The changelog entry is:
> 
>> [...]
> 
> and attached the full debdiff.
> 
> unblock libphp-phpmailer/(5.2.14+dfsg-2.1
> 
> Regards,
> Salvatore
> 
> [...]

Hinted, thanks.

~Niels

--- End Message ---