Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Hi

Please unblock package libphp-phpmailer/lower the age it needs to
transition to testing.

libphp-phpmailer as uploaded by Thijs fixes a vulnerability
CVE-2016-10033 (and making sure tha the fix is not incomplete, so not
affected by CVE-2016-10045 itself). The changelog entry is:

> libphp-phpmailer (5.2.14+dfsg-2.1) unstable; urgency=high
> 
>   * Non-maintainer upload by the Security Team.
>   * Fix CVE-2016-10033 (and CVE-2016-10045): apply commits
>     4835657c 9743ff5c 833c35fe from upstream. Closes: #849365.
> 
>  -- Thijs Kinkhorst <th...@debian.org>  Fri, 30 Dec 2016 11:22:28 +0000

and attached the full debdiff.

unblock libphp-phpmailer/(5.2.14+dfsg-2.1

Regards,
Salvatore

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.8.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru libphp-phpmailer-5.2.14+dfsg/debian/changelog 
libphp-phpmailer-5.2.14+dfsg/debian/changelog
--- libphp-phpmailer-5.2.14+dfsg/debian/changelog       2016-03-05 
16:06:02.000000000 +0100
+++ libphp-phpmailer-5.2.14+dfsg/debian/changelog       2016-12-30 
12:22:28.000000000 +0100
@@ -1,3 +1,11 @@
+libphp-phpmailer (5.2.14+dfsg-2.1) unstable; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * Fix CVE-2016-10033 (and CVE-2016-10045): apply commits
+    4835657c 9743ff5c 833c35fe from upstream. Closes: #849365.
+
+ -- Thijs Kinkhorst <th...@debian.org>  Fri, 30 Dec 2016 11:22:28 +0000
+
 libphp-phpmailer (5.2.14+dfsg-2) unstable; urgency=medium
 
   * Team upload
diff -Nru 
libphp-phpmailer-5.2.14+dfsg/debian/patches/0002-Fix-CVE-2016-10033-CVE-2016-10045.patch
 
libphp-phpmailer-5.2.14+dfsg/debian/patches/0002-Fix-CVE-2016-10033-CVE-2016-10045.patch
--- 
libphp-phpmailer-5.2.14+dfsg/debian/patches/0002-Fix-CVE-2016-10033-CVE-2016-10045.patch
    1970-01-01 01:00:00.000000000 +0100
+++ 
libphp-phpmailer-5.2.14+dfsg/debian/patches/0002-Fix-CVE-2016-10033-CVE-2016-10045.patch
    2016-12-30 12:22:28.000000000 +0100
@@ -0,0 +1,117 @@
+diff -Nur libphp-phpmailer-5.2.14+dfsg.orig/class.phpmailer.php 
libphp-phpmailer-5.2.14+dfsg.new/class.phpmailer.php
+--- libphp-phpmailer-5.2.14+dfsg.orig/class.phpmailer.php      2015-11-01 
10:15:28.000000000 +0000
++++ libphp-phpmailer-5.2.14+dfsg.new/class.phpmailer.php       2016-12-30 
11:20:08.368756474 +0000
+@@ -164,6 +164,7 @@
+ 
+     /**
+      * The path to the sendmail program.
++     * Must contain only a path to an executable, with no parameters or 
switches
+      * @var string
+      */
+     public $Sendmail = '/usr/sbin/sendmail';
+@@ -1329,19 +1330,27 @@
+      */
+     protected function sendmailSend($header, $body)
+     {
+-        if ($this->Sender != '') {
++        if (!(is_file($this->Sendmail) and is_executable($this->Sendmail))) {
++            throw new phpmailerException($this->lang('execute') . 
$this->Sendmail, self::STOP_CRITICAL);
++        }
++        // CVE-2016-10033, CVE-2016-10045: Don't pass -f if characters will 
be escaped.
++        if (!empty($this->Sender) and self::isShellSafe($this->Sender)) {
+             if ($this->Mailer == 'qmail') {
+-                $sendmail = sprintf('%s -f%s', 
escapeshellcmd($this->Sendmail), escapeshellarg($this->Sender));
++                $sendmailFmt = '%s -f%s';
+             } else {
+-                $sendmail = sprintf('%s -oi -f%s -t', 
escapeshellcmd($this->Sendmail), escapeshellarg($this->Sender));
++                $sendmailFmt = '%s -oi -f%s -t';
+             }
+         } else {
+             if ($this->Mailer == 'qmail') {
+-                $sendmail = sprintf('%s', escapeshellcmd($this->Sendmail));
++                $sendmailFmt = '%s';
+             } else {
+-                $sendmail = sprintf('%s -oi -t', 
escapeshellcmd($this->Sendmail));
++                $sendmailFmt = '%s -oi -t';
+             }
+         }
++
++        // TODO: If possible, this should be changed to escapeshellarg.  
Needs thorough testing.
++        $sendmail = sprintf($sendmailFmt, escapeshellcmd($this->Sendmail), 
$this->Sender);
++
+         if ($this->SingleTo) {
+             foreach ($this->SingleToArray as $toAddr) {
+                 if (!@$mail = popen($sendmail, 'w')) {
+@@ -1388,6 +1397,38 @@
+     }
+ 
+     /**
++     * Fix CVE-2016-10033 and CVE-2016-10045 by disallowing potentially 
unsafe shell characters.
++     *
++     * Note that escapeshellarg and escapeshellcmd are inadequate for our 
purposes, especially on Windows.
++     * @param string $string The string to be validated
++     * @see https://github.com/PHPMailer/PHPMailer/issues/924 CVE-2016-10045 
bug report
++     * @access protected
++     * @return boolean
++     */
++    protected static function isShellSafe($string)
++    {
++        // Future-proof
++        if (escapeshellcmd($string) !== $string or 
!in_array(escapeshellarg($string), array("'$string'", "\"$string\""))) {
++            return false;
++        }
++
++        $length = strlen($string);
++
++        for ($i = 0; $i < $length; $i++) {
++            $c = $string[$i];
++
++            // All other characters have a special meaning in at least one 
common shell, including = and +.
++            // Full stop (.) has a special meaning in cmd.exe, but its impact 
should be negligible here.
++            // Note that this does permit non-Latin alphanumeric characters 
based on the current locale.
++            if (!ctype_alnum($c) && strpos('@_-.', $c) === false) {
++                return false;
++            }
++        }
++
++        return true;
++    }
++
++    /**
+      * Send mail using the PHP mail() function.
+      * @param string $header The message headers
+      * @param string $body The message body
+@@ -1404,12 +1445,14 @@
+         }
+         $to = implode(', ', $toArr);
+ 
+-        if (empty($this->Sender)) {
+-            $params = ' ';
+-        } else {
+-            $params = sprintf('-f%s', $this->Sender);
++        $params = null;
++        if (!empty($this->Sender) and $this->validateAddress($this->Sender)) {
++            // CVE-2016-10033, CVE-2016-10045: Don't pass -f if characters 
will be escaped.
++            if (self::isShellSafe($this->Sender)) {
++                $params = sprintf('-f%s', $this->Sender);
++            }
+         }
+-        if ($this->Sender != '' and !ini_get('safe_mode')) {
++        if (!empty($this->Sender) and !ini_get('safe_mode') and 
$this->validateAddress($this->Sender)) {
+             $old_from = ini_get('sendmail_from');
+             ini_set('sendmail_from', $this->Sender);
+         }
+@@ -1463,10 +1506,10 @@
+         if (!$this->smtpConnect($this->SMTPOptions)) {
+             throw new phpmailerException($this->lang('smtp_connect_failed'), 
self::STOP_CRITICAL);
+         }
+-        if ('' == $this->Sender) {
+-            $smtp_from = $this->From;
+-        } else {
++        if (!empty($this->Sender) and $this->validateAddress($this->Sender)) {
+             $smtp_from = $this->Sender;
++        } else {
++            $smtp_from = $this->From;
+         }
+         if (!$this->smtp->mail($smtp_from)) {
+             $this->setError($this->lang('from_failed') . $smtp_from . ' : ' . 
implode(',', $this->smtp->getError()));
diff -Nru libphp-phpmailer-5.2.14+dfsg/debian/patches/series 
libphp-phpmailer-5.2.14+dfsg/debian/patches/series
--- libphp-phpmailer-5.2.14+dfsg/debian/patches/series  2016-03-05 
15:51:34.000000000 +0100
+++ libphp-phpmailer-5.2.14+dfsg/debian/patches/series  2016-12-30 
12:22:28.000000000 +0100
@@ -1 +1,2 @@
 0001-Fix-actual-autoloader-path.patch
+0002-Fix-CVE-2016-10033-CVE-2016-10045.patch
diff -Nru libphp-phpmailer-5.2.14+dfsg/debian/rules 
libphp-phpmailer-5.2.14+dfsg/debian/rules
--- libphp-phpmailer-5.2.14+dfsg/debian/rules   2016-03-05 15:51:34.000000000 
+0100
+++ libphp-phpmailer-5.2.14+dfsg/debian/rules   2016-12-30 12:22:28.000000000 
+0100
@@ -6,6 +6,7 @@
        phpab \
                --output autoload.php \
                --blacklist '*test*' \
+               --exclude '*/.pc/*' \
                .
 
 override_dh_installdocs:

Reply via email to