Hi, attached is the proposed debdiff for this issue backported to the respective base version 5.2.14.
Regards, Salvatore
diff -Nru libphp-phpmailer-5.2.14+dfsg/debian/changelog libphp-phpmailer-5.2.14+dfsg/debian/changelog
--- libphp-phpmailer-5.2.14+dfsg/debian/changelog 2017-02-25 19:15:08.000000000 +0100
+++ libphp-phpmailer-5.2.14+dfsg/debian/changelog 2018-12-01 15:09:47.000000000 +0100
@@ -1,3 +1,10 @@
+libphp-phpmailer (5.2.14+dfsg-2.4) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * object injection vulnerability (CVE-2018-19296) (Closes: #913912)
+
+ -- Salvatore Bonaccorso <car...@debian.org> Sat, 01 Dec 2018 15:09:47 +0100
+
 libphp-phpmailer (5.2.14+dfsg-2.3) unstable; urgency=medium
 * Non-maintainer upload.
diff -Nru libphp-phpmailer-5.2.14+dfsg/debian/patches/0004-CVE-2018-19296.patch libphp-phpmailer-5.2.14+dfsg/debian/patches/0004-CVE-2018-19296.patch
--- libphp-phpmailer-5.2.14+dfsg/debian/patches/0004-CVE-2018-19296.patch 1970-01-01 01:00:00.000000000 +0100
+++ libphp-phpmailer-5.2.14+dfsg/debian/patches/0004-CVE-2018-19296.patch 2018-12-01 15:09:27.000000000 +0100
@@ -0,0 +1,114 @@
+From: Marcus Bointon <mar...@synchromedia.co.uk>
+Date: Thu, 15 Nov 2018 23:27:24 +0100
+Subject: Backport changes for CVE-2018-19296
+Origin: https://github.com/PHPMailer/PHPMailer/commit/f1231a9771505f4f34da060390d82eadb8448271
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-19296
+Bug-Debian: https://bugs.debian.org/913912
+
+[Salvatore Bonaccorso: Backport changes to 5.2.14: Check for permitted
+path for $this->DKIM_private before checking if file_exists following
+the logic applied for the upstream patch]
+---
+ class.phpmailer.php | 31 ++++++++++++++++++++++++-------
+ test/phpmailerTest.php | 16 ++++++++++++++++
+ 2 files changed, 40 insertions(+), 7 deletions(-)
+
+--- a/class.phpmailer.php
++++ b/class.phpmailer.php
+@@ -1263,6 +1263,7 @@ class PHPMailer
+ if (!empty($this->DKIM_domain)
+ && !empty($this->DKIM_private)
+ && !empty($this->DKIM_selector)
++ && self::isPermittedPath($this->DKIM_private)
+ && file_exists($this->DKIM_private)) {
+ $header_dkim = $this->DKIM_Add(
+ $this->MIMEHeader . $this->mailHeader,
+@@ -1425,6 +1426,18 @@ class PHPMailer
+ }
+
+ /**
++ * Check whether a file path is of a permitted type.
++ * Used to reject URLs and phar files from functions that access local file paths,
++ * such as addAttachment.
++ * @param string $path A relative or absolute path to a file.
++ * @return bool
++ */
++ protected static function isPermittedPath($path)
++ {
++ return !preg_match('#^[a-z]+://#i', $path);
++ }
++
++ /**
+ * Send mail using the PHP mail() function.
+ * @param string $header The message headers
+ * @param string $body The message body
+@@ -1723,7 +1736,7 @@ class PHPMailer
+ // There is no English translation file
+ if ($langcode != 'en') {
+ // Make sure language file path is readable
+- if (!is_readable($lang_file)) {
++ if (!self::isPermittedPath($lang_file) or !is_readable($lang_file)) {
+ $foundlang = false;
+ } else {
+ // Overwrite language-specific strings.
+@@ -2420,6 +2433,8 @@ class PHPMailer
+ * Add an attachment from a path on the filesystem.
+ * Never use a user-supplied path to a file!
+ * Returns false if the file could not be found or read.
++ * Explicitly *does not* support passing URLs; PHPMailer is not an HTTP client.
++ * If you need to do that, fetch the resource yourself and pass it in via a local file or string.
+ * @param string $path Path to the attachment.
+ * @param string $name Overrides the attachment name.
+ * @param string $encoding File encoding (see $Encoding).
+@@ -2431,7 +2446,7 @@ class PHPMailer
+ public function addAttachment($path, $name = '', $encoding = 'base64', $type = '', $disposition = 'attachment')
+ {
+ try {
+- if (!@is_file($path)) {
++ if (!self::isPermittedPath($path) or !@is_file($path)) {
+ throw new phpmailerException($this->lang('file_access') . $path, self::STOP_CONTINUE);
+ }
+
+@@ -2612,7 +2627,7 @@ class PHPMailer
+ protected function encodeFile($path, $encoding = 'base64')
+ {
+ try {
+- if (!is_readable($path)) {
++ if (!self::isPermittedPath($path) or !file_exists($path)) {
+ throw new phpmailerException($this->lang('file_open') . $path, self::STOP_CONTINUE);
+ }
+ $magic_quotes = get_magic_quotes_runtime();
+@@ -2956,7 +2971,7 @@ class PHPMailer
+ */
+ public function addEmbeddedImage($path, $cid, $name = '', $encoding = 'base64', $type = '', $disposition = 'inline')
+ {
+- if (!@is_file($path)) {
++ if (!self::isPermittedPath($path) or !@is_file($path)) {
+ $this->setError($this->lang('file_access') . $path);
+ return false;
+ }
+--- a/test/phpmailerTest.php
++++ b/test/phpmailerTest.php
+@@ -740,6 +740,22 @@ class PHPMailerTest extends PHPUnit_Fram
+ }
+
+ /**
++ * Rejection of non-local file attachments test.
++ */
++ public function testRejectNonLocalFileAttachment()
++ {
++ $this->assertFalse(
++ $this->Mail->addAttachment('https://github.com/PHPMailer/PHPMailer/raw/master/README.md'),
++ 'addAttachment should reject remote URLs'
++ );
++
++ $this->assertFalse(
++ $this->Mail->addAttachment('phar://phar.php'),
++ 'addAttachment should reject phar resources'
++ );
++ }
++
++ /**
+ * Simple plain string attachment test.
+ */
+ public function testPlainStringAttachment()
diff -Nru libphp-phpmailer-5.2.14+dfsg/debian/patches/series libphp-phpmailer-5.2.14+dfsg/debian/patches/series
--- libphp-phpmailer-5.2.14+dfsg/debian/patches/series 2017-02-25 19:15:08.000000000 +0100
+++ libphp-phpmailer-5.2.14+dfsg/debian/patches/series 2018-12-01 14:57:11.000000000 +0100
@@ -1,3 +1,4 @@
 0001-Fix-actual-autoloader-path.patch
 0002-Fix-CVE-2016-10033-CVE-2016-10045.patch
 0003-CVE-2017-5223.patch
+0004-CVE-2018-19296.patch
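Review bot: The scheme test in the new `isPermittedPath` (`'#^[a-z]+://#i'`) only matches a run of letters before `://`, whereas an RFC 3986 scheme may also contain digits, `+`, `-` and `.`, so a stream wrapper name with a dot (PHP ships `compress.zlib://` and `compress.bzip2://`) is not treated as a URL even though the docblock says URLs are rejected; the same helper gates `addAttachment`, `addEmbeddedImage`, `encodeFile`, the language-file loader and the DKIM key check. Following the RFC grammar, `return !preg_match('#^[a-z][a-z\d+.-]*://#i', $path);`, closes that gap without changing the outcome for plain local paths. `testRejectNonLocalFileAttachment` only exercises `https://` and `phar://`, so a third assertion with a dotted scheme would pin the tightened pattern. Note also that `encodeFile` now checks `file_exists` where it previously checked `is_readable`, so an existing but unreadable file passes the guard and presumably fails later in the read; that matches the upstream change but is worth a line in the backport header. The `class PHPMailer` and `PHPMailerTest` bodies continue outside these hunks.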