Your message dated Sat, 31 Dec 2016 09:31:00 +0000
with message-id <[email protected]>
and subject line Re: Bug#849796: unblock: libphp-phpmailer/(5.2.14+dfsg-2.1
has caused the Debian Bug report #849796,
regarding unblock: libphp-phpmailer/(5.2.14+dfsg-2.1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
849796: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=849796
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock

Hi

Please unblock package libphp-phpmailer/lower the age it needs to
transition to testing.

libphp-phpmailer as uploaded by Thijs fixes a vulnerability,
CVE-2016-10033 (and makes sure that the fix is not incomplete, so it is
not itself affected by CVE-2016-10045). The changelog entry is:

> libphp-phpmailer (5.2.14+dfsg-2.1) unstable; urgency=high
> 
>   * Non-maintainer upload by the Security Team.
>   * Fix CVE-2016-10033 (and CVE-2016-10045): apply commits
>     4835657c 9743ff5c 833c35fe from upstream. Closes: #849365.
> 
>  -- Thijs Kinkhorst <[email protected]>  Fri, 30 Dec 2016 11:22:28 +0000

and attached the full debdiff.

unblock libphp-phpmailer/(5.2.14+dfsg-2.1

Regards,
Salvatore

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.8.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru libphp-phpmailer-5.2.14+dfsg/debian/changelog 
libphp-phpmailer-5.2.14+dfsg/debian/changelog
--- libphp-phpmailer-5.2.14+dfsg/debian/changelog       2016-03-05 
16:06:02.000000000 +0100
+++ libphp-phpmailer-5.2.14+dfsg/debian/changelog       2016-12-30 
12:22:28.000000000 +0100
@@ -1,3 +1,11 @@
+libphp-phpmailer (5.2.14+dfsg-2.1) unstable; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * Fix CVE-2016-10033 (and CVE-2016-10045): apply commits
+    4835657c 9743ff5c 833c35fe from upstream. Closes: #849365.
+
+ -- Thijs Kinkhorst <[email protected]>  Fri, 30 Dec 2016 11:22:28 +0000
+
 libphp-phpmailer (5.2.14+dfsg-2) unstable; urgency=medium
 
   * Team upload
diff -Nru 
libphp-phpmailer-5.2.14+dfsg/debian/patches/0002-Fix-CVE-2016-10033-CVE-2016-10045.patch
 
libphp-phpmailer-5.2.14+dfsg/debian/patches/0002-Fix-CVE-2016-10033-CVE-2016-10045.patch
--- 
libphp-phpmailer-5.2.14+dfsg/debian/patches/0002-Fix-CVE-2016-10033-CVE-2016-10045.patch
    1970-01-01 01:00:00.000000000 +0100
+++ 
libphp-phpmailer-5.2.14+dfsg/debian/patches/0002-Fix-CVE-2016-10033-CVE-2016-10045.patch
    2016-12-30 12:22:28.000000000 +0100
@@ -0,0 +1,117 @@
+diff -Nur libphp-phpmailer-5.2.14+dfsg.orig/class.phpmailer.php 
libphp-phpmailer-5.2.14+dfsg.new/class.phpmailer.php
+--- libphp-phpmailer-5.2.14+dfsg.orig/class.phpmailer.php      2015-11-01 
10:15:28.000000000 +0000
++++ libphp-phpmailer-5.2.14+dfsg.new/class.phpmailer.php       2016-12-30 
11:20:08.368756474 +0000
+@@ -164,6 +164,7 @@
+ 
+     /**
+      * The path to the sendmail program.
++     * Must contain only a path to an executable, with no parameters or 
switches
+      * @var string
+      */
+     public $Sendmail = '/usr/sbin/sendmail';
+@@ -1329,19 +1330,27 @@
+      */
+     protected function sendmailSend($header, $body)
+     {
+-        if ($this->Sender != '') {
++        if (!(is_file($this->Sendmail) and is_executable($this->Sendmail))) {
++            throw new phpmailerException($this->lang('execute') . 
$this->Sendmail, self::STOP_CRITICAL);
++        }
++        // CVE-2016-10033, CVE-2016-10045: Don't pass -f if characters will 
be escaped.
++        if (!empty($this->Sender) and self::isShellSafe($this->Sender)) {
+             if ($this->Mailer == 'qmail') {
+-                $sendmail = sprintf('%s -f%s', 
escapeshellcmd($this->Sendmail), escapeshellarg($this->Sender));
++                $sendmailFmt = '%s -f%s';
+             } else {
+-                $sendmail = sprintf('%s -oi -f%s -t', 
escapeshellcmd($this->Sendmail), escapeshellarg($this->Sender));
++                $sendmailFmt = '%s -oi -f%s -t';
+             }
+         } else {
+             if ($this->Mailer == 'qmail') {
+-                $sendmail = sprintf('%s', escapeshellcmd($this->Sendmail));
++                $sendmailFmt = '%s';
+             } else {
+-                $sendmail = sprintf('%s -oi -t', 
escapeshellcmd($this->Sendmail));
++                $sendmailFmt = '%s -oi -t';
+             }
+         }
++
++        // TODO: If possible, this should be changed to escapeshellarg.  
Needs thorough testing.
++        $sendmail = sprintf($sendmailFmt, escapeshellcmd($this->Sendmail), 
$this->Sender);
++
+         if ($this->SingleTo) {
+             foreach ($this->SingleToArray as $toAddr) {
+                 if (!@$mail = popen($sendmail, 'w')) {
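Review bot: a Sender that fails isShellSafe is dropped silently in this hunk: `-f` is simply omitted and the message is still handed to sendmail with whatever envelope sender the MTA chooses, and the caller gets no indication. Since `$this->setError(...)` is already used elsewhere in this file, record the dropped `-f` there (or at least a debug line) so a mis-set Sender does not go unnoticed. Note also that `$sendmail = sprintf($sendmailFmt, escapeshellcmd($this->Sendmail), $this->Sender);` now interpolates the Sender into the popen() command with no escaping at all, so the whole guarantee rests on the isShellSafe allowlist; the `// TODO: If possible, this should be changed to escapeshellarg.` left in the shipped patch should either be resolved or point at the tracking issue.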
+@@ -1388,6 +1397,38 @@
+     }
+ 
+     /**
++     * Fix CVE-2016-10033 and CVE-2016-10045 by disallowing potentially 
unsafe shell characters.
++     *
++     * Note that escapeshellarg and escapeshellcmd are inadequate for our 
purposes, especially on Windows.
++     * @param string $string The string to be validated
++     * @see https://github.com/PHPMailer/PHPMailer/issues/924 CVE-2016-10045 
bug report
++     * @access protected
++     * @return boolean
++     */
++    protected static function isShellSafe($string)
++    {
++        // Future-proof
++        if (escapeshellcmd($string) !== $string or 
!in_array(escapeshellarg($string), array("'$string'", "\"$string\""))) {
++            return false;
++        }
++
++        $length = strlen($string);
++
++        for ($i = 0; $i < $length; $i++) {
++            $c = $string[$i];
++
++            // All other characters have a special meaning in at least one 
common shell, including = and +.
++            // Full stop (.) has a special meaning in cmd.exe, but its impact 
should be negligible here.
++            // Note that this does permit non-Latin alphanumeric characters 
based on the current locale.
++            if (!ctype_alnum($c) && strpos('@_-.', $c) === false) {
++                return false;
++            }
++        }
++
++        return true;
++    }
++
++    /**
+      * Send mail using the PHP mail() function.
+      * @param string $header The message headers
+      * @param string $body The message body
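Review bot: ctype_alnum() in the per-character loop is locale dependent (the comment `// Note that this does permit non-Latin alphanumeric characters based on the current locale.` concedes this), so what counts as shell-safe changes with setlocale(), and the loop accepts the empty string because it never iterates (callers guard with !empty, but a static helper should not rely on that). An explicit ASCII allowlist such as `preg_match('/\A[A-Za-z0-9@_.-]+\z/', $string)` would make the check deterministic and reject the empty case in one expression. The escapeshellcmd/escapeshellarg round-trip check above it (with both the single- and double-quoted forms, for Windows) is a sensible belt-and-braces and worth keeping.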
+@@ -1404,12 +1445,14 @@
+         }
+         $to = implode(', ', $toArr);
+ 
+-        if (empty($this->Sender)) {
+-            $params = ' ';
+-        } else {
+-            $params = sprintf('-f%s', $this->Sender);
++        $params = null;
++        if (!empty($this->Sender) and $this->validateAddress($this->Sender)) {
++            // CVE-2016-10033, CVE-2016-10045: Don't pass -f if characters 
will be escaped.
++            if (self::isShellSafe($this->Sender)) {
++                $params = sprintf('-f%s', $this->Sender);
++            }
+         }
+-        if ($this->Sender != '' and !ini_get('safe_mode')) {
++        if (!empty($this->Sender) and !ini_get('safe_mode') and 
$this->validateAddress($this->Sender)) {
+             $old_from = ini_get('sendmail_from');
+             ini_set('sendmail_from', $this->Sender);
+         }
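Review bot: the two guards in this hunk disagree and evaluate validateAddress($this->Sender) twice. `-f` is only passed when the Sender is both a valid address and shell-safe, whereas `ini_set('sendmail_from', $this->Sender)` only requires a valid address and safe_mode off. ini_set never reaches a shell, so this is not a security problem, but with a valid, non-shell-safe Sender mail() is called without `-f` while sendmail_from is still overridden, and nothing reports that. Suggest computing `$senderOk = !empty($this->Sender) && $this->validateAddress($this->Sender);` once (note `&&`, not `and`, so the assignment binds correctly) and using it in both conditions, and surfacing the dropped `-f` through setError rather than leaving `$params = null` silently.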
+@@ -1463,10 +1506,10 @@
+         if (!$this->smtpConnect($this->SMTPOptions)) {
+             throw new phpmailerException($this->lang('smtp_connect_failed'), 
self::STOP_CRITICAL);
+         }
+-        if ('' == $this->Sender) {
+-            $smtp_from = $this->From;
+-        } else {
++        if (!empty($this->Sender) and $this->validateAddress($this->Sender)) {
+             $smtp_from = $this->Sender;
++        } else {
++            $smtp_from = $this->From;
+         }
+         if (!$this->smtp->mail($smtp_from)) {
+             $this->setError($this->lang('from_failed') . $smtp_from . ' : ' . 
implode(',', $this->smtp->getError()));
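Review bot: a Sender that is set but fails validateAddress now silently falls back to $this->From for MAIL FROM; as at the other call sites, a setError/debug message would keep the misconfiguration visible. Swapping the if/else branches also enlarges the diff for no functional reason; negating the condition, `if (empty($this->Sender) or !$this->validateAddress($this->Sender))`, would keep the original branch order. Not applying isShellSafe here is correct: $smtp_from goes straight to $this->smtp->mail() and no shell is involved.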
diff -Nru libphp-phpmailer-5.2.14+dfsg/debian/patches/series 
libphp-phpmailer-5.2.14+dfsg/debian/patches/series
--- libphp-phpmailer-5.2.14+dfsg/debian/patches/series  2016-03-05 
15:51:34.000000000 +0100
+++ libphp-phpmailer-5.2.14+dfsg/debian/patches/series  2016-12-30 
12:22:28.000000000 +0100
@@ -1 +1,2 @@
 0001-Fix-actual-autoloader-path.patch
+0002-Fix-CVE-2016-10033-CVE-2016-10045.patch
diff -Nru libphp-phpmailer-5.2.14+dfsg/debian/rules 
libphp-phpmailer-5.2.14+dfsg/debian/rules
--- libphp-phpmailer-5.2.14+dfsg/debian/rules   2016-03-05 15:51:34.000000000 
+0100
+++ libphp-phpmailer-5.2.14+dfsg/debian/rules   2016-12-30 12:22:28.000000000 
+0100
@@ -6,6 +6,7 @@
        phpab \
                --output autoload.php \
                --blacklist '*test*' \
+               --exclude '*/.pc/*' \
                .
 
 override_dh_installdocs:
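Review bot: this `--exclude '*/.pc/*'` addition is not mentioned in the changelog entry, which lists only the CVE fix; add a line for it and its reason. Presumably the point is that, now that a patch in debian/patches/series touches class.phpmailer.php, quilt keeps the pristine copy under .pc/, and without the exclude phpab would scan that copy as well when generating autoload.php and could bind the class to the unpatched file or trip over the duplicate definition. A one-line comment next to the exclude in debian/rules would save the next maintainer from rediscovering this.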

--- End Message ---
--- Begin Message ---
Salvatore Bonaccorso:
> Package: release.debian.org
> Severity: normal
> User: [email protected]
> Usertags: unblock
> 
> Hi
> 
> Please unblock package libphp-phpmailer/lower the age it needs to
> transition to testing.
> 
> libphp-phpmailer as uploaded by Thijs fixes a vulnerability,
> CVE-2016-10033 (and makes sure that the fix is not incomplete, so it is
> not itself affected by CVE-2016-10045). The changelog entry is:
> 
>> [...]
> 
> and attached the full debdiff.
> 
> unblock libphp-phpmailer/(5.2.14+dfsg-2.1
> 
> Regards,
> Salvatore
> 
> [...]

Hinted, thanks.

~Niels

--- End Message ---
