Your message dated Wed, 19 May 2021 18:23:17 +0000
with message-id <[email protected]>
and subject line unblock libphp-phpmailer
has caused the Debian Bug report #988799,
regarding unblock: libphp-phpmailer/6.2.0-2
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
988799: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988799
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
User: [email protected]
Usertags: unblock
Severity: normal
Please unblock package libphp-phpmailer
[ Reason ]
To fix a CVE (regression). PHPMailer 6.2.0 allows object injection
through Phar Deserialization via addAttachment with a UNC pathname.
[ Impact ]
To be honest, I don't know exactly, but the security team marked the bug
as grave.
[ Tests ]
None.
[ Risks ]
The patches are small and easy to review.
unblock libphp-phpmailer/6.2.0-2
Paul
diff -Nru libphp-phpmailer-6.2.0/debian/changelog
libphp-phpmailer-6.2.0/debian/changelog
--- libphp-phpmailer-6.2.0/debian/changelog 2021-01-06 20:59:29.000000000
+0100
+++ libphp-phpmailer-6.2.0/debian/changelog 2021-05-18 21:29:05.000000000
+0200
@@ -1,3 +1,9 @@
+libphp-phpmailer (6.2.0-2) unstable; urgency=medium
+
+ * Add upstream patches to fix CVE-2020-36326 (Closes: #988732)
+
+ -- Paul Gevers <[email protected]> Tue, 18 May 2021 21:29:05 +0200
+
libphp-phpmailer (6.2.0-1) unstable; urgency=medium
* New upstream release
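Review bot: the entry is `urgency=medium` for a fix to a bug the security team rated grave; Debian convention for security uploads is `urgency=high`, so consider bumping it (it does not affect the unblock itself, but documents the nature of the upload). The `+ * Add upstream patches to fix CVE-2020-36326 (Closes: #988732)` line is otherwise complete, though naming the two upstream commits (7f267fb4 and 26f2848d, per the patch files below) in the entry would make the provenance visible without opening debian/patches.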
diff -Nru
libphp-phpmailer-6.2.0/debian/patches/0001-Match-all-RFC3986-scheme-patterns.patch
libphp-phpmailer-6.2.0/debian/patches/0001-Match-all-RFC3986-scheme-patterns.patch
---
libphp-phpmailer-6.2.0/debian/patches/0001-Match-all-RFC3986-scheme-patterns.patch
1970-01-01 01:00:00.000000000 +0100
+++
libphp-phpmailer-6.2.0/debian/patches/0001-Match-all-RFC3986-scheme-patterns.patch
2021-05-18 21:29:05.000000000 +0200
@@ -0,0 +1,26 @@
+From 7f267fb4aadfcf62e3ddc50494c469c6b9c4405a Mon Sep 17 00:00:00 2001
+From: Marcus Bointon <[email protected]>
+Date: Thu, 29 Apr 2021 10:50:09 +0200
+Subject: [PATCH] Match all RFC3986 scheme patterns
+
+---
+ src/PHPMailer.php | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/PHPMailer.php b/src/PHPMailer.php
+index 7081ed7..7c35f4a 100644
+--- a/src/PHPMailer.php
++++ b/src/PHPMailer.php
+@@ -1811,7 +1811,8 @@ class PHPMailer
+ */
+ protected static function isPermittedPath($path)
+ {
+- return !preg_match('#^[a-z]+://#i', $path);
++ //Matches scheme definition from
https://tools.ietf.org/html/rfc3986#section-3.1
++ return !preg_match('#^[a-z][a-z\d+.-]*://#i', $path);
+ }
+
+ /**
+--
+2.30.2
+
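Review bot: this patch is a hard prerequisite of the reorder patch, not an independent hardening: its post-image blob `7c35f4a` (from `+index 7081ed7..7c35f4a 100644`) is the pre-image of the second patch, so the series order must keep it first. Functionally, the change from `return !preg_match('#^[a-z]+://#i', $path);` to `return !preg_match('#^[a-z][a-z\d+.-]*://#i', $path);` widens the rejected set from letter-only schemes to every RFC 3986 scheme, which means wrappers whose scheme contains digits, `+`, `.` or `-` (for example PHP's `compress.zlib://`) are now refused as attachment paths; any local caller relying on such wrappers would regress, so that is worth a line in the changelog or README.Debian. The file is raw `git format-patch` output without DEP-3 `Origin:`/`Bug-Debian:` headers; adding `Origin: upstream, <commit URL>` and `Bug-Debian: https://bugs.debian.org/988732` would let tracking tools correlate the patch with the CVE.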
diff -Nru
libphp-phpmailer-6.2.0/debian/patches/0001-Reorder-path-checks-fixes-CVE-2020-36326.patch
libphp-phpmailer-6.2.0/debian/patches/0001-Reorder-path-checks-fixes-CVE-2020-36326.patch
---
libphp-phpmailer-6.2.0/debian/patches/0001-Reorder-path-checks-fixes-CVE-2020-36326.patch
1970-01-01 01:00:00.000000000 +0100
+++
libphp-phpmailer-6.2.0/debian/patches/0001-Reorder-path-checks-fixes-CVE-2020-36326.patch
2021-05-18 21:29:05.000000000 +0200
@@ -0,0 +1,33 @@
+From 26f2848d3bbb57add5f34a467a1e3b2f9ce5cd2a Mon Sep 17 00:00:00 2001
+From: Marcus Bointon <[email protected]>
+Date: Thu, 29 Apr 2021 10:52:38 +0200
+Subject: [PATCH] Reorder path checks, fixes CVE-2020-36326
+
+---
+ src/PHPMailer.php | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/PHPMailer.php b/src/PHPMailer.php
+index 7c35f4a..66eaa38 100644
+--- a/src/PHPMailer.php
++++ b/src/PHPMailer.php
+@@ -1824,12 +1824,15 @@ class PHPMailer
+ */
+ protected static function fileIsAccessible($path)
+ {
++ if (!static::isPermittedPath($path)) {
++ return false;
++ }
+ $readable = file_exists($path);
+ //If not a UNC path (expected to start with \\), check read
permission, see #2069
+ if (strpos($path, '\\\\') !== 0) {
+ $readable = $readable && is_readable($path);
+ }
+- return static::isPermittedPath($path) && $readable;
++ return $readable;
+ }
+
+ /**
+--
+2.30.2
+
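Review bot: the actual fix is the ordering, and it is correct for the stated issue: in the old body `$readable = file_exists($path);` ran before `static::isPermittedPath($path)`, so an unvalidated scheme-prefixed path was handed to the filesystem functions first and only rejected afterwards, and the `strpos($path, '\\\\') !== 0` branch additionally skipped `is_readable` for UNC-looking paths; with the new early `return false;` neither `file_exists` nor `is_readable` ever sees a path that `isPermittedPath` would refuse. Since the unblock request lists `[ Tests ] None.`, a minimal regression test that asserts `fileIsAccessible()` returns false for a scheme-prefixed path (e.g. a `phar://` URL) and true for a plain readable file would be cheap to add as an autopkgtest and would guard against this check being reordered again. Same DEP-3 remark as for the first patch: `Origin:` and `Bug-Debian:` headers are missing.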
diff -Nru libphp-phpmailer-6.2.0/debian/patches/series
libphp-phpmailer-6.2.0/debian/patches/series
--- libphp-phpmailer-6.2.0/debian/patches/series 1970-01-01
01:00:00.000000000 +0100
+++ libphp-phpmailer-6.2.0/debian/patches/series 2021-05-18
21:29:05.000000000 +0200
@@ -0,0 +1,2 @@
+0001-Match-all-RFC3986-scheme-patterns.patch
+0001-Reorder-path-checks-fixes-CVE-2020-36326.patch
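Review bot: both patches carry the `0001-` prefix, which `git format-patch` assigns when each is exported alone; because the reorder patch applies on top of the scheme-pattern patch (see the `index` lines), rename the second to `0002-Reorder-path-checks-fixes-CVE-2020-36326.patch` so the dependency is explicit in the filename rather than only in the series order.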
--- End Message ---
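The first upstream patch above only widens a scheme-prefix regex, and it is easy to misjudge what that buys. The following is an added check, not code from the bug report or from the PHPMailer project: it ports the old and new `isPermittedPath` patterns from PCRE to Python's `re` (the two engines agree on these patterns) and runs both over a constructed list of attachment paths, so the set that the RFC 3986 pattern newly rejects is visible. It deliberately does not model PHP stream wrappers, which is the part of the bug the second patch's reordering addresses: with the old call order even a path the old regex already rejected (a letter-only `phar://` scheme) was passed to `file_exists` before the check ran.

```python
import re

# Scheme-prefix checks mirroring the two regexes in the Debian patch (ported
# from PCRE to Python re; the patterns behave identically in both engines).
OLD_SCHEME_RE = re.compile(r'^[a-z]+://', re.IGNORECASE)            # pre-patch
NEW_SCHEME_RE = re.compile(r'^[a-z][a-z\d+.-]*://', re.IGNORECASE)  # RFC 3986 scheme


def is_permitted_path_old(path: str) -> bool:
    """Pre-patch check: rejects only schemes made of letters."""
    return not OLD_SCHEME_RE.match(path)


def is_permitted_path_new(path: str) -> bool:
    """Post-patch check: rejects any RFC 3986 scheme (letters, digits, '+', '.', '-')."""
    return not NEW_SCHEME_RE.match(path)


# Constructed sample attachment paths; none of these come from the bug report.
SAMPLES = [
    "/var/mail/attachments/report.pdf",    # plain POSIX path
    r"C:\Users\mail\report.pdf",           # Windows drive path (':' but no '://')
    r"\\fileserver\share\report.pdf",      # UNC path, no scheme at all
    "phar://archive.phar/report.pdf",      # stream wrapper, letters only
    "compress.zlib://report.pdf.gz",       # wrapper with '.' in the scheme
    "ssh2.sftp://host/report.pdf",         # wrapper with a digit and '.'
    "data://text/plain;base64,SGVsbG8=",   # data wrapper, letters only
]


def compare(paths=SAMPLES):
    """Map each path to (old_verdict, new_verdict); True means 'permitted'."""
    return {p: (is_permitted_path_old(p), is_permitted_path_new(p)) for p in paths}


def newly_rejected(paths=SAMPLES):
    """Paths the pre-patch regex permitted but the RFC 3986 regex rejects."""
    return [p for p, (old, new) in compare(paths).items() if old and not new]


if __name__ == "__main__":
    for path, (old, new) in compare().items():
        verdict = lambda ok: "allow" if ok else "deny"
        print(f"{path!r:45} old={verdict(old):5} new={verdict(new)}")
    print("newly rejected:", newly_rejected())
```

Running it shows that plain, drive-letter and UNC paths are permitted by both patterns, that `phar://` and `data://` were already refused by the old one, and that only schemes containing a digit or punctuation change verdict. That is why the regex change alone would not have closed the bug: the reorder in the second patch, which runs the check before any filesystem call, is the actual fix.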
--- Begin Message ---
Unblocked.
--- End Message ---