Bug#504255: CVE-2007-3215: remote shell command execution in class.phpmailer.php
FYI, a patch has been included in recent upload of phpgroupware (1:0.9.16.012+dfsg-9) in order to fix the code although it is normally not used.

Best regards,
Bug#504255: CVE-2007-3215: remote shell command execution in class.phpmailer.php
Package: phpgroupware-felamimail
Severity: grave
Version: 0.9.16.011-2.2
Tags: security patch

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was published for PHPMailer, which affects the embedded copy shipped in phpgroupware-felamimail[0].

CVE-2007-3215[1]:
PHPMailer 1.7, when configured to use sendmail, allows remote attackers to execute arbitrary shell commands via shell metacharacters in the SendmailSend function in class.phpmailer.php.

The patch for class.phpmailer.php can be found at [2].

However, it would be better if phpgroupware-felamimail just depended on libphp-phpmailer (also available in etch) and the include/require calls changed to use the copy provided by that package, to avoid shipping yet another embedded code copy.

If you fix the vulnerability please also make sure to include the CVE id in the changelog entry.

[0] usr/share/phpgroupware/felamimail/inc/class.phpmailer.inc.php
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3215
    http://security-tracker.debian.net/tracker/CVE-2007-3215
[2] http://sourceforge.net/tracker/index.php?func=detail&aid=1734811&group_id=26031&atid=385707

Cheers,
--
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net
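How shell metacharacters in the sender end up in the command line described in the CVE text above, and two ways of neutralising them, as an added PHP example (not phpgroupware or PHPMailer code). The function names, the allowlist of sendmail paths and the sample sender values are assumptions constructed for illustration.

```php
<?php
// Added illustration: hypothetical helper names, constructed sample values.
// Nothing is executed; the script only prints the command each variant would build.

const ALLOWED_SENDMAIL = ['/usr/sbin/sendmail', '/usr/lib/sendmail']; // assumed install paths

// Unescaped construction, the pattern CVE-2007-3215 describes.
function unescaped_command(string $sendmail, string $sender): string
{
    return sprintf('%s -oi -f %s -t', $sendmail, $sender);
}

// Shell-escaped construction: metacharacters in the path are backslash-escaped,
// the sender becomes one single-quoted word.
function escaped_command(string $sendmail, string $sender): string
{
    return sprintf('%s -oi -f %s -t', escapeshellcmd($sendmail), escapeshellarg($sender));
}

// Stricter variant: fixed binary path, validated address, and an argv array
// that can be handed to proc_open() (PHP 7.4+) without any shell involved.
function strict_argv(string $sendmail, string $sender): array
{
    if (!in_array($sendmail, ALLOWED_SENDMAIL, true)) {
        throw new InvalidArgumentException('sendmail path not in allowlist');
    }
    if (filter_var($sender, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('sender is not a valid address');
    }
    return [$sendmail, '-oi', '-f', $sender, '-t'];
}

$samples = [
    'bounce@example.org',                 // ordinary sender
    'bounce@example.org; echo injected',  // constructed value with a metacharacter
];

foreach ($samples as $sender) {
    echo "sender:    {$sender}\n";
    echo 'unescaped: ' . unescaped_command('/usr/sbin/sendmail', $sender) . "\n";
    echo 'escaped:   ' . escaped_command('/usr/sbin/sendmail', $sender) . "\n";
    try {
        echo 'argv:      ' . json_encode(strict_argv('/usr/sbin/sendmail', $sender), JSON_UNESCAPED_SLASHES) . "\n";
    } catch (InvalidArgumentException $e) {
        echo 'argv:      rejected (' . $e->getMessage() . ")\n";
    }
    echo "\n";
}
```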
Bug#504255: CVE-2007-3215: remote shell command execution in class.phpmailer.php
On Sunday 02 November 2008 at 00:56 -0600, Raphael Geissert wrote:
> Hi,
>
> The following CVE (Common Vulnerabilities & Exposures) id was published for PHPMailer, which affects the embedded copy shipped in phpgroupware-felamimail[0].
>
> CVE-2007-3215[1]:
> PHPMailer 1.7, when configured to use sendmail, allows remote attackers to execute arbitrary shell commands via shell metacharacters in the SendmailSend function in class.phpmailer.php.
>
> The patch for class.phpmailer.php can be found at [2].
>
> However, it would be better if phpgroupware-felamimail just depended on libphp-phpmailer (also available in etch) and the include/require calls changed to use the copy provided by that package, to avoid shipping yet another embedded code copy.
>
> If you fix the vulnerability please also make sure to include the CVE id in the changelog entry.
>
> [0] usr/share/phpgroupware/felamimail/inc/class.phpmailer.inc.php
> [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3215
>     http://security-tracker.debian.net/tracker/CVE-2007-3215
> [2] http://sourceforge.net/tracker/index.php?func=detail&aid=1734811&group_id=26031&atid=385707

Thanks for spotting this problem.

The referred [2] patch is actually not exactly applicable to the version of class.phpmailer.php shipped in phpgroupware 0.9.11, and the correct one is attached.

I'll try and work on preparing a patched package later today.

Best regards,
--
Olivier BERGER [EMAIL PROTECTED]
http://www-public.it-sudparis.eu/~berger_o/ - OpenPGP-Id: 1024D/6B829EEC
Research Engineer - Dept INF
Institut TELECOM, SudParis (http://www.it-sudparis.eu/), Evry (France)

--- class.phpmailer.inc.php.orig 2008-11-02 11:03:57.0 +0100 +++ class.phpmailer.inc.php 2008-11-02 11:08:25.0 +0100 
@@ -591,9 +591,9 @@ */ function sendmail_send($header, $body) { if ($this-Sender != ) -$sendmail = sprintf(%s -oi -f %s -t, $this-Sendmail, $this-Sender); + $sendmail = sprintf(%s -oi -f %s -t, escapeshellcmd($this-Sendmail), escapeshellarg($this-Sender)); else -$sendmail = sprintf(%s -oi -t, $this-Sendmail); + $sendmail = sprintf(%s -oi -t, escapeshellcmd($this-Sendmail)); if([EMAIL PROTECTED] = popen($sendmail, w)) {
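Review bot: escapeshellcmd() on the Sendmail property, in both branches, escapes shell metacharacters but leaves whitespace alone, so a Sendmail value containing spaces still expands into extra arguments in the string passed to popen(). Since the value is meant to be a single executable path, escapeshellarg() (or a check against a fixed configured path) would be the tighter choice there; escapeshellarg() on Sender in the first branch is the right call.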
Bug#504255: CVE-2007-3215: remote shell command execution in class.phpmailer.php
On Sunday 02 November 2008 at 11:13 +0100, Olivier Berger wrote:
> Thanks for spotting this problem.
>
> The referred [2] patch is actually not exactly applicable to the version of class.phpmailer.php shipped in phpgroupware 0.9.11, and the correct one is attached.
>
> I'll try and work on preparing a patched package later today.
>
> Best regards,

Here's a proposed change for the source package, that should solve this problem.

$ interdiff -z phpgroupware_0.9.16.011-2.2.diff.gz phpgroupware_0.9.16.011-2.3.diff.gz
diff -u phpgroupware-0.9.16.011/debian/changelog phpgroupware-0.9.16.011/debian/changelog --- phpgroupware-0.9.16.011/debian/changelog +++ phpgroupware-0.9.16.011/debian/changelog @@ -1,3 +1,11 @@ +phpgroupware (0.9.16.011-2.3) stable-security; urgency=high + + * Non-maintainer upload. + * Fix remote shell command execution in class.phpmailer.php : +CVE-2007-3215 (Closes: #504255). + + -- Olivier Berger [EMAIL PROTECTED] Sun, 02 Nov 2008 11:36:15 +0100 + phpgroupware (0.9.16.011-2.2) unstable; urgency=low * Non-maintainer upload. only in patch2: unchanged: --- phpgroupware-0.9.16.011.orig/felamimail/inc/class.phpmailer.inc.php +++ phpgroupware-0.9.16.011/felamimail/inc/class.phpmailer.inc.php 
@@ -591,9 +591,9 @@ */ function sendmail_send($header, $body) { if ($this-Sender != ) -$sendmail = sprintf(%s -oi -f %s -t, $this-Sendmail, $this-Sender); + $sendmail = sprintf(%s -oi -f %s -t, escapeshellcmd($this-Sendmail), escapeshellarg($this-Sender)); else -$sendmail = sprintf(%s -oi -t, $this-Sendmail); + $sendmail = sprintf(%s -oi -t, escapeshellcmd($this-Sendmail)); if([EMAIL PROTECTED] = popen($sendmail, w)) { -

Note that I haven't tested phpgroupware-felamimail to see if this patch is valid.

I'm not so sure about the changelog format also... and in any case, I can't upload it.

Can someone from the security team take care of review and the upload?

Best regards,
--
Olivier BERGER [EMAIL PROTECTED]
http://www-public.it-sudparis.eu/~berger_o/ - OpenPGP-Id: 1024D/6B829EEC
Research Engineer - Dept INF
Institut TELECOM, SudParis (http://www.it-sudparis.eu/), Evry (France)
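Review bot: the changelog entry names class.phpmailer.php, but the file patched further down is felamimail/inc/class.phpmailer.inc.php. Name that path in the entry and say what changed (escapeshellcmd()/escapeshellarg() around the sendmail command) so the entry can be matched to the fix; the space before the colon in "class.phpmailer.php :" can go as well.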
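Review bot: in the sendmail_send() hunk, escapeshellarg() keeps Sender from being parsed by the shell, but the value still reaches sendmail's -f option without any check that it is an address. Validating Sender before the sprintf() call, and falling back to the branch without -f when it fails, would bound what the envelope sender can be.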
Bug#504255: CVE-2007-3215: remote shell command execution in class.phpmailer.php
On Sunday 02 November 2008 at 00:56 -0600, Raphael Geissert wrote:
> However, it would be better if phpgroupware-felamimail just depended on libphp-phpmailer (also available in etch) and the include/require calls changed to use the copy provided by that package, to avoid shipping yet another embedded code copy.

Regarding the dependency on libphp-mailer, it would of course be better. Still, as the versions differ significantly (1.65 in felamimail and 1.73 in libphp-phpmailer), I'm afraid of other bugs popping up, and have no will to test this old phpgroupware component.

So I think it's better to stick with this version, and only apply the provided patch for this issue.

Note also that felamimail was removed from the packaged phpgroupware modules in lenny, so this only applies up to etch. Still, a patched source package may be made (in unstable) for people willing to build unofficial packages from the sources, if/whenever I have time to work on that.

Hope this helps.
--
Olivier BERGER [EMAIL PROTECTED]
http://www-public.it-sudparis.eu/~berger_o/ - OpenPGP-Id: 1024D/6B829EEC
Research Engineer - Dept INF
Institut TELECOM, SudParis (http://www.it-sudparis.eu/), Evry (France)