Hi, I've taken the liberty to fix this security issue in an NMU to sid. Attached is the debdiff.
Cheers, Thijs
diff -Nru libphp-swiftmailer-5.4.2/debian/changelog libphp-swiftmailer-5.4.2/debian/changelog
--- libphp-swiftmailer-5.4.2/debian/changelog	2016-06-10 14:26:56.000000000 +0000
+++ libphp-swiftmailer-5.4.2/debian/changelog	2017-01-04 16:31:03.000000000 +0000
@@ -1,3 +1,11 @@
+libphp-swiftmailer (5.4.2-1.1) unstable; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * Fix CVE-2016-10074: Remote Code Execution by applying patch
+    e6ccf40d from upstream (Closes: #849626).
+
+ -- Thijs Kinkhorst <th...@debian.org>  Wed, 04 Jan 2017 16:31:03 +0000
+
 libphp-swiftmailer (5.4.2-1) unstable; urgency=medium
 
   * Imported Upstream version 5.4.2
diff -Nru libphp-swiftmailer-5.4.2/debian/patches/0001-fix-CVE-2016-10074.patch libphp-swiftmailer-5.4.2/debian/patches/0001-fix-CVE-2016-10074.patch
--- libphp-swiftmailer-5.4.2/debian/patches/0001-fix-CVE-2016-10074.patch	1970-01-01 00:00:00.000000000 +0000
+++ libphp-swiftmailer-5.4.2/debian/patches/0001-fix-CVE-2016-10074.patch	2017-01-04 16:31:03.000000000 +0000
@@ -0,0 +1,53 @@
+diff -Nur libphp-swiftmailer-5.4.2.orig/lib/classes/Swift/Transport/MailTransport.php libphp-swiftmailer-5.4.2/lib/classes/Swift/Transport/MailTransport.php
+--- libphp-swiftmailer-5.4.2.orig/lib/classes/Swift/Transport/MailTransport.php	2016-05-01 08:45:47.000000000 +0000
++++ libphp-swiftmailer-5.4.2/lib/classes/Swift/Transport/MailTransport.php	2017-01-04 15:53:43.400445794 +0000
+@@ -237,6 +237,36 @@
+     }
+ 
+     /**
++     * Fix CVE-2016-10074 by disallowing potentially unsafe shell characters.
++     *
++     * Note that escapeshellarg and escapeshellcmd are inadequate for our purposes, especially on Windows.
++     *
++     * @param string $string The string to be validated
++     *
++     * @return bool
++     */
++    private function _isShellSafe($string)
++    {
++        // Future-proof
++        if (escapeshellcmd($string) !== $string || !in_array(escapeshellarg($string), array("'$string'", "\"$string\""))) {
++            return false;
++        }
++
++        $length = strlen($string);
++        for ($i = 0; $i < $length; ++$i) {
++            $c = $string[$i];
++            // All other characters have a special meaning in at least one common shell, including = and +.
++            // Full stop (.) has a special meaning in cmd.exe, but its impact should be negligible here.
++            // Note that this does permit non-Latin alphanumeric characters based on the current locale.
++            if (!ctype_alnum($c) && strpos('@_-.', $c) === false) {
++                return false;
++            }
++        }
++
++        return true;
++    }
++
++    /**
+     * Return php mail extra params to use for invoker->mail.
+     *
+     * @param $extraParams
+@@ -247,7 +277,11 @@
+    private function _formatExtraParams($extraParams, $reversePath)
+    {
+        if (false !== strpos($extraParams, '-f%s')) {
+-            $extraParams = empty($reversePath) ? str_replace('-f%s', '', $extraParams) : sprintf($extraParams, escapeshellarg($reversePath));
++            if (empty($reversePath) || false === $this->_isShellSafe($reversePath)) {
++                $extraParams = str_replace('-f%s', '', $extraParams);
++            } else {
++                $extraParams = sprintf($extraParams, $reversePath);
++            }
+        }
+
+        return !empty($extraParams) ? $extraParams : null;
diff -Nru libphp-swiftmailer-5.4.2/debian/patches/series libphp-swiftmailer-5.4.2/debian/patches/series
--- libphp-swiftmailer-5.4.2/debian/patches/series	1970-01-01 00:00:00.000000000 +0000
+++ libphp-swiftmailer-5.4.2/debian/patches/series	2017-01-04 16:31:03.000000000 +0000
@@ -0,0 +1 @@
+0001-fix-CVE-2016-10074.patch
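Review bot: The character loop in _isShellSafe still depends on the process locale, because ctype_alnum() is LC_CTYPE-aware (the patch's own comment concedes this), so which bytes are allowed to reach the now-unescaped sprintf() in _formatExtraParams varies with whatever setlocale() the host application has applied; an explicit ASCII allow-list, `if (!preg_match('/\A[A-Za-z0-9@_.-]+\z/', $string)) { return false; }`, would make the gate deterministic across deployments. In the same hunk, the `in_array(escapeshellarg($string), array(...))` check should pass `true` as its third argument so the comparison is strict rather than loose. When the check fails, _formatExtraParams now drops `-f%s` silently, so a legitimate return path containing `+` (plus-addressing is rejected by the allow-list) loses its envelope sender with no trace; a one-line comment at that branch, `// Unsafe reverse path: send without -f rather than pass it to the shell; bounces will go to the MTA default`, or a debug log would help operators diagnose missing bounces. Both methods belong to a class whose start and end lie outside the hunk.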