~alpine/aports

[alpine-aports] [PATCH v3.4] main/php5-phpmailer: security upgrade to 5.2.4 - fixes #6624

Details
Message ID
<20170112091831.1554-1-sergej.lukin@gmail.com>
Sender timestamp
1484212711
DKIM signature
missing
Download raw message
Patch: +92 -9
CVE-2016-10033
CVE-2016-10045

Issues were fixed in 5.2.18 and 5.2.20
However, there were major changes between 5.2.0 and 5.2.20
https://github.com/PHPMailer/PHPMailer/blob/master/changelog.md

5.2.0 is NOT AVAILABLE anymore for download
Next available version is 5.2.4
https://github.com/PHPMailer/PHPMailer/releases?after=v5.2.5
(not sure if there were major changes between 5.2.0 and 5.2.4)

This upgrade contains patch which is based on 2 commits
containing fix for CVE-2016-10045 and CVE-2016-10033:
https://github.com/PHPMailer/PHPMailer/commit/9743ff5c7ee16e8d49187bd2e11149afb9485eae
https://github.com/PHPMailer/PHPMailer/commit/833c35fe39715c3d01934508987e97af1fbc1ba0
These commits were adjusted to 5.2.4
---
 main/php5-phpmailer/APKBUILD                       | 30 ++++++---
 .../CVE-2016-10033,CVE-2016-10045.patch            | 71 ++++++++++++++++++++++
 2 files changed, 92 insertions(+), 9 deletions(-)
 create mode 100644 main/php5-phpmailer/CVE-2016-10033,CVE-2016-10045.patch

diff --git a/main/php5-phpmailer/APKBUILD b/main/php5-phpmailer/APKBUILD
index e0e60c8..17b9a34 100644
--- a/main/php5-phpmailer/APKBUILD
+++ b/main/php5-phpmailer/APKBUILD
@@ -1,12 +1,13 @@
# Contributor: Sergei Lukin <sergej.lukin@gmail.com>
# Contributor: Timo Teräs <timo.teras@iki.fi>
# Maintainer:  Timo Teräs <timo.teras@iki.fi>
_php=php5
pkgname=${_php}-phpmailer
_pkgname=PHPMailer
pkgver=5.2.0
pkgver=5.2.4
pkgrel=0
pkgdesc="PHP class for SMTP mailing"
url="http://code.google.com/a/apache-extras.org/p/phpmailer/"
url="https://github.com/PHPMailer/PHPMailer/releases"
arch="noarch"
license="LGPL"
depends="$_php"
@@ -14,13 +15,19 @@ depends_dev=
makedepends="$depends_dev"
install=""
subpackages=""
source="http://phpmailer.apache-extras.org.codespot.com/files/PHPMailer_$pkgver.tgz"
source="${_pkgname}-${pkgver}.tar.gz::https://github.com/PHPMailer/PHPMailer/archive/v${pkgver}.tar.gz
	CVE-2016-10033,CVE-2016-10045.patch
	"
# secfixes:
#   5.2.0-r1:
#     - CVE-2016-10033
#     - CVE-2016-10045

_builddir="$srcdir/${_pkgname}_$pkgver"
builddir="$srcdir/${_pkgname}-$pkgver"

prepare() {
	local i
	cd "$_builddir"
	cd "$builddir"
	for i in $source; do
		case $i in
		*.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
@@ -29,13 +36,18 @@ prepare() {
}

build() {
	cd "$_builddir"
	cd "$builddir"
}

package() {
	cd "$_builddir"
	cd "$builddir"
	install -d -m755 "$pkgdir"/usr/share/pear
	install -D -m644 "$_builddir"/class.*.php "$pkgdir"/usr/share/pear || return 1
	install -D -m644 "$builddir"/class.*.php "$pkgdir"/usr/share/pear || return 1
}

md5sums="aed567b80e6a3b3175d4ce27f3a9a243  PHPMailer_5.2.0.tgz"
md5sums="dbe2d8e10e4a981187e4ea1afa4b66d1  PHPMailer-5.2.4.tar.gz
d7ceb90217a458f00ca5d971171dcb05  CVE-2016-10033,CVE-2016-10045.patch"
sha256sums="6fbc37fec49f3e2621633f1441ee6f6e6d9750459fefe79ae75df98da9ba25e7  PHPMailer-5.2.4.tar.gz
c8d984a4dd8a11dd286a8d6b3a1ca4bd058137719ffd81cedb9dfc9106bd8b3b  CVE-2016-10033,CVE-2016-10045.patch"
sha512sums="84f3f984bf9c463c6b28fe16c628ee31e104ff56174ff5de07d520083e47cec7c0d6b24095fa952af1c1116bed6ba62912d78d9aef67f01722b697e75cc40f69  PHPMailer-5.2.4.tar.gz
79f574321b55bd1f3b6e3bbc17cfbbf042e82510f354b663eb1d947ac585b232562c4536e227c5f18341b7a4afb278cfad9317a34ffb8abdc316e519c90430ac  CVE-2016-10033,CVE-2016-10045.patch"
diff --git a/main/php5-phpmailer/CVE-2016-10033,CVE-2016-10045.patch b/main/php5-phpmailer/CVE-2016-10033,CVE-2016-10045.patch
new file mode 100644
index 0000000..4ade577
--- /dev/null
+++ b/main/php5-phpmailer/CVE-2016-10033,CVE-2016-10045.patch
@@ -0,0 +1,71 @@
This patch is based on 2 commits containing fix for CVE-2016-10045 and CVE-2016-10033:
https://github.com/PHPMailer/PHPMailer/commit/9743ff5c7ee16e8d49187bd2e11149afb9485eae
https://github.com/PHPMailer/PHPMailer/commit/833c35fe39715c3d01934508987e97af1fbc1ba0
which were adjusted to PHPMailer_5.2.4 source code

diff -ru PHPMailer_5.2.4/class.phpmailer.php.orig PHPMailer_5.2.4/class.phpmailer.php
--- PHPMailer_5.2.4/class.phpmailer.php.orig
+++ PHPMailer_5.2.4/class.phpmailer.php
@@ -861,6 +861,38 @@
   }
 
   /**
+   * Fix CVE-2016-10033 and CVE-2016-10045 by disallowing potentially unsafe shell characters.
+   *
+   * Note that escapeshellarg and escapeshellcmd are inadequate for our purposes, especially on Windows.
+   * @param string $string The string to be validated
+   * @see https://github.com/PHPMailer/PHPMailer/issues/924 CVE-2016-10045 bug report
+   * @access protected
+   * @return boolean
+   */
+  protected static function isShellSafe($string)
+  {
+      // Future-proof
+      if (escapeshellcmd($string) !== $string or !in_array(escapeshellarg($string), array("'$string'", "\"$string\""))) {
+          return false;
+      }
+
+      $length = strlen($string);
+
+      for ($i = 0; $i < $length; $i++) {
+          $c = $string[$i];
+
+          // All other characters have a special meaning in at least one common shell, including = and +.
+          // Full stop (.) has a special meaning in cmd.exe, but its impact should be negligible here.
+          // Note that this does permit non-Latin alphanumeric characters based on the current locale.
+          if (!ctype_alnum($c) && strpos('@_-.', $c) === false) {
+              return false;
+          }
+      }
+
+      return true;
+  }
+
+  /**
    * Sends mail using the $Sendmail program.
    * @param string $header The message headers
    * @param string $body The message body
@@ -869,8 +901,10 @@
    * @return bool
    */
   protected function SendmailSend($header, $body) {
-    if ($this->Sender != '') {
-      $sendmail = sprintf("%s -oi -f%s -t", escapeshellcmd($this->Sendmail), escapeshellarg($this->Sender));
+    // CVE-2016-10033, CVE-2016-10045: Don't pass -f if characters will be escaped.
+    if (!empty($this->Sender) and self::isShellSafe($this->Sender)) {
+      // TODO: If possible, this should be changed to escapeshellarg.  Needs thorough testing.
+      $sendmail = sprintf("%s -oi -f%s -t", escapeshellcmd($this->Sendmail), $this->Sender);
     } else {
       $sendmail = sprintf("%s -oi -t", escapeshellcmd($this->Sendmail));
     }
@@ -925,7 +959,9 @@
     if (empty($this->Sender)) {
       $params = "-oi ";
     } else {
-      $params = sprintf("-oi -f%s", $this->Sender);
+      if (self::isShellSafe($this->Sender)) {
+        $params = sprintf("-oi -f%s", $this->Sender);
+      }
     }
     if ($this->Sender != '' and !ini_get('safe_mode')) {
       $old_from = ini_get('sendmail_from');
-- 
2.8.3



---
Unsubscribe:  alpine-aports+unsubscribe@lists.alpinelinux.org
Help:         alpine-aports+help@lists.alpinelinux.org
---
Reply to thread Export thread (mbox)