Mail archive
alpine-aports

[alpine-aports] [PATCH v3.5] main/php5-phpmailer: security fixes #6623

From: Sergei Lukin <sergej.lukin_at_gmail.com>
Date: Thu, 12 Jan 2017 07:40:00 +0000

CVE-2016-10033
CVE-2016-10045

Issues were fixed in 5.2.18 and 5.2.20
However, there were major changes between 5.2.4 and 5.2.20
https://github.com/PHPMailer/PHPMailer/blob/master/changelog.md

This upgrade contains patch which is based on 2 commits
containing fix for CVE-2016-10045 and CVE-2016-10033:
https://github.com/PHPMailer/PHPMailer/commit/9743ff5c7ee16e8d49187bd2e11149afb9485eae
https://github.com/PHPMailer/PHPMailer/commit/833c35fe39715c3d01934508987e97af1fbc1ba0
Commits were adjusted to 5.2.4
---
 main/php5-phpmailer/APKBUILD                       | 22 +++++--
 .../CVE-2016-10033,CVE-2016-10045.patch            | 71 ++++++++++++++++++++++
 2 files changed, 87 insertions(+), 6 deletions(-)
 create mode 100644 main/php5-phpmailer/CVE-2016-10033,CVE-2016-10045.patch
diff --git a/main/php5-phpmailer/APKBUILD b/main/php5-phpmailer/APKBUILD
index f426768e84..12a3059865 100644
--- a/main/php5-phpmailer/APKBUILD
+++ b/main/php5-phpmailer/APKBUILD
_at_@ -1,10 +1,11 @@
+# Contributor: Sergei Lukin <sergej.lukin_at_gmail.com>
 # Contributor: Timo Teräs <timo.teras_at_iki.fi>
 # Maintainer:  Timo Teräs <timo.teras_at_iki.fi>
 _php=php5
 pkgname=${_php}-phpmailer
 _pkgname=PHPMailer
 pkgver=5.2.4
-pkgrel=0
+pkgrel=1
 pkgdesc="PHP class for SMTP mailing"
 url="http://code.google.com/a/apache-extras.org/p/phpmailer/"
 arch="noarch"
_at_@ -14,9 +15,15 @@ depends_dev=
 makedepends="$depends_dev"
 install=""
 subpackages=""
-source="https://storage.googleapis.com/google-code-archive-downloads/v2/apache-extras.org/phpmailer/${_pkgname}_${pkgver}.tgz"
+source="${_pkgname}-${pkgver}.tar.gz::https://github.com/PHPMailer/PHPMailer/archive/v${pkgver}.tar.gz
+	CVE-2016-10033,CVE-2016-10045.patch
+	"
+# secfixes:
+#   5.2.4-r1:
+#     - CVE-2016-10033
+#     - CVE-2016-10045
 
-builddir="$srcdir/${_pkgname}_$pkgver"
+builddir="$srcdir/${_pkgname}-$pkgver"
 build() {
 	cd "$builddir"
 }
_at_@ -27,6 +34,9 @@ package() {
 	install -D -m644 "$builddir"/class.*.php "$pkgdir"/usr/share/pear || return 1
 }
 
-md5sums="c990db0d0859599eafa4338ce90154a7  PHPMailer_5.2.4.tgz"
-sha256sums="805e414daf56a8bda443c0e0c209c5cc29a3fcb0c55b36450e5b4635c0991dd8  PHPMailer_5.2.4.tgz"
-sha512sums="c5bbac3d60db83052a76474b5e7c975fa6aaa0bf157fba21b4c382a645d113bcda5d8214e08a844904d0f6e99cf324dae5796bb8d1de29852591d23471d0436a  PHPMailer_5.2.4.tgz"
+md5sums="dbe2d8e10e4a981187e4ea1afa4b66d1  PHPMailer-5.2.4.tar.gz
+d7ceb90217a458f00ca5d971171dcb05  CVE-2016-10033,CVE-2016-10045.patch"
+sha256sums="6fbc37fec49f3e2621633f1441ee6f6e6d9750459fefe79ae75df98da9ba25e7  PHPMailer-5.2.4.tar.gz
+c8d984a4dd8a11dd286a8d6b3a1ca4bd058137719ffd81cedb9dfc9106bd8b3b  CVE-2016-10033,CVE-2016-10045.patch"
+sha512sums="84f3f984bf9c463c6b28fe16c628ee31e104ff56174ff5de07d520083e47cec7c0d6b24095fa952af1c1116bed6ba62912d78d9aef67f01722b697e75cc40f69  PHPMailer-5.2.4.tar.gz
+79f574321b55bd1f3b6e3bbc17cfbbf042e82510f354b663eb1d947ac585b232562c4536e227c5f18341b7a4afb278cfad9317a34ffb8abdc316e519c90430ac  CVE-2016-10033,CVE-2016-10045.patch"
diff --git a/main/php5-phpmailer/CVE-2016-10033,CVE-2016-10045.patch b/main/php5-phpmailer/CVE-2016-10033,CVE-2016-10045.patch
new file mode 100644
index 0000000000..4ade577f20
--- /dev/null
+++ b/main/php5-phpmailer/CVE-2016-10033,CVE-2016-10045.patch
_at_@ -0,0 +1,71 @@
+This patch is based on 2 commits containing fix for CVE-2016-10045 and CVE-2016-10033:
+https://github.com/PHPMailer/PHPMailer/commit/9743ff5c7ee16e8d49187bd2e11149afb9485eae
+https://github.com/PHPMailer/PHPMailer/commit/833c35fe39715c3d01934508987e97af1fbc1ba0
+which were adjusted to PHPMailer_5.2.4 source code
+
+diff -ru PHPMailer_5.2.4/class.phpmailer.php.orig PHPMailer_5.2.4/class.phpmailer.php
+--- PHPMailer_5.2.4/class.phpmailer.php.orig
++++ PHPMailer_5.2.4/class.phpmailer.php
+_at_@ -861,6 +861,38 @@
+   }
+ 
+   /**
++   * Fix CVE-2016-10033 and CVE-2016-10045 by disallowing potentially unsafe shell characters.
++   *
++   * Note that escapeshellarg and escapeshellcmd are inadequate for our purposes, especially on Windows.
++   * _at_param string $string The string to be validated
++   * _at_see https://github.com/PHPMailer/PHPMailer/issues/924 CVE-2016-10045 bug report
++   * _at_access protected
++   * _at_return boolean
++   */
++  protected static function isShellSafe($string)
++  {
++      // Future-proof
++      if (escapeshellcmd($string) !== $string or !in_array(escapeshellarg($string), array("'$string'", "\"$string\""))) {
++          return false;
++      }
++
++      $length = strlen($string);
++
++      for ($i = 0; $i < $length; $i++) {
++          $c = $string[$i];
++
++          // All other characters have a special meaning in at least one common shell, including = and +.
++          // Full stop (.) has a special meaning in cmd.exe, but its impact should be negligible here.
++          // Note that this does permit non-Latin alphanumeric characters based on the current locale.
++          if (!ctype_alnum($c) && strpos('_at__-.', $c) === false) {
++              return false;
++          }
++      }
++
++      return true;
++  }
++
++  /**
+    * Sends mail using the $Sendmail program.
+    * _at_param string $header The message headers
+    * _at_param string $body The message body
+_at_@ -869,8 +901,10 @@
+    * _at_return bool
+    */
+   protected function SendmailSend($header, $body) {
+-    if ($this->Sender != '') {
+-      $sendmail = sprintf("%s -oi -f%s -t", escapeshellcmd($this->Sendmail), escapeshellarg($this->Sender));
++    // CVE-2016-10033, CVE-2016-10045: Don't pass -f if characters will be escaped.
++    if (!empty($this->Sender) and self::isShellSafe($this->Sender)) {
++      // TODO: If possible, this should be changed to escapeshellarg.  Needs thorough testing.
++      $sendmail = sprintf("%s -oi -f%s -t", escapeshellcmd($this->Sendmail), $this->Sender);
+     } else {
+       $sendmail = sprintf("%s -oi -t", escapeshellcmd($this->Sendmail));
+     }
+_at_@ -925,7 +959,9 @@
+     if (empty($this->Sender)) {
+       $params = "-oi ";
+     } else {
+-      $params = sprintf("-oi -f%s", $this->Sender);
++      if (self::isShellSafe($this->Sender)) {
++        $params = sprintf("-oi -f%s", $this->Sender);
++      }
+     }
+     if ($this->Sender != '' and !ini_get('safe_mode')) {
+       $old_from = ini_get('sendmail_from');
-- 
2.11.0
---
Unsubscribe:  alpine-aports+unsubscribe_at_lists.alpinelinux.org
Help:         alpine-aports+help_at_lists.alpinelinux.org
---
Received on Thu Jan 12 2017 - 07:40:00 GMT