Sergei Lukin: 1 main/php-phpmailer: security upgrade to 5.2.4 - fixes #6626 2 files changed, 92 insertions(+), 8 deletions(-)
CVE-2016-10033 CVE-2016-10045 Issues were fixed in 5.2.18 and 5.2.20 However, there were major changes between 5.2.0 and 5.2.20 https://github.com/PHPMailer/PHPMailer/blob/master/changelog.md 5.2.0 is NOT AVAILABLE anymore for download Next available version is 5.2.4 https://github.com/PHPMailer/PHPMailer/releases?after=v5.2.5 (not sure if there were major changes between 5.2.0 and 5.2.4) This upgrade contains patch which is based on 2 commits containing fix for CVE-2016-10045 and CVE-2016-10033: https://github.com/PHPMailer/PHPMailer/commit/9743ff5c7ee16e8d49187bd2e11149afb9485eae https://github.com/PHPMailer/PHPMailer/commit/833c35fe39715c3d01934508987e97af1fbc1ba0 These commits were adjusted to 5.2.4
---
 main/php-phpmailer/APKBUILD | 29 ++++++---
 .../CVE-2016-10033,CVE-2016-10045.patch | 71 ++++++++++++++++++++++
 2 files changed, 92 insertions(+), 8 deletions(-)
 create mode 100644 main/php-phpmailer/CVE-2016-10033,CVE-2016-10045.patch
diff --git a/main/php-phpmailer/APKBUILD b/main/php-phpmailer/APKBUILD
index 19a27a3..1054f5b 100644
--- a/main/php-phpmailer/APKBUILD
+++ b/main/php-phpmailer/APKBUILD
@@ -1,8 +1,9 @@
+# Contributor: Sergei Lukin <sergej.lukin@gmail.com>
 # Contributor: Timo Teräs <timo.teras@iki.fi>
 # Maintainer: Timo Teräs <timo.teras@iki.fi>
 pkgname=php-phpmailer
 _pkgname=PHPMailer
-pkgver=5.2.0
+pkgver=5.2.4
 pkgrel=0
 pkgdesc="PHP class for SMTP mailing"
 url="http://code.google.com/a/apache-extras.org/p/phpmailer/"
@@ -13,13 +14,20 @@ depends_dev= makedepends="$depends_dev" install="" subpackages="" -source="http://phpmailer.apache-extras.org.codespot.com/files/PHPMailer_$pkgver.tgz" +source="${_pkgname}-${pkgver}.tar.gz::https://github.com/PHPMailer/PHPMailer/archive/v${pkgver}.tar.gz + CVE-2016-10033,CVE-2016-10045.patch + " -_builddir="$srcdir/${_pkgname}_$pkgver" +# secfixes: +# 5.2.4-r0: +# - CVE-2016-10033 +# - CVE-2016-10045 + +builddir="$srcdir/${_pkgname}-$pkgver" prepare() { local i - cd "$_builddir" + cd "$builddir" for i in $source; do case $i in *.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;; @@ -28,13 +36,18 @@ prepare() { } build() { - cd "$_builddir" + cd "$builddir" } package() { - cd "$_builddir" + cd "$builddir" install -d -m755 "$pkgdir"/usr/share/pear - install -D -m644 "$_builddir"/class.*.php "$pkgdir"/usr/share/pear || return 1 + install -D -m644 "$builddir"/class.*.php "$pkgdir"/usr/share/pear || return 1 } -md5sums="aed567b80e6a3b3175d4ce27f3a9a243 PHPMailer_5.2.0.tgz" +md5sums="dbe2d8e10e4a981187e4ea1afa4b66d1 PHPMailer-5.2.4.tar.gz +d7ceb90217a458f00ca5d971171dcb05 CVE-2016-10033,CVE-2016-10045.patch" +sha256sums="6fbc37fec49f3e2621633f1441ee6f6e6d9750459fefe79ae75df98da9ba25e7 PHPMailer-5.2.4.tar.gz +c8d984a4dd8a11dd286a8d6b3a1ca4bd058137719ffd81cedb9dfc9106bd8b3b CVE-2016-10033,CVE-2016-10045.patch" +sha512sums="84f3f984bf9c463c6b28fe16c628ee31e104ff56174ff5de07d520083e47cec7c0d6b24095fa952af1c1116bed6ba62912d78d9aef67f01722b697e75cc40f69 PHPMailer-5.2.4.tar.gz +79f574321b55bd1f3b6e3bbc17cfbbf042e82510f354b663eb1d947ac585b232562c4536e227c5f18341b7a4afb278cfad9317a34ffb8abdc316e519c90430ac CVE-2016-10033,CVE-2016-10045.patch" diff --git a/main/php-phpmailer/CVE-2016-10033,CVE-2016-10045.patch b/main/php-phpmailer/CVE-2016-10033,CVE-2016-10045.patch new file mode 100644 index 0000000..4ade577 --- /dev/null +++ b/main/php-phpmailer/CVE-2016-10033,CVE-2016-10045.patch 
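Review bot: The isShellSafe() helper added by the new CVE-2016-10033,CVE-2016-10045.patch calls ctype_alnum(), and on Alpine the ctype functions ship in a separate PHP extension subpackage, so the `depends=` line of this APKBUILD (outside the hunk) should be checked to pull that extension in; otherwise any send with a Sender set would fail with an undefined-function error instead of the address simply being rejected. The `source=` line now fetches an auto-generated GitHub archive, which is acceptable here because the added sha256/sha512 sums pin its contents, but it is worth re-verifying the sums against a fresh download since such archives can be regenerated.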
@@ -0,0 +1,71 @@
+This patch is based on 2 commits containing fix for CVE-2016-10045 and CVE-2016-10033:
+https://github.com/PHPMailer/PHPMailer/commit/9743ff5c7ee16e8d49187bd2e11149afb9485eae
+https://github.com/PHPMailer/PHPMailer/commit/833c35fe39715c3d01934508987e97af1fbc1ba0
+which were adjusted to PHPMailer_5.2.4 source code
+
+diff -ru PHPMailer_5.2.4/class.phpmailer.php.orig PHPMailer_5.2.4/class.phpmailer.php
+--- PHPMailer_5.2.4/class.phpmailer.php.orig
++++ PHPMailer_5.2.4/class.phpmailer.php
+@@ -861,6 +861,38 @@
+ }
+ 
+ /**
++ * Fix CVE-2016-10033 and CVE-2016-10045 by disallowing potentially unsafe shell characters.
++ *
++ * Note that escapeshellarg and escapeshellcmd are inadequate for our purposes, especially on Windows.
++ * @param string $string The string to be validated
++ * @see https://github.com/PHPMailer/PHPMailer/issues/924 CVE-2016-10045 bug report
++ * @access protected
++ * @return boolean
++ */
++ protected static function isShellSafe($string)
++ {
++ // Future-proof
++ if (escapeshellcmd($string) !== $string or !in_array(escapeshellarg($string), array("'$string'", "\"$string\""))) {
++ return false;
++ }
++
++ $length = strlen($string);
++
++ for ($i = 0; $i < $length; $i++) {
++ $c = $string[$i];
++
++ // All other characters have a special meaning in at least one common shell, including = and +.
++ // Full stop (.) has a special meaning in cmd.exe, but its impact should be negligible here.
++ // Note that this does permit non-Latin alphanumeric characters based on the current locale.
++ if (!ctype_alnum($c) && strpos('@_-.', $c) === false) {
++ return false;
++ }
++ }
++
++ return true;
++ }
++
++ /**
+ * Sends mail using the $Sendmail program.
+ * @param string $header The message headers
+ * @param string $body The message body
+@@ -869,8 +901,10 @@
+ * @return bool
+ */
+ protected function SendmailSend($header, $body) {
+- if ($this->Sender != '') {
+- $sendmail = sprintf("%s -oi -f%s -t", escapeshellcmd($this->Sendmail), escapeshellarg($this->Sender));
++ // CVE-2016-10033, CVE-2016-10045: Don't pass -f if characters will be escaped.
++ if (!empty($this->Sender) and self::isShellSafe($this->Sender)) {
++ // TODO: If possible, this should be changed to escapeshellarg. Needs thorough testing.
++ $sendmail = sprintf("%s -oi -f%s -t", escapeshellcmd($this->Sendmail), $this->Sender);
+ } else {
+ $sendmail = sprintf("%s -oi -t", escapeshellcmd($this->Sendmail));
+ }
+@@ -925,7 +959,9 @@
+ if (empty($this->Sender)) {
+ $params = "-oi ";
+ } else {
+- $params = sprintf("-oi -f%s", $this->Sender);
++ if (self::isShellSafe($this->Sender)) {
++ $params = sprintf("-oi -f%s", $this->Sender);
++ }
+ }
+ if ($this->Sender != '' and !ini_get('safe_mode')) {
+ $old_from = ini_get('sendmail_from');
-- 
2.4.11
---
Unsubscribe: alpine-aports+unsubscribe@lists.alpinelinux.org
Help: alpine-aports+help@lists.alpinelinux.org
---
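Review bot: In the `@@ -925,7 +959,9 @@` hunk of the embedded patch (MailSend), a Sender that is set but fails isShellSafe() leaves `$params` unassigned in the new inner branch, so unless it is initialised earlier in MailSend (the function starts outside the hunk) the later mail() call runs with an undefined variable instead of the plain `-oi` default. The inner condition should keep the old default as its fallback: `if (self::isShellSafe($this->Sender)) { $params = sprintf("-oi -f%s", $this->Sender); } else { $params = "-oi "; }`. In both SendmailSend and MailSend the `-f` option is now dropped silently when the Sender is rejected, so the envelope sender quietly falls back to the MTA default while the following `ini_set('sendmail_from', ...)` still receives the raw value; a comment at each rejection point such as `// Sender rejected by isShellSafe(): -f is omitted and the MTA default envelope sender applies` would make that behaviour visible to maintainers. The backported isShellSafe() is otherwise a faithful adaptation of the upstream allow-list (alphanumerics plus `@_-.`), and its locale caveat from the upstream comment still applies here.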