[pkg-php-pear] Bug#913912: libphp-phpmailer: CVE-2018-19296
Salvatore Bonaccorso
carnil at debian.org
Sat Dec 1 15:42:17 GMT 2018
Hi
Attached is the proposed debdiff for this issue backported to the
respective base version 5.2.14.
Regards,
Salvatore
diff -Nru libphp-phpmailer-5.2.14+dfsg/debian/changelog libphp-phpmailer-5.2.14+dfsg/debian/changelog
--- libphp-phpmailer-5.2.14+dfsg/debian/changelog 2017-02-25 19:15:08.000000000 +0100
+++ libphp-phpmailer-5.2.14+dfsg/debian/changelog 2018-12-01 15:09:47.000000000 +0100
@@ -1,3 +1,10 @@
+libphp-phpmailer (5.2.14+dfsg-2.4) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * object injection vulnerability (CVE-2018-19296) (Closes: #913912)
+
+ -- Salvatore Bonaccorso <carnil at debian.org> Sat, 01 Dec 2018 15:09:47 +0100
+
libphp-phpmailer (5.2.14+dfsg-2.3) unstable; urgency=medium
* Non-maintainer upload.
diff -Nru libphp-phpmailer-5.2.14+dfsg/debian/patches/0004-CVE-2018-19296.patch libphp-phpmailer-5.2.14+dfsg/debian/patches/0004-CVE-2018-19296.patch
--- libphp-phpmailer-5.2.14+dfsg/debian/patches/0004-CVE-2018-19296.patch 1970-01-01 01:00:00.000000000 +0100
+++ libphp-phpmailer-5.2.14+dfsg/debian/patches/0004-CVE-2018-19296.patch 2018-12-01 15:09:27.000000000 +0100
@@ -0,0 +1,114 @@
+From: Marcus Bointon <marcus at synchromedia.co.uk>
+Date: Thu, 15 Nov 2018 23:27:24 +0100
+Subject: Backport changes for CVE-2018-19296
+Origin: https://github.com/PHPMailer/PHPMailer/commit/f1231a9771505f4f34da060390d82eadb8448271
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-19296
+Bug-Debian: https://bugs.debian.org/913912
+
+[Salvatore Bonaccorso: Backport changes to 5.2.14: Check for permitted
+path for $this->DKIM_private before checking if file_exists following
+the logic applied for the upstream patch]
+---
+ class.phpmailer.php | 31 ++++++++++++++++++++++++-------
+ test/phpmailerTest.php | 16 ++++++++++++++++
+ 2 files changed, 40 insertions(+), 7 deletions(-)
+
+--- a/class.phpmailer.php
++++ b/class.phpmailer.php
+@@ -1263,6 +1263,7 @@ class PHPMailer
+ if (!empty($this->DKIM_domain)
+ && !empty($this->DKIM_private)
+ && !empty($this->DKIM_selector)
++ && self::isPermittedPath($this->DKIM_private)
+ && file_exists($this->DKIM_private)) {
+ $header_dkim = $this->DKIM_Add(
+ $this->MIMEHeader . $this->mailHeader,
+@@ -1425,6 +1426,18 @@ class PHPMailer
+ }
+
+ /**
++ * Check whether a file path is of a permitted type.
++ * Used to reject URLs and phar files from functions that access local file paths,
++ * such as addAttachment.
++ * @param string $path A relative or absolute path to a file.
++ * @return bool
++ */
++ protected static function isPermittedPath($path)
++ {
++ return !preg_match('#^[a-z]+://#i', $path);
++ }
++
++ /**
+ * Send mail using the PHP mail() function.
+ * @param string $header The message headers
+ * @param string $body The message body
+@@ -1723,7 +1736,7 @@ class PHPMailer
+ // There is no English translation file
+ if ($langcode != 'en') {
+ // Make sure language file path is readable
+- if (!is_readable($lang_file)) {
++ if (!self::isPermittedPath($lang_file) or !is_readable($lang_file)) {
+ $foundlang = false;
+ } else {
+ // Overwrite language-specific strings.
+@@ -2420,6 +2433,8 @@ class PHPMailer
+ * Add an attachment from a path on the filesystem.
+ * Never use a user-supplied path to a file!
+ * Returns false if the file could not be found or read.
++ * Explicitly *does not* support passing URLs; PHPMailer is not an HTTP client.
++ * If you need to do that, fetch the resource yourself and pass it in via a local file or string.
+ * @param string $path Path to the attachment.
+ * @param string $name Overrides the attachment name.
+ * @param string $encoding File encoding (see $Encoding).
+@@ -2431,7 +2446,7 @@ class PHPMailer
+ public function addAttachment($path, $name = '', $encoding = 'base64', $type = '', $disposition = 'attachment')
+ {
+ try {
+- if (!@is_file($path)) {
++ if (!self::isPermittedPath($path) or !@is_file($path)) {
+ throw new phpmailerException($this->lang('file_access') . $path, self::STOP_CONTINUE);
+ }
+
+@@ -2612,7 +2627,7 @@ class PHPMailer
+ protected function encodeFile($path, $encoding = 'base64')
+ {
+ try {
+- if (!is_readable($path)) {
++ if (!self::isPermittedPath($path) or !file_exists($path)) {
+ throw new phpmailerException($this->lang('file_open') . $path, self::STOP_CONTINUE);
+ }
+ $magic_quotes = get_magic_quotes_runtime();
+@@ -2956,7 +2971,7 @@ class PHPMailer
+ */
+ public function addEmbeddedImage($path, $cid, $name = '', $encoding = 'base64', $type = '', $disposition = 'inline')
+ {
+- if (!@is_file($path)) {
++ if (!self::isPermittedPath($path) or !@is_file($path)) {
+ $this->setError($this->lang('file_access') . $path);
+ return false;
+ }
+--- a/test/phpmailerTest.php
++++ b/test/phpmailerTest.php
+@@ -740,6 +740,22 @@ class PHPMailerTest extends PHPUnit_Fram
+ }
+
+ /**
++ * Rejection of non-local file attachments test.
++ */
++ public function testRejectNonLocalFileAttachment()
++ {
++ $this->assertFalse(
++ $this->Mail->addAttachment('https://github.com/PHPMailer/PHPMailer/raw/master/README.md'),
++ 'addAttachment should reject remote URLs'
++ );
++
++ $this->assertFalse(
++ $this->Mail->addAttachment('phar://phar.php'),
++ 'addAttachment should reject phar resources'
++ );
++ }
++
++ /**
+ * Simple plain string attachment test.
+ */
+ public function testPlainStringAttachment()
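Review bot: The scheme pattern in `isPermittedPath` (`'#^[a-z]+://#i'`) only matches schemes made of letters, while RFC 3986 also allows digits, `+`, `-` and `.` in a scheme name, and PHP ships stream wrappers with such names (e.g. `compress.zlib://`), so those are not rejected by this check even though the docblock says it rejects URLs and phar files; a closer match to the intent would be `return !preg_match('#^[a-z][a-z\d+.-]*://#i', $path);`. Separately, the `encodeFile` guard swaps `is_readable($path)` for `file_exists($path)`, so an existing but unreadable file now passes the guard; whether that is caught later depends on how the `file_get_contents` result is handled, which is outside the visible fragment. The bodies of `addAttachment`, `encodeFile`, `addEmbeddedImage` and the DKIM block all continue outside this hunk, and the test added in `test/phpmailerTest.php` does not exercise a dotted-scheme path, so a case for one would make the regex fix verifiable.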
diff -Nru libphp-phpmailer-5.2.14+dfsg/debian/patches/series libphp-phpmailer-5.2.14+dfsg/debian/patches/series
--- libphp-phpmailer-5.2.14+dfsg/debian/patches/series 2017-02-25 19:15:08.000000000 +0100
+++ libphp-phpmailer-5.2.14+dfsg/debian/patches/series 2018-12-01 14:57:11.000000000 +0100
@@ -1,3 +1,4 @@
0001-Fix-actual-autoloader-path.patch
0002-Fix-CVE-2016-10033-CVE-2016-10045.patch
0003-CVE-2017-5223.patch
+0004-CVE-2018-19296.patch