libphp-phpmailer: CVE-2016-10033

Debian Bug report logs - #849365
libphp-phpmailer: CVE-2016-10033

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: libphp-phpmailer: CVE-2016-10033

Date: Mon, 26 Dec 2016 10:54:47 +0100

Source: libphp-phpmailer
Version: 5.2.9+dfsg-2
Severity: grave
Tags: security upstream
Justification: user security hole

Hi,

the following vulnerability was published for libphp-phpmailer.

CVE-2016-10033[0]:
remote code execution

Details though at the point of writing this bugreport are not yet
available. It is fixed in the new upstream version 5.2.18.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-10033
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10033

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Message #10 received at 849365@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: 849365@bugs.debian.org

Subject: Re: Bug#849365: libphp-phpmailer: CVE-2016-10033

Date: Wed, 28 Dec 2016 05:38:04 +0100

On Mon, Dec 26, 2016 at 10:54:47AM +0100, Salvatore Bonaccorso wrote:
> Source: libphp-phpmailer
> Version: 5.2.9+dfsg-2
> Severity: grave
> Tags: security upstream
> Justification: user security hole
> 
> Hi,
> 
> the following vulnerability was published for libphp-phpmailer.
> 
> CVE-2016-10033[0]:
> remote code execution

Further analysis of the fix via
https://github.com/PHPMailer/PHPMailer/commit/4835657cd639fbd09afd33307cef164edf807cdc
has shown that this fix might be incomplete. See

http://www.openwall.com/lists/oss-security/2016/12/28/1

for further details.

Regards,
Salvatore

Message #15 received at 849365@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: 849365@bugs.debian.org

Cc: Debian Security Team <team@security.debian.org>

Subject: Re: Bug#849365: libphp-phpmailer: CVE-2016-10033

Date: Wed, 28 Dec 2016 11:31:11 +0100

Hi

On Wed, Dec 28, 2016 at 05:38:04AM +0100, Salvatore Bonaccorso wrote:
> On Mon, Dec 26, 2016 at 10:54:47AM +0100, Salvatore Bonaccorso wrote:
> > Source: libphp-phpmailer
> > Version: 5.2.9+dfsg-2
> > Severity: grave
> > Tags: security upstream
> > Justification: user security hole
> > 
> > Hi,
> > 
> > the following vulnerability was published for libphp-phpmailer.
> > 
> > CVE-2016-10033[0]:
> > remote code execution
> 
> Further analysis of the fix via
> https://github.com/PHPMailer/PHPMailer/commit/4835657cd639fbd09afd33307cef164edf807cdc
> has shown that this fix might be incomplete. See
> 
> http://www.openwall.com/lists/oss-security/2016/12/28/1
> 
> for further details.

There was now a followup:

http://www.openwall.com/lists/oss-security/2016/12/28/4

Note, that I have marked CVE-2016-10045 in the security-tracker as
not-affected, since the patch for CVE-2016-10033 introducing the issue
was not applied anywhere yet. So when CVE-2016-10033 is fixed, make
sure that the fix is complete to not make libphp-phpmailer vulnerable
to CVE-2016-10045.

Not sure though if we should change the way we track both CVEs and
treat libphp-phpmailer as vulnerable to both. But CVE-2016-10045 is
specific to the bypass of the CVE-2016-10033, so TTBOMK we are
tracking it right this way.

Regards,
Salvatore

Message #20 received at 849365@bugs.debian.org (full text, mbox, reply):

From: Craig Small <csmall@debian.org>

To: 849365@bugs.debian.org

Cc: Debian Security Team <team@security.debian.org>

Subject: Re: Bug#849365: libphp-phpmailer: CVE-2016-10033 (wordpress not vulnerable)

Date: Thu, 29 Dec 2016 00:45:20 +0000

[Message part 1 (text/plain, inline)]

On Wed, 28 Dec 2016 11:31:11 +0100 Salvatore Bonaccorso <carnil@debian.org>
wrote:
> > > the following vulnerability was published for libphp-phpmailer.
> > >
> > > CVE-2016-10033[0]:
> > > remote code execution

I would like to point out that wordpress has an embedded/modified version
of PHPmailer in it at wp-includes/class-phpmailer.php
However, the wordpress developers have stated that if it is used correctly
it is no vulnerable to it. It means that the core system and
correctly written plugins have no impact[1].

Sorry, to hijack the libphp-phpmailer bug but I thought it should be noted
somewhere wordpress, for once, isn't vulnerable.

 - Craig

1: https://core.trac.wordpress.org/ticket/37210

-- 
Craig Small (@smallsees)   http://dropbear.xyz/     csmall at : enc.com.au
Debian GNU/Linux           http://www.debian.org/   csmall at : debian.org
GPG fingerprint:        5D2F B320 B825 D939 04D2  0519 3938 F96B DF50 FEA5

[Message part 2 (text/html, inline)]

Message #25 received at 849365@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: 849365@bugs.debian.org

Cc: Debian Security Team <team@security.debian.org>

Subject: Re: Bug#849365: libphp-phpmailer: CVE-2016-10033

Date: Thu, 29 Dec 2016 08:45:02 +0100

Hi,

On Wed, Dec 28, 2016 at 11:31:11AM +0100, Salvatore Bonaccorso wrote:
> Hi
> 
> On Wed, Dec 28, 2016 at 05:38:04AM +0100, Salvatore Bonaccorso wrote:
> > On Mon, Dec 26, 2016 at 10:54:47AM +0100, Salvatore Bonaccorso wrote:
> > > Source: libphp-phpmailer
> > > Version: 5.2.9+dfsg-2
> > > Severity: grave
> > > Tags: security upstream
> > > Justification: user security hole
> > > 
> > > Hi,
> > > 
> > > the following vulnerability was published for libphp-phpmailer.
> > > 
> > > CVE-2016-10033[0]:
> > > remote code execution
> > 
> > Further analysis of the fix via
> > https://github.com/PHPMailer/PHPMailer/commit/4835657cd639fbd09afd33307cef164edf807cdc
> > has shown that this fix might be incomplete. See
> > 
> > http://www.openwall.com/lists/oss-security/2016/12/28/1
> > 
> > for further details.
> 
> There was now a followup:
> 
> http://www.openwall.com/lists/oss-security/2016/12/28/4
> 
> Note, that I have marked CVE-2016-10045 in the security-tracker as
> not-affected, since the patch for CVE-2016-10033 introducing the issue
> was not applied anywhere yet. So when CVE-2016-10033 is fixed, make
> sure that the fix is complete to not make libphp-phpmailer vulnerable
> to CVE-2016-10045.
> 
> Not sure though if we should change the way we track both CVEs and
> treat libphp-phpmailer as vulnerable to both. But CVE-2016-10045 is
> specific to the bypass of the CVE-2016-10033, so TTBOMK we are
> tracking it right this way.

Note there was another followup, which now seem to concludes the fix,
details in 

http://www.openwall.com/lists/oss-security/2016/12/28/6

Regards,
Salvatore

Message #30 received at 849365@bugs.debian.org (full text, mbox, reply):

From: Thijs Kinkhorst <thijs@debian.org>

To: <849365@bugs.debian.org>

Subject: Patch for NMU 5.2.14+dfsg-2.1

Date: Fri, 30 Dec 2016 13:07:11 +0100

[Message part 1 (text/plain, inline)]

Hi,

On behalf of the Security Team I've taken the liberty to upload to
unstable a fix for CVE-2016-10033. The debdiff is attached.


Cheers,
Thijs

[849365.patch (text/x-patch, attachment)]

[signature.asc (application/pgp-signature, attachment)]

Message #35 received at 849365-close@bugs.debian.org (full text, mbox, reply):

From: Thijs Kinkhorst <thijs@debian.org>

To: 849365-close@bugs.debian.org

Subject: Bug#849365: fixed in libphp-phpmailer 5.2.14+dfsg-2.1

Date: Fri, 30 Dec 2016 12:19:02 +0000

Source: libphp-phpmailer
Source-Version: 5.2.14+dfsg-2.1

We believe that the bug you reported is fixed in the latest version of
libphp-phpmailer, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 849365@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <thijs@debian.org> (supplier of updated libphp-phpmailer package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 30 Dec 2016 11:22:28 +0000
Source: libphp-phpmailer
Binary: libphp-phpmailer
Architecture: source all
Version: 5.2.14+dfsg-2.1
Distribution: unstable
Urgency: high
Maintainer: Debian PHP PEAR Maintainers <pkg-php-pear@lists.alioth.debian.org>
Changed-By: Thijs Kinkhorst <thijs@debian.org>
Description:
 libphp-phpmailer - full featured email transfer class for PHP
Closes: 849365
Changes:
 libphp-phpmailer (5.2.14+dfsg-2.1) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix CVE-2016-10033 (and CVE-2016-10045): apply commits
     4835657c 9743ff5c 833c35fe from upstream. Closes: #849365.
Checksums-Sha1:
 df5692fde82a79d13099b6a98bed3b2c3c7df035 1725 libphp-phpmailer_5.2.14+dfsg-2.1.dsc
 9377456502201ad9726ca3380085989b403d0a32 8376 libphp-phpmailer_5.2.14+dfsg-2.1.debian.tar.xz
 21787b4f76e05cc9fcccb13c44fbcacd6f88c26e 146990 libphp-phpmailer_5.2.14+dfsg-2.1_all.deb
 1fa767c9ca5d65243265c9e73f83fc8bdf4b5ed9 5448 libphp-phpmailer_5.2.14+dfsg-2.1_amd64.buildinfo
Checksums-Sha256:
 41896a97b246e3802e3feb1794e6408985dbb93461b1a2210dde4c50c5b40887 1725 libphp-phpmailer_5.2.14+dfsg-2.1.dsc
 2baeddfecc1d58c5fa145df86f3934a54f3b770b57f5322f225c211ddb21ac53 8376 libphp-phpmailer_5.2.14+dfsg-2.1.debian.tar.xz
 ee7d6edceaab0e492c24e813e020bea57d70fc562df982686f3039f99fc97243 146990 libphp-phpmailer_5.2.14+dfsg-2.1_all.deb
 91af522e6479ef466562777f1e3498f95e6b94d74259d0ab803b81a891a47a68 5448 libphp-phpmailer_5.2.14+dfsg-2.1_amd64.buildinfo
Files:
 17c85cb076d7c537cc74832345bd59f8 1725 php optional libphp-phpmailer_5.2.14+dfsg-2.1.dsc
 1083c3c296bc7d14467fadb38d685737 8376 php optional libphp-phpmailer_5.2.14+dfsg-2.1.debian.tar.xz
 24ff78c1b9bbf205e38ff0ec7d39f234 146990 php optional libphp-phpmailer_5.2.14+dfsg-2.1_all.deb
 d19f70cf7582391ee9b584ef71600aef 5448 php optional libphp-phpmailer_5.2.14+dfsg-2.1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCAAGBQJYZk4BAAoJEFb2GnlAHawETXAH/A966SYswH+JzvJEum6quLRV
wz5zIaGgoVu2E5Jh5y9r3JdgZGwmwsC8faPbHF4O27uoX1ko4QPn+wqhivpu3UCA
03KNHV2/ABkK/T3QdjVbtJkJo/5nf1pL3Ktcop+jiGmyUMSO5Op8e0PI4gxbOdjf
IhXXmfZ/bfzcWMBjOwmQkIG2rnfQkl58RzJBdaeh5xH6VFPAEZC7SjFS+nQBYjlc
d/fp8iFflDUi9Vy4KEqw0+JMqcTBX/2rpRpeK98rrIk6zlhxD0lG+fWbEMNKl1Pn
8XHeIgXg3dtx9SjYISobc3auL/XV16leUHqH/BL1L4mF4ci2gYqwRihtatwgEdg=
=/cAe
-----END PGP SIGNATURE-----

Message #46 received at 849365-close@bugs.debian.org (full text, mbox, reply):

From: Thijs Kinkhorst <thijs@debian.org>

To: 849365-close@bugs.debian.org

Subject: Bug#849365: fixed in libphp-phpmailer 5.2.9+dfsg-2+deb8u2

Date: Sat, 31 Dec 2016 21:02:32 +0000

Source: libphp-phpmailer
Source-Version: 5.2.9+dfsg-2+deb8u2

We believe that the bug you reported is fixed in the latest version of
libphp-phpmailer, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 849365@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <thijs@debian.org> (supplier of updated libphp-phpmailer package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 31 Dec 2016 10:44:49 +0100
Source: libphp-phpmailer
Binary: libphp-phpmailer
Architecture: source all
Version: 5.2.9+dfsg-2+deb8u2
Distribution: jessie-security
Urgency: high
Maintainer: Debian PHP PEAR Maintainers <pkg-php-pear@lists.alioth.debian.org>
Changed-By: Thijs Kinkhorst <thijs@debian.org>
Description:
 libphp-phpmailer - full featured email transfer class for PHP
Closes: 849365
Changes:
 libphp-phpmailer (5.2.9+dfsg-2+deb8u2) jessie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix CVE-2016-10033 (and CVE-2016-10045): apply commits
     4835657c 9743ff5c 833c35fe from upstream. Closes: #849365.
Checksums-Sha1:
 91a429e2dcb8a0209e3906f79ead7cb5f2d7e7ef 1766 libphp-phpmailer_5.2.9+dfsg-2+deb8u2.dsc
 4378845c3167b57a38dce2c16803f022ef4df350 6988 libphp-phpmailer_5.2.9+dfsg-2+deb8u2.debian.tar.xz
 cacd20630232c80e6d5af55dd0f9dd9f8826388e 130966 libphp-phpmailer_5.2.9+dfsg-2+deb8u2_all.deb
Checksums-Sha256:
 47494de87ec3b2459ad01592f07f37b85af87eea3a75d73ea39e9abbea17915f 1766 libphp-phpmailer_5.2.9+dfsg-2+deb8u2.dsc
 afa37d9654aa397fbf4fcede94675ed0742283dc7ef35166d00b3a074eb6e505 6988 libphp-phpmailer_5.2.9+dfsg-2+deb8u2.debian.tar.xz
 59e1de75e1a4f5968fcac1bfbf48b3ad3f917f0f20e74dd78bff24bf877883b5 130966 libphp-phpmailer_5.2.9+dfsg-2+deb8u2_all.deb
Files:
 bb11272cc2baf1b6e4d211d8d6f57b43 1766 php optional libphp-phpmailer_5.2.9+dfsg-2+deb8u2.dsc
 425e2e355f46b7ce2bd7a5af6e16e540 6988 php optional libphp-phpmailer_5.2.9+dfsg-2+deb8u2.debian.tar.xz
 d4e5deb28ce38bf1a47093dab069eff2 130966 php optional libphp-phpmailer_5.2.9+dfsg-2+deb8u2_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCAAGBQJYZ3/KAAoJEFb2GnlAHawExG0H/jqZbQi0FAPN8p9FmgYCIxjh
p2pZYcpjzt/306I/in5HtXcHeQkWEzhD6Opt9F6A9ow+YONu8YHeKU20Eb+Fv4k1
658KP9N01fgUCH7D3JL49205BybNUE4eBiDw53S8IZyvJNozbMmR8qBGpYxHYYbt
s8YEBAakoGSC4T/+IPa2z7qb6E+MBrBoJifVhhtCsJ2ro+yluTa3iRkX21Zhc41b
rB7Vi3whyHgNQ+4Bdj9UyljL0bZAV73XfgLN/dR4b6+ND7oembO5f7QQSbENJ03a
FVpwRFlKCnkeY4oNNdJPrBceZgOjSBPUfqcYYPDDyvqo8tqyO6Kj5o9isWuvehg=
=PzAi
-----END PGP SIGNATURE-----

Message #51 received at 849365@bugs.debian.org (full text, mbox, reply):

From: Thijs Kinkhorst <thijs@debian.org>

To: <849365@bugs.debian.org>

Subject: Additional NMU for phpmailer 5.2.14+dfsg-2.2

Date: Mon, 2 Jan 2017 15:38:00 +0100

[Message part 1 (text/plain, inline)]

Hi,

In one of my environment a regression surfaced. If using specifically
the isSendmail() method and the default php.ini sendmail settings, you
would get an error.

This was fixed upstream but the backport lacked that specific commit.
I've made another NMU to rectify that.


Cheers,
Thijs

[phpmailer2.diff (text/x-patch, attachment)]

[signature.asc (application/pgp-signature, attachment)]

Send a report that this bug log contains spam.