On Sunday 02 November 2008 at 11:13 +0100, Olivier Berger wrote:
> Thanks for spotting this problem.
>
> The referred [2] patch is actually not exactly applicable to the version
> of class.phpmailer.php shipped in phpgroupware 0.9.11, and the correct
> one is attached.
>
> I'll try and work on preparing a patched package later today.
>
> Best regards,
Here's a proposed change for the source package that should solve this problem.

$ interdiff -z phpgroupware_0.9.16.011-2.2.diff.gz phpgroupware_0.9.16.011-2.3.diff.gz diff -u phpgroupware-0.9.16.011/debian/changelog phpgroupware-0.9.16.011/debian/changelog --- phpgroupware-0.9.16.011/debian/changelog +++ phpgroupware-0.9.16.011/debian/changelog @@ -1,3 +1,11 @@ +phpgroupware (0.9.16.011-2.3) stable-security; urgency=high + + * Non-maintainer upload. + * Fix remote shell command execution in class.phpmailer.php : + CVE-2007-3215 (Closes: #504255). + + -- Olivier Berger <[EMAIL PROTECTED]> Sun, 02 Nov 2008 11:36:15 +0100 + phpgroupware (0.9.16.011-2.2) unstable; urgency=low * Non-maintainer upload. only in patch2: unchanged: --- phpgroupware-0.9.16.011.orig/felamimail/inc/class.phpmailer.inc.php +++ phpgroupware-0.9.16.011/felamimail/inc/class.phpmailer.inc.php @@ -591,9 +591,9 @@ */ function sendmail_send($header, $body) { if ($this->Sender != "") - $sendmail = sprintf("%s -oi -f %s -t", $this->Sendmail, $this->Sender); + $sendmail = sprintf("%s -oi -f %s -t", escapeshellcmd($this->Sendmail), escapeshellarg($this->Sender)); else - $sendmail = sprintf("%s -oi -t", $this->Sendmail); + $sendmail = sprintf("%s -oi -t", escapeshellcmd($this->Sendmail)); if([EMAIL PROTECTED] = popen($sendmail, "w")) {

---------------------

Note that I haven't tested phpgroupware-felamimail to see if this patch is valid. I'm also not so sure about the changelog format... and in any case, I can't upload it. Can someone from the security team take care of review and the upload?

Best regards,

--
Olivier BERGER <[EMAIL PROTECTED]>
http://www-public.it-sudparis.eu/~berger_o/ - OpenPGP-Id: 1024D/6B829EEC
Research Engineer - INF Dept, Institut TELECOM, SudParis (http://www.it-sudparis.eu/), Evry (France)
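Review bot: the version and distribution in the debian/changelog hunk need settling before upload, since the new entry targets stable-security as 0.9.16.011-2.3 while the entry directly below it (0.9.16.011-2.2) was uploaded to unstable; from this diff alone a reviewer cannot tell which version is actually in stable or whether -2.3 will sort correctly against a later unstable upload, and the poster already says he is unsure of the changelog format. The security team should pick the version string when they review. The entry text itself ("Fix remote shell command execution in class.phpmailer.php : CVE-2007-3215 (Closes: #504255)") is fine apart from the stray space before the colon.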
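Review bot: in the class.phpmailer.inc.php hunk the change that matters is escapeshellarg($this->Sender), because that value is interpolated into a string handed to popen() and hence to /bin/sh; escapeshellcmd($this->Sendmail) is weaker (it neutralises metacharacters but does not stop word splitting on spaces) and is acceptable only because Sendmail is an administrator-configured path rather than user input, which is worth saying in the upload notes. Two things to check before applying: the context line `if([EMAIL PROTECTED] = popen($sendmail, "w")) {` looks like the list archive's address obfuscation mangling the original `!@$mail`, not part of the patch, so take the patch from the attachment rather than from this rendering; and confirm that nothing else in class.phpmailer.inc.php passes $this->Sender to a shell or to the additional-parameters argument of mail(), since this hunk only covers sendmail_send().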
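To make the effect of the hunk concrete, here is an added example (not code from phpgroupware, PHPMailer, or this thread) that rebuilds the two sprintf() branches of sendmail_send() in their vulnerable and patched forms and runs each command through popen(), exactly as the class does, against a fake sendmail that only prints its argv. The fake script, its temp-file path, and the three Sender values are constructed for this example; it assumes PHP 7 or later and a POSIX /bin/sh.

```php
<?php
// Added example; not code from phpgroupware, PHPMailer or the patch above.
// Rebuilds the command construction of sendmail_send() in its vulnerable and
// patched forms and runs each through popen() against a fake sendmail that
// only echoes its argv, so a hostile Sender can be observed without an MTA.
// Assumes PHP 7+ and a POSIX /bin/sh; the fake mailer and the Sender values
// are constructed for this example.

// Write a throw-away "sendmail" that prints one argv element per line and
// discards the message on stdin. Returned as "sh <path>" so it runs even
// when the temp directory is mounted noexec.
function make_fake_sendmail(): string
{
    $path = tempnam(sys_get_temp_dir(), 'fakesendmail');
    file_put_contents($path, "#!/bin/sh\nprintf 'argv: %s\\n' \"\$@\"\ncat >/dev/null\n");
    return 'sh ' . $path;
}

// Same two branches as sendmail_send(): -f is only added when a Sender is set.
// $escape=false is the shipped (vulnerable) code, $escape=true is the patch.
function build_sendmail_cmd(string $sendmail, string $sender, bool $escape): string
{
    if ($sender !== '') {
        return $escape
            ? sprintf('%s -oi -f %s -t', escapeshellcmd($sendmail), escapeshellarg($sender))
            : sprintf('%s -oi -f %s -t', $sendmail, $sender);
    }
    return $escape
        ? sprintf('%s -oi -t', escapeshellcmd($sendmail))
        : sprintf('%s -oi -t', $sendmail);
}

// Run the command the way the class does (popen, write the message to it)
// and return everything /bin/sh produced, including injected commands.
// The subshell parentheses capture the output of every command in $cmd, not
// just the last one, which matters precisely when a ';' has been injected.
function run_sendmail_cmd(string $cmd, string $message): string
{
    $out = tempnam(sys_get_temp_dir(), 'sendmail-out');
    $p = popen('(' . $cmd . ') >' . escapeshellarg($out) . ' 2>&1', 'w');
    if ($p === false) {
        throw new RuntimeException('popen failed');
    }
    fwrite($p, $message);
    pclose($p);
    $result = file_get_contents($out);
    unlink($out);
    return $result;
}

$fake = make_fake_sendmail();
$message = "To: root@localhost\nSubject: test\n\nhello\n";

// Constructed Sender values: a benign one, a shell-metacharacter injection,
// and an argument injection that relies on word splitting alone.
$senders = [
    'alice@example.com',
    'bob@example.com; echo INJECTED',
    '-OQueueDirectory=/tmp -X/tmp/x.php',
];

foreach ([false, true] as $escape) {
    echo $escape ? "== patched ==\n" : "== vulnerable ==\n";
    foreach ($senders as $sender) {
        $cmd = build_sendmail_cmd($fake, $sender, $escape);
        echo "cmd: $cmd\n", run_sendmail_cmd($cmd, $message), "\n";
    }
}

unlink(substr($fake, 3)); // strip the "sh " prefix to remove the temp script
```

Save it under any name and run it with the php CLI. In the vulnerable pass the second Sender makes the shell print an extra `INJECTED -t` line after the fake mailer's argv, and the third Sender arrives at the mailer as several separate arguments (`-f`, `-OQueueDirectory=/tmp`, `-X/tmp/x.php`); in the patched pass both reach the mailer as one quoted `-f` value, which is the only thing a real sendmail binary would ever see.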