On Sunday 02 November 2008 at 11:13 +0100, Olivier Berger wrote:

> Thanks for spotting this problem.
> 
> The referred [2] patch is actually not exactly applicable to the version
> of class.phpmailer.php shipped in phpgroupware 0.9.11, and the correct
> one is attached.
> 
> I'll try and work on preparing a patched package later today.
> 
> Best regards,

Here's a proposed change for the source package, that should solve this
problem.

$ interdiff -z phpgroupware_0.9.16.011-2.2.diff.gz phpgroupware_0.9.16.011-2.3.diff.gz
diff -u phpgroupware-0.9.16.011/debian/changelog 
phpgroupware-0.9.16.011/debian/changelog
--- phpgroupware-0.9.16.011/debian/changelog
+++ phpgroupware-0.9.16.011/debian/changelog
@@ -1,3 +1,11 @@
+phpgroupware (0.9.16.011-2.3) stable-security; urgency=high
+
+  * Non-maintainer upload.
+  * Fix remote shell command execution in class.phpmailer.php :
+    CVE-2007-3215 (Closes: #504255).
+
+ -- Olivier Berger <[EMAIL PROTECTED]>  Sun, 02 Nov 2008 11:36:15 +0100
+
 phpgroupware (0.9.16.011-2.2) unstable; urgency=low
 
   * Non-maintainer upload.
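Review bot: the changelog entry names `class.phpmailer.php`, but the file changed later in this interdiff is `felamimail/inc/class.phpmailer.inc.php`; use the actual path so the entry matches the diff. Also, the entry targets `stable-security` while the previous entry (0.9.16.011-2.2) went to `unstable`, and the new version 0.9.16.011-2.3 is a plain increment; a stable security NMU normally takes a version that sorts below a future unstable upload (a suffix appended to 2.2 rather than a bump to 2.3), which is worth confirming with the security team before upload.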
only in patch2:
unchanged:
--- phpgroupware-0.9.16.011.orig/felamimail/inc/class.phpmailer.inc.php
+++ phpgroupware-0.9.16.011/felamimail/inc/class.phpmailer.inc.php
@@ -591,9 +591,9 @@
      */
     function sendmail_send($header, $body) {
         if ($this->Sender != "")
-            $sendmail = sprintf("%s -oi -f %s -t", $this->Sendmail, 
$this->Sender);
+         $sendmail = sprintf("%s -oi -f %s -t", 
escapeshellcmd($this->Sendmail), escapeshellarg($this->Sender));
         else
-            $sendmail = sprintf("%s -oi -t", $this->Sendmail);
+         $sendmail = sprintf("%s -oi -t", escapeshellcmd($this->Sendmail));
 
         if([EMAIL PROTECTED] = popen($sendmail, "w"))
         {
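Review bot: the two added `$sendmail = sprintf(...)` lines are indented with 9 spaces where the surrounding block uses 12 (see the removed lines and the `else` branch), so the replacement no longer lines up with the `if`/`else`; re-indent to match. The escaping split itself is right: `escapeshellcmd()` on `$this->Sendmail`, which is the program path and must stay unquoted, and `escapeshellarg()` on `$this->Sender`, which becomes a single-quoted argument to `-f`. Since the cover mail says this is untested, one check before upload is that a `$this->Sender` containing a space still reaches sendmail as one `-f` argument now that `popen()` at the end of the hunk runs the quoted string.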
---------------------

Note that I haven't tested phpgroupware-felamimail to see if this patch is 
valid.

I'm not so sure about the changelog format also... and in any case, I can't 
upload it.

Can someone from the security team take care of review and the upload?

Best regards,
-- 
Olivier BERGER <[EMAIL PROTECTED]>
http://www-public.it-sudparis.eu/~berger_o/ - OpenPGP-Id: 1024D/6B829EEC
Research Engineer - Dept INF
Institut TELECOM, SudParis (http://www.it-sudparis.eu/), Evry (France)

Attachment: signature.asc
Description: This is a digitally signed message part
