Hi,

I've taken the liberty to fix this security issue in an NMU to sid.
Attached is the debdiff.


Cheers,
Thijs
diff -Nru libphp-swiftmailer-5.4.2/debian/changelog libphp-swiftmailer-5.4.2/debian/changelog
--- libphp-swiftmailer-5.4.2/debian/changelog	2016-06-10 14:26:56.000000000 +0000
+++ libphp-swiftmailer-5.4.2/debian/changelog	2017-01-04 16:31:03.000000000 +0000
@@ -1,3 +1,11 @@
+libphp-swiftmailer (5.4.2-1.1) unstable; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * Fix CVE-2016-10074: Remote Code Execution by applying patch
+    e6ccf40d from upstream (Closes: #849626).
+
+ -- Thijs Kinkhorst <th...@debian.org>  Wed, 04 Jan 2017 16:31:03 +0000
+
 libphp-swiftmailer (5.4.2-1) unstable; urgency=medium
 
   * Imported Upstream version 5.4.2
diff -Nru libphp-swiftmailer-5.4.2/debian/patches/0001-fix-CVE-2016-10074.patch libphp-swiftmailer-5.4.2/debian/patches/0001-fix-CVE-2016-10074.patch
--- libphp-swiftmailer-5.4.2/debian/patches/0001-fix-CVE-2016-10074.patch	1970-01-01 00:00:00.000000000 +0000
+++ libphp-swiftmailer-5.4.2/debian/patches/0001-fix-CVE-2016-10074.patch	2017-01-04 16:31:03.000000000 +0000
@@ -0,0 +1,53 @@
+diff -Nur libphp-swiftmailer-5.4.2.orig/lib/classes/Swift/Transport/MailTransport.php libphp-swiftmailer-5.4.2/lib/classes/Swift/Transport/MailTransport.php
+--- libphp-swiftmailer-5.4.2.orig/lib/classes/Swift/Transport/MailTransport.php	2016-05-01 08:45:47.000000000 +0000
++++ libphp-swiftmailer-5.4.2/lib/classes/Swift/Transport/MailTransport.php	2017-01-04 15:53:43.400445794 +0000
+@@ -237,6 +237,36 @@
+     }
+ 
+     /**
++     * Fix CVE-2016-10074 by disallowing potentially unsafe shell characters.
++     *
++     * Note that escapeshellarg and escapeshellcmd are inadequate for our purposes, especially on Windows.
++     *
++     * @param string $string The string to be validated
++     *
++     * @return bool
++     */
++    private function _isShellSafe($string)
++    {
++        // Future-proof
++        if (escapeshellcmd($string) !== $string || !in_array(escapeshellarg($string), array("'$string'", "\"$string\""))) {
++            return false;
++        }
++
++        $length = strlen($string);
++        for ($i = 0; $i < $length; ++$i) {
++            $c = $string[$i];
++            // All other characters have a special meaning in at least one common shell, including = and +.
++            // Full stop (.) has a special meaning in cmd.exe, but its impact should be negligible here.
++            // Note that this does permit non-Latin alphanumeric characters based on the current locale.
++            if (!ctype_alnum($c) && strpos('@_-.', $c) === false) {
++                return false;
++            }
++        }
++
++        return true;
++    }
++
++    /**
+      * Return php mail extra params to use for invoker->mail.
+      *
+      * @param $extraParams
+@@ -247,7 +277,11 @@
+     private function _formatExtraParams($extraParams, $reversePath)
+     {
+         if (false !== strpos($extraParams, '-f%s')) {
+-            $extraParams = empty($reversePath) ? str_replace('-f%s', '', $extraParams) : sprintf($extraParams, escapeshellarg($reversePath));
++            if (empty($reversePath) || false === $this->_isShellSafe($reversePath)) {
++                $extraParams = str_replace('-f%s', '', $extraParams);
++            } else {
++                $extraParams = sprintf($extraParams, $reversePath);
++            }
+         }
+ 
+         return !empty($extraParams) ? $extraParams : null;
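Review bot: A reverse path that `_isShellSafe()` rejects is dropped silently in the `str_replace('-f%s', '', $extraParams)` branch of `_formatExtraParams()`, so the message is still handed to mail() without its envelope sender and the caller gets no signal that bounce routing was lost. A comment above that branch, `// Empty or shell-unsafe reverse path: send without -f rather than pass it to the shell; bounces then go to the MTA default`, would make the trade-off explicit, and logging the rejected address, if this transport has a logger or event dispatcher available, would help operators notice misconfigured senders. Separately, `ctype_alnum()` in `_isShellSafe()` is locale-dependent, as the inline comment itself notes, so the set of accepted bytes varies between deployments; an explicit ASCII allowlist such as `preg_match('/^[A-Za-z0-9@_.\-]+$/', $string) === 1` would be deterministic, at the cost of rejecting non-ASCII local parts. The closing brace of `_formatExtraParams()` lies outside the hunk.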
diff -Nru libphp-swiftmailer-5.4.2/debian/patches/series libphp-swiftmailer-5.4.2/debian/patches/series
--- libphp-swiftmailer-5.4.2/debian/patches/series	1970-01-01 00:00:00.000000000 +0000
+++ libphp-swiftmailer-5.4.2/debian/patches/series	2017-01-04 16:31:03.000000000 +0000
@@ -0,0 +1 @@
+0001-fix-CVE-2016-10074.patch

