From b9fc225fdbb8ab9619dd08555ebbdda9a496aef2 Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Tue, 23 Jun 2020 09:24:04 +0200 Subject: sync with Fedora --- PHPMailer-5.2.28-cve2020-13625.patch | 88 ++++++++++++++++++++++++++++++++++++ php-PHPMailer.spec | 9 +++- 2 files changed, 96 insertions(+), 1 deletion(-) create mode 100644 PHPMailer-5.2.28-cve2020-13625.patch diff --git a/PHPMailer-5.2.28-cve2020-13625.patch b/PHPMailer-5.2.28-cve2020-13625.patch new file mode 100644 index 0000000..7063ed4 --- /dev/null +++ b/PHPMailer-5.2.28-cve2020-13625.patch @@ -0,0 +1,88 @@ +diff -Naurp PHPMailer-acba50393dd03da69a50226c139722af8b153b11.orig/class.phpmailer.php PHPMailer-acba50393dd03da69a50226c139722af8b153b11.new/class.phpmailer.php +--- PHPMailer-acba50393dd03da69a50226c139722af8b153b11.orig/class.phpmailer.php 2020-06-20 23:41:09.301467536 +0200 ++++ PHPMailer-acba50393dd03da69a50226c139722af8b153b11.new/class.phpmailer.php 2020-06-21 00:12:06.174576353 +0200 +@@ -2621,9 +2621,9 @@ class PHPMailer + //Only include a filename property if we have one + if (!empty($name)) { + $mime[] = sprintf( +- 'Content-Type: %s; name="%s"%s', ++ 'Content-Type: %s; name=%s%s', + $type, +- $this->encodeHeader($this->secureHeader($name)), ++ self::quotedString($this->encodeHeader($this->secureHeader($name))), + $this->LE + ); + } else { +@@ -2642,34 +2642,22 @@ class PHPMailer + $mime[] = sprintf('Content-ID: <%s>%s', $cid, $this->LE); + } + +- // If a filename contains any of these chars, it should be quoted, +- // but not otherwise: RFC2183 & RFC2045 5.1 +- // Fixes a warning in IETF's msglint MIME checker +- // Allow for bypassing the Content-Disposition header totally ++ // Allow for bypassing the Content-Disposition header + if (!(empty($disposition))) { + $encoded_name = $this->encodeHeader($this->secureHeader($name)); +- if (preg_match('/[ \(\)<>@,;:\\"\/\[\]\?=]/', $encoded_name)) { ++ if (!empty($encoded_name)) { + $mime[] = sprintf( +- 'Content-Disposition: %s; filename="%s"%s', ++ 'Content-Disposition: %s; filename=%s%s', + $disposition, +- $encoded_name, ++ self::quotedString($encoded_name), + $this->LE . $this->LE + ); + } else { +- if (!empty($encoded_name)) { +- $mime[] = sprintf( +- 'Content-Disposition: %s; filename=%s%s', +- $disposition, +- $encoded_name, +- $this->LE . $this->LE +- ); +- } else { +- $mime[] = sprintf( +- 'Content-Disposition: %s%s', +- $disposition, +- $this->LE . $this->LE +- ); +- } ++ $mime[] = sprintf( ++ 'Content-Disposition: %s%s', ++ $disposition, ++ $this->LE . $this->LE ++ ); + } + } else { + $mime[] = $this->LE; +@@ -3974,6 +3962,28 @@ class PHPMailer + } + + /** ++ * If a string contains any "special" characters, double-quote the name, ++ * and escape any double quotes with a backslash. ++ * ++ * @param string $str ++ * ++ * @return string ++ * ++ * @see RFC822 3.4.1 ++ */ ++ public static function quotedString($str) ++ { ++ if (preg_match('/[ ()<>@,;:"\/\[\]?=]/', $str)) { ++ //If the string contains any of these chars, it must be double-quoted ++ //and any double quotes must be escaped with a backslash ++ return '"' . str_replace('"', '\\"', $str) . '"'; ++ } ++ ++ //Return the string untouched, it doesn't need quoting ++ return $str; ++ } ++ ++ /** + * Allows for public read access to 'to' property. + * @note: Before the send() call, queued addresses (i.e. with IDN) are not yet included. + * @access public diff --git a/php-PHPMailer.spec b/php-PHPMailer.spec index e770d29..6166a86 100644 --- a/php-PHPMailer.spec +++ b/php-PHPMailer.spec @@ -17,7 +17,7 @@ Name: php-PHPMailer Summary: PHP email transport class with a lot of features Version: 5.2.28 -Release: 1%{?dist} +Release: 2%{?dist} License: LGPLv2+ URL: https://github.com/%{github_user}/%{github_app} @@ -26,6 +26,7 @@ Source0: https://github.com/%{github_user}/%{github_app}/archive/%{github_tag}/% # Fix language default path # Don't rely on autoloader (for app which overides __construct) Patch0: %{github_app}-path.patch +Patch1: %{github_app}-5.2.28-cve2020-13625.patch Buildarch: noarch @@ -77,6 +78,7 @@ Full Featured Email Transfer Class for PHP. PHPMailer features: %setup -q -n %{arch_name} %patch0 -p1 -b .rpm +%patch1 -p1 -b .cve2020-13625 #------------------------------------------------------------------------------- @@ -139,6 +141,11 @@ version_compare($mailer->Version, "%{version}", "=") or exit(1); %changelog +* Sun Jun 21 2020 Patrick Monnerat 5.2.28-2 +- Patch "cve2020-13625" fixes CVE-2020-13625 vulnerability. This is a backport + of https://github.com/PHPMailer/PHPMailer/commit/c2796cb. + https://bugzilla.redhat.com/show_bug.cgi?id=1848842 + * Thu Mar 19 2020 Remi Collet - 5.2.28-1 - update to 5.2.28 -- cgit