| Summary: | php-phpmailer new security issue CVE-2021-3603 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | ||
| Priority: | Normal | CC: | andrewsfarm, mageia, mageia, mhrambo3501, ouaurelien, sysadmin-bugs |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7TOO MGA7-64-OK MGA8-64-OK | ||
| Source RPM: | php-phpmailer-6.1.6-1.mga8.src.rpm | CVE: | CVE-2021-3603 |
| Status comment: | |||
| Attachments: | PHPMailer minimal test script | ||
Description

David Walser
2021-06-27 18:24:20 CEST

David Walser
2021-06-27 18:24:42 CEST
Status comment: (none) => Fixed upstream in 6.5.0

Hi, thanks for reporting this. Assigned to the package maintainer. (Please set the status to 'assigned' if you are working on it)
Assignee: bugsquad => mageia

Updated packages uploaded by Marc.
php-phpmailer-6.5.0-1.mga7
php-phpmailer-6.5.0-1.mga8
CC: (none) => mageia

@David: thanks - I didn't have the time to check the changelog and the CVEs fixed, I'll write an advisory this evening.

Updated php-phpmailer packages fix security vulnerabilities:

PHPMailer contained a vulnerability that can result in untrusted code being called. [2]

PHPMailer allowed object injection through Phar Deserialization via addAttachment with a UNC pathname. [3]

Full release notes available on [1]

References:
[1] https://github.com/PHPMailer/PHPMailer/releases/tag/v6.5.0
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3603
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36326
========================
Updated packages in core/updates_testing:
php-phpmailer-6.5.0-1.mga8.noarch
SRPM:
php-phpmailer-6.5.0-1.mga8.src.rpm
CVE: (none) => CVE-2021-34551, CVE-2021-3603

Marc Krämer
2021-06-28 17:02:08 CEST
CVE: CVE-2021-34551, CVE-2021-3603 => CVE-2021-36326, CVE-2021-3603

You forgot CVE-2021-34551. Upstream reference for CVE-2021-36326: https://github.com/PHPMailer/PHPMailer/security/advisories/GHSA-m298-fh5c-jc66

That one didn't affect us, so shouldn't be listed.
CVE: CVE-2021-36326, CVE-2021-3603 => CVE-2021-34551, CVE-2021-3603

nope, 34551 is only on windows - so it did not affect us either.

Indeed.
Summary: php-phpmailer new security issues CVE-2021-3603 and CVE-2021-34551 => php-phpmailer new security issue CVE-2021-3603

Installed and tested without issues. Tested using several production-level PHP scripts without regressions. Also tested using the attached minimal PHP script.

System: Mageia 7, x86_64, PHP 7.3.28, Intel CPU.

$ uname -a
Linux marte 5.10.45-desktop-2.mga7 #1 SMP Sat Jun 19 15:58:30 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -q php-phpmailer
php-phpmailer-6.5.0-1.mga7
$ php --version
PHP 7.3.28 (cli) (built: Apr 27 2021 16:53:53) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.3.28, Copyright (c) 1998-2018 Zend Technologies
Whiteboard: MGA7TOO => MGA7TOO MGA7-64-OK

Created attachment 12825 [details]
PHPMailer minimal test script

I tried to use the test script, I really did. But I don't have a clue about running it, or php. Somebody else needs to test this, or we just pass the Mageia 8 update along on a clean install. I DID get that far...
CC: (none) => andrewsfarm

Well, this is embarrassing. I finally figured out what was wrong. When I installed php-phpmailer and dependencies, php-cli wasn't among them. So there I was, trying to learn why the "php" command couldn't be found, when it was because it hadn't been installed!

No installation issues on the update. Failed to get the script to run until I installed php-cli. After that, it ran just fine. Connected to one of my gmail accounts, and successfully sent mail to another of them.

Giving this an OK, and Validating. Advisory in Comment 4.

Now I need to go bandage the spot where I've been banging my head against the wall...
CC: (none) => sysadmin-bugs

Just to add, Thunderbird received the test email, so, of course, that confirms that it was sent successfully.

type: security
subject: Updated php-phpmailer package fixes security vulnerability
CVE:
  - CVE-2021-3603
src:
  7:
    core:
      - php-phpmailer-6.5.0-1.mga7
  8:
    core:
      - php-phpmailer-6.5.0-1.mga8
description: |
  PHPMailer contained a vulnerability that can result in untrusted code being
  called (CVE-2021-3603).
  See upstream release notes.
references:
  - https://bugs.mageia.org/show_bug.cgi?id=29183
  - https://github.com/PHPMailer/PHPMailer/releases/tag/v6.5.0
  - https://github.com/PHPMailer/PHPMailer/security/advisories/GHSA-77mr-wc79-m8j3
Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2021-0345.html
Status: NEW => RESOLVED
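An added QA smoke test for this update, written for this page rather than taken from the bug (it is not attachment 12825 and not PHPMailer's own code). It carries out the steps the QA comments describe, verifying the installed version is at least 6.5.0, checking address validation for regressions and sending one message over authenticated SMTP; it assumes the package's sources live under /usr/share/php/PHPMailer (override with PHPMAILER_DIR), that php-cli is installed, and that the SMTP account and recipient are supplied in the environment:

```php
<?php
// Constructed QA smoke test for the php-phpmailer 6.5.0 update (not attachment 12825).
// Assumes the package installs PHPMailer 6.x under /usr/share/php/PHPMailer; override with
// PHPMAILER_DIR. Needs php-cli, as the QA comments found.
use PHPMailer\PHPMailer\PHPMailer;
use PHPMailer\PHPMailer\Exception;
$dir = getenv('PHPMAILER_DIR') ?: '/usr/share/php/PHPMailer';
require_once "$dir/Exception.php";
require_once "$dir/PHPMailer.php";
require_once "$dir/SMTP.php";
// 1. The fix for CVE-2021-3603 shipped in 6.5.0; an older library fails the test outright.
if (version_compare(PHPMailer::VERSION, '6.5.0', '<')) {
    fwrite(STDERR, 'FAIL: PHPMailer ' . PHPMailer::VERSION . " is older than 6.5.0\n");
    exit(1);
}

// 2. Regression check on address validation: a valid address passes, junk does not.
if (!PHPMailer::validateAddress('qa@example.org') || PHPMailer::validateAddress('not an address')) {
    fwrite(STDERR, "FAIL: validateAddress() regression\n");
    exit(1);
}

// 3. Send one message over authenticated SMTP (STARTTLS on 587). Credentials and
//    recipient come from the environment so nothing is hard-coded in the script.
foreach (['SMTP_USER', 'SMTP_PASS', 'MAIL_TO'] as $var) {
    if (getenv($var) === false) {
        fwrite(STDERR, "usage: SMTP_USER=... SMTP_PASS=... MAIL_TO=... [SMTP_HOST=...] php " . basename(__FILE__) . "\n");
        exit(2);
    }
}
$mail = new PHPMailer(true);            // true: throw Exception instead of returning false
try {
    $mail->isSMTP();
    $mail->Host       = getenv('SMTP_HOST') ?: 'smtp.gmail.com';
    $mail->Port       = 587;
    $mail->SMTPSecure = PHPMailer::ENCRYPTION_STARTTLS;
    $mail->SMTPAuth   = true;
    $mail->Username   = getenv('SMTP_USER');
    $mail->Password   = getenv('SMTP_PASS');
    $mail->setFrom(getenv('SMTP_USER'), 'Mageia QA');
    $mail->addAddress(getenv('MAIL_TO'));
    $mail->Subject = 'php-phpmailer ' . PHPMailer::VERSION . ' update test';
    $mail->Body    = 'If this arrives, the updated package still sends mail.';
    $mail->send();
    echo 'OK: PHPMailer ' . PHPMailer::VERSION . " sent the test message\n";
} catch (Exception $e) {
    fwrite(STDERR, 'FAIL: ' . $mail->ErrorInfo . "\n");
    exit(1);
}
```

The exit code (0 on success, 1 on a failed check or send, 2 on missing environment) lets the script double as a pass/fail step in a scripted QA run.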