Bug 24055 - php-phpmailer new security issue CVE-2018-19296
Summary: php-phpmailer new security issue CVE-2018-19296
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-12-25 20:12 CET by David Walser
Modified: 2019-01-05 19:31 CET

See Also:
Source RPM: php-phpmailer-6.0.5-1.mga7.src.rpm
CVE:
Status comment:



David Walser 2018-12-25 20:13:04 CET

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2018-12-26 12:03:10 CET
hmm, I missed this one when going over security bugs this morning :-(

Anyway, assigning.

CC: (none) => mageia, marja11
Assignee: bugsquad => php

Comment 2 Marc Krämer 2018-12-26 14:35:56 CET
Updated php-phpmailer packages fix security vulnerabilities:

SECURITY Fix potential object injection vulnerability.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19296
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/DAZQPUD7WZXMJ2KIQY5P2I2UI545YPYO/
========================

Updated packages in core/updates_testing:
========================
php-phpmailer-5.2.27-1.1.mga6.noarch.rpm

SRPM:
php-phpmailer-5.2.27-1.1.mga6.src.rpm

Assignee: php => qa-bugs

Comment 3 David Walser 2018-12-26 16:12:19 CET
Thanks!  (don't forget the CVE)

Advisory:
========================

Updated php-phpmailer package fixes security vulnerability:

Potential object injection vulnerability (CVE-2018-19296).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19296
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/DAZQPUD7WZXMJ2KIQY5P2I2UI545YPYO/

Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)

Comment 4 Lewis Smith 2019-01-01 21:51:28 CET
Trying M6/64

UPDATED to: php-phpmailer-5.2.27-1.1.mga6

Using my own earlier notes, which pillage other people's:
 https://bugs.mageia.org/show_bug.cgi?id=20069#c9
especially the sample file *changes* near the end of the comment. The base script is at https://github.com/PHPMailer/PHPMailer under "A Simple Example".

NOTE ALSO: the sample script has \ in the two 'use' lines; this caused an error:
 $ php mailtest.php
PHP Fatal error:  Class 'PHPMailer\PHPMailer\PHPMailer' not found in /home/lewis/tmp/mailtest on line 10
 = 
$mail = new PHPMailer(true);

So I additionally changed these two initial lines (\ to /) to:
use PHPMailer/PHPMailer/PHPMailer;
use PHPMailer/PHPMailer/Exception;

which caused a different error, and sooner:
 $ php mailtest.php
PHP Warning:  The use statement with non-compound name 'PHPMailer' has no effect in /home/lewis/tmp/mailtest.php on line 4
PHP Parse error:  syntax error, unexpected '/', expecting ',' or ';' in /home/lewis/tmp/mailtest.php on line 4
 =
use PHPMailer/PHPMailer/PHPMailer;

This has all worked before. Some syntax thingy. Have to stop now.

CC: (none) => lewyssmith

Comment 5 Marc Krämer 2019-01-01 23:57:59 CET
Those Examples refer to version >=6 (packed in cauldron).
For mga6, it is a simple:
require '/usr/share/php/PHPMailer/PHPMailerAutoload.php';
$mail = new PHPMailer();
....

For version >6 you have to write:
require '/usr/share/php/PHPMailer/autoload.php';
use PHPMailer\PHPMailer\PHPMailer;
use PHPMailer\PHPMailer\Exception;

//since the autoloader is non-standard added by guillomovitch, I'm not sure if this works this way.

Comment 6 Lewis Smith 2019-01-02 22:28:10 CET
Thanks Marc for the pointers.
 Changed the 'require' line appropriately to:
require '/usr/share/php/PHPMailer/PHPMailerAutoload.php';
 and reverted the slashes in the two 'use' statements:
use PHPMailer\PHPMailer\PHPMailer;
use PHPMailer\PHPMailer\Exception;

Re-trying Mageia 6 x64
 $ pwd
 /home/lewis/tmp
 $ ls -l
 ...
 -rw-r--r-- 1 lewis lewis 2069 Ion   2 22:22 mailtest.php

 $ php mailtest.php
PHP Fatal error:  Class 'PHPMailer\PHPMailer\PHPMailer' not found in /home/lewis/tmp/mailtest.php on line 10
 =
$mail = new PHPMailer(true);
----------------------------
These are the 1st 10 lines of mailtest.php now (it made no difference whether the order is require-use-use or use-use-require):
<?php
//Load Composer's autoloader
require '/usr/share/php/PHPMailer/PHPMailerAutoload.php';

// Import PHPMailer classes into the global namespace
// These must be at the top of your script, not inside a function
use PHPMailer\PHPMailer\PHPMailer;
use PHPMailer\PHPMailer\Exception;

$mail = new PHPMailer(true);
----------------------------
Lost!

Comment 7 Marc Krämer 2019-01-03 17:00:30 CET
@guillomovitch: you have made changes from fedora (e.g. autoloader, moved dir) to this. You should help here.

CC: (none) => guillomovitch

Comment 8 Guillaume Rousse 2019-01-03 18:10:55 CET
@lewis: you are mixing the location of the autoloader from version 5.x with the namespace changes introduced with version 6.x

phpmailer 5.x, packaged in mageia 6, ships with an upstream autoloader (/usr/share/php/PHPMailer/PHPMailerAutoload.php), and doesn't use namespaces: the PHPMailer class is PHPMailer. php-phpmailer-5.2.27 should work flawlessly as an update for php-phpmailer-5.2.24.

phpmailer 6.x, packaged in cauldron, uses a custom autoloader (/usr/share/php/PHPMailer/autoload.php), based on fedora code, because upstream doesn't provide one anymore, and uses namespaces: the PHPMailer class is now actually PHPMailer\PHPMailer\PHPMailer. It won't work as an update for php-phpmailer-5.x without a few adaptations.

In both cases, using the autoloader is just a shortcut to import all classes at once, instead of importing each required file separately. See https://github.com/PHPMailer/PHPMailer/blob/master/UPGRADING.md for some explanations.

And if you need test cases, this package ships its own examples in /usr/share/doc/php-phpmailer/examples, that are supposed to be version-consistent.
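
The two layouts described in comment 8, as an added example (not part of the bug report or of the Mageia package): a loader that picks the autoloader and class name from what is actually installed, then checks a 5.x install against the 5.2.27 update from comment 2. load_packaged_phpmailer() is a hypothetical helper; the paths are the ones quoted in comments 5 and 8, and the Version property (5.x) and VERSION constant (6.x) are PHPMailer's own.

```php
<?php
// Added example: version-aware loader for the packaged PHPMailer.
// load_packaged_phpmailer() is a hypothetical helper, not package code.

/**
 * Load whichever PHPMailer the distribution package installed.
 * Returns array(PHPMailer instance, version string).
 */
function load_packaged_phpmailer($base = '/usr/share/php/PHPMailer')
{
    if (is_file("$base/PHPMailerAutoload.php")) {
        // 5.x (Mageia 6): upstream autoloader, class lives in the global
        // namespace, so no 'use' statements are needed or valid.
        require_once "$base/PHPMailerAutoload.php";
        $mail = new PHPMailer(true);
        return array($mail, $mail->Version);
    }
    if (is_file("$base/autoload.php")) {
        // 6.x (cauldron): packaged autoloader, namespaced class.
        // 'use' cannot be conditional, so the class is named as a string.
        require_once "$base/autoload.php";
        $class = 'PHPMailer\\PHPMailer\\PHPMailer';
        return array(new $class(true), constant($class . '::VERSION'));
    }
    throw new RuntimeException("No PHPMailer autoloader found under $base");
}

list($mail, $version) = load_packaged_phpmailer();
echo "Loaded ", get_class($mail), " version $version\n";

// For the 5.x branch, the update under test is 5.2.27 (comment 2).
if (version_compare($version, '6.0.0', '<')) {
    $ok = version_compare($version, '5.2.27', '>=');
    echo $ok ? "OK: 5.x package is at or above 5.2.27\n"
             : "FAIL: 5.x package is older than 5.2.27\n";
    exit($ok ? 0 : 1);
}
```

The same version string appears in the X-Mailer header of a sent message, so the script's output can be cross-checked against the SMTP debug trace.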

Comment 9 Lewis Smith 2019-01-03 21:26:17 CET
Testing M6 x64

At last - Bingo! Thanks Guillaume for the help. I disabled the two 'use' statements, and it worked immediately:
 $ php mailtest.php
2019-01-03 20:03:22	SERVER -> CLIENT: 220 smtp4-g21.free.fr ESMTP Postfix
2019-01-03 20:03:22	CLIENT -> SERVER: EHLO localhost.localdomain
2019-01-03 20:03:22	SERVER -> CLIENT: 250-smtp4-g21.free.fr
etc etc
2019-01-03 20:03:22	CLIENT -> SERVER: STARTTLS
2019-01-03 20:03:22	SERVER -> CLIENT: 220 2.0.0 Ready to start TLS
2019-01-03 20:03:22	CLIENT -> SERVER: EHLO localhost.localdomain
2019-01-03 20:03:22	SERVER -> CLIENT: 250-smtp4-g21.free.fr
etc etc
2019-01-03 20:03:22	CLIENT -> SERVER: MAIL FROM:<xxx@free.fr>
2019-01-03 20:03:22	SERVER -> CLIENT: 250 2.1.0 Ok
2019-01-03 20:03:22	CLIENT -> SERVER: RCPT TO:<xxx@free.fr>
2019-01-03 20:03:22	SERVER -> CLIENT: 250 2.1.5 Ok
2019-01-03 20:03:22	CLIENT -> SERVER: DATA
2019-01-03 20:03:22	SERVER -> CLIENT: 354 End data with <CR><LF>.<CR><LF>
2019-01-03 20:03:22	CLIENT -> SERVER: Date: Thu, 3 Jan 2019 20:03:22 +0000
2019-01-03 20:03:22	CLIENT -> SERVER: To: Joe User <yyy@free.fr>
2019-01-03 20:03:22	CLIENT -> SERVER: From: Mailer <yyy@free.fr>
2019-01-03 20:03:22	CLIENT -> SERVER: Reply-To: Information <xxx@free.fr>
2019-01-03 20:03:22	CLIENT -> SERVER: Subject: Here is the subject
2019-01-03 20:03:22	CLIENT -> SERVER: Message-ID: <f76fda5c4bb1bb4ab1ea318e2bd88ed1@localhost.localdomain>
2019-01-03 20:03:22	CLIENT -> SERVER: X-Mailer: PHPMailer 5.2.27 (https://github.com/PHPMailer/PHPMailer)
2019-01-03 20:03:22	CLIENT -> SERVER: MIME-Version: 1.0
2019-01-03 20:03:22	CLIENT -> SERVER: Content-Type: multipart/alternative;
2019-01-03 20:03:22	CLIENT -> SERVER: 	boundary="b1_f76fda5c4bb1bb4ab1ea318e2bd88ed1"
2019-01-03 20:03:22	CLIENT -> SERVER: Content-Transfer-Encoding: 8bit
2019-01-03 20:03:22	CLIENT -> SERVER:
2019-01-03 20:03:22	CLIENT -> SERVER: This is a multi-part message in MIME format.
2019-01-03 20:03:22	CLIENT -> SERVER:
2019-01-03 20:03:22	CLIENT -> SERVER: --b1_f76fda5c4bb1bb4ab1ea318e2bd88ed1
2019-01-03 20:03:22	CLIENT -> SERVER: Content-Type: text/plain; charset=us-ascii
2019-01-03 20:03:22	CLIENT -> SERVER:
2019-01-03 20:03:22	CLIENT -> SERVER: This is the body in plain text for non-HTML mail clients
...
2019-01-03 20:03:22	CLIENT -> SERVER: --b1_f76fda5c4bb1bb4ab1ea318e2bd88ed1
2019-01-03 20:03:22	CLIENT -> SERVER: Content-Type: text/html; charset=us-ascii
2019-01-03 20:03:22	CLIENT -> SERVER:
2019-01-03 20:03:22	CLIENT -> SERVER: This is the HTML message body <b>in bold!</b>
...
--b1_f76fda5c4bb1bb4ab1ea318e2bd88ed1--
2019-01-03 20:03:22	CLIENT -> SERVER:
2019-01-03 20:03:22	CLIENT -> SERVER: .
2019-01-03 20:03:22	SERVER -> CLIENT: 250 2.0.0 Ok: queued as 3DDFB19F5BD
2019-01-03 20:03:22	CLIENT -> SERVER: QUIT
2019-01-03 20:03:22	SERVER -> CLIENT: 221 2.0.0 Bye
Message has been sent

and I received the e-mail "This is the HTML message body in bold!".
-----------------------------------------------------------------
For future Mageia 6 test reference, here is the start of the PHP test script that worked:
<?php
//Load Composer's autoloader
require '/usr/share/php/PHPMailer/PHPMailerAutoload.php';

$mail = new PHPMailer(true);
 etc etc
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
OKing, validating, advisory from comments 3 & 2.

Whiteboard: (none) => MGA6-64-OK
Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs

Comment 10 Mageia Robot 2019-01-05 19:31:52 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0010.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

