Debian Bug report logs - #557121
php-mail: security: incorrect usage of escapeshellcmd function


Package: php-mail; Maintainer for php-mail is Debian PHP PEAR Maintainers <pkg-php-pear@lists.alioth.debian.org>; Source for php-mail is src:php-mail (PTS, buildd, popcon).

Reported by: "Dennis P. NIkolaenko" <dennis@nikolaenko.ru>

Date: Thu, 19 Nov 2009 17:27:05 UTC

Severity: serious

Tags: security

Found in version php-mail/1.1.14-1

Fixed in versions php-mail/1.1.14-2, php-mail/1.1.14-1+lenny1, php-mail/1.1.6-2+etch1

Done: Raphael Geissert <geissert@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#557121; Package php-mail. (Thu, 19 Nov 2009 17:27:08 GMT)


Acknowledgement sent to "Dennis P. NIkolaenko" <dennis@nikolaenko.ru>:
New Bug report received and forwarded. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Thu, 19 Nov 2009 17:27:08 GMT)


Message #5 received at submit@bugs.debian.org:

From: "Dennis P. NIkolaenko" <dennis@nikolaenko.ru>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: php-mail: security: incorrect usage of escapeshellcmd function
Date: Thu, 19 Nov 2009 20:18:40 +0300
Package: php-mail
Version: 1.1.14-1
Severity: normal


Please see http://pear.php.net/bugs/bug.php?id=16200

-- System Information:
Debian Release: 5.0.3
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.18-128.2.1.el5.028stab064.8 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages php-mail depends on:
ii  php-pear           5.2.6.dfsg.1-1+lenny3 PEAR - PHP Extension and Applicati

Versions of packages php-mail recommends:
ii  php-net-smtp                  1.3.1-1    PHP PEAR module implementing SMTP 

php-mail suggests no packages.

-- no debconf information




Severity set to 'serious' from 'normal'. Request was from Raphael Geissert <geissert@debian.org> to control@bugs.debian.org. (Thu, 19 Nov 2009 18:51:05 GMT)


Added tag(s) security. Request was from Raphael Geissert <geissert@debian.org> to control@bugs.debian.org. (Thu, 19 Nov 2009 18:51:05 GMT)


Added tag(s) pending. Request was from Raphael Geissert <geissert@alioth.debian.org> to control@bugs.debian.org. (Thu, 19 Nov 2009 19:21:07 GMT)


Reply sent to Raphael Geissert <geissert@debian.org>:
You have taken responsibility. (Thu, 19 Nov 2009 21:51:26 GMT)


Notification sent to "Dennis P. NIkolaenko" <dennis@nikolaenko.ru>:
Bug acknowledged by developer. (Thu, 19 Nov 2009 21:51:26 GMT)


Message #16 received at 557121-close@bugs.debian.org:

From: Raphael Geissert <geissert@debian.org>
To: 557121-close@bugs.debian.org
Subject: Bug#557121: fixed in php-mail 1.1.14-2
Date: Thu, 19 Nov 2009 21:48:59 +0000
Source: php-mail
Source-Version: 1.1.14-2

We believe that the bug you reported is fixed in the latest version of
php-mail, which is due to be installed in the Debian FTP archive:

php-mail_1.1.14-2.diff.gz
  to main/p/php-mail/php-mail_1.1.14-2.diff.gz
php-mail_1.1.14-2.dsc
  to main/p/php-mail/php-mail_1.1.14-2.dsc
php-mail_1.1.14-2_all.deb
  to main/p/php-mail/php-mail_1.1.14-2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 557121@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Raphael Geissert <geissert@debian.org> (supplier of updated php-mail package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Thu, 19 Nov 2009 12:48:44 -0600
Source: php-mail
Binary: php-mail
Architecture: source all
Version: 1.1.14-2
Distribution: unstable
Urgency: high
Maintainer: Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>
Changed-By: Raphael Geissert <geissert@debian.org>
Description: 
 php-mail   - PHP PEAR module for sending email
Closes: 557121
Changes: 
 php-mail (1.1.14-2) unstable; urgency=high
 .
   * Use escapeshellarg instead of escapeshellcmd to escape email addresses
      on sendmail.php (Closes: #557121)
      - Thanks to Dennis P. NIkolaenko <dennis@nikolaenko.ru> for the report

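Why the change from escapeshellcmd() to escapeshellarg() matters, as an added example that is not the php-mail package's own code: escapeshellcmd() neutralises shell metacharacters across a whole command line but leaves whitespace alone, so a recipient value containing a space is split into several arguments to the program being run, whereas escapeshellarg() quotes the value so it arrives as exactly one argument. The recipient string, the printf-based probe (used in place of sendmail so the example is harmless) and the isPlausibleAddress() helper are constructed for this illustration.

```php
<?php
// Added example, not code from the php-mail package. Shows the difference
// between escapeshellcmd() and escapeshellarg() for a single argument.

// Constructed, hypothetical recipient value containing a space.
$recipient = 'user@example.com --injected-flag';

// Harmless probe: printf prints each argument it receives in brackets, so
// the returned lines show how the shell split the argument list.
function argvSeen(string $escapedArg): array
{
    exec('printf "[%s]\n" ' . $escapedArg, $lines);
    return $lines;
}

// escapeshellcmd() escapes characters such as ; | & ` $ but not spaces:
// the single "address" reaches the program as two separate arguments.
$viaCmd = argvSeen(escapeshellcmd($recipient));
// $viaCmd === ['[user@example.com]', '[--injected-flag]']

// escapeshellarg() wraps the whole value in single quotes (embedded quotes
// become '\''), so the program sees one argument, space included.
$viaArg = argvSeen(escapeshellarg($recipient));
// $viaArg === ['[user@example.com --injected-flag]']

// Defence in depth for callers: reject values that are not shaped like an
// address before they are placed on any command line at all.
function isPlausibleAddress(string $addr): bool
{
    return filter_var($addr, FILTER_VALIDATE_EMAIL) !== false;
}

var_dump($viaCmd, $viaArg, isPlausibleAddress($recipient)); // last: bool(false)
```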
Reply sent to Raphael Geissert <geissert@debian.org>:
You have taken responsibility. (Sat, 05 Dec 2009 21:42:12 GMT)


Notification sent to "Dennis P. NIkolaenko" <dennis@nikolaenko.ru>:
Bug acknowledged by developer. (Sat, 05 Dec 2009 21:42:12 GMT)


Message #21 received at 557121-close@bugs.debian.org:

From: Raphael Geissert <geissert@debian.org>
To: 557121-close@bugs.debian.org
Subject: Bug#557121: fixed in php-mail 1.1.14-1+lenny1
Date: Sat, 05 Dec 2009 21:40:26 +0000
Source: php-mail
Source-Version: 1.1.14-1+lenny1

We believe that the bug you reported is fixed in the latest version of
php-mail, which is due to be installed in the Debian FTP archive:

php-mail_1.1.14-1+lenny1.diff.gz
  to main/p/php-mail/php-mail_1.1.14-1+lenny1.diff.gz
php-mail_1.1.14-1+lenny1.dsc
  to main/p/php-mail/php-mail_1.1.14-1+lenny1.dsc
php-mail_1.1.14-1+lenny1_all.deb
  to main/p/php-mail/php-mail_1.1.14-1+lenny1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 557121@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Raphael Geissert <geissert@debian.org> (supplier of updated php-mail package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Fri, 20 Nov 2009 12:24:42 -0600
Source: php-mail
Binary: php-mail
Architecture: source all
Version: 1.1.14-1+lenny1
Distribution: stable-security
Urgency: high
Maintainer: Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>
Changed-By: Raphael Geissert <geissert@debian.org>
Description: 
 php-mail   - PHP PEAR module for sending email
Closes: 557121
Changes: 
 php-mail (1.1.14-1+lenny1) stable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix a command injection vulnerability in sendmail.php (Closes: #557121)

Reply sent to Raphael Geissert <geissert@debian.org>:
You have taken responsibility. (Sat, 05 Dec 2009 22:36:12 GMT)


Notification sent to "Dennis P. NIkolaenko" <dennis@nikolaenko.ru>:
Bug acknowledged by developer. (Sat, 05 Dec 2009 22:36:12 GMT)


Message #26 received at 557121-close@bugs.debian.org:

From: Raphael Geissert <geissert@debian.org>
To: 557121-close@bugs.debian.org
Subject: Bug#557121: fixed in php-mail 1.1.6-2+etch1
Date: Sat, 05 Dec 2009 22:34:03 +0000
Source: php-mail
Source-Version: 1.1.6-2+etch1

We believe that the bug you reported is fixed in the latest version of
php-mail, which is due to be installed in the Debian FTP archive:

php-mail_1.1.6-2+etch1.diff.gz
  to main/p/php-mail/php-mail_1.1.6-2+etch1.diff.gz
php-mail_1.1.6-2+etch1.dsc
  to main/p/php-mail/php-mail_1.1.6-2+etch1.dsc
php-mail_1.1.6-2+etch1_all.deb
  to main/p/php-mail/php-mail_1.1.6-2+etch1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 557121@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Raphael Geissert <geissert@debian.org> (supplier of updated php-mail package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Fri, 20 Nov 2009 12:34:29 -0600
Source: php-mail
Binary: php-mail
Architecture: source all
Version: 1.1.6-2+etch1
Distribution: oldstable-security
Urgency: high
Maintainer: Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>
Changed-By: Raphael Geissert <geissert@debian.org>
Description: 
 php-mail   - PHP PEAR module for sending email
Closes: 557121
Changes: 
 php-mail (1.1.6-2+etch1) oldstable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix a command injection vulnerability in sendmail.php (Closes: #557121)

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 31 Jan 2010 07:30:33 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Jul 2 02:51:00 2023; Machine Name: buxtehude
