Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 727584 (CVE-2020-13625) - dev-php/PHPMailer: Output escaping bug (CVE-2020-13625)
Summary: dev-php/PHPMailer: Output escaping bug (CVE-2020-13625)
Status: RESOLVED FIXED
Alias: CVE-2020-13625
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial
Assignee: Gentoo Security
URL: https://github.com/PHPMailer/PHPMaile...
Whiteboard: ~4 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-06-08 20:59 UTC by GLSAMaker/CVETool Bot
Modified: 2020-07-14 06:16 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2020-06-08 20:59:32 UTC
CVE-2020-13625 (https://nvd.nist.gov/vuln/detail/CVE-2020-13625):
  PHPMailer before 6.1.6 contains an output escaping bug when the name of a
  file attachment contains a double quote character. This can result in the
  file type being misinterpreted by the receiver or any mail relay processing
  the message.
Comment 1 Larry the Git Cow gentoo-dev 2020-06-10 13:47:05 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b30bb859bc507d6baef0d93e1a739c1664ce26a4

commit b30bb859bc507d6baef0d93e1a739c1664ce26a4
Author:     Michael Orlitzky <mjo@gentoo.org>
AuthorDate: 2020-06-10 13:36:09 +0000
Commit:     Michael Orlitzky <mjo@gentoo.org>
CommitDate: 2020-06-10 13:45:39 +0000

    dev-php/PHPMailer: remove old "unused" versions.
    
    This leaves PHPMailer-5.2.28, which was released on 2020-03-09 and is
    the latest release from the 5.x series. No one has said whether or not
    CVE-2020-13625 affects v5.2.28 as well, but the description "insufficient
    output escaping" sounds scarier than it is. This bug isn't known to be
    exploitable; a priori it just gives the attachment the wrong name.
    
    Bug: https://bugs.gentoo.org/727584
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Michael Orlitzky <mjo@gentoo.org>

 dev-php/PHPMailer/Manifest                |  6 ---
 dev-php/PHPMailer/PHPMailer-5.2.27.ebuild | 64 ---------------------------
 dev-php/PHPMailer/PHPMailer-6.0.7.ebuild  | 73 -------------------------------
 dev-php/PHPMailer/PHPMailer-6.1.2.ebuild  | 73 -------------------------------
 dev-php/PHPMailer/PHPMailer-6.1.3.ebuild  | 73 -------------------------------
 dev-php/PHPMailer/PHPMailer-6.1.4.ebuild  | 73 -------------------------------
 dev-php/PHPMailer/PHPMailer-6.1.5.ebuild  | 73 -------------------------------
 7 files changed, 435 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=02e9960b449b8af4440ffa2bb40030962d9dc5a1

commit 02e9960b449b8af4440ffa2bb40030962d9dc5a1
Author:     Michael Orlitzky <mjo@gentoo.org>
AuthorDate: 2020-06-10 13:30:43 +0000
Commit:     Michael Orlitzky <mjo@gentoo.org>
CommitDate: 2020-06-10 13:45:39 +0000

    dev-php/PHPMailer: new version 6.1.6 to fix CVE-2020-13625.
    
    Bug: https://bugs.gentoo.org/727584
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Michael Orlitzky <mjo@gentoo.org>

 dev-php/PHPMailer/Manifest               |  1 +
 dev-php/PHPMailer/PHPMailer-6.1.6.ebuild | 73 ++++++++++++++++++++++++++++++++
 2 files changed, 74 insertions(+)
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-10 14:19:54 UTC
All done. Thanks!