Bug 727584 (CVE-2020-13625)

Summary:	dev-php/PHPMailer: Output escaping bug (CVE-2020-13625)
Product:	Gentoo Security	Reporter:	GLSAMaker/CVETool Bot <glsamaker>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	trivial	CC:	mjo, php-bugs
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://github.com/PHPMailer/PHPMailer/security/advisories/GHSA-f7hx-fqxw-rvvj
Whiteboard:	~4 [noglsa cve]
Package list:		Runtime testing required:	---

Description GLSAMaker/CVETool Bot gentoo-dev

2020-06-08 20:59:32 UTC

CVE-2020-13625 (https://nvd.nist.gov/vuln/detail/CVE-2020-13625):
  PHPMailer before 6.1.6 contains an output escaping bug when the name of a
  file attachment contains a double quote character. This can result in the
  file type being misinterpreted by the receiver or any mail relay processing
  the message.

Comment 1 Larry the Git Cow gentoo-dev

2020-06-10 13:47:05 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b30bb859bc507d6baef0d93e1a739c1664ce26a4

commit b30bb859bc507d6baef0d93e1a739c1664ce26a4
Author:     Michael Orlitzky <mjo@gentoo.org>
AuthorDate: 2020-06-10 13:36:09 +0000
Commit:     Michael Orlitzky <mjo@gentoo.org>
CommitDate: 2020-06-10 13:45:39 +0000

    dev-php/PHPMailer: remove old "unused" versions.
    
    This leaves PHPMailer-5.2.28, which was released on 2020-03-09 and is
    the latest release from the 5.x series. No one has said whether or not
    CVE-2020-13625 affects v5.2.28 as well, but the description "insufficient
    output escaping" sounds scarier than it is. This bug isn't known to be
    exploitable; a priori it just gives the attachment the wrong name.
    
    Bug: https://bugs.gentoo.org/727584
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Michael Orlitzky <mjo@gentoo.org>

 dev-php/PHPMailer/Manifest                |  6 ---
 dev-php/PHPMailer/PHPMailer-5.2.27.ebuild | 64 ---------------------------
 dev-php/PHPMailer/PHPMailer-6.0.7.ebuild  | 73 -------------------------------
 dev-php/PHPMailer/PHPMailer-6.1.2.ebuild  | 73 -------------------------------
 dev-php/PHPMailer/PHPMailer-6.1.3.ebuild  | 73 -------------------------------
 dev-php/PHPMailer/PHPMailer-6.1.4.ebuild  | 73 -------------------------------
 dev-php/PHPMailer/PHPMailer-6.1.5.ebuild  | 73 -------------------------------
 7 files changed, 435 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=02e9960b449b8af4440ffa2bb40030962d9dc5a1

commit 02e9960b449b8af4440ffa2bb40030962d9dc5a1
Author:     Michael Orlitzky <mjo@gentoo.org>
AuthorDate: 2020-06-10 13:30:43 +0000
Commit:     Michael Orlitzky <mjo@gentoo.org>
CommitDate: 2020-06-10 13:45:39 +0000

    dev-php/PHPMailer: new version 6.1.6 to fix CVE-2020-13625.
    
    Bug: https://bugs.gentoo.org/727584
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Michael Orlitzky <mjo@gentoo.org>

 dev-php/PHPMailer/Manifest               |  1 +
 dev-php/PHPMailer/PHPMailer-6.1.6.ebuild | 73 ++++++++++++++++++++++++++++++++
 2 files changed, 74 insertions(+)

Comment 2 Sam James archtester

2020-06-10 14:19:54 UTC

All done. Thanks!