From Secunia (http://secunia.com/advisories/37410/): The sendmail implementation of the "Mail::Send()" method does not properly sanitise the "from" parameter before invoking sendmail, which can be exploited to pass arbitrary arguments to the sendmail command. Successful exploitation requires that the sendmail implementation is used and that the attacker is able to define the "from" parameter. The vulnerability is reported in version 1.1.14. Other versions may also be affected.
Raphael Geissert stated on the upstream bug ($URL) that the fix is not complete. This is contrary to Secunia's advisory. PHP, please wait for a new release or apply a patch as seen in that bug report.
CVE-2009-4023 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4023): Argument injection vulnerability in the sendmail implementation of the Mail::Send method (Mail/sendmail.php) in the Mail package 1.1.14 for PEAR allows remote attackers to read and write arbitrary files via a crafted $from parameter, a different vector than CVE-2009-4111.

CVE-2009-4111 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4111): Argument injection vulnerability in Mail/sendmail.php in the Mail package 1.1.14, 1.2.0b2, and possibly other versions for PEAR allows remote attackers to read and write arbitrary files via a crafted $recipients parameter, and possibly other parameters, a different vulnerability than CVE-2009-4023.
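Both CVEs describe the same failure mode: a caller-controlled address is placed on the sendmail command line without being checked, so a value that sendmail's option parser reads as a flag becomes an argument injection. The following PHP is an added illustration of the defensive check such a mailer needs; it is not PEAR Mail's own code, not the upstream fix from bug #16200, and every function and variable name in it is an assumption.

```php
<?php
// Added illustrative example, not PEAR Mail's own code or its upstream fix.
// It shows the validation a sendmail-based mailer should apply before a
// user-supplied address reaches the sendmail command line. Names are assumed.

/**
 * True only if $address is acceptable as a sendmail envelope sender or
 * recipient: a single address with no whitespace or shell metacharacters,
 * and not starting with "-" (sendmail would otherwise read it as an option).
 */
function isSafeAddress(string $address): bool
{
    if ($address === '' || strlen($address) > 254 || $address[0] === '-') {
        return false;
    }
    // Conservative allow-list; anything outside it is rejected, not escaped.
    return (bool) preg_match(
        '/^[A-Za-z0-9._%+=-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+$/',
        $address
    );
}

/**
 * Build the argument vector for sendmail. Returning an array lets the caller
 * hand it to proc_open() in array form (PHP >= 7.4), which bypasses the shell.
 * Validation is still required: the shell is only one of two parsers in play,
 * sendmail's own option parser is the other.
 */
function buildSendmailArgv(string $sendmailPath, string $from, array $recipients): array
{
    if (!isSafeAddress($from)) {
        throw new InvalidArgumentException('Refusing unsafe envelope sender');
    }
    foreach ($recipients as $rcpt) {
        if (!isSafeAddress($rcpt)) {
            throw new InvalidArgumentException('Refusing unsafe recipient');
        }
    }
    // "-i": a lone "." line does not end the message; "-f": envelope sender.
    return array_merge([$sendmailPath, '-i', '-f', $from], $recipients);
}

/**
 * For code that still builds a shell string, quote every argument;
 * escapeshellarg() guarantees each value remains exactly one argument.
 */
function buildSendmailCommand(string $sendmailPath, string $from, array $recipients): string
{
    $argv = buildSendmailArgv($sendmailPath, $from, $recipients);
    return implode(' ', array_map('escapeshellarg', $argv));
}

// Constructed sample inputs: one benign sender, one that begins with "-".
$ok  = 'alice@example.org';
$bad = '-alice@example.org';

var_dump(isSafeAddress($ok));
var_dump(isSafeAddress($bad));

echo buildSendmailCommand('/usr/sbin/sendmail', $ok, ['bob@example.net']), "\n";

try {
    buildSendmailArgv('/usr/sbin/sendmail', $bad, ['bob@example.net']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The design point is that escaping alone is not enough for this bug class: escapeshellarg() only keeps the value as a single argument, and sendmail then interprets that argument itself, so a leading "-" has to be rejected by an allow-list before the command is built, whichever of the two builders is used.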
I added PEAR-Mail-1.2.0_beta5 to the tree, not sure if it covers the security bug or not. On their tracker, I only saw one instance of a security bug mentioned since the affected version: http://pear.php.net/bugs/bug.php?id=16200
PEAR-Mail 1.20 has been released and contains this in the ChangeLog:
Bug #16200 - Security hole allow to read/write Arbitrary File
Release date: 2010-03-01 12:47 UTC
I would call the upstream part done
Ebuild in CVS. Feel free to call stable
(In reply to comment #5)
> Ebuild in CVS. Feel free to call stable

Thank you. Arches, please test and mark stable: =dev-php/PEAR-Mail-1.2.0
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
amd64 ok
amd64 done. Thanks Agostino
x86 stable
Stable on alpha.
arm/ia64/s390/sh/sparc stable
Stable for HPPA.
stable for ppc64.
ppc stable, last arch done
GLSA request filed.
This issue was resolved and addressed in GLSA 201412-09 at http://security.gentoo.org/glsa/glsa-201412-09.xml by GLSA coordinator Sean Amoss (ackle).