Bug 294256 - <dev-php/PEAR-Mail-1.2.0: Argument Injection (CVE-2009-{4023,4111})
Summary: <dev-php/PEAR-Mail-1.2.0: Argument Injection (CVE-2009-{4023,4111})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://pear.php.net/bugs/bug.php?id=1...
Whiteboard: B2 [glsa]
Keywords:
Depends on: 349318
Blocks:
Reported: 2009-11-23 18:26 UTC by Alex Legler (RETIRED)
Modified: 2014-12-12 00:35 UTC (History)
See Also:
Package list:
Runtime testing required: ---
Description Alex Legler (RETIRED) archtester gentoo-dev Security 2009-11-23 18:26:29 UTC
From Secunia (http://secunia.com/advisories/37410/):
The sendmail implementation of the "Mail::Send()" method does not properly sanitise the "from" parameter before invoking sendmail, which can be exploited to pass arbitrary arguments to the sendmail command.

Successful exploitation requires that the sendmail implementation is used and that the attacker is able to define the "from" parameter.

The vulnerability is reported in version 1.1.14. Other versions may also be affected.
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-11-23 18:28:39 UTC
Raphael Geissert stated on the upstream bug ($URL) that the fix is not complete. This is contrary to Secunia's advisory.

PHP, please wait for a new release or apply a patch as seen in that bug report.
Comment 2 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-11-30 18:57:42 UTC
CVE-2009-4023 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4023):
  Argument injection vulnerability in the sendmail implementation of
  the Mail::Send method (Mail/sendmail.php) in the Mail package 1.1.14
  for PEAR allows remote attackers to read and write arbitrary files
  via a crafted $from parameter, a different vector than CVE-2009-4111.

CVE-2009-4111 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4111):
  Argument injection vulnerability in Mail/sendmail.php in the Mail
  package 1.1.14, 1.2.0b2, and possibly other versions for PEAR allows
  remote attackers to read and write arbitrary files via a crafted
  $recipients parameter, and possibly other parameters, a different
  vulnerability than CVE-2009-4023.
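
The defect both CVEs describe is a shell command line assembled from unescaped caller-supplied addresses. As an added illustration (not PEAR Mail's own code, and not the upstream fix), the following PHP shows one safe way to build such a command: validate each address against a strict pattern, wrap it in escapeshellarg(), and terminate option parsing with "--" before the recipient list. The function names, the array form of the recipient list and the sample inputs are assumptions made for this example.

```php
<?php
// Added example, not code from the PEAR Mail package: assembling a sendmail
// command line so that caller-controlled sender and recipient values cannot
// be parsed by sendmail as additional options.

/**
 * Accept only a bare address: no whitespace, no shell metacharacters,
 * and no leading "-" (which sendmail would otherwise read as an option).
 */
function isSafeAddress(string $addr): bool
{
    return (bool) preg_match('/^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/', $addr);
}

/**
 * Build the sendmail invocation. Every address is validated and then
 * escapeshellarg()'d; "--" marks the end of options before the recipients
 * on sendmail implementations that honour it. Throws on any value that
 * is not a plain address, so a crafted "from" never reaches popen().
 */
function buildSendmailCommand(string $from, array $recipients,
                              string $sendmailPath = '/usr/sbin/sendmail'): string
{
    if (!isSafeAddress($from)) {
        throw new InvalidArgumentException("Refusing unsafe envelope sender: $from");
    }
    $cmd = $sendmailPath . ' -f' . escapeshellarg($from) . ' --';
    foreach ($recipients as $rcpt) {
        if (!isSafeAddress($rcpt)) {
            throw new InvalidArgumentException("Refusing unsafe recipient: $rcpt");
        }
        $cmd .= ' ' . escapeshellarg($rcpt);
    }
    return $cmd;
}

// Constructed sample inputs: a benign sender, and one carrying an extra
// whitespace-separated token that raw interpolation would hand to sendmail
// as a separate argument.
$benign  = 'alice@example.org';
$hostile = 'alice@example.org -EXTRA_OPTION';

echo buildSendmailCommand($benign, ['bob@example.net']), PHP_EOL;

try {
    buildSendmailCommand($hostile, ['bob@example.net']);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```

The validation step matters on its own: escapeshellarg() stops the shell from splitting the value, but only the address check prevents a value that begins with "-" from being handed to sendmail as an option.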

Comment 3 Steve Dibb (RETIRED) gentoo-dev 2010-02-15 01:36:26 UTC
I added PEAR-Mail-1.2.0_beta5 to the tree, not sure if it covers the security bug or not.  On their tracker, I only saw one instance of a security bug mentioned since the affected version:

http://pear.php.net/bugs/bug.php?id=16200
Comment 4 Brian Evans (RETIRED) gentoo-dev 2010-04-23 19:33:32 UTC
PEAR-Mail 1.20 has been released and contains this in the ChangeLog:

Bug #16200 - Security hole allow to read/write Arbitrary File

Release date: 2010-03-01 12:47 UTC

I would call the upstream part done.
Comment 5 Matti Bickel (RETIRED) gentoo-dev 2010-12-19 16:05:40 UTC
Ebuild in CVS. Feel free to call stable
Comment 6 Tim Sammut (RETIRED) gentoo-dev 2010-12-19 16:44:29 UTC
(In reply to comment #5)
> Ebuild in CVS. Feel free to call stable
> 

Thank you.

Arches, please test and mark stable:
=dev-php/PEAR-Mail-1.2.0
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Comment 7 Agostino Sarubbo gentoo-dev 2010-12-19 19:07:14 UTC
amd64 ok
Comment 8 Markos Chandras (RETIRED) gentoo-dev 2010-12-20 01:22:49 UTC
amd64 done. Thanks Agostino
Comment 9 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2010-12-20 07:22:58 UTC
x86 stable
Comment 10 Tobias Klausmann (RETIRED) gentoo-dev 2010-12-20 14:37:19 UTC
Stable on alpha.
Comment 11 Raúl Porcel (RETIRED) gentoo-dev 2010-12-25 16:24:16 UTC
arm/ia64/s390/sh/sparc stable
Comment 12 Jeroen Roovers (RETIRED) gentoo-dev 2010-12-25 17:46:27 UTC
Stable for HPPA.
Comment 13 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-01-06 20:03:08 UTC
stable for ppc64.
Comment 14 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-01-10 18:29:05 UTC
ppc stable, last arch done
Comment 15 Tim Sammut (RETIRED) gentoo-dev 2011-01-10 18:40:47 UTC
GLSA request filed.
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2014-12-12 00:35:51 UTC
This issue was resolved and addressed in GLSA 201412-09 at http://security.gentoo.org/glsa/glsa-201412-09.xml by GLSA coordinator Sean Amoss (ackle).