From Secunia (http://secunia.com/advisories/37410/):
The sendmail implementation of the "Mail::Send()" method does not properly sanitise the "from" parameter before invoking sendmail, which can be exploited to pass arbitrary arguments to the sendmail command.
Successful exploitation requires that the sendmail implementation is used and that the attacker is able to define the "from" parameter.
The vulnerability is reported in version 1.1.14. Other versions may also be affected.
Raphael Geissert stated on the upstream bug ($URL) that the fix is not complete. This is contrary to Secunia's advisory.
PHP, please wait for a new release or apply a patch as seen in that bug report.
Argument injection vulnerability in the sendmail implementation of
the Mail::Send method (Mail/sendmail.php) in the Mail package 1.1.14
for PEAR allows remote attackers to read and write arbitrary files
via a crafted $from parameter, a different vector than CVE-2009-4111.
Argument injection vulnerability in Mail/sendmail.php in the Mail
package 1.1.14, 1.2.0b2, and possibly other versions for PEAR allows
remote attackers to read and write arbitrary files via a crafted
$recipients parameter, and possibly other parameters, a different
vulnerability than CVE-2009-4023.
I added PEAR-Mail-1.2.0_beta5 to the tree, not sure if it covers the security bug or not. On their tracker, I only saw one instance of a security bug mentioned since the affected version:
PEAR-Mail 1.20 has been released and contains this in the ChangeLog:
Bug #16200 - Security hole allow to read/write Arbitrary File
Release date: 2010-03-01 12:47 UTC
I would call the upstream part done
Ebuild in CVS. Feel free to call stable
(In reply to comment #5)
> Ebuild in CVS. Feel free to call stable
Arches, please test and mark stable:
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
amd64 done. Thanks Agostino
Stable on alpha.
Stable for HPPA.
stable for ppc64.
ppc stable, last arch done
GLSA request filed.
This issue was resolved and addressed in
GLSA 201412-09 at http://security.gentoo.org/glsa/glsa-201412-09.xml
by GLSA coordinator Sean Amoss (ackle).