Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 603756 - www-apps/joomla: Remote code execution through embedded dev-php/PHPMailer (CVE-2016-10033)
Summary: www-apps/joomla: Remote code execution through embedded dev-php/PHPMailer (CV...
Status: RESOLVED WONTFIX
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial
Assignee: Gentoo Security
URL: https://developer.joomla.org/security...
Whiteboard: ~2 [ebuild+/cve]
Keywords: PMASKED
Depends on:
Blocks: 603752
  Show dependency tree
 
Reported: 2016-12-26 13:21 UTC by Thomas Deutschmann (RETIRED)
Modified: 2017-06-17 08:41 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Deutschmann (RETIRED) gentoo-dev 2016-12-26 13:21:51 UTC 
It is suspected that this package is vulnerable to a security vulnerability via embedded dev-php/PHPMailer. As such we ask maintainers with packages suspected to be vulnerable to verify if the package is (or have been) affected. 

Please see the information contained in the tracker bug 603752.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2016-12-26 18:29:53 UTC 
(In reply to Harold Naparst from https://bugs.gentoo.org/show_bug.cgi?id=603752#c1)
> I am the maintainer of joomla.  It is unknown whether joomla has bundled an
> affected version of PHPMailer.  Please remove joomla from portage until
> further notice.

Joomla upstream has already confirmed the problem and is preparing new releases.

The version in Gentoo repository (=www-apps/joomla-3.4.8) ships PHPMailer in v5.2.9, see https://github.com/joomla/joomla-cms/blob/3.4.8/libraries/vendor/phpmailer/phpmailer/class.phpmailer.php#L34.
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2017-05-17 18:41:20 UTC 
# Thomas Deutschmann <whissi@gentoo.org> (17 May 2017)
# Multiple unpatched security vulnerabilities (see bug #603756, #610696, #612650 ...)
# Removal in 30 days.
www-apps/joomla
Comment 3 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2017-06-17 08:41:15 UTC 
commit fe7d7445faf698a716e9f542fdc18b771fa42b6a
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: Sat Jun 17 10:29:26 2017
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: Sat Jun 17 10:39:58 2017

    www-apps/joomla: Remove last-rited pkg