727584 – (CVE-2020-13625) dev-php/PHPMailer: Output escaping bug (CVE-2020-13625)

Bug 727584 (CVE-2020-13625) - dev-php/PHPMailer: Output escaping bug (CVE-2020-13625)

Summary: dev-php/PHPMailer: Output escaping bug (CVE-2020-13625)

Status:	RESOLVED FIXED

Alias:	CVE-2020-13625

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal trivial (vote)
Assignee:	Gentoo Security

URL:	https://github.com/PHPMailer/PHPMaile...
Whiteboard:	~4 [noglsa cve]
Keywords:

Depends on:
Blocks:

Reported:	2020-06-08 20:59 UTC by GLSAMaker/CVETool Bot
Modified:	2020-07-14 06:16 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description GLSAMaker/CVETool Bot gentoo-dev

2020-06-08 20:59:32 UTC

CVE-2020-13625 (https://nvd.nist.gov/vuln/detail/CVE-2020-13625):
  PHPMailer before 6.1.6 contains an output escaping bug when the name of a
  file attachment contains a double quote character. This can result in the
  file type being misinterpreted by the receiver or any mail relay processing
  the message.

Comment 1 Larry the Git Cow gentoo-dev

2020-06-10 13:47:05 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b30bb859bc507d6baef0d93e1a739c1664ce26a4

commit b30bb859bc507d6baef0d93e1a739c1664ce26a4
Author:     Michael Orlitzky <mjo@gentoo.org>
AuthorDate: 2020-06-10 13:36:09 +0000
Commit:     Michael Orlitzky <mjo@gentoo.org>
CommitDate: 2020-06-10 13:45:39 +0000

    dev-php/PHPMailer: remove old "unused" versions.
    
    This leaves PHPMailer-5.2.28, which was released on 2020-03-09 and is
    the latest release from the 5.x series. No one has said whether or not
    CVE-2020-13625 affects v5.2.28 as well, but the description "insufficient
    output escaping" sounds scarier than it is. This bug isn't known to be
    exploitable; a priori it just gives the attachment the wrong name.
    
    Bug: https://bugs.gentoo.org/727584
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Michael Orlitzky <mjo@gentoo.org>

 dev-php/PHPMailer/Manifest                |  6 ---
 dev-php/PHPMailer/PHPMailer-5.2.27.ebuild | 64 ---------------------------
 dev-php/PHPMailer/PHPMailer-6.0.7.ebuild  | 73 -------------------------------
 dev-php/PHPMailer/PHPMailer-6.1.2.ebuild  | 73 -------------------------------
 dev-php/PHPMailer/PHPMailer-6.1.3.ebuild  | 73 -------------------------------
 dev-php/PHPMailer/PHPMailer-6.1.4.ebuild  | 73 -------------------------------
 dev-php/PHPMailer/PHPMailer-6.1.5.ebuild  | 73 -------------------------------
 7 files changed, 435 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=02e9960b449b8af4440ffa2bb40030962d9dc5a1

commit 02e9960b449b8af4440ffa2bb40030962d9dc5a1
Author:     Michael Orlitzky <mjo@gentoo.org>
AuthorDate: 2020-06-10 13:30:43 +0000
Commit:     Michael Orlitzky <mjo@gentoo.org>
CommitDate: 2020-06-10 13:45:39 +0000

    dev-php/PHPMailer: new version 6.1.6 to fix CVE-2020-13625.
    
    Bug: https://bugs.gentoo.org/727584
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Michael Orlitzky <mjo@gentoo.org>

 dev-php/PHPMailer/Manifest               |  1 +
 dev-php/PHPMailer/PHPMailer-6.1.6.ebuild | 73 ++++++++++++++++++++++++++++++++
 2 files changed, 74 insertions(+)

Comment 2 Sam James archtester

2020-06-10 14:19:54 UTC

All done. Thanks!