Hi, In one of my environments a regression surfaced. Specifically, when using the isSendmail() method with the default php.ini sendmail settings, you would get an error.
This was fixed upstream but the backport lacked that specific commit. I've made another NMU to rectify that. Cheers, Thijs
diff -Nru libphp-phpmailer-5.2.14+dfsg/debian/changelog libphp-phpmailer-5.2.14+dfsg/debian/changelog
--- libphp-phpmailer-5.2.14+dfsg/debian/changelog 2016-12-30 12:22:28.000000000 +0100
+++ libphp-phpmailer-5.2.14+dfsg/debian/changelog 2017-01-02 15:21:27.000000000 +0100
@@ -1,3 +1,11 @@
+libphp-phpmailer (5.2.14+dfsg-2.2) unstable; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * Fix regression in previous update: remove check for
+ Sendmail binary, upstream commit ed4e7ce8.
+
+ -- Thijs Kinkhorst <th...@debian.org> Mon, 02 Jan 2017 14:21:27 +0000
+
 libphp-phpmailer (5.2.14+dfsg-2.1) unstable; urgency=high
 * Non-maintainer upload by the Security Team.
diff -Nru libphp-phpmailer-5.2.14+dfsg/debian/patches/0002-Fix-CVE-2016-10033-CVE-2016-10045.patch libphp-phpmailer-5.2.14+dfsg/debian/patches/0002-Fix-CVE-2016-10033-CVE-2016-10045.patch
--- libphp-phpmailer-5.2.14+dfsg/debian/patches/0002-Fix-CVE-2016-10033-CVE-2016-10045.patch 2016-12-30 12:22:28.000000000 +0100
+++ libphp-phpmailer-5.2.14+dfsg/debian/patches/0002-Fix-CVE-2016-10033-CVE-2016-10045.patch 2017-01-02 15:21:25.000000000 +0100
@@ -1,22 +1,11 @@ diff -Nur libphp-phpmailer-5.2.14+dfsg.orig/class.phpmailer.php libphp-phpmailer-5.2.14+dfsg.new/class.phpmailer.php --- libphp-phpmailer-5.2.14+dfsg.orig/class.phpmailer.php 2015-11-01 10:15:28.000000000 +0000 -+++ libphp-phpmailer-5.2.14+dfsg.new/class.phpmailer.php 2016-12-30 11:20:08.368756474 +0000 -@@ -164,6 +164,7 @@ - - /** - * The path to the sendmail program. -+ * Must contain only a path to an executable, with no parameters or switches - * @var string - */ - public $Sendmail = '/usr/sbin/sendmail'; -@@ -1329,19 +1330,27 @@ ++++ libphp-phpmailer-5.2.14+dfsg.new/class.phpmailer.php 2017-01-02 14:20:47.484824213 +0000 +@@ -1329,19 +1329,24 @@ */ protected function sendmailSend($header, $body) { - if ($this->Sender != '') { -+ if (!(is_file($this->Sendmail) and is_executable($this->Sendmail))) { -+ throw new phpmailerException($this->lang('execute') . $this->Sendmail, self::STOP_CRITICAL); -+ } + // CVE-2016-10033, CVE-2016-10045: Don't pass -f if characters will be escaped. + if (!empty($this->Sender) and self::isShellSafe($this->Sender)) { if ($this->Mailer == 'qmail') { @@ -42,7 +31,7 @@ if ($this->SingleTo) { foreach ($this->SingleToArray as $toAddr) { if (!@$mail = popen($sendmail, 'w')) { -@@ -1388,6 +1397,38 @@ +@@ -1388,6 +1393,38 @@ } /** @@ -81,7 +70,7 @@ * Send mail using the PHP mail() function. * @param string $header The message headers * @param string $body The message body -@@ -1404,12 +1445,14 @@ +@@ -1404,12 +1441,14 @@ } $to = implode(', ', $toArr); @@ -101,7 +90,7 @@ $old_from = ini_get('sendmail_from'); ini_set('sendmail_from', $this->Sender); } -@@ -1463,10 +1506,10 @@ +@@ -1463,10 +1502,10 @@ if (!$this->smtpConnect($this->SMTPOptions)) { throw new phpmailerException($this->lang('smtp_connect_failed'), self::STOP_CRITICAL); }
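Review bot: After this update nothing visible in the first hunk constrains or documents what `$this->Sendmail` may contain: the `is_file()`/`is_executable()` guard at the top of `sendmailSend()` is dropped, and the docblock line stating the property holds only a path is removed with it. The regression presumably arose because the php.ini value carries switches, so I would replace the removed docblock line with an accurate one, e.g. `* May include switches when taken from php.ini sendmail_path; must never be set from untrusted input.` The later context line `popen($sendmail, 'w')` suggests the value reaches a shell command line, though the statement that builds `$sendmail` is not shown here. The `-f` comment could also state that a `Sender` failing `isShellSafe()` is skipped silently, e.g. `// Unsafe Sender: -f is omitted without error, so the envelope sender is not the configured one.` The body of `sendmailSend()` continues outside this hunk.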