--- libphp-phpmailer-5.1.orig/class.smtp.php +++ libphp-phpmailer-5.1/class.smtp.php @@ -469,6 +469,10 @@ return false; } + if (strpos($host, "\n") !== false or strpos($host, "\r") !== false) { + return false; + } + // if hostname for HELO was not specified send default if(empty($host)) { // determine appropriate default to send to server @@ -486,7 +490,7 @@ } /** - * Sends a HELO/EHLO command. + * Sends a HELO/EHLO command. Assumes $hello and $host are validated * @access private * @return bool */ @@ -635,6 +639,10 @@ return false; } + if (strpos($to, "\n") !== false or strpos($to, "\r") !== false) { + return false; + } + fputs($this->smtp_conn,"RCPT TO:<" . $to . ">" . $this->CRLF); $rply = $this->get_lines(); @@ -726,6 +734,10 @@ return false; } + if (strpos($from, "\n") !== false or strpos($from, "\r") !== false) { + return false; + } + fputs($this->smtp_conn,"SAML FROM:" . $from . $this->CRLF); $rply = $this->get_lines(); @@ -811,4 +823,4 @@ } -?> \ No newline at end of file +?> --- libphp-phpmailer-5.1.orig/debian/compat +++ libphp-phpmailer-5.1/debian/compat @@ -0,0 +1 @@ +7 --- libphp-phpmailer-5.1.orig/debian/watch +++ libphp-phpmailer-5.1/debian/watch @@ -0,0 +1,2 @@ +version=3 +http://sf.net/phpmailer/ PHPMailer_(.*)\.tar\.gz --- libphp-phpmailer-5.1.orig/debian/changelog +++ libphp-phpmailer-5.1/debian/changelog 
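Review bot: The new CR/LF branch in the first hunk (`@@ -469,6 +469,10 @@`) returns false without recording a reason, so a caller cannot tell a rejected HELO host from any other failure and nothing is left for logs to show that a line break was supplied. The other early returns in this class appear to populate `$this->error` first (those lines are outside the hunk, so this is inferred); the guard could do the same with `$this->error = array("error" => "Line break in HELO host rejected");` before `return false;`. The same pair of `strpos` calls is repeated in the hunks at 639 and 734, where the same remark applies; `strpbrk($host, "\r\n") !== false`, or one private helper shared by all three, would keep the checks identical. The enclosing function starts and ends outside the hunk.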
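Review bot: The sender guard in the hunk at `@@ -726,6 +734,10 @@` sits on the `SAML FROM` path, and no hunk in this diff touches any other place in class.smtp.php where a caller-supplied address is concatenated into a command line. The changelog describes the fix as covering to, from and HELO, so it is worth confirming that the ordinary `MAIL FROM` path, and any other command builders this version has, carry the same CR/LF check. Those functions are not visible on this page, so this is a question for the author rather than a confirmed gap. Routing every command write through one private helper that refuses CR or LF in its arguments would cover all callers at once and leave less room for one path to be missed in a later backport.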
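Review bot: The debian/watch entry points uscan at a plain `http://` URL and sets no signature option, so a new upstream tarball would be fetched with neither transport nor origin verification. If upstream publishes detached signatures (not known from this page), adding `opts=pgpsigurlmangle=s/$/.asc/` with the upstream key shipped in the packaging, and switching the URL to https, would close that gap. Otherwise the packaging notes should say how downloaded tarballs are verified before import.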
@@ -0,0 +1,109 @@
+libphp-phpmailer (5.1-1+deb6u11build0.12.04.1) precise-security; urgency=medium
+
+ * fake sync from Debian
+
+ -- Tyler Hicks Mon, 04 Jan 2016 11:19:23 -0600
+
+libphp-phpmailer (5.1-1+deb6u11) squeeze-lts; urgency=high
+
+ * CVE-2015-8476: Reject line breaks in to, from, and HELO calls to avoid
+ command injection. (Closes: #807265)
+
+ -- Chris Lamb Tue, 08 Dec 2015 20:11:13 +0200
+
+libphp-phpmailer (5.1-1) unstable; urgency=low
+
+ * New upstream version. Closes: #559881.
+ * debian/copyright:
+ + Included new author Marcus Bointon. and updated
+ + Updated copyright date for Andy Prevost.
+ + Updated copyright symbols to be lintian clean.
+ * Updated debian/watch.
+ * Removed line in debian/rules and debian/docs regarding Changelog.txt.
+
+ -- Kevin Coyner Thu, 10 Dec 2009 10:27:21 -0500
+
+libphp-phpmailer (2.3-2) unstable; urgency=low
+
+ * Change Section from web to php in debian/control.
+
+ -- Kevin Coyner Mon, 19 Oct 2009 07:34:15 -0400
+
+libphp-phpmailer (2.3-1) unstable; urgency=low
+
+ * New upstream version. Closes: #524445.
+ * debian/control:
+ + Updated Standards-Version to 3.8.3.
+ + Bumped debhelper version to 7.4~.
+ * Bumped debian/compat to 7 from 5.
+ * Removed phpdoc from debian/docs as upstream no longer provides it. Similar
+ documentation is now found at http://phpmailer.codeworxtech.com.
+ * debian/rules:
+ + Changed dh_clean -k to dh_prep in the install stanza.
+ + Removed reference to phpdoc in the dh_installdocs call.
+
+ -- Kevin Coyner Sun, 18 Oct 2009 22:56:03 -0400
+
+libphp-phpmailer (2.1-1) unstable; urgency=low
+
+ * New upstream version. Note that this version is only compatible with php5.
+ Closes: #490385
+ * debian/control:
+ + Updated Standards-Version to 3.8.0.
+ + Moved homepage from long description to its own field.
+ + Removed dependency on dpatch.
+ + Removed php4 entries from Depends.
+ * Updated debian/watch.
+ * Updated debian/copyright.
+ * Removed patch files no longer needed from earlier version. Also removed
+ dpatch references in debian/rules.
+
+ -- Kevin Coyner Sat, 04 Oct 2008 15:48:18 -0400
+
+libphp-phpmailer (1.73-6) unstable; urgency=low
+
+ * Re-order debian/control Depends: line so php5 dependencies precede php4.
+
+ -- Kevin Coyner Sun, 12 Aug 2007 19:58:40 -0400
+
+libphp-phpmailer (1.73-5) unstable; urgency=low
+
+ * Change of maintainer e-mail address in debian/* files.
+
+ -- Kevin Coyner Sun, 12 Aug 2007 14:41:36 -0400
+
+libphp-phpmailer (1.73-4) unstable; urgency=high
+
+ * High urgency upload for security bug fix.
+ * Apply patch to properly validate input to prevent shell command execution
+ in class.phpmailer.php. See CVE-2007-3215. Closes: #429179.
+ * Add dpatch as Build-Depends.
+
+ -- Kevin Coyner Sat, 16 Jun 2007 21:02:47 -0400
+
+libphp-phpmailer (1.73-3) unstable; urgency=low
+
+ * New maintainer. Closes: #407668.
+ * debian/control:
+ + Small formatting changes in description.
+ + Changed from Build-Depends-Indep: to Build-Depends:.
+ + Updated Standards-Version: to 3.7.2.
+ * debian/watch: Updated to version 3, updated link to sourceforge.net.
+ * debian/rules: Moved dh_* files from binary-arch: to binary-indep:.
+
+ -- Kevin Coyner Sat, 20 Jan 2007 14:07:41 -0500
+
+libphp-phpmailer (1.73-2) unstable; urgency=low
+
+ * Added php5 dependencies.
+ * Updated to Standards-Version: 3.6.2.
+ * Build-Depends on debhelper >=5 and updated debian/compat.
+ * Updated FSF address in debian/copyright file.
+
+ -- Jose Carlos Medeiros Mon, 27 Mar 2006 17:45:59 -0300
+
+libphp-phpmailer (1.73-1) unstable; urgency=low
+
+ * Initial Release. (closes: #320344)
+
+ -- Jose Carlos Medeiros Thu, 28 Jul 2005 15:47:42 -0300
--- libphp-phpmailer-5.1.orig/debian/rules
+++ libphp-phpmailer-5.1/debian/rules
@@ -0,0 +1,54 @@
+#!/usr/bin/make -f
+
+# Uncomment this to turn on verbose mode.
+#export DH_VERBOSE=1
+
+package = libphp-phpmailer
+
+configure: configure-stamp
+configure-stamp:
+ dh_testdir
+ touch configure-stamp
+
+build: build-stamp
+
+build-stamp: configure-stamp
+ dh_testdir
+ touch build-stamp
+
+
+clean:
+ dh_testdir
+ dh_testroot
+ dh_clean build-stamp configure-stamp
+
+install: build
+ dh_testdir
+ dh_testroot
+ dh_prep
+ dh_installdirs
+
+ # Add here commands to install the package into debian/package.
+ cp -dpR *.php debian/$(package)/usr/share/php/$(package)
+ cp -dpR language/ debian/$(package)/usr/share/php/$(package)
+
+# Build architecture-independent files here.
+binary-indep: build install
+ dh_testdir
+ dh_testroot
+ dh_installdocs test
+ dh_installexamples
+ dh_installchangelogs
+ dh_compress
+ dh_fixperms
+ dh_installdeb
+ dh_gencontrol
+ dh_md5sums
+ dh_builddeb
+
+# Build architecture-dependent files here.
+binary-arch: build install
+# We have nothing to do by default.
+
+binary: binary-indep binary-arch
+.PHONY: build clean binary-indep binary-arch binary install configure
--- libphp-phpmailer-5.1.orig/debian/docs
+++ libphp-phpmailer-5.1/debian/docs
@@ -0,0 +1,2 @@
+docs
+README
--- libphp-phpmailer-5.1.orig/debian/dirs
+++ libphp-phpmailer-5.1/debian/dirs
@@ -0,0 +1,3 @@
+usr/share/php/libphp-phpmailer
+usr/share/doc/libphp-phpmailer/examples
+usr/share/doc/libphp-phpmailer/test
--- libphp-phpmailer-5.1.orig/debian/copyright
+++ libphp-phpmailer-5.1/debian/copyright
@@ -0,0 +1,33 @@
+This package was debianized by Jose Carlos Medeiros on
+Thu, 28 Jul 2005 15:47:42 -0300
+
+The current maintainer is Kevin Coyner .
+
+It was downloaded from: http://phpmailer.sourceforge.net/
+
+Upstream Authors: Brent R. Matzelle, Andy Prevost, Marcus Bointon
+
+Copyright © 2004-2009, Andy Prevost
+Copyright © 2001-2003, Brent R. Matzelle
+
+License:
+
+ This package is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2 of the License, or (at your option) any later version.
+
+ This package is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with this package; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+
+On Debian systems, the complete text of the GNU General Public
+License, version 2, can be found in /usr/share/common-licenses/GPL-2.
+
+The Debian packaging is © 2008, Kevin Coyner and
+is licensed under the GPL, see above.
--- libphp-phpmailer-5.1.orig/debian/libphp-phpmailer.examples
+++ libphp-phpmailer-5.1/debian/libphp-phpmailer.examples
@@ -0,0 +1 @@
+examples/*
--- libphp-phpmailer-5.1.orig/debian/control
+++ libphp-phpmailer-5.1/debian/control
@@ -0,0 +1,34 @@
+Source: libphp-phpmailer
+Section: php
+Priority: optional
+Maintainer: Kevin Coyner
+Build-Depends: debhelper (>= 7.4~)
+Standards-Version: 3.8.3
+Homepage: http://phpmailer.sourceforge.net/
+
+Package: libphp-phpmailer
+Architecture: all
+Depends: php5 | php5-cli | php5-cgi | libapache2-mod-php5
+Suggests: mail-transport-agent
+Description: full featured email transfer class for PHP
+ Many PHP developers utilize email in their code. The only PHP function
+ that supports this is the mail() function. However, it does not expose
+ any of the popular features that many email clients use nowadays like
+ HTML-based emails and attachments. There are two proprietary
+ development tools out there that have all the functionality built into
+ easy to use classes: AspEmail(tm) and AspMail. Both of these
+ programs are COM components only available on Windows.
+ .
+ PhpMailer implements the same methods (object calls) that the Windows-based
+ components do.
+ .
+ Class Features:
+ - Send emails with multiple TOs, CCs, BCCs and REPLY-TOs
+ - Redundant SMTP servers
+ - Multipart/alternative emails for mail clients that do not read HTML email
+ - Support for 8bit, base64, binary, and quoted-printable encoding
+ - Uses the same methods as the very popular AspEmail active server (COM)
+ component
+ - SMTP authentication
+ - Native language support
+ - Word wrap