Bug 204500

Summary: mail/phpmailer: Update to 5.2.14, Take MAINTAINER'ship, Add VuXML entry.
Product: Ports & Packages Reporter: Torsten Zühlsdorff <ports>
Component: Individual Port(s)Assignee: freebsd-ports-bugs (Nobody) <ports-bugs>
Status: Closed FIXED    
Severity: Affects Only Me CC: ports-secteam
Priority: Normal Keywords: patch, patch-ready, security
Version: LatestFlags: amdmi3: merge-quarterly+
Hardware: Any   
OS: Any   
Attachments:
Description Flags
patch with update to 5.2.14 and maintainer change
koobs: maintainer-approval+
patch with security patches for 5.2.13
koobs: maintainer-approval+
vuxml update none

Description Torsten Zühlsdorff 2015-11-12 14:01:58 UTC 
Created attachment 163055 [details]
patch with update to 5.2.14 and maintainer change

Hello,

attached a patch to update the port to the current version 5.2.14. The update fixes an security issue (which has no CVE). 

While here i:
- corrected the github account to use
- fix the outdated link to the homepage in pkg-desc
- become new maintainer

portlint -C is fine.

poudriere test-builds are fine for:
9.3 amd64 + i386
10.1 amd64 + i386
10.2 amd64 + i386
11-current r290334 amd64 + i386

I did a basic runtime test. I use this lib in my own applications and they send still emails after update. :D

Suggestion for commit message:

Log:
  mail/phpmailer: update 5.2.13 -> 5.2.14

  Changes:
  * 5.2.14 (2015-11-01)
   * Allow addresses with IDN (Internationalized Domain Name) in PHP 5.3+
   * Allow access to POP3 errors
   * Make all POP3 private properties and methods protected
   * SECURITY Fix vulnerability that allowed email addresses with line breaks (valid in RFC5322) to pass to SMTP, permitting message injection at the SMTP level. Mitigated in both the address validator and in the lower-level SMTP class.
   * Updated Brazilian Portuguese translations

   Submitted by: Torsten Zühlsdorff <ports@toco-domains.de> (new maintainer)
Comment 1 Kubilay Kocak freebsd_committer freebsd_triage 2015-11-12 14:30:28 UTC 
@Tosten, thank you for taking this port under your wing. There's no need for the [tag] prefixes anymore.

If we can separate the security fix into a separate attachment, it will make this easier to merge only that fix to the security branch.
Comment 2 Kubilay Kocak freebsd_committer freebsd_triage 2015-11-12 14:31:04 UTC 
Comment on attachment 163055 [details]
patch with update to 5.2.14 and maintainer change

Port is not maintained, implicit approval
Comment 3 Torsten Zühlsdorff 2015-11-12 14:42:01 UTC 
(In reply to Kubilay Kocak from comment #1)

> If we can separate the security fix into a separate attachment, 
> it will make this easier to merge only that fix to the security branch.

I scanned roughly through the commit history and found the fix. But i will test this separately. Should i create a new PR for the security branch or should i attach the patch to this PR?
Comment 4 Kubilay Kocak freebsd_committer freebsd_triage 2015-11-12 15:02:17 UTC 
(In reply to Torsten Zühlsdorff from comment #3)

Here is perfectly fine, just give them obvious filenames/descriptions:

HEAD - Update to 5.2.14
QUARTERLY - Security fix

Or something equivalent

If you want to try your hand at a security/vuxml update, go nuts :)
Comment 5 Torsten Zühlsdorff 2015-11-13 11:30:18 UTC 
Created attachment 163089 [details]
patch with security patches for 5.2.13

I've created patches to fix the security issue just for phpmailer 5.2.13. The diff intentionally excludes a patch for the unit-tests of the software. Currently i do not have enough time to bring the different versions together, so i've just ported the patches for the software itself.
Comment 6 Kubilay Kocak freebsd_committer freebsd_triage 2015-11-13 11:35:06 UTC 
Comment on attachment 163089 [details]
patch with security patches for 5.2.13

Port is not maintained, implicit approval
Comment 7 Torsten Zühlsdorff 2015-11-13 11:47:28 UTC 
Created attachment 163090 [details]
vuxml update

> If you want to try your hand at a security/vuxml update, go nuts :)

Mh... translated into german this means i would become insane when trying it?

Out of curiosity if my current level of insanity could be raised i did... something... and attached it happily :D I feel no difference till now ;) 

Please let me know what could be improved. :)
Comment 8 Kubilay Kocak freebsd_committer freebsd_triage 2015-11-13 11:54:54 UTC 
(In reply to Torsten Zühlsdorff from comment #7)

Haha, my Australian slang getting in the way again ;)

"Go insane" is definitely one definition. The other is:

2. (in the imperative) Go ahead; feel free.

    "Can we play in the garden?" "Sure, go nuts." [1]

[1] https://en.wiktionary.org/wiki/go_nuts

Good job on the VuXML. In case it wasn't obvious, you can `make validate` the security/vuxml port to QA syntax correctness.

Ports Security Team (ports-secteam@) should be able to help if any semantic 'correcting' is required.

This issue is now 'perfect' and ready to take.
Comment 9 Torsten Zühlsdorff 2015-11-13 12:02:46 UTC 
I got that you mean "feel free", but the multiple meanings got funny because of the complains i already read about the vuxml-file. :) 

With this in mind the vuxml entry was irritating and fun at the same time. Thanks therefore and the link. :)
Comment 10 Torsten Zühlsdorff 2015-12-03 10:27:57 UTC 
Since this is an security issue: is there anything i can do to help speed up the process of being committed?
Comment 11 Kubilay Kocak freebsd_committer freebsd_triage 2015-12-03 11:26:36 UTC 
I'm hesitant to assign this directly to ports-secteam, which would preclude another committer from taking it.

Also, I note that the purported 'patch' (attachment 163089 [details]) appears to be svn status (not diff) output.

Can you clarify, and obsolete/update if necessary.
Comment 12 commit-hook freebsd_committer freebsd_triage 2015-12-03 16:23:51 UTC 
A commit references this bug:

Author: amdmi3
Date: Thu Dec  3 16:23:13 UTC 2015
New revision: 402879
URL: https://svnweb.freebsd.org/changeset/ports/402879

Log:
  Document PHPmailer SMTP injection vulnerability

  PR:		204500

Changes:
  head/security/vuxml/vuln.xml
Comment 13 Dmitry Marakasov freebsd_committer freebsd_triage 2015-12-03 16:35:50 UTC 
vuxml entry committed, though I had to fix a few things. Main is that it should've stated <range><lt>5.2.14</lt></range> instead of <range><lt>5.2.13</lt></range> - versions < 5.2.14 are vulnerable.

There's actually no security patch attached to this PR (svn status output instead), but that's no problem - I guess we can just update to 5.2.14 both in head and a branch.
Comment 14 commit-hook freebsd_committer freebsd_triage 2015-12-03 16:40:57 UTC 
A commit references this bug:

Author: amdmi3
Date: Thu Dec  3 16:40:07 UTC 2015
New revision: 402885
URL: https://svnweb.freebsd.org/changeset/ports/402885

Log:
  - Update to 5.2.14
  - Pass maintainership to submitter

  PR:		204500
  Submitted by:	ports@toco-domains.de
  MFH:		2015Q4
  Security:	8a90dc87-89f9-11e5-a408-00248c0c745d

Changes:
  head/mail/phpmailer/Makefile
  head/mail/phpmailer/distinfo
  head/mail/phpmailer/pkg-descr
Comment 15 commit-hook freebsd_committer freebsd_triage 2015-12-03 16:44:59 UTC 
A commit references this bug:

Author: amdmi3
Date: Thu Dec  3 16:44:22 UTC 2015
New revision: 402886
URL: https://svnweb.freebsd.org/changeset/ports/402886

Log:
  MFH: r402885

  - Update to 5.2.14
  - Pass maintainership to submitter

  PR:		204500
  Submitted by:	ports@toco-domains.de
  Security:	8a90dc87-89f9-11e5-a408-00248c0c745d
  Approved by:	ports-secteam (feld)

Changes:
_U  branches/2015Q4/
  branches/2015Q4/mail/phpmailer/Makefile
  branches/2015Q4/mail/phpmailer/distinfo
  branches/2015Q4/mail/phpmailer/pkg-descr