The setFrom function in the Sendmail adapter in the zend-mail component before 2.4.11, 2.5.x, 2.6.x, and 2.7.x before 2.7.2, and Zend Framework before 2.4.11 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted e-mail address.

References:
http://seclists.org/oss-sec/2016/q4/780
http://legalhackers.com/advisories/ZendFramework-Exploit-ZendMail-Remote-Code-Exec-CVE-2016-10034-Vuln.html
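A defensive check for the issue described above, as an added example that is not zend-mail's code or its patch: an allowlist validator applied to a sender address before it is appended to the fifth argument of PHP's mail() as a `-f` value. The function names and sample addresses are constructed for illustration, and the check assumes the application does not need RFC 5322 quoted local parts.

```php
<?php
declare(strict_types=1);

/**
 * Added example (hypothetical helper, not part of zend-mail).
 * Returns true only for addresses that are safe to place after "-f"
 * in the additional-parameters string handed to mail().
 */
function isSafeEnvelopeSender(string $address): bool
{
    // Allowlist: plain dot-atom local part starting with an alphanumeric,
    // exactly one "@", and a hostname. Quotes, backslashes, whitespace and
    // control characters never match, so the value cannot end the -f
    // argument early. \A and \z anchor the whole string; "$" would
    // tolerate a trailing newline.
    $pattern = '/\A[A-Za-z0-9][A-Za-z0-9._+-]{0,63}@([A-Za-z0-9-]+\.)+[A-Za-z]{2,}\z/';
    if (preg_match($pattern, $address) !== 1) {
        return false;
    }
    // Second check with PHP's own validator (rejects e.g. consecutive dots).
    return filter_var($address, FILTER_VALIDATE_EMAIL) !== false;
}

/** Builds the "-f" parameter, refusing anything outside the allowlist. */
function buildSenderParameter(string $address): string
{
    if (!isSafeEnvelopeSender($address)) {
        throw new InvalidArgumentException('Rejected envelope sender');
    }
    return '-f' . $address;
}

// Constructed sample inputs: two ordinary addresses and four that use
// the character classes the advisory is concerned with.
$samples = [
    'alice@example.org',
    'bob.smith+news@mail.example.org',
    '"quoted local"@example.org',
    'back\\slash@example.org',
    "line\nbreak@example.org",
    '-leadingdash@example.org',
];
foreach ($samples as $s) {
    printf("%-40s %s\n", json_encode($s), isSafeEnvelopeSender($s) ? 'accept' : 'reject');
}
```

Only the first two samples are accepted; the rest are rejected before any parameter string is built.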
Created php-zendframework-zend-mail tracking bugs for this issue:

Affects: fedora-all [bug 1409593]

Created php-ZendFramework2 tracking bugs for this issue:

Affects: epel-all [bug 1409594]

Created php-ZendFramework tracking bugs for this issue:

Affects: fedora-all [bug 1409592]
Affects: epel-all [bug 1409595]

This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.