Question

Magento has released a new security patch for M1, and updates for M1 and M2.

What issues should I look out for when upgrading or applying this patch?

SUPEE-10570

SUPEE-10570, Magento Commerce 1.14.3.8 and Open Source 1.9.3.8 contain multiple security enhancements that help close remote code execution (RCE), cross-site scripting (XSS), and other issues. These releases also include small functional fixes listed in the release notes.

MAGENTO 2.2.3, 2.1.12 AND 2.0.18 SECURITY UPDATE

Magento Commerce and Open Source 2.2.3, 2.1.12 and 2.0.18 contain multiple security enhancements that help close Cross-Site Scripting (XSS), authenticated Admin user remote code execution (RCE) and other vulnerabilities. The releases include additional functional fixes. To find out more about the functional fixes please check Release Notes for Magento Commerce 2.0.18, 2.1.12, 2.2.3 and Magento Open Source 2.0.18, 2.1.12, 2.2.3.

Solution

Here is the list of files modified by the SUPEE-10570 patch:

app/Mage.php 
app/code/core/Mage/Admin/Helper/Data.php
app/code/core/Mage/Admin/Model/Block.php 
app/code/core/Mage/Admin/Model/Resource/Block.php 
app/code/core/Mage/Admin/Model/User.php 
app/code/core/Mage/Adminhtml/Block/Catalog/Category/Edit/Form.php 
app/code/core/Mage/Adminhtml/Block/Catalog/Product/Grid.php 
app/code/core/Mage/Adminhtml/Block/Newsletter/Template/Grid/Renderer/Sender.php 
app/code/core/Mage/Adminhtml/Block/Sales/Order/Grid.php 
app/code/core/Mage/Adminhtml/Block/Sales/Order/View/Info.php 
app/code/core/Mage/Adminhtml/Block/System/Store/Edit/Form.php 
app/code/core/Mage/Adminhtml/Block/Tag/Assigned/Grid.php 
app/code/core/Mage/Adminhtml/Block/Widget/Grid/Column/Renderer/Store.php 
app/code/core/Mage/Adminhtml/Block/Widget/Tabs.php 
app/code/core/Mage/Adminhtml/Model/Config/Data.php 
app/code/core/Mage/Adminhtml/Model/System/Store.php 
app/code/core/Mage/Adminhtml/controllers/Catalog/ProductController.php 
app/code/core/Mage/Adminhtml/controllers/CustomerController.php 
app/code/core/Mage/Adminhtml/controllers/System/BackupController.php
app/code/core/Mage/Core/Model/Session/Abstract/Varien.php
app/code/core/Mage/Core/Model/Variable.php
app/code/core/Mage/Customer/Helper/Data.php
app/code/core/Mage/Customer/Model/Resource/Customer.php
app/code/core/Mage/Customer/controllers/AccountController.php
app/code/core/Mage/Customer/etc/config.xml
app/code/core/Mage/Customer/sql/customer_setup/upgrade-1.6.2.0.1.1.1-1.6.2.0.1.1.2.php
app/code/core/Mage/Downloadable/etc/config.xml
app/code/core/Mage/Downloadable/etc/system.xml
app/code/core/Mage/Downloadable/sql/downloadable_setup/upgrade-1.6.0.0.2.1.1-1.6.0.0.2.1.2.php
app/code/core/Mage/ImportExport/Model/Import.php
app/code/core/Mage/ImportExport/Model/Import/Entity/Product.php
app/code/core/Mage/Shipping/Model/Info.php
app/code/core/Mage/Widget/controllers/Adminhtml/Widget/InstanceController.php
app/design/adminhtml/default/default/template/catalog/product/attribute/set/main.phtml
app/design/adminhtml/default/default/template/customer/tab/view.phtml
app/design/adminhtml/default/default/template/customer/tab/view/sales.phtml
app/design/adminhtml/default/default/template/dashboard/store/switcher.phtml
app/design/adminhtml/default/default/template/downloadable/product/composite/fieldset/downloadable.phtml
app/design/adminhtml/default/default/template/downloadable/product/edit/downloadable/links.phtml
app/design/adminhtml/default/default/template/downloadable/sales/items/column/downloadable/creditmemo/name.phtml
app/design/adminhtml/default/default/template/downloadable/sales/items/column/downloadable/invoice/name.phtml
app/design/adminhtml/default/default/template/downloadable/sales/items/column/downloadable/name.phtml
app/design/adminhtml/default/default/template/newsletter/preview/store.phtml
app/design/adminhtml/default/default/template/report/store/switcher.phtml
app/design/adminhtml/default/default/template/sales/order/view/info.phtml
app/design/adminhtml/default/default/template/store/switcher.phtml
app/design/adminhtml/default/default/template/store/switcher/enhanced.phtml
app/design/adminhtml/default/default/template/system/convert/profile/wizard.phtml
app/design/adminhtml/default/default/template/tax/rate/title.phtml
app/design/adminhtml/default/default/template/widget/form/renderer/fieldset.phtml
app/locale/en_US/Mage_Catalog.csv
app/locale/en_US/Mage_ImportExport.csv
lib/Zend/Mail/Transport/Sendmail.php

EDIT

Finally, after deploying on my prod website (CE 1.7.0.2), I noticed a critical blocking issue (checkout process blocked).

The context: after step 1 (address), I directly create AND log in the customer; he should see only the next checkout step.

The problem: after SUPEE-10570, the checkout process is broken after step 1 (in case of account creation) and the customer is redirected to the homepage (with shopping cart empty + logged out) = impossible to complete his checkout.

The emergency fix: in case you encounter a similar problem with your checkout / customer session, comment out lines 414-430 of app/code/core/Mage/Core/Model/Session/Abstract/Varien.php (the ones added by the patch, see below).

//         if ($this->useValidateSessionPasswordTimestamp()
//             && isset($validatorData[self::VALIDATOR_PASSWORD_CREATE_TIMESTAMP])
//             && isset($sessionData[self::VALIDATOR_SESSION_EXPIRE_TIMESTAMP])
//             && $validatorData[self::VALIDATOR_PASSWORD_CREATE_TIMESTAMP]
//             > $sessionData[self::VALIDATOR_SESSION_EXPIRE_TIMESTAMP] - $this->getCookie()->getLifetime()
//         ) {
//             return false;
//         }

//         if ($this->useValidateSessionExpire()
//             && isset($sessionData[self::VALIDATOR_SESSION_EXPIRE_TIMESTAMP])
//             && $sessionData[self::VALIDATOR_SESSION_EXPIRE_TIMESTAMP] < time() ) {
//             return false;
//         } else {
//             $this->_data[self::VALIDATOR_KEY][self::VALIDATOR_SESSION_EXPIRE_TIMESTAMP]
//                 = $validatorData[self::VALIDATOR_SESSION_EXPIRE_TIMESTAMP];
//         }

EDIT (2)

I think the following condition will always return false (Mage_Core_Model_Session_Abstract_Varien at lines 414-419, especially lines 417+418).

    if ($this->useValidateSessionPasswordTimestamp()
        && isset($validatorData[self::VALIDATOR_PASSWORD_CREATE_TIMESTAMP])
        && isset($sessionData[self::VALIDATOR_SESSION_EXPIRE_TIMESTAMP])
        && $validatorData[self::VALIDATOR_PASSWORD_CREATE_TIMESTAMP]
        > $sessionData[self::VALIDATOR_SESSION_EXPIRE_TIMESTAMP] - $this->getCookie()->getLifetime()
    ) {
        return false;
    }

VALIDATOR_PASSWORD_CREATE_TIMESTAMP will always be greater than VALIDATOR_SESSION_EXPIRE_TIMESTAMP. The session "expiration" timestamp is redefined at account creation, so inevitably older than session init.

So for instance if you create the customer during checkout, this will return false and the customer will just be kicked out (= end checkout, redirect to homepage & cart empty). Pretty bad.

I've reported this issue to the Magento team. I'll give feedback here asap.


EDIT (3)

A new patch is WIP (on the Magento patch download page it says "SUPEE-10570 for CE 1.7.0.0 - UPDATED PATCH EXPECTED, DO NOT USE (0.06 MB)").


EDIT (4) ~1 month after initial blocking issue reported

Hi! Hope you're all good (and hope you didn't keep the initial patch state until now, otherwise your business income has probably seriously decreased^^).

I've noticed the following sentence on the official SUPEE-10570 page: "Magento is now providing an updated patch (SUPEE-10570v2) that no longer causes this issue. Note, however, that this new patch no longer protects against two low risk session handling-related security issues that patch SUPEE-10570 protected against."

On the release page we can finally find the v2 file (PATCH_SUPEE-10570_CE_v1.7.0.2_v2-2018-03-29-08-52-37.sh).

I've investigated the modifications in detail. In the end it seems the Magento team just decided to drop a security part of the patch. Hope this security hole won't cause serious damage (it's low criticality according to the official note).

After reverting v1 and applying v2, please note that the following files are reverted to their initial state (before v1 was applied):

app/code/core/Mage/Adminhtml/controllers/CustomerController.php
app/code/core/Mage/Customer/controllers/AccountController.php
app/code/core/Mage/Customer/Helper/Data.php
app/code/core/Mage/Customer/Model/Resource/Customer.php

PS: obviously some other files are also modified, please check accordingly.

OTHER TIPS

(not sure if this was in release notes from beginning)

Known issues

These two known issues are associated with the use of HTML tags within a product’s SKU attribute:

  • If you try to import products that contain HTML tags in the SKU attribute, Magento displays this error at the data validation stage (that is, when you click Check data):
 Invalid value in SKU column. HTML tags are not allowed.
  • If you try to create or edit a product in the Admin panel and the product’s SKU attribute value contains HTML tags, Magento throws this error when you try to save the product: HTML tags are not allowed in SKU attribute.

From patch notes:

If the patch fails to apply while patching lib/Zend/Mail/Transport/Sendmail.php, it might mean your Magento installation was previously patched with SUPEE-9652v1 instead of SUPEE-9652v2. The recommended solution is to revert patch SUPEE-9652v1 and apply SUPEE-9652v2 prior to applying SUPEE-10570.

I had the same issue as @DarkCowboy after applying the patch to Magento CE 1.7.0.2.

After choosing to register as a new customer during the checkout, placing the order creates both the order and the customer, but instead of displaying the order success page I'm redirected to the homepage and logged out.

The solution I have found is to reverse the order of the code blocks in the changes to app/code/core/Mage/Core/Model/Session/Abstract/Varien.php.

Comparing the patched version with the same file in Magento CE 1.9.3.8, I found the new blocks to validate the session expiration and password timestamp are in a different order.

Magento CE 1.9.3.8 - Lines 476-491:

    if ($this->useValidateSessionExpire()
        && isset($sessionData[self::VALIDATOR_SESSION_EXPIRE_TIMESTAMP])
        && $sessionData[self::VALIDATOR_SESSION_EXPIRE_TIMESTAMP] < time() ) {
        return false;
    } else {
        $this->_data[self::VALIDATOR_KEY][self::VALIDATOR_SESSION_EXPIRE_TIMESTAMP]
            = $validatorData[self::VALIDATOR_SESSION_EXPIRE_TIMESTAMP];
    }
    if ($this->useValidateSessionPasswordTimestamp()
        && isset($validatorData[self::VALIDATOR_PASSWORD_CREATE_TIMESTAMP])
        && isset($sessionData[self::VALIDATOR_SESSION_EXPIRE_TIMESTAMP])
        && $validatorData[self::VALIDATOR_PASSWORD_CREATE_TIMESTAMP]
        > $sessionData[self::VALIDATOR_SESSION_EXPIRE_TIMESTAMP] - $this->getCookie()->getLifetime()
    ) {
        return false;
    }

Magento CE 1.7.0.2 - Lines 414-430:

    if ($this->useValidateSessionPasswordTimestamp()
        && isset($validatorData[self::VALIDATOR_PASSWORD_CREATE_TIMESTAMP])
        && isset($sessionData[self::VALIDATOR_SESSION_EXPIRE_TIMESTAMP])
        && $validatorData[self::VALIDATOR_PASSWORD_CREATE_TIMESTAMP]
        > $sessionData[self::VALIDATOR_SESSION_EXPIRE_TIMESTAMP] - $this->getCookie()->getLifetime()
    ) {
        return false;
    }

    if ($this->useValidateSessionExpire()
        && isset($sessionData[self::VALIDATOR_SESSION_EXPIRE_TIMESTAMP])
        && $sessionData[self::VALIDATOR_SESSION_EXPIRE_TIMESTAMP] < time() ) {
        return false;
    } else {
        $this->_data[self::VALIDATOR_KEY][self::VALIDATOR_SESSION_EXPIRE_TIMESTAMP]
            = $validatorData[self::VALIDATOR_SESSION_EXPIRE_TIMESTAMP];
    }

This results in the value of $validatorData[self::VALIDATOR_PASSWORD_CREATE_TIMESTAMP] being greater than $sessionData[self::VALIDATOR_SESSION_EXPIRE_TIMESTAMP] - $this->getCookie()->getLifetime(), meaning the method always returns false and the validation fails.

Changing the code in Magento CE 1.7.0.2 to match the version in Magento CE 1.9.3.8 fixes the issue.

The resulting code for Magento CE 1.7.0.2 - Lines 414-430:

    if ($this->useValidateSessionExpire()
        && isset($sessionData[self::VALIDATOR_SESSION_EXPIRE_TIMESTAMP])
        && $sessionData[self::VALIDATOR_SESSION_EXPIRE_TIMESTAMP] < time() ) {
        return false;
    } else {
        $this->_data[self::VALIDATOR_KEY][self::VALIDATOR_SESSION_EXPIRE_TIMESTAMP]
            = $validatorData[self::VALIDATOR_SESSION_EXPIRE_TIMESTAMP];
    }
    if ($this->useValidateSessionPasswordTimestamp()
        && isset($validatorData[self::VALIDATOR_PASSWORD_CREATE_TIMESTAMP])
        && isset($sessionData[self::VALIDATOR_SESSION_EXPIRE_TIMESTAMP])
        && $validatorData[self::VALIDATOR_PASSWORD_CREATE_TIMESTAMP]
        > $sessionData[self::VALIDATOR_SESSION_EXPIRE_TIMESTAMP] - $this->getCookie()->getLifetime()
    ) {
        return false;
    }

I'd suggest creating your own patch file and applying directly to the core file (this is how I normally approach fixing bugs in the core). This would make it easy to revert if Magento issues a version 2 of the patch.

We saw a blank page at /checkout/cart after applying SUPEE-10570 and compiling. Just to clarify: With deactivated compiler all things went well, with activated compiler we only could see a blank cart page when logged in without any log entries (even after activating all possible logs and developer mode).

The solution was to alter the function getPasswordTimestamp() in app/code/core/Mage/Customer/Helper/Data.php (of course means: app/code/local/Mage/Customer/Helper/Data.php!) and to use Mage::getSingleton('core/resource') instead of Mage::getModel('customer/customer') or Mage::getSingleton('customer/session'). So replace whole function e.g. with these lines of code:

    $resource = Mage::getSingleton('core/resource');
    $readConnection = $resource->getConnection('core_read');
    // Cast the id to int so it cannot carry SQL into the concatenated query
    $query = 'SELECT * FROM ' . $resource->getTableName('customer_entity')
        . ' WHERE `entity_id` = ' . (int) $customerId;
    $results = $readConnection->fetchAll($query);
    $result = $results[0];
    // Use the account creation date as the password timestamp
    $date_created = Varien_Date::toTimestamp($result['created_at']);
    return $date_created;

After recompiling problem was gone. Anyone else with this problem?

Explanation in German here.

1.7.0.0

Patch: PATCH_SUPEE-10570_CE_v1.7.0.0_v1-2018-02-23-06-37-58.sh

This error happens if you've not previously applied SUPEE-9652 or SUPEE-9767

patching file lib/Zend/Mail/Transport/Sendmail.php
Hunk #1 FAILED at 119.
Hunk #2 FAILED at 130.

Apply those patches to correct the issue.

The first thing you should check is whether you previously applied the correct version of SUPEE-6788 or SUPEE-7405; if not, revert the wrong version and then apply the correct version of SUPEE-6788/SUPEE-7405.

Then try again to apply SUPEE-10570.

1.7.0.0

Patch PATCH_SUPEE-10570_CE_v1.7.0.0_v1-2018-02-23-06-37-58.sh File app/code/core/Mage/Core/Model/Session/Abstract/Varien.php

The patch for 1.7.0.0 only adds one constant:

+    const VALIDATOR_PASSWORD_CREATE_TIMESTAMP   = 'password_create_timestamp';

However, it adds the use of two new constants, notably this one:

+        if ($this->useValidateSessionPasswordTimestamp()
+            && isset($validatorData[self::VALIDATOR_PASSWORD_CREATE_TIMESTAMP])
+            && isset($sessionData[self::VALIDATOR_SESSION_EXPIRE_TIMESTAMP])
+            && $validatorData[self::VALIDATOR_PASSWORD_CREATE_TIMESTAMP]
+            > $sessionData[self::VALIDATOR_SESSION_EXPIRE_TIMESTAMP] - $this->getCookie()->getLifetime()
+        ) {
+            return false;
+        }

This results in the error:

PHP Fatal error:  Uncaught Error: Undefined class constant 'VALIDATOR_SESSION_EXPIRE_TIMESTAMP' in 
app/code/core/Mage/Core/Model/Session/Abstract/Varien.php:406
Stack trace:
#0 
app/code/core/Mage/Core/Model/Session/Abstract/Varien.php(358): Mage_Core_Model_Session_Abstract_Varien->_validate()
#1 
app/code/core/Mage/Core/Model/Session/Abstract/Varien.php(176): Mage_Core_Model_Session_Abstract_Varien->validate()
#2 
app/code/core/Mage/Core/Model/Session/Abstract.php(84): Mage_Core_Model_Session_Abstract_Varien->init('core', 'frontend')
#3 
app/code/core/Mage/Core/Model/Session.php(42): Mage_Core_Model_Session_Abstract->init('core', 'frontend')
#4 
app/code/core/Mage/Core/Model/Config.php(1354): Mage_Core_Model_Session->__construct(Array)

The fix:

Add a definition for this second constant above or below the first constant added by this patch.

const VALIDATOR_SESSION_EXPIRE_TIMESTAMP = 'session_expire_timestamp';

So far I haven't seen this issue in any of the 1.9. or 1.14.x patches, because they define the constant correctly.

An issue with 1.7.0.2 I have noticed is as follows:

  1. Add Product to Cart and go to Checkout

  2. Click "Register"

  3. Fill all necessary order information including, payment details, etc.
  4. Click Complete Order.

PROBLEM STARTS HERE

5. Automatically get redirected to HOME PAGE. You don't get to see order number confirmation. But in reality, order is placed and customer account created.

The files below are updated/added after applying patch SUPEE-10570 in EE.

@DarkCowboy provided a list of files; other than that, the EE files are:

    app/code/core/Enterprise/Cms/Block/Adminhtml/Cms/Hierarchy/Edit/Form.php
    app/code/core/Enterprise/Cms/Block/Adminhtml/Cms/Hierarchy/Widget/Chooser.php
    app/code/core/Enterprise/Cms/Block/Adminhtml/Cms/Page/Edit/Tab/Hierarchy.php
    app/code/core/Enterprise/Cms/Block/Hierarchy/Menu.php
    app/code/core/Enterprise/Customer/Block/Adminhtml/Customer/Attribute/Edit/Tab/Main.php
    app/code/core/Enterprise/GiftRegistry/Model/Observer.php
    app/code/core/Enterprise/Reward/Block/Adminhtml/Customer/Edit/Tab/Reward/Management/Update.php
    app/code/core/Enterprise/Rma/Model/Shipping/Info.php
    app/code/core/Enterprise/Staging/Block/Adminhtml/Backup/Grid.php
    app/code/core/Enterprise/Staging/Block/Adminhtml/Staging/Grid.php
    app/design/adminhtml/default/default/template/enterprise/cms/hierarchy/edit.phtml
    app/design/adminhtml/default/default/template/enterprise/cms/hierarchy/manage.phtml
    app/design/adminhtml/default/default/template/enterprise/cms/hierarchy/scope/switcher.phtml
    app/design/adminhtml/default/default/template/enterprise/cms/hierarchy/widget/radio.phtml
    app/design/adminhtml/default/default/template/enterprise/cms/page/preview/store.phtml
    app/design/adminhtml/default/default/template/enterprise/customer/website/switcher.phtml
    app/design/adminhtml/default/default/template/enterprise/invitation/view/tab/general.phtml
    app/design/adminhtml/default/default/template/enterprise/staging/log/information/create.phtml
    app/design/adminhtml/default/default/template/enterprise/staging/staging/edit/tabs/website.phtml
    app/design/adminhtml/default/default/template/enterprise/staging/staging/edit/tabs/website/store.phtml
    app/design/adminhtml/default/default/template/enterprise/staging/staging/merge/settings/website.phtml
    app/design/adminhtml/default/default/template/enterprise/store/switcher.phtml
    app/design/adminhtml/default/default/template/enterprise/store/switcher/enhanced.phtml
    app/design/adminhtml/default/default/template/merchandiser/new/page/html/top-buttons.phtml
    app/design/frontend/enterprise/default/template/cms/hierarchy/pagination.phtml

Some important notes

password_created_at is created in the customer attributes table.

app/code/core/Mage/Adminhtml/controllers/CustomerController.php
app/code/core/Mage/Core/Model/Session/Abstract/Varien.php
app/code/core/Mage/Customer/Helper/Data.php
app/code/core/Mage/Customer/Model/Resource/Customer.php
app/code/core/Mage/Customer/controllers/AccountController.php
app/code/core/Mage/Customer/sql/customer_setup/upgrade-1.6.2.0.5.1.1-1.6.2.0.5.1.2.php

The files above are used for creation and validation. If a session issue occurs at checkout or user login, check whether any one of the above files is overridden in your local pool, and whether the password_created_at attribute is created in your customer attribute table with the proper value stored in that table.

My Magento version is 1.9.1.0.

We saw a blank page at /checkout/cart after applying SUPEE-10570 and compiling. Just to clarify: With deactivated compiler all things went well, with activated compiler we only could see a blank cart page when logged in without any log entries (even after activating all possible logs and developer mode).

Cause:

  1. The function getPasswordTimestamp is invoked two times when logged in and visiting /checkout/cart.

  2. With the compiler disabled, both invocations work.

  3. With the compiler enabled, only the first invocation works; the second invocation fails.

Can anyone explain and give a good solution?

I met the same issue, Magento 1.9.3.8 added this method into Mage_Customer_Helper_Data class

/**
 * Get customer password creation timestamp or customer account creation timestamp
 *
 * @param $customerId
 * @return int
 */
public function getPasswordTimestamp($customerId)
{
    /** @var $customer Mage_Customer_Model_Customer */
    $customer = Mage::getModel('customer/customer')
        ->setWebsiteId(Mage::app()->getStore()->getWebsiteId())
        ->load((int)$customerId);
    $passwordCreatedAt = $customer->getPasswordCreatedAt();

    return is_null($passwordCreatedAt) ? $customer->getCreatedAtTimestamp() : $passwordCreatedAt;
}

If you overrode this class inside Local folder (not the best practice), we may have errors generated by this class.

This patch has broken some of the CMS hierarchy manager for EE users.

This is because of the following patch line which is responsible for escaping stores/website names and fixing APPSEC-1873/1979/1980.

diff --git app/design/adminhtml/default/default/template/enterprise/cms/hierarchy/manage.phtml app/design/adminhtml/default/default/template/enterprise/cms/hierarchy/manage.phtml
index e45298c..8bee617 100644
--- app/design/adminhtml/default/default/template/enterprise/cms/hierarchy/manage.phtml
+++ app/design/adminhtml/default/default/template/enterprise/cms/hierarchy/manage.phtml
@@ -36,7 +36,7 @@
             <div class="cms-popup-description"></div>
             <div class="fieldset">
                 <div class="cms-hierarchy manage-form">
-                    <?php echo $this->getFormHtml() ?>
+                    <?php echo $this->escapeHtml($this->getFormHtml()); ?>
                 </div>
             </div>
         </div>
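
Review bot: on the changed line in manage.phtml, escapeHtml() is applied to the whole return value of getFormHtml(), which is rendered form markup rather than a single store or website name, so the form's own tags are encoded along with any untrusted value. Suggest leaving the `echo $this->getFormHtml()` call as it was and escaping the store and website names at the point where they are written into the form, so the names stay encoded while the form still renders as HTML.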

It should show the store selector on the left but it instead shows the html on the right. If you really need this functionality you need to make a call of security vs functionality which isn't great.

[Image: broken hierarchy]

The patch was changed by Magento silently. Here shown with the patch for Magento 1.8.1.0-1.9.0.1. On first download I got this file:

PATCH_SUPEE-10570_CE_v1.9.0.1_v1-2018-02-23-06-18-06.sh

A few days later I got the following file:

PATCH_SUPEE-10570_CE_v1.9.0.1_v1-2018-02-28-04-54-29.sh

Diff shows that the former file contains files from Magento Enterprise Edition which contain the wrong license "Magento Enterprise Edition End User License Agreement". This has been corrected to "Open Software License (OSL 3.0)".

Same exact error as Tyler, on Magento 1.9.2.4 Patch PATCH_SUPEE-10570_CE_v1.9.2.4_v1-2018-02-28-04-53-53.sh

checking file lib/Zend/Mail/Transport/Sendmail.php
Hunk #1 FAILED at 119.
Hunk #2 FAILED at 129.
2 out of 2 hunks FAILED

If you have some patch detection tool you probably need to modify the detection of SUPEE-9562 because SUPEE-10570 modifies the same file:

lib/Zend/Mail/Transport/Sendmail.php

You may get following error

Hunk #3 FAILED at 17 after line

checking file app/code/core/Enterprise/Cms/Block/Adminhtml/Cms/Page/Edit/Tab/Hierarchy.php

It happened for me on Magento 1.10.0.2EE version. It happened because SUPEE-6285 patch was not applied.

You may get an error like

checking file app/locale/en_US/Mage_ImportExport.csv
Hunk #1 FAILED at 19 (different line endings).

Usually this means that the file is edited on a Windows machine. You can convert it back to unix format with the command dos2unix and retry the patch.

In this case:

dos2unix app/locale/en_US/Mage_ImportExport.csv
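
A pre-flight check for two of the problems reported above: patched files with CRLF line endings, and patched core classes that also exist under app/code/local or app/code/community, where Magento 1 loads them ahead of core so the patched file never runs. This is an added example, not part of the original answers or Magento's tooling; the function names and the sample tree are constructed, and it assumes the patch names its files in `diff --git <path> <path>` lines as in the hunk quoted above.

```shell
#!/bin/sh
# Pre-flight check before applying a SUPEE patch (added example).

# Paths touched by the patch, from its "diff --git <path> <path>" headers.
patched_files() {
    awk '$1 == "diff" && $2 == "--git" { print $3 }' "$1" | sort -u
}

# Patched files whose working copy has CRLF line endings; these are the
# ones that fail with "different line endings" until dos2unix is run.
crlf_files() {
    cr=$(printf '\r')
    patched_files "$1" | while IFS= read -r f; do
        [ -f "$2/$f" ] || continue
        if grep -q "${cr}\$" "$2/$f"; then printf '%s\n' "$f"; fi
    done
}

# Copies in the local/community code pools that shadow a patched core file.
# Those pools come before core on the include path, so the override must be
# updated by hand or the fix in the core file has no effect.
shadowed_files() {
    patched_files "$1" | while IFS= read -r f; do
        case $f in
            app/code/core/*) rel=${f#app/code/core/} ;;
            *) continue ;;
        esac
        for pool in local community; do
            if [ -f "$2/app/code/$pool/$rel" ]; then
                printf '%s\n' "app/code/$pool/$rel"
            fi
        done
    done
}

# Constructed sample: a two-file patch header and a tiny Magento-like tree.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/app/code/core/Mage/Customer/Helper" \
             "$d/app/code/local/Mage/Customer/Helper" \
             "$d/app/locale/en_US"
    printf '<?php // core\n'  > "$d/app/code/core/Mage/Customer/Helper/Data.php"
    printf '<?php // local\n' > "$d/app/code/local/Mage/Customer/Helper/Data.php"
    printf '"a","b"\r\n'      > "$d/app/locale/en_US/Mage_ImportExport.csv"
    cat > "$d/sample.patch" <<'EOF'
diff --git app/code/core/Mage/Customer/Helper/Data.php app/code/core/Mage/Customer/Helper/Data.php
--- app/code/core/Mage/Customer/Helper/Data.php
+++ app/code/core/Mage/Customer/Helper/Data.php
diff --git app/locale/en_US/Mage_ImportExport.csv app/locale/en_US/Mage_ImportExport.csv
--- app/locale/en_US/Mage_ImportExport.csv
+++ app/locale/en_US/Mage_ImportExport.csv
EOF
    printf '%s\n' "$d"
}

# Report for a real run: preflight <patch-file> <magento-root>
preflight() {
    echo "CRLF line endings (run dos2unix first):"
    crlf_files "$1" "$2"
    echo "Shadowed by a local/community override:"
    shadowed_files "$1" "$2"
}

fixture=$(make_fixture)
preflight "$fixture/sample.patch" "$fixture"
rm -rf "$fixture"
```

For a real check, call `preflight` with the downloaded patch script and the Magento root directory instead of the constructed fixture.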
Licensed under: CC-BY-SA with attribution