Field | Value | Field | Value
---|---|---|---
Summary: | <dev-lang/php-{5.6.39,7.0.33,7.1.25,7.2.13,7.3.0}: Shell command injection through imap_open() connection params | |
Product: | Gentoo Security | Reporter: | Vlad K. <vk-gentoo-bugs>
Component: | Vulnerabilities | Assignee: | Gentoo Security <security>
Status: | RESOLVED FIXED | |
Severity: | normal | CC: | php-bugs
Priority: | Normal | |
Version: | unspecified | |
Hardware: | All | |
OS: | Linux | |
URL: | https://www.openwall.com/lists/oss-security/2018/11/22/3 | |
Whiteboard: | B2 [glsa+ cve] | |
Package list: | | Runtime testing required: | ---
Description
Vlad K.
2018-11-25 14:25:59 UTC
Severity B2 because this has the potential of RCE in situations where IMAP server connections are user-configurable (e.g. in webmails).

Upstream has a patch:

* https://github.com/php/php-src/commit/3a144d3f7f6bad308e2bf112ebf16829eb298f20

Also, new releases tagged upstream:

* https://github.com/php/php-src/blob/php-7.2.13/NEWS
* https://github.com/php/php-src/blob/php-7.1.25/NEWS
* https://github.com/php/php-src/blob/php-7.0.33/NEWS
* https://github.com/php/php-src/blob/php-5.6.39/NEWS

Please note the PHP-7.0 branch is now EOL'd.

Added to an existing GLSA request.

This issue was resolved and addressed in GLSA 202003-57 at https://security.gentoo.org/glsa/202003-57 by GLSA coordinator Thomas Deutschmann (whissi).
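To make the "user-configurable IMAP server" risk concrete, the following is an added PHP example; it is not code from this bug, from php-src or from any webmail project. It assumes a hypothetical webmail feature that lets a user enter their own IMAP server, and the function names (`open_mailbox_unchecked`, `validate_imap_host`, `open_mailbox_checked`) are illustrative. The point is that `imap_open()` hands the text inside `{...}` to the c-client library as connection parameters, so a value that is never checked to be a plain hostname is much more than a hostname by the time c-client sees it.

```php
<?php
// Added example, not from the Gentoo bug or from PHP upstream.
// Hypothetical webmail code path: the user types in the server to connect to.

// Vulnerable pattern: the user-supplied server name is interpolated straight
// into the c-client mailbox specification. Everything inside {...} is parsed
// by c-client as connection parameters, not just a hostname.
function open_mailbox_unchecked(string $host, string $user, string $pass)
{
    $mailbox = '{' . $host . ':143/imap/notls}INBOX';
    return @imap_open($mailbox, $user, $pass);
}

// Hardened pattern: accept only a syntactically valid DNS hostname or an IPv4
// literal, and build the mailbox specification from that value alone.
// Returns the validated host, or null if the input is rejected.
function validate_imap_host(string $host): ?string
{
    $host = trim($host);

    // DNS hostname: 1..253 chars, dot-separated labels of [A-Za-z0-9-] with
    // no leading or trailing '-'. Spaces, '/', '{', '}', ':' and a leading
    // '-' (the shape of a command-line option) all fail this check.
    $hostname_re = '/^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)'
                 . '(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$/';
    if (preg_match($hostname_re, $host) === 1) {
        return $host;
    }

    // IPv4 literal. IPv6 is deliberately not accepted here, because it would
    // introduce ':' and '[' ']' into the mailbox string.
    if (filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) {
        return $host;
    }

    return null;
}

function open_mailbox_checked(string $host, string $user, string $pass)
{
    $safe = validate_imap_host($host);
    if ($safe === null) {
        throw new InvalidArgumentException('rejected IMAP host');
    }

    // Port and flags are fixed by the application, never taken from the user.
    $mailbox = sprintf('{%s:993/imap/ssl/validate-cert}INBOX', $safe);
    $conn = imap_open($mailbox, $user, $pass);
    if ($conn === false) {
        throw new RuntimeException('IMAP connect failed: ' . imap_last_error());
    }
    return $conn;
}

// Illustrative use: the first call is what a webmail must never do with raw
// form input; the second rejects anything that is not a plain host.
// $conn = open_mailbox_unchecked($_POST['server'], $_POST['user'], $_POST['pass']);
$conn = open_mailbox_checked($_POST['server'] ?? '', $_POST['user'] ?? '', $_POST['pass'] ?? '');
```

Two caveats for a practitioner. Application-side validation of the host is the defense that also protects builds that are still on a pre-fix PHP, so it is worth having even after upgrading to the versions listed in the summary. The fixed releases linked above additionally introduce the `imap.enable_insecure_rsh` INI setting, which is off by default and disables c-client's rsh/ssh preauthentication path; it should stay off unless there is a specific need for it, and if it is turned back on the validation above is the only thing standing between user input and that path.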