Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 671872 (CVE-2018-19518)

Summary: <dev-lang/php-{5.6.39,7.0.33,7.1.25,7.2.13,7.3.0}: Shell command injection through imap_open() connection params
Product: Gentoo Security Reporter: Vlad K. <vk-gentoo-bugs>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: php-bugs
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://www.openwall.com/lists/oss-security/2018/11/22/3
Whiteboard: B2 [glsa+ cve]
Package list:
Runtime testing required: ---

Description Vlad K. 2018-11-25 14:25:59 UTC 
* CVE-2018-19518

  https://www.openwall.com/lists/oss-security/2018/11/22/3
  https://bugs.php.net/bug.php?id=76428
  https://bugs.php.net/bug.php?id=77153

  University of Washington IMAP Toolkit 2007f on UNIX, as used in imap_open()
  in PHP and other products, launches an rsh command (by means of the
  imap_rimap function in c-client/imap4r1.c and the tcp_aopen function in
  osdep/unix/tcp_unix.c) without preventing argument injection, which might
  allow remote attackers to execute arbitrary OS commands if the IMAP server
  name is untrusted input (e.g., entered by a user of a web application) and if
  rsh has been replaced by a program with different argument semantics. For
  example, if rsh is a link to ssh (as seen on Debian and Ubuntu systems), then
  the attack can use an IMAP server name containing a "-oProxyCommand"
  argument. -- CVE listing

--
Gentoo Security Scout
Vladimir Krstulja
Comment 1 Vlad K. 2018-11-25 14:31:19 UTC 
Severity B2 because this has the potential of RCE in situations where IMAP server connections are user-configurable (eg. in webmails).
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-26 13:23:13 UTC 
Added to an existing GLSA request.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2020-03-26 13:33:01 UTC 
This issue was resolved and addressed in
 GLSA 202003-57 at https://security.gentoo.org/glsa/202003-57
by GLSA coordinator Thomas Deutschmann (whissi).