Bug 671872 (CVE-2018-19518) - <dev-lang/php-{5.6.39,7.0.33,7.1.25,7.2.13,7.3.0}: Shell command injection through imap_open() connection params
Status: RESOLVED FIXED
Alias: CVE-2018-19518
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://www.openwall.com/lists/oss-se...
Whiteboard: B2 [glsa+ cve]
Reported: 2018-11-25 14:25 UTC by Vlad K.
Modified: 2020-03-26 13:33 UTC
Description Vlad K. 2018-11-25 14:25:59 UTC
* CVE-2018-19518

  https://www.openwall.com/lists/oss-security/2018/11/22/3
  https://bugs.php.net/bug.php?id=76428
  https://bugs.php.net/bug.php?id=77153

  University of Washington IMAP Toolkit 2007f on UNIX, as used in imap_open()
  in PHP and other products, launches an rsh command (by means of the
  imap_rimap function in c-client/imap4r1.c and the tcp_aopen function in
  osdep/unix/tcp_unix.c) without preventing argument injection, which might
  allow remote attackers to execute arbitrary OS commands if the IMAP server
  name is untrusted input (e.g., entered by a user of a web application) and if
  rsh has been replaced by a program with different argument semantics. For
  example, if rsh is a link to ssh (as seen on Debian and Ubuntu systems), then
  the attack can use an IMAP server name containing a "-oProxyCommand"
  argument. -- CVE listing

--
Gentoo Security Scout
Vladimir Krstulja
Comment 1 Vlad K. 2018-11-25 14:31:19 UTC
Severity B2 because this has the potential of RCE in situations where IMAP server connections are user-configurable (e.g. in webmails).
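A server-side check for the situation this comment describes, added here as an example and not part of the bug report or of PHP itself: a webmail-style application validates the user-supplied IMAP server name before building the mailbox string for imap_open(). The function names and sample inputs are hypothetical, and the check assumes plain DNS hostnames or IPv4 addresses only.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: accept a user-supplied IMAP server name only if it is
// a plain DNS hostname or IPv4 address (IPv6 literals are not handled here).
function is_safe_imap_host(string $host): bool
{
    if ($host === '' || strlen($host) > 253) {
        return false;
    }
    // Each label: letters, digits, inner hyphens. This rejects whitespace,
    // control characters, '{', '}', '/', and any value starting with '-'
    // that a downstream rsh/ssh command line could parse as an option.
    $label = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
    return preg_match('/\A' . $label . '(?:\.' . $label . ')*\z/i', $host) === 1;
}

// Hypothetical helper: build the mailbox string only from validated parts.
function build_mailbox(string $host, int $port = 993): string
{
    if (!is_safe_imap_host($host) || $port < 1 || $port > 65535) {
        throw new InvalidArgumentException('rejected IMAP server name');
    }
    return sprintf('{%s:%d/imap/ssl}INBOX', $host, $port);
}

// Constructed sample inputs, as a user might type them into a webmail form.
$samples = [
    'mail.example.org',
    '192.0.2.10',
    '-x mail.example.org',      // leading '-' would look like an option
    "mail.example.org\t-x",     // embedded whitespace
    'mail.example.org}INBOX',   // tries to close the {...} server part early
    '',
];

foreach ($samples as $host) {
    try {
        printf("%-28s accepted -> %s\n", json_encode($host), build_mailbox($host));
    } catch (InvalidArgumentException $e) {
        printf("%-28s rejected\n", json_encode($host));
    }
}
```

Independently of input validation, PHP builds that provide the `imap.enable_insecure_rsh` ini directive leave the rsh/ssh preauthentication path disabled by default.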
Comment 3 Thomas Deutschmann gentoo-dev Security 2020-03-26 13:23:13 UTC
Added to an existing GLSA request.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2020-03-26 13:33:01 UTC
This issue was resolved and addressed in
 GLSA 202003-57 at https://security.gentoo.org/glsa/202003-57
by GLSA coordinator Thomas Deutschmann (whissi).