CVE-2018-19518

Priority
Description
University of Washington IMAP Toolkit 2007f on UNIX, as used in imap_open()
in PHP and other products, launches an rsh command (by means of the
imap_rimap function in c-client/imap4r1.c and the tcp_aopen function in
osdep/unix/tcp_unix.c) without preventing argument injection, which might
allow remote attackers to execute arbitrary OS commands if the IMAP server
name is untrusted input (e.g., entered by a user of a web application) and
if rsh has been replaced by a program with different argument semantics.
For example, if rsh is a link to ssh (as seen on Debian and Ubuntu
systems), then the attack can use an IMAP server name containing a
"-oProxyCommand" argument.
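A defensive check for the condition described above, as an added example that is not code from UW IMAP, PHP or Ubuntu: it validates the host part of a c-client style `{host:port/flags}mailbox` string before an application hands it to imap_open(). The function names and sample strings are constructed for illustration, and the allowlist is deliberately narrow (it also rejects IPv6 literals).

```c
#include <stdio.h>
#include <string.h>

#define MAX_HOST_LEN 253  /* longest DNS name in text form */

/* Hypothetical helper: 1 if host[0..len) can be used as the host argument
 * of an rsh/ssh-style command without being read as an option or split
 * into several arguments, 0 otherwise. */
static int host_is_safe(const char *host, size_t len)
{
    size_t i;
    if (len == 0 || len > MAX_HOST_LEN) return 0;
    if (host[0] == '-') return 0;          /* would be parsed as an option */
    for (i = 0; i < len; i++) {
        char c = host[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '.' || c == '-';
        if (!ok) return 0;                 /* whitespace, '=', quotes, controls */
    }
    return 1;
}

/* Hypothetical helper: 1 only for a well-formed remote mailbox string
 * whose host part passes host_is_safe(); anything else is refused. */
int mailbox_host_is_safe(const char *spec)
{
    const char *start;
    if (spec == NULL || spec[0] != '{') return 0;
    start = spec + 1;
    if (strchr(start, '}') == NULL) return 0;   /* unterminated server part */
    /* The host ends at the port (':'), the flags ('/') or the closing '}'. */
    return host_is_safe(start, strcspn(start, ":/}"));
}

int main(void)
{
    /* Constructed sample inputs; the payload value is a placeholder. */
    const char *samples[] = {
        "{imap.example.org:993/imap/ssl}INBOX",
        "{-oProxyCommand=placeholder}INBOX",
        "{mail.example.org\t-oProxyCommand=placeholder}INBOX",
    };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%d  %s\n", mailbox_host_is_safe(samples[i]), samples[i]);
    return 0;
}
```

Run the check on every user-supplied server name in addition to installing the fixed packages listed below, not instead of them.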
Notes
 mdeslaur> php5 in precise and trusty doesn't build imap, it is in a
 mdeslaur> separate php-imap source package.
 msalvatore> uw-imap has been defunct since 2008.
Package
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 LTS (Trusty Tahr):released (5.4.6-0ubuntu5.1)
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Ubuntu 18.04 LTS (Bionic Beaver):DNE
Ubuntu 18.10 (Cosmic Cuttlefish):DNE
Ubuntu 19.04 (Disco Dingo):DNE
Package
Source: php5 (LP Ubuntu Debian)
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):not-affected (code not present)
Ubuntu 14.04 LTS (Trusty Tahr):not-affected (code not present)
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Ubuntu 18.04 LTS (Bionic Beaver):DNE
Ubuntu 18.10 (Cosmic Cuttlefish):DNE
Ubuntu 19.04 (Disco Dingo):DNE
Package
Upstream:released (7.0.33)
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 LTS (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):released (7.0.33-0ubuntu0.16.04.1)
Ubuntu 18.04 LTS (Bionic Beaver):DNE
Ubuntu 18.10 (Cosmic Cuttlefish):DNE
Ubuntu 19.04 (Disco Dingo):DNE
Package
Upstream:released (7.2.13)
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 LTS (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Ubuntu 18.04 LTS (Bionic Beaver):released (7.2.15-0ubuntu0.18.04.1)
Ubuntu 18.10 (Cosmic Cuttlefish):released (7.2.15-0ubuntu0.18.20.1)
Ubuntu 19.04 (Disco Dingo):needed
Package
Upstream:released (7.3.0)
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 LTS (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Ubuntu 18.04 LTS (Bionic Beaver):DNE
Ubuntu 18.10 (Cosmic Cuttlefish):DNE
Ubuntu 19.04 (Disco Dingo):not-affected (7.3.0-2)
Patches:
Upstream:http://git.php.net/?p=php-src.git;a=commit;h=336d2086a9189006909ae06c7e95902d7d5ff77e
Package
Upstream:needed
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 LTS (Trusty Tahr):deferred (2019-05-12)
Ubuntu 16.04 LTS (Xenial Xerus):deferred (2019-05-12)
Ubuntu 18.04 LTS (Bionic Beaver):deferred (2019-05-12)
Ubuntu 18.10 (Cosmic Cuttlefish):deferred (2019-05-12)
Ubuntu 19.04 (Disco Dingo):deferred (2019-05-12)

Updated: 2019-02-12 20:14:31 UTC (commit 9d30be97cb55abed5979e1371c86c51efd76f72b)