CVE-2018-19518

Priority
Description
University of Washington IMAP Toolkit 2007f on UNIX, as used in imap_open()
in PHP and other products, launches an rsh command (by means of the
imap_rimap function in c-client/imap4r1.c and the tcp_aopen function in
osdep/unix/tcp_unix.c) without preventing argument injection, which might
allow remote attackers to execute arbitrary OS commands if the IMAP server
name is untrusted input (e.g., entered by a user of a web application) and
if rsh has been replaced by a program with different argument semantics.
For example, if rsh is a link to ssh (as seen on Debian and Ubuntu
systems), then the attack can use an IMAP server name containing a
"-oProxyCommand" argument.
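The description names two preconditions: rsh resolving to a program with different argument semantics (ssh), and an IMAP server name taken from untrusted input. The following shell functions check each one. They are an added example, not part of the advisory or of any Ubuntu or PHP tooling; the function names and the hostname rule are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the advisory. Function names are hypothetical.

# Succeeds if the given rsh path (default: the rsh found on PATH) resolves,
# through its whole symlink chain, to a binary named "ssh".
rsh_resolves_to_ssh() (
    rsh_path=${1:-$(command -v rsh 2>/dev/null)}
    [ -n "$rsh_path" ] && [ -e "$rsh_path" ] || exit 1
    target=$(readlink -f -- "$rsh_path") || exit 1
    [ "$(basename -- "$target")" = ssh ]
)

# Succeeds only if $1 is a plain host name or dotted address: letters,
# digits, dots and inner hyphens. This checks the host part only, before
# it is placed into a mailbox string. Names that begin with "-" or contain
# whitespace or any other character are rejected.
is_plain_hostname() (
    LC_ALL=C   # keep the A-Z / a-z ranges ASCII-only
    [ "${#1}" -le 253 ] || exit 1
    case $1 in
        ''|*[!A-Za-z0-9.-]*) exit 1 ;;   # empty, or a character outside the set
        -*|*-|.*|*.)         exit 1 ;;   # leading/trailing hyphen or dot
        *..*|*.-*|*-.*)      exit 1 ;;   # empty label, or label edged by a hyphen
    esac
    exit 0
)

# Report the state of this host when the file is run directly.
if rsh_resolves_to_ssh; then
    echo "rsh resolves to ssh: first precondition in the description is met"
else
    echo "rsh is absent or does not resolve to ssh"
fi
```
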
Notes
mdeslaur: php5 in precise and trusty doesn't build imap, it is in a
separate php-imap source package.
msalvatore: uw-imap has been defunct since 2008.
Package
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): DNE (trusty was released [5.4.6-0ubuntu5.1])
Ubuntu 16.04 LTS (Xenial Xerus): DNE
Ubuntu 18.04 LTS (Bionic Beaver): DNE
Ubuntu 19.10 (Eoan Ermine): DNE
Ubuntu 20.04 (Focal Fossa): DNE
Package
Source: php5
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): not-affected (code not present)
Ubuntu 14.04 ESM (Trusty Tahr): not-affected (code not present)
Ubuntu 16.04 LTS (Xenial Xerus): DNE
Ubuntu 18.04 LTS (Bionic Beaver): DNE
Ubuntu 19.10 (Eoan Ermine): DNE
Ubuntu 20.04 (Focal Fossa): DNE
Package
Upstream: released (7.0.33)
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): DNE
Ubuntu 16.04 LTS (Xenial Xerus): released (7.0.33-0ubuntu0.16.04.1)
Ubuntu 18.04 LTS (Bionic Beaver): DNE
Ubuntu 19.10 (Eoan Ermine): DNE
Ubuntu 20.04 (Focal Fossa): DNE
Binaries built from this source package are in universe and so are supported by the community. For more details see https://wiki.ubuntu.com/SecurityTeam/FAQ#Official_Support
Package
Upstream: released (7.2.13)
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): DNE
Ubuntu 16.04 LTS (Xenial Xerus): DNE
Ubuntu 18.04 LTS (Bionic Beaver): released (7.2.15-0ubuntu0.18.04.1)
Ubuntu 19.10 (Eoan Ermine): DNE
Ubuntu 20.04 (Focal Fossa): DNE
Binaries built from this source package are in universe and so are supported by the community. For more details see https://wiki.ubuntu.com/SecurityTeam/FAQ#Official_Support
Package
Upstream: released (7.3.0)
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): DNE
Ubuntu 16.04 LTS (Xenial Xerus): DNE
Ubuntu 18.04 LTS (Bionic Beaver): DNE
Ubuntu 19.10 (Eoan Ermine): not-affected (7.3.4-2)
Ubuntu 20.04 (Focal Fossa): not-affected (7.3.4-2)
Patches:
Upstream: http://git.php.net/?p=php-src.git;a=commit;h=336d2086a9189006909ae06c7e95902d7d5ff77e
Binaries built from this source package are in universe and so are supported by the community. For more details see https://wiki.ubuntu.com/SecurityTeam/FAQ#Official_Support
Package
Upstream: released (8:2007f~dfsg-6)
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): needed
Ubuntu 16.04 LTS (Xenial Xerus): released (8:2007f~dfsg-4+deb8u1build0.16.04.1)
Ubuntu 18.04 LTS (Bionic Beaver): released (8:2007f~dfsg-5ubuntu0.18.04.2)
Ubuntu 19.10 (Eoan Ermine): not-affected (8:2007f~dfsg-6)
Ubuntu 20.04 (Focal Fossa): not-affected (8:2007f~dfsg-6)
Updated: 2020-01-29 18:53:33 UTC (commit 40f18bf14da5fb50662e1f861ea594a462b207fe)