CVE-2018-19518

Priority
Description
University of Washington IMAP Toolkit 2007f on UNIX, as used in imap_open()
in PHP and other products, launches an rsh command (by means of the
imap_rimap function in c-client/imap4r1.c and the tcp_aopen function in
osdep/unix/tcp_unix.c) without preventing argument injection, which might
allow remote attackers to execute arbitrary OS commands if the IMAP server
name is untrusted input (e.g., entered by a user of a web application) and
if rsh has been replaced by a program with different argument semantics.
For example, if rsh is a link to ssh (as seen on Debian and Ubuntu
systems), then the attack can use an IMAP server name containing a
"-oProxyCommand" argument.
References
Bugs
Notes
mdeslaurphp5 in precise and trusty doesn't build imap, it is in a
separate php-imap source package.
msalvatoreuw-imap has been defunct since 2008.
Package
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE (trusty was released [5.4.6-0ubuntu5.1])
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Ubuntu 18.04 LTS (Bionic Beaver):DNE
Ubuntu 19.04 (Disco Dingo):DNE
Ubuntu 19.10 (Eoan):DNE
Package
Source: php5 (LP Ubuntu Debian)
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):not-affected (code not present)
Ubuntu 14.04 ESM (Trusty Tahr):not-affected (code not present)
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Ubuntu 18.04 LTS (Bionic Beaver):DNE
Ubuntu 19.04 (Disco Dingo):DNE
Ubuntu 19.10 (Eoan):DNE
Package
Upstream:released (7.0.33)
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):released (7.0.33-0ubuntu0.16.04.1)
Ubuntu 18.04 LTS (Bionic Beaver):DNE
Ubuntu 19.04 (Disco Dingo):DNE
Ubuntu 19.10 (Eoan):DNE
Binaries built from this source package are in universe and so are supported by the community. For more details see https://wiki.ubuntu.com/SecurityTeam/FAQ#Official_Support
Package
Upstream:released (7.2.13)
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Ubuntu 18.04 LTS (Bionic Beaver):released (7.2.15-0ubuntu0.18.04.1)
Ubuntu 19.04 (Disco Dingo):released (7.2.15-0ubuntu2)
Ubuntu 19.10 (Eoan):DNE
Binaries built from this source package are in universe and so are supported by the community. For more details see https://wiki.ubuntu.com/SecurityTeam/FAQ#Official_Support
Package
Upstream:released (7.3.0)
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Ubuntu 18.04 LTS (Bionic Beaver):DNE
Ubuntu 19.04 (Disco Dingo):DNE
Ubuntu 19.10 (Eoan):not-affected (7.3.4-2)
Patches:
Upstream:http://git.php.net/?p=php-src.git;a=commit;h=336d2086a9189006909ae06c7e95902d7d5ff77e
Binaries built from this source package are in universe and so are supported by the community. For more details see https://wiki.ubuntu.com/SecurityTeam/FAQ#Official_Support
Package
Upstream:released (8:2007f~dfsg-6)
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):needed
Ubuntu 16.04 LTS (Xenial Xerus):needed
Ubuntu 18.04 LTS (Bionic Beaver):needed
Ubuntu 19.04 (Disco Dingo):needed
Ubuntu 19.10 (Eoan):not-affected (8:2007f~dfsg-6)
More Information

Updated: 2019-10-09 06:47:04 UTC (commit 33aea848a182c0afcd0a3f927a01a7ecd9a061ee)