Bug 1118832 - (CVE-2018-19935) VUL-1: CVE-2018-19935: php5,php7,php53: ext/imap/php_imap.c caused a denial of service (NULL pointer dereference and application crash) via an empty string in the message argument to imap_mail
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P4 - Low, Severity: Minor
Assigned To: Security Team bot
https://smash.suse.de/issue/220417/
CVSSv3:SUSE:CVE-2018-19935:3.3:(AV:L/...
Reported: 2018-12-07 19:24 UTC by Marcus Meissner
Modified: 2021-09-14 12:47 UTC (History)

Found By: Security Response Team


Attachments
xx.php (36 bytes, application/x-php)
2018-12-07 19:27 UTC, Marcus Meissner

Description Marcus Meissner 2018-12-07 19:24:48 UTC
CVE-2018-19935

ext/imap/php_imap.c in PHP 5.x and 7.x before 7.3.0 allows remote
attackers to cause a denial of service (NULL pointer dereference and
application crash) via an empty string in the message argument to the
imap_mail function.


References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-19935
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19935
Comment 1 Marcus Meissner 2018-12-07 19:25:38 UTC
https://bugs.php.net/bug.php?id=77020
Comment 2 Marcus Meissner 2018-12-07 19:27:28 UTC
Created attachment 792219
xx.php

QA REPRODUCER:

install php-imap

php xx.php

should not crash
Comment 3 Petr Gajdos 2018-12-10 14:33:10 UTC
12/php7

$ php xx.php
PHP Warning:  imap_mail(): No message string in mail command in /118832/xx.php on line 2
sendmail: fatal: root(0): No recipient addresses found in message header
Segmentation fault (core dumped)
$

12/php5,11sp3/php53

$ valgrind -q php xx.php
PHP Warning:  imap_mail(): No message string in mail command in /118832/xx.php on line 2
postdrop: warning: unable to look up public/pickup: No such file or directory
$

11,10sp3/php5

$ valgrind -q php xx.php
postdrop: warning: unable to look up public/pickup: No such file or directory
$
Comment 4 Petr Gajdos 2018-12-10 16:06:25 UTC
PATCH

http://git.php.net/?p=php-src.git;a=commit;h=7edc639b9ff1c3576773d79d016abbeed1f93846

AFTER

12/php7

$ php xx.php
PHP Warning:  imap_mail(): No message string in mail command in /118832/xx.php on line 2
postdrop: warning: unable to look up public/pickup: No such file or directory
$
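
Added example (not part of the bug report, and not PHP or SUSE code): a shell helper that turns the "should not crash" criterion of the QA reproducer into a check on the exit status, separating death by signal (the segmentation fault seen before the patch) from ordinary failures. The function names are hypothetical, and the 129..192 signal range is an assumption that holds for Linux shells.

```shell
#!/bin/sh
# Added example: classify how a reproducer run ended, so a QA job can
# enforce "should not crash" even when warnings or a mail-delivery
# failure are expected output.

# classify_status STATUS -> prints "ok", "error" or "crash:<signal number>"
classify_status() {
    status=$1
    if [ "$status" -eq 0 ]; then
        echo ok
    elif [ "$status" -gt 128 ] && [ "$status" -le 192 ]; then
        # The shell reports death by signal N as 128+N (SIGSEGV = 11 -> 139).
        # The upper bound keeps PHP's own exit code 255 (fatal error)
        # from being reported as a crash.
        echo "crash:$((status - 128))"
    else
        echo error
    fi
}

# run_reproducer CMD [ARGS...] -> runs CMD quietly, prints the classification
run_reproducer() {
    status=0
    "$@" >/dev/null 2>&1 || status=$?   # safe under `set -e`
    classify_status "$status"
}

# Stand-alone use: sh check.sh php xx.php
if [ "$#" -gt 0 ]; then
    run_reproducer "$@"
fi
```

A process that deliberately exits with a status in the 129..192 range is indistinguishable from a signal death here, so a "crash" result should be confirmed against the core dump or the kernel log.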
Comment 6 Petr Gajdos 2018-12-10 16:07:30 UTC
Will submit for: 12/php7 and 15/php7.
Comment 8 Petr Gajdos 2018-12-11 08:28:46 UTC
I believe all fixed.
Comment 13 Swamp Workflow Management 2019-02-12 17:09:38 UTC
SUSE-SU-2019:0333-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1118832,1123354,1123522
CVE References: CVE-2018-19935,CVE-2019-6977,CVE-2019-6978
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    php7-7.0.7-50.63.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    php7-7.0.7-50.63.1
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php7-7.0.7-50.63.1
Comment 14 Swamp Workflow Management 2019-02-19 11:09:39 UTC
openSUSE-SU-2019:0207-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1118832,1123354,1123522
CVE References: CVE-2018-19935,CVE-2019-6977,CVE-2019-6978
Sources used:
openSUSE Leap 42.3 (src):    php7-7.0.7-55.1
Comment 20 Swamp Workflow Management 2019-06-11 22:10:54 UTC
SUSE-SU-2019:1461-1: An update that solves 16 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1118832,1119396,1126711,1126713,1126821,1126823,1126827,1127122,1128722,1128883,1128886,1128887,1128889,1128892,1129032,1132837,1132838,1134322
CVE References: CVE-2018-19935,CVE-2018-20783,CVE-2019-11034,CVE-2019-11035,CVE-2019-11036,CVE-2019-9020,CVE-2019-9021,CVE-2019-9022,CVE-2019-9023,CVE-2019-9024,CVE-2019-9637,CVE-2019-9638,CVE-2019-9639,CVE-2019-9640,CVE-2019-9641,CVE-2019-9675
Sources used:
SUSE Linux Enterprise Module for Web Scripting 15 (src):    php7-7.2.5-4.32.1
SUSE Linux Enterprise Module for Packagehub Subpackages 15 (src):    php7-7.2.5-4.32.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    php7-7.2.5-4.32.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 21 Swamp Workflow Management 2019-06-18 16:37:22 UTC
openSUSE-SU-2019:1572-1: An update that solves 16 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1118832,1119396,1126711,1126713,1126821,1126823,1126827,1127122,1128722,1128883,1128886,1128887,1128889,1128892,1129032,1132837,1132838,1134322
CVE References: CVE-2018-19935,CVE-2018-20783,CVE-2019-11034,CVE-2019-11035,CVE-2019-11036,CVE-2019-9020,CVE-2019-9021,CVE-2019-9022,CVE-2019-9023,CVE-2019-9024,CVE-2019-9637,CVE-2019-9638,CVE-2019-9639,CVE-2019-9640,CVE-2019-9641,CVE-2019-9675
Sources used:
openSUSE Leap 15.1 (src):    php7-7.2.5-lp151.6.3.1
Comment 22 Swamp Workflow Management 2019-06-18 16:42:38 UTC
openSUSE-SU-2019:1573-1: An update that solves 16 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1118832,1119396,1126711,1126713,1126821,1126823,1126827,1127122,1128722,1128883,1128886,1128887,1128889,1128892,1129032,1132837,1132838,1134322
CVE References: CVE-2018-19935,CVE-2018-20783,CVE-2019-11034,CVE-2019-11035,CVE-2019-11036,CVE-2019-9020,CVE-2019-9021,CVE-2019-9022,CVE-2019-9023,CVE-2019-9024,CVE-2019-9637,CVE-2019-9638,CVE-2019-9639,CVE-2019-9640,CVE-2019-9641,CVE-2019-9675
Sources used:
openSUSE Leap 15.0 (src):    php7-7.2.5-lp150.2.19.1
Comment 23 Marcus Meissner 2019-07-04 15:35:41 UTC
released
Comment 26 OBSbugzilla Bot 2020-05-12 08:00:32 UTC
This is an autogenerated message for OBS integration:
This bug (1118832) was mentioned in
https://build.opensuse.org/request/show/802846 Factory / php7
Comment 27 OBSbugzilla Bot 2020-05-12 14:00:18 UTC
This is an autogenerated message for OBS integration:
This bug (1118832) was mentioned in
https://build.opensuse.org/request/show/802978 Factory / php7
Comment 28 OBSbugzilla Bot 2020-05-13 08:20:15 UTC
This is an autogenerated message for OBS integration:
This bug (1118832) was mentioned in
https://build.opensuse.org/request/show/804946 Factory / php7