CVE-2018-19935: null pointer dereference in imap_mail
ext/imap/php_imap.c in PHP 5.x and 7.x before 7.3.0 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an empty string in the message argument to the imap_mail function.
Sec Bug #77020: null pointer dereference in imap_mail
Submitted: 2018-10-16 08:36 UTC
Modified: 2018-12-10 03:07 UTC
From: zhangweiye at topsec dot com dot cn
Assigned: stas
Status: Closed
Package: IMAP related
PHP Version: 7.2.11
OS: ubuntu
Private report: No
CVE-ID: 2018-19935
[2018-10-16 08:36 UTC] zhangweiye at topsec dot com dot cn
Description:
In imap_mail, if the message argument is null, _php_imap_mail does not check whether the message can be obtained, so it crashes.
```c
fprintf(sendmail, "\n%s\n", message);
```
```
/usr/local/php/bin/php ./craxxx.php
Warning: imap_mail(): No message string in mail command in /home/fan/github/php-7.2.10/myselffuzz/craxxx.php on line 3
sh: 1: -t: not found
Segmentation fault (core dumped)
```
```
…/sapi/cli/php ./craxxx.php
Warning: imap_mail(): No message string in mail command in /home/fan/github/php-7.2.10/myselffuzz/craxxx.php on line 3
ASAN:SIGSEGV
=================================================================
==23766==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x7fae925d9cc0 bp 0x7ffcb6b27a10 sp 0x7ffcb6b274a0 T0)
sh: 1: -t: not found
    #0 0x7fae925d9cbf in vfprintf (/lib/x86_64-linux-gnu/libc.so.6+0x4ecbf)
    #1 0x7fae926a1bc8 in __fprintf_chk (/lib/x86_64-linux-gnu/libc.so.6+0x116bc8)
    #2 0xa5aeb0 in fprintf /usr/include/x86_64-linux-gnu/bits/stdio2.h:97
    #3 0xa5aeb0 in _php_imap_mail /home/fan/github/php-7.2.10/ext/imap/php_imap.c:4065
    #4 0xa5b22d in zif_imap_mail /home/fan/github/php-7.2.10/ext/imap/php_imap.c:4112
    #5 0x17da703 in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER /home/fan/Desktop/php-7.2.10/Zend/zend_vm_execute.h:573
    #6 0x17da703 in execute_ex /home/fan/Desktop/php-7.2.10/Zend/zend_vm_execute.h:59747
    #7 0x181b5c3 in zend_execute /home/fan/Desktop/php-7.2.10/Zend/zend_vm_execute.h:63776
    #8 0x1356ef2 in zend_execute_scripts /home/fan/Desktop/php-7.2.10/Zend/zend.c:1496
    #9 0x11c0776 in php_execute_script /home/fan/Desktop/php-7.2.10/main/main.c:2590
    #10 0x1823488 in do_cli /home/fan/Desktop/php-7.2.10/sapi/cli/php_cli.c:1011
    #11 0x18256f4 in main /home/fan/Desktop/php-7.2.10/sapi/cli/php_cli.c:1404
    #12 0x7fae925ab82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #13 0x440888 in _start (/home/fan/github/php-7.2.10/sapi/cli/php+0x440888)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 vfprintf
==23766==ABORTING
```
Test script:
```php
<?php
// The NULL message is coerced to the empty string "", which imap_mail()
// reports with the "No message string" warning and then hands on as a NULL
// C pointer to _php_imap_mail().
imap_mail('1', 1, NULL);
?>
```
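To make the crash path concrete, the following C program is an added example (it is not PHP's code and not the fix committed as 8b1049a7ae96ae9b0315cfe6742e5fb010ffb5d3): it models the hand-off the report describes, where an empty PHP string is downgraded to a NULL C pointer with only a warning and then reaches `fprintf("%s")`, and sets a hardened writer beside it that refuses a missing body before any I/O. All function names (`normalize_message`, `write_body_vulnerable`, `write_body_hardened`, `render`) are hypothetical; the in-memory stream is a stand-in for the sendmail pipe.

```c
// Added example modelling CVE-2018-19935's shape; not PHP's own code.
// Hypothetical names throughout. A tmpfile() stands in for the popen()'d
// sendmail pipe so the writers can be exercised offline.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Mirrors the caller behaviour the report describes: an empty message is
 * only warned about, then passed on as a NULL pointer. */
static const char *normalize_message(const char *php_arg)
{
    if (php_arg == NULL || php_arg[0] == '\0') {
        fputs("Warning: No message string in mail command\n", stderr);
        return NULL;            /* this NULL is what reaches fprintf below */
    }
    return php_arg;
}

/* Vulnerable shape (the reported line): "%s" with a NULL argument is
 * undefined behaviour; the reporter's trace shows it faulting in vfprintf.
 * Never call this with an empty/NULL message. */
static int write_body_vulnerable(FILE *out, const char *message)
{
    fprintf(out, "\n%s\n", message);
    return 0;
}

/* Hardened shape: validate before any I/O and report failure to the caller
 * (the PHP-level equivalent is returning false after the warning). */
static int write_body_hardened(FILE *out, const char *message)
{
    if (message == NULL) {
        return -1;
    }
    return fprintf(out, "\n%s\n", message) < 0 ? -1 : 0;
}

typedef int (*body_writer)(FILE *, const char *);

/* Run a writer against a temporary stream and return what it wrote, or NULL
 * if the writer refused (rc set to its return code). Caller frees result. */
static char *render(body_writer w, const char *php_arg, int *rc)
{
    FILE *tmp = tmpfile();
    if (!tmp) { *rc = -1; return NULL; }
    *rc = w(tmp, normalize_message(php_arg));
    if (*rc != 0) { fclose(tmp); return NULL; }
    long len = ftell(tmp);
    rewind(tmp);
    char *buf = malloc((size_t)len + 1);
    if (!buf) { fclose(tmp); *rc = -1; return NULL; }
    size_t n = fread(buf, 1, (size_t)len, tmp);
    buf[n] = '\0';
    fclose(tmp);
    return buf;
}

/* Return code of the hardened writer for a given PHP-level argument. */
static int hardened_rc(const char *php_arg)
{
    int rc;
    char *s = render(write_body_hardened, php_arg, &rc);
    free(s);
    return rc;
}

/* 1 if the writer produced exactly `expect` for `php_arg`, else 0. */
static int renders_as(body_writer w, const char *php_arg, const char *expect)
{
    int rc;
    char *s = render(w, php_arg, &rc);
    int ok = (rc == 0 && s != NULL && strcmp(s, expect) == 0);
    free(s);
    return ok;
}

int main(void)
{
    printf("hardened, message \"\":      rc=%d (refused, no I/O)\n", hardened_rc(""));
    printf("hardened, message \"hello\": rc=%d\n", hardened_rc("hello"));
    printf("vulnerable, \"hello\" ok:    %d\n",
           renders_as(write_body_vulnerable, "hello", "\nhello\n"));
    /* write_body_vulnerable with "" is deliberately not run: that is the UB
     * the report reproduces with imap_mail('1', 1, NULL). */
    return 0;
}
```

The point of the split is where the check lives: the warning in the caller is not a guard, because execution continues with the NULL pointer, so the writer that performs the I/O has to reject a missing body itself, or the caller has to stop after warning.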
Patches: CVE-2018-19935 (last revision 2021-04-07 01:04 UTC by 2432857142 at qq dot com)
History
[2018-10-16 14:52 UTC] [email protected]
-Summary: a null pointer defference in imap_mail
+Summary: null pointer dereference in imap_mail
-Status: Open
+Status: Analyzed
-Package: *Mail Related
+Package: IMAP related
-Assigned To:
+Assigned To: stas
[2018-10-18 08:58 UTC] 790358237 at qq dot com
Thanks for your reply. I am very happy to do this.
[2018-11-11 18:05 UTC] [email protected]
Fix makes sense, we can merge it in the next release cycle.
[2018-11-11 18:09 UTC] [email protected]
Added to security repo as 8b1049a7ae96ae9b0315cfe6742e5fb010ffb5d3 (for 5.6, higher versions will be merged up).
[2018-11-21 05:42 UTC] 790358237 at qq dot com
Will this get a CVE?
[2018-12-03 08:43 UTC] [email protected]
-Status: Analyzed
+Status: Closed
[2018-12-07 08:13 UTC] 790358237 at qq dot com
This was assigned CVE-2018-19935.
[2018-12-07 13:31 UTC] [email protected]
-CVE-ID:
+CVE-ID: 2018-19935
[2018-12-07 15:32 UTC] [email protected]
Notice: This issue is fixed in 5.6.39, 7.0.33 and 7.3.0. The fix is missing in 7.1.25 and 7.2.13 and will be part of 7.1.26 and 7.2.14.
[2018-12-10 02:44 UTC] zhangweiye at topsec dot com dot cn
-Reporter: 790358237 at qq dot com
+Reporter: zhangweiye at topsec dot com dot cn
[2018-12-10 02:44 UTC] zhangweiye at topsec dot com dot cn
Credit: [email protected]
[2018-12-10 03:07 UTC] zhangweiye at topsec dot com dot cn
Credit: topsec (zhangweiye)