CVE-2018-19935: null pointer dereference in imap_mail

Sec Bug #77020

null pointer dereference in imap_mail

Submitted:

2018-10-16 08:36 UTC

Modified:

2018-12-10 03:07 UTC

From:

zhangweiye at topsec dot com dot cn

Assigned:

stas (profile)

Status:

Closed

Package:

IMAP related

PHP Version:

7.2.11

OS:

ubuntu

Private report:

No

CVE-ID:

2018-19935

[2018-10-16 08:36 UTC] zhangweiye at topsec dot com dot cn

Description:

in imap_mail if message args is null, in _php_imap_mail no check wheater message can get, so crash.

``` fprintf(sendmail, "\n%s\n", message);

```

/usr/local/php/bin/php ./craxxx.php

Warning: imap_mail(): No message string in mail command in /home/fan/github/php-7.2.10/myselffuzz/craxxx.php on line 3 sh: 1: -t: not found Segmentation fault (core dumped)

…/sapi/cli/php ./craxxx.php

Warning: imap_mail(): No message string in mail command in /home/fan/github/php-7.2.10/myselffuzz/craxxx.php on line 3 ASAN:SIGSEGV ================================================================= ==23766==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x7fae925d9cc0 bp 0x7ffcb6b27a10 sp 0x7ffcb6b274a0 T0) sh: 1: -t: not found #0 0x7fae925d9cbf in vfprintf (/lib/x86_64-linux-gnu/libc.so.6+0x4ecbf) #1 0x7fae926a1bc8 in __fprintf_chk (/lib/x86_64-linux-gnu/libc.so.6+0x116bc8) #2 0xa5aeb0 in fprintf /usr/include/x86_64-linux-gnu/bits/stdio2.h:97 #3 0xa5aeb0 in _php_imap_mail /home/fan/github/php-7.2.10/ext/imap/php_imap.c:4065 #4 0xa5b22d in zif_imap_mail /home/fan/github/php-7.2.10/ext/imap/php_imap.c:4112 #5 0x17da703 in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER /home/fan/Desktop/php-7.2.10/Zend/zend_vm_execute.h:573 #6 0x17da703 in execute_ex /home/fan/Desktop/php-7.2.10/Zend/zend_vm_execute.h:59747 #7 0x181b5c3 in zend_execute /home/fan/Desktop/php-7.2.10/Zend/zend_vm_execute.h:63776 #8 0x1356ef2 in zend_execute_scripts /home/fan/Desktop/php-7.2.10/Zend/zend.c:1496 #9 0x11c0776 in php_execute_script /home/fan/Desktop/php-7.2.10/main/main.c:2590 #10 0x1823488 in do_cli /home/fan/Desktop/php-7.2.10/sapi/cli/php_cli.c:1011 #11 0x18256f4 in main /home/fan/Desktop/php-7.2.10/sapi/cli/php_cli.c:1404 #12 0x7fae925ab82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) #13 0x440888 in _start (/home/fan/github/php-7.2.10/sapi/cli/php+0x440888)

AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV ??:0 vfprintf ==23766==ABORTING

Test script:

<?php imap_mail('1’, 1, NULL);

?>

PatchesCVE-2018-19935 (last revision 2021-04-07 01:04 UTC by 2432857142 at qq dot com)

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2018-10-16 14:52 UTC] [email protected]

-Summary: a null pointer defference in imap_mail +Summary: null pointer dereference in imap_mail -Status: Open +Status: Analyzed -Package: *Mail Related +Package: IMAP related -Assigned To: +Assigned To: stas

[2018-10-18 08:58 UTC] 790358237 at qq dot com

Thanks for your reply. I am very happy to do this.

[2018-11-11 18:05 UTC] [email protected]

Fix makes sense, we can merge it in the next release cycle.

[2018-11-11 18:09 UTC] [email protected]

Added to security repo as 8b1049a7ae96ae9b0315cfe6742e5fb010ffb5d3 (for 5.6, higher versions will be merged up).

[2018-11-21 05:42 UTC] 790358237 at qq dot com

will this get a cve?

[2018-12-03 08:43 UTC] [email protected]

-Status: Analyzed +Status: Closed

[2018-12-07 08:13 UTC] 790358237 at qq dot com

this assign CVE-2018-19935.

[2018-12-07 13:31 UTC] [email protected]

-CVE-ID: +CVE-ID: 2018-19935

[2018-12-07 15:32 UTC] [email protected]

Notice: This issue is fixed in 5.6.39, 7.0.33 and 7.3.0 The fix is missing in 7.1.25 and 7.2.13, will be part of 7.1.26 and 7.2.14

[2018-12-10 02:44 UTC] zhangweiye at topsec dot com dot cn

-: 790358237 at qq dot com +: zhangweiye at topsec dot com dot cn

[2018-12-10 02:44 UTC] zhangweiye at topsec dot com dot cn

credit:[email protected]

[2018-12-10 03:07 UTC] zhangweiye at topsec dot com dot cn

credit topsec(zhangweiye)