Bug#914632: uw-imap: CVE-2018-19518


Bug#914632: uw-imap: CVE-2018-19518

Salvatore Bonaccorso-4
Source: uw-imap
Version: 8:2007f~dfsg-5
Severity: important
Tags: security upstream

Hi,

The following vulnerability was published for uw-imap.

CVE-2018-19518[0]:
| University of Washington IMAP Toolkit 2007f on UNIX, as used in
| imap_open() in PHP and other products, launches an rsh command (by
| means of the imap_rimap function in c-client/imap4r1.c and the
| tcp_aopen function in osdep/unix/tcp_unix.c) without preventing
| argument injection, which might allow remote attackers to execute
| arbitrary OS commands if the IMAP server name is untrusted input (e.g.,
| entered by a user of a web application) and if rsh has been replaced by
| a program with different argument semantics. For example, if rsh is a
| link to ssh (as seen on Debian and Ubuntu systems), then the attack can
| use an IMAP server name containing a "-oProxyCommand" argument.

This was originally filed for PHP (cf. #913775 and cloned bugs), but
the issue could possibly be fixed within osdep/unix/tcp_unix.c in the
IMAP Toolkit code. See the security-tracker page for further
references.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-19518
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19518

Regards,
Salvatore


Bug#914632: uw-imap: CVE-2018-19518

Magnus Holmgren-4
> CVE-2018-19518[0]:
> | University of Washington IMAP Toolkit 2007f on UNIX, as used in
> | imap_open() in PHP and other products, launches an rsh command (by
> | means of the imap_rimap function in c-client/imap4r1.c and the
> | tcp_aopen function in osdep/unix/tcp_unix.c) without preventing
> | argument injection,

I'm wondering if anyone would complain if I'd disable RSH (SSH) connections
altogether.

--
Magnus Holmgren
Debian Developer


Bug#914632: RFC: proposed fix for CVE-2018-19518 in uw-imap

Salvatore Bonaccorso-4
In reply to this post by Salvatore Bonaccorso-4
Hi Roberto,

On Sat, Dec 29, 2018 at 10:24:40AM -0500, Roberto C. Sánchez wrote:

> On Sat, Dec 22, 2018 at 10:27:18PM -0500, Roberto C. Sánchez wrote:
> > [note: I am not subscribed to debian-security; please keep me or
> > debian-lts addressed on replies]
> >
> > If this seems like a sensible approach, I propose to apply the attached
> > patch to uw-imap 8:2007f~dfsg-5 (the current stretch/buster/sid version)
> > to create version 8:2007f~dfsg-6 for upload to sid and eventual
> > inclusion in stretch (perhaps via a point release) and then also in
> > parallel create a 8:2007f~dfsg-4+deb8u1 package for upload to jessie.
> >
> > Please reply with your comments.  In particular, feedback from the
> > security team on the appropriateness of this for a stable point release
> > and my suggested route for the update to take to get there would be very
> > useful.
> >
>
> Hi all,
>
> Since Tomas and Ola have reviewed the patch and we have had some
> discussion which makes it seem like this is the most sensible approach
> to the vulnerability given the constraints, I wonder if the Security
> team could weigh in.
>
> I have forwarded my initial message and the patch to Magnus Holmgren
> (the uw-imap maintainer) and also added him as a recipient of this
> message, as he may wish to be the one to upload to unstable and
> coordinate the future point release inclusion.
>
> I ask for some indication now from the security team and/or the
> maintainer since I don't think it makes sense to fix this only in jessie
> and not in stretch/buster/sid.

There is an alternative approach which was raised by Magnus in the
respective bug: https://bugs.debian.org/914632#12 (and see followup
from Moritz).

Regards,
Salvatore


Bug#914632: RFC: proposed fix for CVE-2018-19518 in uw-imap

Shelby Cruver
Unsubscribe me please

On December 30, 2018 1:38:57 AM MST, Salvatore Bonaccorso <[hidden email]> wrote:
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Bug#914632: RFC: proposed fix for CVE-2018-19518 in uw-imap

Roberto C. Sánchez-2
In reply to this post by Salvatore Bonaccorso-4
Hi Salvatore,

On Sun, Dec 30, 2018 at 09:38:57AM +0100, Salvatore Bonaccorso wrote:
>
> There is an alternative approach which was raised by Magnus in the
> respective bug: https://bugs.debian.org/914632#12 (and see followup
> from Moritz).
>

I suppose I should have looked more carefully at the bugs associated with
CVE-2018-19518 and subscribed to this one.  Thank you for pointing it
out to me.

The suggestion from Magnus is certainly less likely than mine to allow
for a future exploit of the same mechanism via different means.

Magnus,

Would you prefer to handle the jessie update?  If not, I will wait until
you have patch ready and I can build/upload for jessie and release the
corresponding advisory.

Regards,

-Roberto

--
Roberto C. Sánchez


Bug#914632: uw-imap: CVE-2018-19518

Magnus Holmgren-4
In reply to this post by Salvatore Bonaccorso-4
On Sunday, 13 January 2019 at 08:31:28 CET, Salvatore Bonaccorso wrote:
> On Fri, Dec 28, 2018 at 10:22:53AM +0100, Moritz Mühlenhoff wrote:
> > On Wed, Dec 26, 2018 at 05:20:40PM +0100, Magnus Holmgren wrote:
> > > I'm wondering if anyone would complain if I'd disable RSH (SSH)
> > > connections
> > > altogether.
> >
> > Full ack, that seems like the most sensible fix.
>
> Any news on this approach, or did you spot any problem with that way?

Here's my plan. Removing the RSHPATH define should disable the insecure code,
I reckon. I just haven't been able to make gbp use my long PGP key id...

--
Magnus Holmgren        [hidden email]
Debian Developer

Attachments: 2013_disable_rsh.patch (506 bytes), signature.asc (849 bytes)

Bug#914632: uw-imap: CVE-2018-19518

Thorsten Glaser
In reply to this post by Salvatore Bonaccorso-4
Hi Magnus,

>Perhaps wanting to run imapd via remote shell is so rare that there's
>no need to write a NEWS.Debian entry?

in case of doubt just write one, it does not hurt.

Are you going to upload within the next five days or so, or
do you need help? (We’re at a BSP and currently fixing stuff…)

Thanks,
//mirabilos
--
> Wish I had pine to hand :-( I'll give lynx a try, thanks.

Michael Schmitz on nntp://news.gmane.org/gmane.linux.debian.ports.68k
a.k.a. {news.gmane.org/nntp}#news.gmane.linux.debian.ports.68k in pine


Bug#914632: uw-imap: CVE-2018-19518

Moritz Mühlenhoff-2
In reply to this post by Salvatore Bonaccorso-4
On Sun, Feb 24, 2019 at 02:53:41PM +0100, Magnus Holmgren wrote:
> Perhaps wanting to run imapd via remote shell is so rare that there's no need
> to write a NEWS.Debian entry?

I agree, I don't think this needs a NEWS.Debian.

Cheers,
        Moritz


Bug#914632: RFC: proposed fix for CVE-2018-19518 in uw-imap

Magnus Holmgren-4
In reply to this post by Salvatore Bonaccorso-4
On Sunday, 30 December 2018 at 09:38:57 CET, Salvatore Bonaccorso wrote:
> There is an alternative approach which was raised by Magnus in the
> respective bug: https://bugs.debian.org/914632#12 (and see followup
> from Moritz).

So, is it OK to upload this (assuming there's no code out there that actually
uses SET_RSHPATH or SET_SSHPATH)?

(By no longer defining RSHPATH, rshpath doesn't get set by the following code
and tcp_aopen() will return NIL without doing anything.

#ifdef RSHPATH /* rsh path defined yet? */
  if (!rshpath) rshpath = cpystr (RSHPATH);
#endif

)

--
Magnus Holmgren        [hidden email]
Debian Developer

Attachments: CVE-2018-19518.debdiff (1K), signature.asc (849 bytes)
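The following is an added illustration, not code from this bug thread, from the Debian patch or from the uw-imap sources. It models in C the two mitigations the thread discusses: the Debian fix of building without the RSHPATH define, so that rshpath stays NULL and the modelled tcp_aopen() returns NIL without touching rsh/ssh at all; and, for anyone who keeps the rsh path, a hostname check that rejects any value rsh or ssh could parse as an option. The function names (is_safe_hostname, build_rsh_argv, model_tcp_aopen), the argv layout "rsh host -l user command" and the remote command "exec /etc/rimapd" are assumptions made for this example rather than facts taken from the c-client code.

```c
/* Added example for CVE-2018-19518; not part of the bug thread or of uw-imap.
 * Function names, the argv layout "rsh host -l user command" and the remote
 * command string are assumptions for illustration only. */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Same shape as the #ifdef quoted in the thread: without RSHPATH at build
 * time there is no rsh path, and the rsh code path is never taken. */
#ifdef RSHPATH
static const char *rshpath = RSHPATH;
#else
static const char *rshpath = NULL;
#endif

/* Accept only RFC 1123 style host names: labels of letters, digits and '-',
 * separated by '.', no empty labels, no label starting or ending with '-'.
 * A leading '-' is therefore rejected, so the value can never be read as an
 * option by whatever program sits behind rshpath (rsh, or ssh on Debian). */
bool is_safe_hostname(const char *host)
{
    if (host == NULL || *host == '\0' || strlen(host) > 253)
        return false;
    size_t label_len = 0;
    for (const char *p = host; *p != '\0'; p++) {
        if (*p == '.') {
            if (label_len == 0 || *(p - 1) == '-')  /* empty label or trailing '-' */
                return false;
            label_len = 0;
            continue;
        }
        if (label_len == 0 && *p == '-')           /* label or whole name starts with '-' */
            return false;
        if (!isalnum((unsigned char)*p) && *p != '-')
            return false;
        if (++label_len > 63)
            return false;
    }
    /* final label must be non-empty and must not end in '-' */
    return label_len > 0 && host[strlen(host) - 1] != '-';
}

/* Build the argument vector the rsh code path would hand to execv(), using
 * the assumed layout "rsh host -l user command".  Returns argc, or -1 when
 * the host fails validation.  argv needs room for 6 entries. */
int build_rsh_argv(const char *rsh, const char *host, const char *user,
                   const char *command, const char **argv, size_t n)
{
    if (n < 6 || !is_safe_hostname(host))
        return -1;
    int argc = 0;
    argv[argc++] = rsh;
    argv[argc++] = host;
    argv[argc++] = "-l";
    argv[argc++] = user;
    argv[argc++] = command;
    argv[argc] = NULL;
    return argc;
}

/* Model of tcp_aopen() after the Debian fix: with rshpath NULL it returns
 * NULL ("NIL") without doing anything.  When a path is configured it still
 * refuses hosts that fail validation.  Returns argv[0] on success. */
const char *model_tcp_aopen(const char *host, const char *user,
                            const char **argv, size_t n)
{
    if (rshpath == NULL)
        return NULL;
    /* "exec /etc/rimapd" is an assumed remote command, not taken from the page */
    if (build_rsh_argv(rshpath, host, user, "exec /etc/rimapd", argv, n) < 0)
        return NULL;
    return argv[0];   /* a real caller would fork/exec argv here */
}

int main(void)
{
    /* constructed sample inputs */
    const char *hosts[] = { "imap.example.com", "-oProxyCommand", "mail..example.com" };
    const char *argv[6];
    for (size_t i = 0; i < 3; i++)
        printf("%-20s safe=%d  tcp_aopen=%s\n", hosts[i],
               (int)is_safe_hostname(hosts[i]),
               model_tcp_aopen(hosts[i], "alice", argv, 6) ? "rsh path" : "NIL");
    return 0;
}
```

Compiled as-is (no -DRSHPATH), every call to model_tcp_aopen() returns NIL, which is the behaviour Magnus describes for the patched package; compiling with -DRSHPATH='"/usr/bin/rsh"' re-enables the path but the hostname check still turns away option-like input.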