php-gettext: CVE-2015-8980

Debian Bug report logs - #851770

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 18 Jan 2017 16:24:01 UTC

Severity: grave

Tags: patch, security, upstream

Found in version php-gettext/1.0.11-1

Fixed in version php-gettext/1.0.12-0.1

Done: Jonathan Wiltshire <jmw@debian.org>

Bug is archived. No further changes may be made.

Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian PHP PEAR Maintainers <pkg-php-pear@lists.alioth.debian.org>:
Bug#851770; Package src:php-gettext. (Wed, 18 Jan 2017 16:24:04 GMT)

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian PHP PEAR Maintainers <pkg-php-pear@lists.alioth.debian.org>. (Wed, 18 Jan 2017 16:24:04 GMT)

Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: php-gettext: CVE-2015-8980
Date: Wed, 18 Jan 2017 17:22:21 +0100
Source: php-gettext
Version: 1.0.11-1
Severity: grave
Tags: security upstream

Hi,

the following vulnerability was published for php-gettext.

CVE-2015-8980[0]:
|Arbitrary code execution in select_string, ngettext and npgettext
|count parameter

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-8980
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8980
[1] http://seclists.org/fulldisclosure/2016/Aug/76

Regards,
Salvatore

Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP PEAR Maintainers <pkg-php-pear@lists.alioth.debian.org>:
Bug#851770; Package src:php-gettext. (Sun, 29 Jan 2017 15:42:05 GMT)

Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP PEAR Maintainers <pkg-php-pear@lists.alioth.debian.org>. (Sun, 29 Jan 2017 15:42:06 GMT)

Message #10 received at 851770@bugs.debian.org:

From: Jonathan Wiltshire <jmw@debian.org>
To: 851770@bugs.debian.org
Subject: php-gettext: diff for NMU version 1.0.12-0.1
Date: Sun, 29 Jan 2017 15:39:48 +0000
Control: tags 851770 + patch
Control: tags 851770 + pending

Dear maintainer,

I've prepared an NMU for php-gettext (versioned as 1.0.12-0.1) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer.

Regards.

-- 
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

[php-gettext-1.0.12-0.1-nmu.diff (text/x-diff, attachment)]

Added tag(s) patch. Request was from Jonathan Wiltshire <jmw@debian.org> to 851770-submit@bugs.debian.org. (Sun, 29 Jan 2017 15:42:06 GMT)

Added tag(s) pending. Request was from Jonathan Wiltshire <jmw@debian.org> to 851770-submit@bugs.debian.org. (Sun, 29 Jan 2017 15:42:06 GMT)

Reply sent to Jonathan Wiltshire <jmw@debian.org>:
You have taken responsibility. (Tue, 31 Jan 2017 16:09:08 GMT)

Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 31 Jan 2017 16:09:08 GMT)

Message #19 received at 851770-close@bugs.debian.org:

From: Jonathan Wiltshire <jmw@debian.org>
To: 851770-close@bugs.debian.org
Subject: Bug#851770: fixed in php-gettext 1.0.12-0.1
Date: Tue, 31 Jan 2017 16:05:22 +0000
Source: php-gettext
Source-Version: 1.0.12-0.1

We believe that the bug you reported is fixed in the latest version of
php-gettext, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 851770@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonathan Wiltshire <jmw@debian.org> (supplier of updated php-gettext package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)

Format: 1.8
Date: Sun, 29 Jan 2017 15:13:07 +0000
Source: php-gettext
Binary: php-php-gettext php-gettext
Architecture: source all
Version: 1.0.12-0.1
Distribution: unstable
Urgency: medium
Maintainer: Debian PHP PEAR Maintainers <pkg-php-pear@lists.alioth.debian.org>
Changed-By: Jonathan Wiltshire <jmw@debian.org>
Description:
 php-gettext - transitional dummy package for php-php-gettext
 php-php-gettext - read gettext MO files directly, without requiring anything other
Closes: 851770
Changes:
 php-gettext (1.0.12-0.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * New upstream release:
     - throw an exception when select_string/ngettext
       functions get non-numeric parameter
       Closes: #851770 (CVE-2015-8980)
     - do not assume mbstring functions are always there,
       pass text through if they aren't
     - add 'sign' rule to build system
   * Add missing phpunit build-dependency so that tests
     actually get run

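The changelog in the closing message says the upstream fix was to throw an exception when select_string/ngettext receive a non-numeric count parameter. The following is an added example, not php-gettext's own code, of a plural selector that applies that check together with two related guards; the PluralSelector class, its closure-based plural rule and the sample inputs are assumptions constructed for this demonstration.

```php
<?php
declare(strict_types=1);

// Added example (not php-gettext's own code): a plural-form selector that
// rejects non-integer counts before they reach the plural rule, the
// mitigation described in the 1.0.12 changelog. Class name and the
// closure-based rule are assumptions for this demo, not the library's API.
final class PluralSelector
{
    /** @var callable(int): int  maps a count to a plural-form index */
    private $rule;

    public function __construct(private int $nplurals, callable $rule)
    {
        if ($nplurals < 1) {
            throw new InvalidArgumentException('nplurals must be >= 1');
        }
        $this->rule = $rule;
    }

    /** Return the plural-form index for $n, or throw if $n is not an int. */
    public function select(mixed $n): int
    {
        // is_int(), not is_numeric(): "5", " 5" and "1e3" are strings and
        // must never be handed to the rule, however the rule is built.
        if (!is_int($n)) {
            throw new InvalidArgumentException(
                'select() only accepts integers, got ' . get_debug_type($n));
        }
        $index = ($this->rule)($n);
        // A rule yielding an out-of-range index is a catalog bug; do not
        // index the translation table with it silently.
        if ($index < 0 || $index >= $this->nplurals) {
            throw new RangeException("plural index $index out of range");
        }
        return $index;
    }
}

// Rule for "nplurals=2; plural=(n != 1);" expressed as a closure rather
// than evaluated from the header string.
$english = new PluralSelector(2, static fn (int $n): int => $n !== 1 ? 1 : 0);
assert($english->select(1) === 0);
assert($english->select(5) === 1);

// Constructed sample inputs: each one is refused before plural selection.
foreach (['5', 'five', 2.0, null] as $bad) {
    try {
        $english->select($bad);
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```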
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 16 Jul 2017 07:48:53 GMT)

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:27:19 2019; Machine Name: beach