php-gettext: CVE-2016-6175


Debian Bug report logs - #851771

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 18 Jan 2017 16:24:12 UTC

Severity: grave

Tags: buster-ignore, jessie-ignore, security, stretch-ignore, upstream, wheezy-ignore

Found in version php-gettext/1.0.11-1

Forwarded to https://bugs.launchpad.net/php-gettext/+bug/1606184



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian PHP PEAR Maintainers <pkg-php-pear@lists.alioth.debian.org>:
Bug#851771; Package src:php-gettext. (Wed, 18 Jan 2017 16:24:14 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian PHP PEAR Maintainers <pkg-php-pear@lists.alioth.debian.org>. (Wed, 18 Jan 2017 16:24:14 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: php-gettext: CVE-2016-6175
Date: Wed, 18 Jan 2017 17:23:43 +0100
Source: php-gettext
Version: 1.0.11-1
Severity: grave
Tags: security upstream
Forwarded: https://bugs.launchpad.net/php-gettext/+bug/1606184

Hi,

the following vulnerability was published for php-gettext.

CVE-2016-6175[0]:
Use of eval too unrestrictive 

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-6175
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6175
[1] https://bugs.launchpad.net/php-gettext/+bug/1606184

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP PEAR Maintainers <pkg-php-pear@lists.alioth.debian.org>:
Bug#851771; Package src:php-gettext. (Sun, 22 Jan 2017 21:51:06 GMT)


Acknowledgement sent to Ola Lundqvist <ola@inguza.com>:
Extra info received and forwarded to list. Copy sent to Debian PHP PEAR Maintainers <pkg-php-pear@lists.alioth.debian.org>. (Sun, 22 Jan 2017 21:51:06 GMT)


Message #10 received at 851771@bugs.debian.org:

From: Ola Lundqvist <ola@inguza.com>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: Debian LTS <debian-lts@lists.debian.org>, 851771@bugs.debian.org
Subject: CVE-2016-6175 and 851771
Date: Sun, 22 Jan 2017 22:47:32 +0100
Hi Salvatore

I started checking the CVEs for php-gettext and I'm not sure I follow
the information for CVE-2016-6175.
Maybe you have more data than I do.

The vulnerability is that a malicious user that has permission to
craft .mo files in the target filesystem could execute any php code on
that system.
I find that a quite unlikely attack vector. Based on this I also think
the bug should have a different priority than grave.

Or have I missed anything crucial?

I'm asking as I plan to mark this one as no-dsa for wheezy.

Best regards

// Ola

PS. There is another bug on the same package and that one should
probably have a grave bug filed, but that is another story.
DS.

-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
/  ola@inguza.com                    Folkebogatan 26            \
|  opal@debian.org                   654 68 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---------------------------------------------------------------
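
Ola's message above states the bug in one sentence: the Plural-Forms header of a .mo catalogue ends up in PHP's eval(), so whoever can write a catalogue that the application loads can run PHP in its process. The following is an added example, not php-gettext's own code and not the upstream fix: a simplified sketch of the eval()-based pattern sits beside a version that tokenizes the plural expression against the gettext plural grammar and evaluates it with a small parser, never calling eval(). The header strings, the function and class names, the regular expressions and the $GLOBALS['pwned'] marker are all constructed for illustration.

```php
<?php
// Added example, not php-gettext's own code (needs PHP 8). A .mo catalogue's metadata
// entry carries a header such as "Plural-Forms: nplurals=2; plural=(n != 1);" whose C-like
// expression picks the plural index for a count n. php-gettext handed that text to eval();
// here a sketch of that pattern sits beside a version that never calls eval().

// Constructed sample headers (not taken from any real catalogue).
$benign    = "Content-Type: text/plain; charset=UTF-8\nPlural-Forms: nplurals=2; plural=(n != 1);\n";
$russian   = "Plural-Forms: nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);\n";
$malicious = "Plural-Forms: nplurals=2; plural=(n != 1); \$GLOBALS['pwned'] = true;\n";
const PLURAL_FORMS_RE = '/^Plural-Forms:\s*nplurals\s*=\s*(\d+)\s*;\s*plural\s*=\s*(.*)$/m';

// Vulnerable pattern: substitute n, then let eval() run whatever the catalogue says.
function plural_index_unsafe(string $header, int $n): int
{
    if (!preg_match(PLURAL_FORMS_RE, $header, $m)) return $n == 1 ? 0 : 1;   // Germanic default
    $code = preg_replace('/\bn\b/', (string) $n, rtrim(trim($m[2]), ';'));
    eval("\$plural = $code;");   // a ';' in the header smuggles in further statements
    return (int) $plural;
}

// Hardened pattern: keep only the gettext plural grammar (integers, n, ! ?: || && == !=
// < > <= >= + - * / % and parentheses), reject anything else before evaluation, and
// evaluate with a small precedence-climbing parser instead of eval().
final class PluralExpr
{
    private const TOKEN = '\d+|n|\|\||&&|==|!=|<=|>=|[-+*\/%<>!?:()]';
    private const PREC  = ['||' => 1, '&&' => 2, '==' => 3, '!=' => 3, '<' => 4, '>' => 4,
                           '<=' => 4, '>=' => 4, '+' => 5, '-' => 5, '*' => 6, '/' => 6, '%' => 6];
    private array $tok;
    private int $pos = 0;
    public function __construct(string $expr)
    {
        // Anything that is not whitespace or a grammar token ('$', ';', quotes, names) is fatal.
        if (preg_replace('/\s+|' . self::TOKEN . '/', '', $expr) !== '') {
            throw new InvalidArgumentException("Plural-Forms expression rejected: $expr");
        }
        preg_match_all('/' . self::TOKEN . '/', $expr, $m);
        $this->tok = $m[0];
    }
    public function evaluate(int $n): int
    {
        $this->pos = 0;
        $v = $this->ternary($n);
        if ($this->pos !== count($this->tok)) throw new InvalidArgumentException('trailing tokens');
        return $v;
    }
    private function peek(): ?string { return $this->tok[$this->pos] ?? null; }
    private function take(?string $want = null): string
    {
        $t = $this->peek();
        if ($t === null || ($want !== null && $t !== $want)) throw new InvalidArgumentException("malformed expression at token $this->pos");
        $this->pos++;
        return $t;
    }
    private function ternary(int $n): int          // lowest precedence, right-associative as in C
    {
        $c = $this->binary($n, 1);
        if ($this->peek() !== '?') return $c;
        $this->take('?');
        $a = $this->ternary($n);
        $this->take(':');
        $b = $this->ternary($n);                   // both arms parsed so every token is consumed
        return $c ? $a : $b;
    }
    private function binary(int $n, int $min): int // binary operators of precedence >= $min
    {
        $lhs = $this->unary($n);
        while (($op = $this->peek()) !== null && (self::PREC[$op] ?? 0) >= $min) {
            $this->take();
            $lhs = self::apply($op, $lhs, $this->binary($n, self::PREC[$op] + 1));
        }
        return $lhs;
    }
    private function unary(int $n): int
    {
        $t = $this->take();
        if ($t === '!') return (int) (!$this->unary($n));
        if ($t === '(') { $v = $this->ternary($n); $this->take(')'); return $v; }
        if ($t === 'n') return $n;
        if (is_numeric($t)) return (int) $t;
        throw new InvalidArgumentException("unexpected token '$t'");
    }
    private static function apply(string $op, int $a, int $b): int
    {
        return match ($op) {
            '||' => (int) ($a || $b), '&&' => (int) ($a && $b), '==' => (int) ($a == $b), '!=' => (int) ($a != $b),
            '<' => (int) ($a < $b), '>' => (int) ($a > $b), '<=' => (int) ($a <= $b), '>=' => (int) ($a >= $b),
            '+' => $a + $b, '-' => $a - $b, '*' => $a * $b,
            '/' => $b === 0 ? 0 : intdiv($a, $b), '%' => $b === 0 ? 0 : $a % $b,   // no DivisionByZeroError
        };
    }
}
function plural_index_safe(string $header, int $n): int
{
    if (!preg_match(PLURAL_FORMS_RE, $header, $m)) return $n == 1 ? 0 : 1;
    $index = (new PluralExpr(rtrim(trim($m[2]), ';')))->evaluate($n);
    return max(0, min($index, (int) $m[1] - 1));   // clamp into the nplurals table
}

$GLOBALS['pwned'] = false;
printf("unsafe, benign:    n=1 -> %d, n=5 -> %d\n", plural_index_unsafe($benign, 1), plural_index_unsafe($benign, 5));
plural_index_unsafe($malicious, 5);
printf("unsafe, malicious: catalogue code executed: %s\n", $GLOBALS['pwned'] ? 'yes' : 'no');
printf("safe, benign:      n=1 -> %d, n=5 -> %d\n", plural_index_safe($benign, 1), plural_index_safe($benign, 5));
printf("safe, russian:     n=1,3,5,21 -> %d,%d,%d,%d\n", plural_index_safe($russian, 1), plural_index_safe($russian, 3), plural_index_safe($russian, 5), plural_index_safe($russian, 21));
try { plural_index_safe($malicious, 5); } catch (InvalidArgumentException $e) { printf("safe, malicious:   %s\n", $e->getMessage()); }
```

Run it with the php command-line interpreter. The point of the two variants is the trust boundary: the unsafe one treats the catalogue header as code, so the crafted header's extra statement runs with the web server's privileges, while the safe one treats it as data, rejects anything outside the plural grammar before evaluating, and still handles a real multi-branch rule such as the Russian one. The clamp on the returned index is a separate check worth keeping: even a grammatically valid expression must not select past nplurals-1.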



Added tag(s) stretch-ignore. Request was from Niels Thykier <niels@thykier.net> to control@bugs.debian.org. (Sat, 04 Feb 2017 10:30:14 GMT)


Added tag(s) jessie-ignore. Request was from Andreas Beckmann <anbe@debian.org> to control@bugs.debian.org. (Wed, 19 Apr 2017 09:57:04 GMT)


Added tag(s) wheezy-ignore. Request was from Andreas Beckmann <anbe@debian.org> to control@bugs.debian.org. (Sat, 22 Apr 2017 21:18:03 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP PEAR Maintainers <pkg-php-pear@lists.alioth.debian.org>:
Bug#851771; Package src:php-gettext. (Thu, 13 Sep 2018 20:48:03 GMT)


Acknowledgement sent to Ivo De Decker <ivodd@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP PEAR Maintainers <pkg-php-pear@lists.alioth.debian.org>. (Thu, 13 Sep 2018 20:48:03 GMT)


Message #21 received at 851771@bugs.debian.org:

From: Ivo De Decker <ivodd@debian.org>
To: 851771@bugs.debian.org
Subject: Re: php-gettext: CVE-2016-6175
Date: Thu, 13 Sep 2018 22:46:17 +0200
Hi,

On Wed, Jan 18, 2017 at 05:23:43PM +0100, Salvatore Bonaccorso wrote:
> the following vulnerability was published for php-gettext.
> 
> CVE-2016-6175[0]:
> Use of eval too unrestrictive 

The packages using php-gettext in buster are:

cacti: cacti
kopano-webapp: kopano-webapp-common
phpmyadmin: phpmyadmin
tt-rss: tt-rss

Only phpmyadmin is a key package.

For phpmyadmin, php-gettext was replaced by motranslator
(https://github.com/phpmyadmin/motranslator/) in 4.7. Buster currently has
4.6, but a newer version might be uploaded at some point (see
https://bugs.debian.org/879741).

Cheers,

Ivo




Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP PEAR Maintainers <pkg-php-pear@lists.alioth.debian.org>:
Bug#851771; Package src:php-gettext. (Tue, 12 Mar 2019 21:21:03 GMT)


Acknowledgement sent to Ivo De Decker <ivodd@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP PEAR Maintainers <pkg-php-pear@lists.alioth.debian.org>. (Tue, 12 Mar 2019 21:21:03 GMT)


Message #26 received at 851771@bugs.debian.org:

From: Ivo De Decker <ivodd@debian.org>
To: Ola Lundqvist <ola@inguza.com>
Cc: Salvatore Bonaccorso <carnil@debian.org>, 851771@bugs.debian.org
Subject: Re: CVE-2016-6175 and 851771
Date: Tue, 12 Mar 2019 22:20:02 +0100
control: tags -1 buster-ignore

Hi,

On Sun, Jan 22, 2017 at 10:47:32PM +0100, Ola Lundqvist wrote:
> I started checking the CVEs for php-gettext and I'm not sure I follow
> the information for CVE-2016-6175.
> Maybe you have more data than I do.
> 
> The vulnerability is that a malicious user that has permission to
> craft .mo files in the target filesystem could execute any php code on
> that system.
> I find that a quite unlikely attack vector. Based on this I also think
> the bug should have a different priority than grave.
> 
> Or have I missed anything crucial?

After a brief discussion on irc, and input from the security team, I'm marking
this buster-ignore, on the understanding that php-gettext won't be in bullseye.

"< jmm_> I'm fine with buster-ignoring it, but it should go away after buster"

Thanks,

Ivo




Added tag(s) buster-ignore. Request was from Ivo De Decker <ivodd@debian.org> to 851771-submit@bugs.debian.org. (Tue, 12 Mar 2019 21:21:03 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:06:42 2019; Machine Name: beach
