Debian Bug report logs - #851771
php-gettext: CVE-2016-6175
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian PHP PEAR Maintainers <pkg-php-pear@lists.alioth.debian.org>: Bug#851771; Package src:php-gettext. (Wed, 18 Jan 2017 16:24:14 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian PHP PEAR Maintainers <pkg-php-pear@lists.alioth.debian.org>. (Wed, 18 Jan 2017 16:24:14 GMT)
Message #5 received at submit@bugs.debian.org:
Source: php-gettext
Version: 1.0.11-1
Severity: grave
Tags: security upstream
Forwarded: https://bugs.launchpad.net/php-gettext/+bug/1606184
Hi,
the following vulnerability was published for php-gettext.
CVE-2016-6175[0]:
Use of eval too unrestrictive
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2016-6175
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6175
[1] https://bugs.launchpad.net/php-gettext/+bug/1606184
Regards,
Salvatore
Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP PEAR Maintainers <pkg-php-pear@lists.alioth.debian.org>: Bug#851771; Package src:php-gettext. (Sun, 22 Jan 2017 21:51:06 GMT)
Acknowledgement sent to Ola Lundqvist <ola@inguza.com>: Extra info received and forwarded to list. Copy sent to Debian PHP PEAR Maintainers <pkg-php-pear@lists.alioth.debian.org>. (Sun, 22 Jan 2017 21:51:06 GMT)
Message #10 received at 851771@bugs.debian.org:
Hi Salvatore
I started checking the CVEs for php-gettext and I'm not sure I follow
the information for CVE-2016-6175.
Maybe you have more data than I do.
The vulnerability is that a malicious user who has permission to
craft .mo files in the target filesystem could execute any php code on
that system.
I find that a quite unlikely attack vector. Based on this I also think
the bug should have a different priority than grave.
Or have I missed anything crucial?
I'm asking as I plan to mark this one as no-dsa for wheezy.
Best regards
// Ola
PS. There is another bug on the same package and that one should
probably have a grave bug filed, but that is another story.
DS.
--
Inguza Technology AB --- MSc in Information Technology
ola@inguza.com       Folkebogatan 26
opal@debian.org      654 68 KARLSTAD
http://inguza.com/   Mobile: +46 (0)70-332 1551
gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9
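As an added illustration, not code from php-gettext or from anyone in this thread: the check a defender would want in a .mo loader, which accepts only the gettext plural-expression grammar in the Plural-Forms header and refuses anything else instead of passing it to eval(). The page says only that eval was used too unrestrictively; that the evaluated string is the .mo file's Plural-Forms header is an assumption made here, and the sample headers are constructed.

```php
<?php
// Added example (not php-gettext's own code): validate a .mo file's Plural-Forms
// header against the gettext plural-expression grammar before it reaches any
// evaluator. That the evaluated string is the Plural-Forms header is an
// assumption made here; the page only says "use of eval too unrestrictive".

/**
 * Return a normalised "nplurals=N; plural=EXPR;" string, or null when the header
 * contains anything outside the expected grammar. A null result means the .mo
 * file is untrusted and the caller should fall back to a built-in default
 * (for example nplurals=2; plural=n != 1) instead of evaluating the header.
 */
function validate_plural_forms(string $header): ?string
{
    // Tokens a gettext plural expression may contain: integers, the variable n,
    // the ternary operator, comparison/arithmetic/logic operators, parentheses
    // and whitespace. Anything else (identifiers, quotes, $, ;, function calls)
    // fails the match.
    $token   = '(?:\d+|\bn\b|\?|:|\|\||&&|==|!=|<=|>=|<|>|%|\+|-|\*|\/|\(|\)|!|\s)';
    $pattern = '/^\s*nplurals\s*=\s*(\d+)\s*;\s*plural\s*=\s*(' . $token . '+)\s*;?\s*$/';
    if (!preg_match($pattern, $header, $m)) {
        return null;
    }
    $nplurals = (int) $m[1];
    $expr     = trim($m[2]);
    // The regex cannot check nesting, so require balanced parentheses explicitly.
    if ($nplurals < 1 || substr_count($expr, '(') !== substr_count($expr, ')')) {
        return null;
    }
    return "nplurals={$nplurals}; plural={$expr};";
}

// Constructed sample headers: two real-world plural rules and one that carries an
// identifier the grammar does not allow.
$samples = [
    'nplurals=2; plural=(n != 1);',
    'nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);',
    'nplurals=2; plural=foo(n);',
];
foreach ($samples as $s) {
    echo (validate_plural_forms($s) === null ? 'REJECTED ' : 'accepted ') . $s, PHP_EOL;
}
```

The first two headers are accepted and the third is rejected; a loader that only evaluates accepted headers no longer lets the contents of a .mo file decide what code runs.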
Added tag(s) stretch-ignore. Request was from Niels Thykier <niels@thykier.net> to control@bugs.debian.org. (Sat, 04 Feb 2017 10:30:14 GMT)
Added tag(s) jessie-ignore. Request was from Andreas Beckmann <anbe@debian.org> to control@bugs.debian.org. (Wed, 19 Apr 2017 09:57:04 GMT)
Added tag(s) wheezy-ignore. Request was from Andreas Beckmann <anbe@debian.org> to control@bugs.debian.org. (Sat, 22 Apr 2017 21:18:03 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP PEAR Maintainers <pkg-php-pear@lists.alioth.debian.org>: Bug#851771; Package src:php-gettext. (Thu, 13 Sep 2018 20:48:03 GMT)
Acknowledgement sent to Ivo De Decker <ivodd@debian.org>: Extra info received and forwarded to list. Copy sent to Debian PHP PEAR Maintainers <pkg-php-pear@lists.alioth.debian.org>. (Thu, 13 Sep 2018 20:48:03 GMT)
Message #21 received at 851771@bugs.debian.org:
Hi,
On Wed, Jan 18, 2017 at 05:23:43PM +0100, Salvatore Bonaccorso wrote:
> the following vulnerability was published for php-gettext.
>
> CVE-2016-6175[0]:
> Use of eval too unrestrictive
The packages using php-gettext in buster are:
cacti: cacti
kopano-webapp: kopano-webapp-common
phpmyadmin: phpmyadmin
tt-rss: tt-rss
Only phpmyadmin is a key package.
For phpmyadmin, php-gettext was replaced by motranslator
(https://github.com/phpmyadmin/motranslator/) in 4.7. Buster currently has
4.6, but a newer version might be uploaded at some point (see
https://bugs.debian.org/879741).
Cheers,
Ivo
Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP PEAR Maintainers <pkg-php-pear@lists.alioth.debian.org>: Bug#851771; Package src:php-gettext. (Tue, 12 Mar 2019 21:21:03 GMT)
Acknowledgement sent to Ivo De Decker <ivodd@debian.org>: Extra info received and forwarded to list. Copy sent to Debian PHP PEAR Maintainers <pkg-php-pear@lists.alioth.debian.org>. (Tue, 12 Mar 2019 21:21:03 GMT)
Message #26 received at 851771@bugs.debian.org:
control: tags -1 buster-ignore
Hi,
On Sun, Jan 22, 2017 at 10:47:32PM +0100, Ola Lundqvist wrote:
> I started checking the CVEs for php-gettext and I'm not sure I follow
> the information for CVE-2016-6175.
> Maybe you have more data than I do.
>
> The vulnerability is that a malicious user who has permission to
> craft .mo files in the target filesystem could execute any php code on
> that system.
> I find that a quite unlikely attack vector. Based on this I also think
> the bug should have a different priority than grave.
>
> Or have I missed anything crucial?
After a brief discussion on irc, and input from the security team, I'm marking
this buster-ignore, on the understanding that php-gettext won't be in bullseye.
"< jmm_> I'm fine with buster-ignoring it, but it should go away after buster"
Thanks,
Ivo
Added tag(s) buster-ignore. Request was from Ivo De Decker <ivodd@debian.org> to 851771-submit@bugs.debian.org. (Tue, 12 Mar 2019 21:21:03 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:06:42 2019