Bug 1414684 (CVE-2016-6175) - CVE-2016-6175 php-php-gettext: $string variable not sufficiently sanitized
Summary: CVE-2016-6175 php-php-gettext: $string variable not sufficiently sanitized
Keywords:
Status: CLOSED UPSTREAM
Alias: CVE-2016-6175
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: medium medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1414686 1414685
Blocks:
Reported: 2017-01-19 09:05 UTC by Andrej Nemec
Modified: 2019-09-29 14:04 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-08 03:05:44 UTC
Embargoed:



Description Andrej Nemec 2017-01-19 09:05:15 UTC
php-gettext code that parses the plural forms header relies on eval() and only filters out some known-bad characters before passing the value from an MO file directly to eval().

References:

https://bugs.launchpad.net/php-gettext/+bug/1606184
https://kmkz-web-blog.blogspot.cz/2016/07/advisory-cve-2016-6175.html
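
The following is an added example and is not php-gettext's own code (neither the library's original character filter nor any upstream fix is reproduced here). It shows the replacement a maintainer would want for the eval() call described above: a small recursive-descent evaluator that accepts only the expression grammar gettext uses for Plural-Forms (the variable n, integer literals, arithmetic, comparison, logical and ternary operators) and rejects everything else before any evaluation happens. The class name PluralForms, the header regular expression and the sample headers are assumptions of this example, and it assumes PHP 8.0 or later. The MO file that carries the header is treated as untrusted input, which is the situation whenever a catalog can be supplied by someone other than the site operator.

```php
<?php
// Added example, not php-gettext's code: evaluate a gettext "Plural-Forms"
// header such as "nplurals=2; plural=(n != 1);" without eval().
// The header comes from the MO file, so it is attacker-controlled; instead of
// blacklisting characters and eval()ing the rest, tokenize against a whitelist
// grammar and interpret the tokens ourselves.
final class PluralForms
{
    private array $tokens = [];
    private int $pos = 0;

    public function __construct(private string $expr) {}

    /** Parse "nplurals=N; plural=EXPR;" and return [N, callable(int $n): int]. */
    public static function fromHeader(string $header): array
    {
        // Header layout assumed by this example; the expression is captured as a string only.
        if (!preg_match('/nplurals\s*=\s*(\d+)\s*;\s*plural\s*=\s*(.+?)\s*;?\s*$/s', $header, $m)) {
            throw new InvalidArgumentException('malformed Plural-Forms header');
        }
        $nplurals = (int) $m[1];
        $expr = $m[2];
        (new self($expr))->evaluate(1); // validate eagerly so a bad catalog fails at load time
        return [$nplurals, function (int $n) use ($nplurals, $expr): int {
            $idx = (new self($expr))->evaluate($n);
            // Clamp so a hostile header cannot select an index outside the translation table.
            return ($idx >= 0 && $idx < $nplurals) ? $idx : 0;
        }];
    }

    public function evaluate(int $n): int
    {
        // Whitelist tokenizer: n, integers, and the operators of the gettext grammar.
        $re = '/\s*(n|\d+|\|\||&&|==|!=|<=|>=|[<>!?:()+\-*\/%])\s*/';
        if (preg_replace($re, '', $this->expr) !== '') {
            throw new InvalidArgumentException('Plural-Forms expression contains disallowed characters');
        }
        preg_match_all($re, $this->expr, $m);
        $this->tokens = $m[1];
        $this->pos = 0;
        $v = $this->ternary($n);
        if ($this->pos !== count($this->tokens)) {
            throw new InvalidArgumentException('unexpected trailing tokens in Plural-Forms expression');
        }
        return $v;
    }

    private function peek(): ?string { return $this->tokens[$this->pos] ?? null; }

    private function take(): string
    {
        if ($this->pos >= count($this->tokens)) {
            throw new InvalidArgumentException('unexpected end of Plural-Forms expression');
        }
        return $this->tokens[$this->pos++];
    }

    private function expect(string $t): void
    {
        if ($this->take() !== $t) throw new InvalidArgumentException("expected '$t'");
    }

    // cond ? a : b, right-associative as in C.
    private function ternary(int $n): int
    {
        $c = $this->level(0, $n);
        if ($this->peek() !== '?') return $c;
        $this->pos++;
        $a = $this->ternary($n);
        $this->expect(':');
        $b = $this->ternary($n);
        return $c ? $a : $b;
    }

    // Binary operators by C precedence, lowest first. Division or modulo by
    // zero raises DivisionByZeroError, which callers may treat as a bad header.
    private function level(int $lvl, int $n): int
    {
        static $levels = null;
        $levels ??= [
            ['||' => fn($a, $b) => (int) ($a || $b)],
            ['&&' => fn($a, $b) => (int) ($a && $b)],
            ['==' => fn($a, $b) => (int) ($a == $b), '!=' => fn($a, $b) => (int) ($a != $b)],
            ['<' => fn($a, $b) => (int) ($a < $b), '>' => fn($a, $b) => (int) ($a > $b),
             '<=' => fn($a, $b) => (int) ($a <= $b), '>=' => fn($a, $b) => (int) ($a >= $b)],
            ['+' => fn($a, $b) => $a + $b, '-' => fn($a, $b) => $a - $b],
            ['*' => fn($a, $b) => $a * $b, '/' => fn($a, $b) => intdiv($a, $b), '%' => fn($a, $b) => $a % $b],
        ];
        if ($lvl === count($levels)) return $this->unary($n);
        $l = $this->level($lvl + 1, $n);
        while (($op = $this->peek()) !== null && isset($levels[$lvl][$op])) {
            $this->pos++;
            $r = $this->level($lvl + 1, $n);
            $l = $levels[$lvl][$op]($l, $r);
        }
        return $l;
    }

    private function unary(int $n): int
    {
        $t = $this->take();
        if ($t === '!') return (int) !$this->unary($n);
        if ($t === 'n') return $n;
        if ($t === '(') { $v = $this->ternary($n); $this->expect(')'); return $v; }
        if (preg_match('/^\d+$/', $t)) return (int) $t;
        throw new InvalidArgumentException("unexpected token '$t'");
    }
}

// Constructed sample headers: the Polish rule from the gettext manual, and a hostile one.
[$nplurals, $plural] = PluralForms::fromHeader(
    'nplurals=3; plural=(n==1 ? 0 : n%10>=2 && n%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);'
);
if ($nplurals !== 3 || $plural(1) !== 0 || $plural(2) !== 1 || $plural(5) !== 2 || $plural(22) !== 1) {
    throw new RuntimeException('plural evaluation gave an unexpected index');
}
try {
    PluralForms::fromHeader('nplurals=2; plural=system("id");');
    throw new RuntimeException('hostile header was accepted');
} catch (InvalidArgumentException $e) {
    echo "rejected hostile header: {$e->getMessage()}\n";
}
```

The hostile header is refused by the tokenizer, before any operator is applied, because characters outside the grammar remain after every legal token has been stripped; a blacklist of "known-bad" characters cannot give that guarantee, since any PHP construct built from the characters that are allowed still reaches eval(). Validating at load time (the eager evaluate(1) call) also means a broken catalog fails when it is opened rather than on the first ngettext() call.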

Comment 1 Andrej Nemec 2017-01-19 09:05:59 UTC
Created php-php-gettext tracking bugs for this issue:

Affects: fedora-all [bug 1414685]
Affects: epel-all [bug 1414686]

Comment 2 Robert Scheck 2017-01-22 23:56:17 UTC
Is there any patch available already? The NagVis fork seems to just rip out the functionality rather than really fixing the issue...
https://github.com/NagVis/nagvis/commit/4fe8672a5aec3467da72b5852ca6d283c15adb53

Comment 3 Andrej Nemec 2017-01-23 09:12:36 UTC
(In reply to Robert Scheck from comment #2)
> Is there any patch available already? The NagVis fork seems to just rip out the functionality rather than really fixing the issue...
> https://github.com/NagVis/nagvis/commit/4fe8672a5aec3467da72b5852ca6d283c15adb53

There is no upstream patch available yet as far as I was able to find out.

Comment 4 Product Security DevOps Team 2019-06-08 03:05:44 UTC
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.
