php-gettext code that parses the plural forms header relies on eval() and only filters out some known-bad characters before passing the value from a MO file in directly to eval().
Created php-php-gettext tracking bugs for this issue:
Affects: fedora-all [bug 1414685]
Affects: epel-all [bug 1414686]
Is there any patch available already? The NagVis fork seems to just rip out
the functionality rather than really fixing the issue...
(In reply to Robert Scheck from comment #2)
> Is there any patch available already? The NagVis fork seems to just rip out
> the functionality rather than really fixing the issue...
There is no upstream patch available yet as far as I was able to find out.
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.
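One way to avoid the eval() call described in the report while keeping plural support, shown as an added example that is not code from php-gettext, NagVis or this bug: the plural expression is tokenized against an allow-list and evaluated by a small parser. The names `PF_PREC`, `pf_parse` and `plural_index`, the operator set, the 512-byte and 9-digit limits, and PHP 8 syntax are assumptions of this example.

```php
<?php
// Added example, not php-gettext code: parse the plural expression instead of eval()ing it.
const PF_PREC = ['?' => 0, '||' => 1, '&&' => 2, '==' => 3, '!=' => 3, '<' => 4, '>' => 4,
    '<=' => 4, '>=' => 4, '+' => 5, '-' => 5, '*' => 6, '/' => 6, '%' => 6];

function pf_parse(array $t, int &$i, int $n, int $min = 0): int
{
    $tok = $t[$i++] ?? '';
    if ($tok === '!') {
        $l = (int) !pf_parse($t, $i, $n, 7);   // binds tighter than any binary operator
    } elseif ($tok === '(') {
        $l = pf_parse($t, $i, $n);
        if (($t[$i++] ?? '') !== ')') throw new InvalidArgumentException("expected ')'");
    } elseif ($tok === 'n' || ctype_digit($tok)) {
        $l = $tok === 'n' ? $n : (int) $tok;
    } else {
        throw new InvalidArgumentException("unexpected token '$tok'");
    }
    while (($p = PF_PREC[$t[$i] ?? ''] ?? -1) >= $min) {
        $op = $t[$i++];
        if ($op === '?') {                     // right-associative ternary
            $a = pf_parse($t, $i, $n);
            if (($t[$i++] ?? '') !== ':') throw new InvalidArgumentException("expected ':'");
            $b = pf_parse($t, $i, $n);
            $l = $l ? $a : $b;
            continue;
        }
        $r = pf_parse($t, $i, $n, $p + 1);
        $l = (int) match ($op) {
            '||' => $l || $r, '&&' => $l && $r, '==' => $l == $r, '!=' => $l != $r,
            '<' => $l < $r, '>' => $l > $r, '<=' => $l <= $r, '>=' => $l >= $r,
            '+' => $l + $r, '-' => $l - $r, '*' => $l * $r,
            // Both ternary branches are computed, so a zero divisor yields 0.
            '/' => $r ? intdiv($l, $r) : 0, '%' => $r ? $l % $r : 0,
        };
    }
    return $l;
}
function plural_index(string $expr, int $n): int
{
    // Allow-list tokenizer: only n, short integers and the listed operators are tokens.
    preg_match_all('~\G\s*(\d{1,9}|n|\|\||&&|[=!<>]=|[-+*/%<>!?:()])\s*~', $expr, $m);
    if (strlen($expr) > 512 || implode('', $m[0]) !== $expr) {
        throw new InvalidArgumentException('disallowed input in plural expression');
    }
    $i = 0;
    $v = pf_parse($m[1], $i, $n);
    if ($i !== count($m[1])) throw new InvalidArgumentException('trailing tokens');
    return $v;
}
```

`plural_index()` takes only the expression after `plural=`; the caller still has to split the header and clamp the result to the `nplurals` value from the same header.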