Bug 2277542 - Please try to switch from php-php-gettext to php-gettext (from php-common)
Summary: Please try to switch from php-php-gettext to php-gettext (from php-common)
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: dl
Version: rawhide
Hardware: All
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Greg Bailey
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2024-04-27 20:46 UTC by Robert Scheck
Modified: 2024-05-22 01:26 UTC

Fixed In Version: dl-0.19-1.fc40
Clone Of:
Environment:
Last Closed: 2024-05-22 01:26:49 UTC
Type: Bug
Embargoed:



Description Robert Scheck 2024-04-27 20:46:04 UTC
Description of problem:
As of writing, the dl package depends on php-php-gettext, which can be considered dead or unmaintained software for 8+ years, because at least CVE-2016-6175 never got fixed upstream (see bug #1414684 for details) and there is also no real bugfix in general.

I am the package maintainer of php-php-gettext in Fedora and I would like to get rid of this package due to the issue described above. From my point of view it should be possible to switch from php-php-gettext to php-gettext (from php-common), because php-php-gettext is supposed to be a drop-in replacement for php-gettext. At the same time, dl is the only remaining package in Fedora depending on php-php-gettext.

Given that you are the package maintainer of dl, I wonder if you could test whether my simple approach works properly:

--- 8< ---
find . -name '*.php' -exec sed \
  -e 's/T_(/_(/g' \
  -e 's/T_\(bindtextdomain\|setlocale\|textdomain\)(/\1(/g' \
  -e '/require_once("gettext\/gettext\.inc");/d' -i {} \;
--- 8< ---

If it works, this command could even be included in the %prep or %build section of the spec file.

Version-Release number of selected component (if applicable):
dl-0.17.1-18.fc40
php-php-gettext-1.0.12-17.fc40

Actual results:
dl depends on php-php-gettext

Expected results:
dl depends on php-gettext (from php-common)

Comment 1 Robert Scheck 2024-05-11 18:59:23 UTC
Greg, may I kindly ask you to respond here?

Comment 2 Greg Bailey 2024-05-12 13:05:43 UTC
Looks like the version needs to be updated anyway, as the current one doesn't work with later PHP versions. I'll try your suggestion to use php-common, or just remove the unbundling logic if this is the only package using php-php-gettext.

Comment 3 Fedora Update System 2024-05-13 22:19:48 UTC
FEDORA-2024-ca01a6d8b0 (dl-0.19-1.fc40) has been submitted as an update to Fedora 40.
https://bodhi.fedoraproject.org/updates/FEDORA-2024-ca01a6d8b0

Comment 4 Robert Scheck 2024-05-13 22:44:39 UTC
Is there a specific reason why you decided to bundle the (security-wise vulnerable) php-php-gettext drop-in replacement instead of using the native php-gettext (which is even faster)?

Comment 5 Greg Bailey 2024-05-14 00:03:26 UTC
(In reply to Robert Scheck from comment #4)
> Is there a specific reason why you decided to bundle the (security-wise
> vulnerable) php-php-gettext drop-in replacement instead of using the native
> php-gettext (which is even faster)?

There are a few (and I should preface with the disclaimer that I'm not a PHP programmer):

1. I needed to upgrade from dl 0.17.1 to a newer version (0.19) because 0.17.1 won't run on recent PHP versions, and I didn't want to change multiple things at once.
2. The provided sed script didn't seem to catch all the substitutions that were required (I modified the paths to account for DL 0.19 locations), but things like "T_bind_textdomain_codeset" were still present (and perhaps others?).
3. Even when I hand-edited the .php files to fix the T_bind_textdomain_codeset reference, the admin page did not render the various locales correctly; when I reverted to my 0.19-1 update, it worked as expected.

Are you suggesting that this should be reported as a security issue to the upstream repo?

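Added example (not from the bug report, the dl project or php-php-gettext): a shell version of the rewrite proposed in the description, extended to cover every T_* wrapper that has a native counterpart (including T_bind_textdomain_codeset, which comment 5 found the original script missed), to refuse files that use the context-aware wrappers such as T_pgettext for which PHP's gettext extension has no equivalent, and to verify afterwards that no T_ wrapper call is left. It assumes GNU sed and grep (\b and -E are GNU extensions) and the wrapper names of php-php-gettext's gettext.inc (the NO_NATIVE list is an assumption to adjust to the code base); the PHP files it rewrites are constructed for the example.

```shell
#!/bin/bash
# Added example, not code from the bug report or from the dl project.
# Generalises the sed rewrite from the description: every T_* wrapper with a
# native counterpart is renamed, files using wrappers without one are refused,
# and a post-rewrite check counts leftover T_ calls.
# Assumptions: GNU sed/grep (\b, -E, -i) and the T_* names of gettext.inc.

set -u

# Wrappers that map 1:1 to PHP's gettext extension (setlocale is in core).
NATIVE_OK='gettext|ngettext|dgettext|dngettext|dcgettext|dcngettext|setlocale|textdomain|bindtextdomain|bind_textdomain_codeset'
# Context-aware wrappers: PHP's gettext extension has no pgettext/npgettext,
# so these cannot be rewritten mechanically (list assumed from gettext.inc).
NO_NATIVE='pgettext|npgettext|dpgettext|dnpgettext|dcpgettext|dcnpgettext'

# Print the offending lines and return 1 if FILE uses a wrapper with no native counterpart.
check_unmappable() {
    if grep -nE "\bT_($NO_NATIVE)\(" "$1"; then
        echo "$1: uses wrappers with no native equivalent, not rewriting" >&2
        return 1
    fi
    return 0
}

# Rewrite FILE in place: T_foo( -> foo(, T_( -> _(, and drop the gettext.inc include.
migrate_file() {
    check_unmappable "$1" || return 1
    sed -E -i \
        -e "s/\bT_($NATIVE_OK)\(/\1(/g" \
        -e 's/\bT_\(/_(/g' \
        -e '/require_once.*gettext\/gettext\.inc/d' \
        "$1"
}

# Print how many lines of FILE still call any T_* wrapper (0 means the rewrite is complete).
leftover_wrappers() {
    grep -cE '\bT_[A-Za-z_]*\(' "$1" || true
}

# Constructed sample covering the call shapes the rewrite has to handle.
WORK=$(mktemp -d)
SAMPLE="$WORK/admin.php"
cat > "$SAMPLE" <<'EOF'
<?php
require_once("gettext/gettext.inc");
T_setlocale(LC_MESSAGES, $lang);
T_bindtextdomain("dl", "./locale");
T_bind_textdomain_codeset("dl", "UTF-8");
T_textdomain("dl");
echo T_("Upload");
echo T_ngettext("%d file", "%d files", $n);
EOF

# Second constructed file: T_pgettext has no native counterpart, so it must be refused.
BAD="$WORK/ctx.php"
printf '<?php\necho T_pgettext("menu", "File");\n' > "$BAD"

migrate_file "$SAMPLE" && echo "$SAMPLE: $(leftover_wrappers "$SAMPLE") T_ wrapper lines left"
migrate_file "$BAD" || echo "$BAD: left untouched"
```

Running check_unmappable before the sed pass matters because a T_pgettext( that survives the rewrite only fails at run time, as an undefined function on whatever page reaches it once gettext.inc is no longer included; the leftover count is the check to run in %prep before committing to the switch.
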
Comment 6 Fedora Update System 2024-05-14 03:16:39 UTC
FEDORA-2024-ca01a6d8b0 has been pushed to the Fedora 40 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-ca01a6d8b0`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-ca01a6d8b0

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 7 Fedora Update System 2024-05-22 01:26:49 UTC
FEDORA-2024-ca01a6d8b0 (dl-0.19-1.fc40) has been pushed to the Fedora 40 stable repository.
If the problem still persists, please make note of it in this bug report.

