Description of problem:
As of writing, the dl package depends on php-php-gettext, which can be considered dead or unmaintained software for 8+ years, because at least CVE-2016-6175 was never fixed upstream (see bug #1414684 for details) and no real bugfix exists in general. I am the package maintainer of php-php-gettext in Fedora and I would like to get rid of this package due to the issue described above.

From my point of view it should be possible to switch from php-php-gettext to php-gettext (from php-common), because php-php-gettext is supposed to be a drop-in replacement for php-gettext. At the same time, dl is the only remaining package in Fedora depending on php-php-gettext.

Given you are the package maintainer of dl, I wonder if you could test whether my simple approach works properly:

--- 8< ---
find . -name '*.php' -exec sed \
  -e 's/T_(/_(/g' \
  -e 's/T_\(bindtextdomain\|setlocale\|textdomain\)(/\1(/g' \
  -e '/require_once("gettext\/gettext\.inc");/d' -i {} \;
--- 8< ---

If it works, this command could even be included in the %prep or %build section of the spec file.

Version-Release number of selected component (if applicable):
dl-0.17.1-18.fc40
php-php-gettext-1.0.12-17.fc40

Actual results:
dl depends on php-php-gettext

Expected results:
dl depends on php-gettext (from php-common)
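The rewrite proposed above, generalised to every T_<name>( wrapper rather than a fixed list, followed by a check that lists whatever a sed pass cannot rewrite, as an added shell example. This is not code from the bug report or from the dl package. It assumes that every php-php-gettext wrapper is named T_ followed by the native function name (with the bare T_( alias mapping to _( ), that the include line to drop names a file ending in gettext.inc, and that the sample PHP file is constructed for the demo; the paths are hypothetical:

```shell
#!/bin/sh
# Added example (not from the bug report or from dl): rewrite a PHP tree from
# the php-php-gettext T_* wrappers to the native gettext extension, then
# report what the rewrite could not handle so it can be fixed by hand.
#
# Assumptions (not stated on the page): wrappers have the form T_<native>( and
# bare T_( aliases _( ; the include to drop names a file ending in gettext.inc.
set -eu

# Rewrite every .php file below $1 in place.
unbundle_gettext() {
    dir=$1
    find "$dir" -name '*.php' -type f | while IFS= read -r f; do
        # ERE (-E) with \1/\2 back-references works in GNU and BSD sed; writing
        # through a temp file avoids the non-portable -i flag.
        sed -E \
            -e 's/(^|[^A-Za-z0-9_])T_\(/\1_(/g' \
            -e 's/(^|[^A-Za-z0-9_])T_([a-z_]+)\(/\1\2(/g' \
            -e '/require(_once)?[ (].*gettext\.inc/d' \
            "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    done
}

# Print remaining php-php-gettext references below $1 (T_* calls, string
# callbacks such as 'T_', leftover includes). Returns 0 if clean, 1 otherwise.
check_unbundled() {
    dir=$1
    pat="(^|[^A-Za-z0-9_])T_[a-z_]*(\(|['\"])|gettext\.inc"
    leftovers=$(grep -REn --include='*.php' -e "$pat" "$dir" || true)
    if [ -n "$leftovers" ]; then
        printf '%s\n' "$leftovers"
        return 1
    fi
    return 0
}

# Demo on a constructed sample file modelled on the call sites the bug
# discusses (not taken from dl). The last line is deliberately one sed
# cannot rewrite: a function name passed as a string.
demo() {
    work=$(mktemp -d)
    cat > "$work/sample.php" <<'EOF'
<?php
require_once("gettext/gettext.inc");
T_setlocale(LC_MESSAGES, 'de_DE');
T_bindtextdomain('dl', './locale');
T_bind_textdomain_codeset('dl', 'UTF-8');
T_textdomain('dl');
echo T_("Hello");
echo T_ngettext("one file", "%d files", $n);
$labels = array_map('T_', $raw_labels);  // string callback, left for manual edit
EOF
    unbundle_gettext "$work"
    cat "$work/sample.php"
    if check_unbundled "$work"; then
        echo "clean: no php-php-gettext references remain"
    else
        echo "manual follow-up needed for the lines listed above"
    fi
    rm -rf "$work"
}

demo
```

Running unbundle_gettext over a checkout and then check_unbundled is the practical gate: the sed pass covers every T_<name>( call site, including T_bind_textdomain_codeset, but a wrapper referenced by name in a string (callbacks, function_exists checks) survives it, and the check prints exactly those lines so nothing silently keeps calling into the bundled library.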
Greg, may I kindly ask you to respond here?
Looks like the version needs to be updated anyway as the current one doesn't work with later PHP versions. I'll try your suggestion to use php-common or just remove the unbundling logic if this is the only package using php-php-gettext.
FEDORA-2024-ca01a6d8b0 (dl-0.19-1.fc40) has been submitted as an update to Fedora 40. https://bodhi.fedoraproject.org/updates/FEDORA-2024-ca01a6d8b0
Is there a specific reason why you decided to bundle the (security-wise vulnerable) php-php-gettext drop-in replacement instead of using the native php-gettext (which is even faster)?
(In reply to Robert Scheck from comment #4)
> Is there a specific reason why you decided to bundle the (security-wise
> vulnerable) php-php-gettext drop-in replacement instead of using the native
> php-gettext (which is even faster)?

There are a few (and I should preface with the disclaimer that I'm not a PHP programmer):

1. I needed to upgrade from dl 0.17.1 to a newer version (0.19) because 0.17.1 won't run on recent PHP versions, and I didn't want to change multiple things at once.
2. The provided sed script didn't seem to catch all the substitutions that were required (I modified the paths to account for DL 0.19 locations), but things like "T_bind_textdomain_codeset" were still present (and perhaps others?).
3. Even when I hand-edited the .php files to fix the T_bind_textdomain_codeset reference, the admin page did not render the various locales correctly; when I reverted to my 0.19-1 update, it worked as expected.

Are you suggesting that this should be reported as a security issue to the upstream repo?
FEDORA-2024-ca01a6d8b0 has been pushed to the Fedora 40 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-ca01a6d8b0` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-ca01a6d8b0 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2024-ca01a6d8b0 (dl-0.19-1.fc40) has been pushed to the Fedora 40 stable repository. If problem still persists, please make note of it in this bug report.