php-gettext 1.0.12 is affected by CVE-2016-6175 (link to CVE database redacted).
Upstream development of php-gettext has stalled, so I suggest switching to motranslator instead, which has been developed by phpmyadmin people as a replacement. (link to motranslator project redacted)
if this is a local exploit with specially crafted .po files, it sounds like a non-issue. all translation files go through weblate before getting merged into trunk, not sure if you can drag this exploit through that.
oh it’s that. i’m fairly certain that this is a non-issue then. i don’t accept binary translations directly via pull requests.
doesn’t mean that we shouldn’t patch this if possible, of course.
e2: unfortunately the above “patch” involves simply removing ngettext() entirely which is going too far, imo. we’re actually using plurals in translations.
I agree that the security impact is not very big. So no reason to go into panic mode and make rushed decisions.
The motranslator project that I referenced offers improved speed and is actively maintained, so future problems (e.g. becoming compatible with newer PHP releases) can be solved by simply updating the local copy. Also it shouldn’t be hard to replace php-gettext with that one, since it also offers a way to use it in gettext compatibility style.
if it can be used as an (almost) drop in replacement i’ll be happy to replace php-gettext. i’ll make a note to check this out when i have some time to kill.