Replace php-gettext?

Hi,

php-gettext 1.0.12 is affected by CVE-2016-6175 (link to CVE database redacted).

Upstream development of php-gettext has stalled, so I suggest switching to motranslator instead, which has been developed by the phpmyadmin people as a replacement. (link to motranslator project redacted)

Thanks for considering,

– Sebastian

if this is a local exploit with specially crafted .po files, it sounds like a non-issue. all translation files go through weblate before getting merged into trunk, not sure if you can drag this exploit through that.

anyway, looks like there’s a patch here - Clarified change log on php-gettext 1.0.12 update · NagVis/nagvis@4fe8672 · GitHub

e:

modified .mo files

oh it’s that. i’m fairly certain that this is a non-issue then. i don’t accept binary translations directly via pull requests.

doesn’t mean that we shouldn’t patch this if possible, of course.

e2: unfortunately the above “patch” involves simply removing ngettext() entirely, which is going too far, imo. we’re actually using plurals in translations.

I agree that the security impact is not very big. So no reason to go into panic mode and make rushed decisions :slight_smile:

The motranslator project that I referenced offers improved speed and is actively maintained, so future problems (e.g. becoming compatible with newer PHP releases) can be solved by simply updating the local copy. Also it shouldn’t be hard to replace php-gettext with it, since it also offers a way to use it in a gettext-compatible style.

if it can be used as an (almost) drop in replacement i’ll be happy to replace php-gettext. i’ll make a note to check this out when i have some time to kill.

looks like it depends on symfony which makes it a no-go. i’m not adding that to tt-rss.

this should be fixed now thanks to Sunil Mohan Adapa who made a proper patch for php-gettext which removes the usage of eval:

it’s strange how he mentions tt-rss but never contacted me directly with this patch, which i would’ve happily merged months ago. ¯\_(ツ)_/¯
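An added illustration of the kind of fix being discussed (my own example code, not php-gettext, motranslator, or the patch referenced above): the eval() pattern that lets a crafted .mo file run PHP inside the application, next to a small evaluator that accepts only the arithmetic a Plural-Forms header can legitimately contain. It assumes the header has the shape `nplurals=N; plural=EXPR;` with EXPR a C-style integer expression over `n`; the class and function names and both sample headers are mine, constructed for the example.

```php
<?php
// Added example, not code from php-gettext, motranslator or the patch in this
// thread. Contrasts eval() on catalogue text with a restricted evaluator.
// Assumption: the header looks like "nplurals=N; plural=EXPR;" where EXPR uses
// only n, integers, ( ), !, * / %, + -, < > <= >=, == !=, &&, || and ?: .
// All names below (plural_index_eval, PluralForms) are my own.

// --- the pattern under discussion: text read from the .mo file hits eval() ---
function plural_index_eval(string $header, int $n): int
{
    if (!preg_match('/plural\s*=\s*([^;]+)/', $header, $m)) {
        return 0;
    }
    $expr = preg_replace('/\bn\b/', '$n', $m[1]);
    // Whoever ships the translation file chooses $expr, so this is arbitrary
    // PHP execution inside the application that loads the catalogue.
    return (int) eval("return ($expr);");
}

// --- restricted alternative: tokenize, parse, evaluate; nothing is eval'd ---
final class PluralForms
{
    private const MAX_TOKENS = 256;   // bounds recursion depth from a hostile header
    private const TOKEN = '/\d+|n|<=|>=|==|!=|&&|\|\||[+\-*\/%<>!?():]/';
    // binary operator levels, lowest precedence first (same order as C)
    private const LEVELS = [['||'], ['&&'], ['==', '!='], ['<', '>', '<=', '>='], ['+', '-'], ['*', '/', '%']];

    public int $nplurals;
    private array $tokens;
    private int $pos = 0;
    private Closure $fn;

    public static function fromHeader(string $header): self
    {
        if (!preg_match('/nplurals\s*=\s*(\d+)\s*;\s*plural\s*=\s*([^;]+)/', $header, $m)) {
            throw new InvalidArgumentException('malformed Plural-Forms header');
        }
        return new self((int) $m[1], $m[2]);
    }

    public function __construct(int $nplurals, string $expr)
    {
        $this->nplurals = max(1, $nplurals);
        $stripped = preg_replace('/\s+/', '', $expr);
        preg_match_all(self::TOKEN, $stripped, $m);
        // Any byte that is not a known token (letters, quotes, '$', '=', ...) leaves a gap here
        if (implode('', $m[0]) !== $stripped || count($m[0]) > self::MAX_TOKENS) {
            throw new InvalidArgumentException('unexpected character or oversized plural expression');
        }
        $this->tokens = $m[0];
        $this->fn = $this->parseTernary();
        if ($this->pos !== count($this->tokens)) {
            throw new InvalidArgumentException('trailing tokens in plural expression');
        }
    }

    /** Index into msgstr[] for count $n, clamped so a broken rule cannot index out of range. */
    public function index(int $n): int
    {
        $i = ($this->fn)($n);
        return ($i >= 0 && $i < $this->nplurals) ? $i : 0;
    }

    private function peek(): ?string { return $this->tokens[$this->pos] ?? null; }
    private function next(): ?string { return $this->tokens[$this->pos++] ?? null; }
    private function expect(string $t): void
    {
        if ($this->next() !== $t) {
            throw new InvalidArgumentException("expected '$t' in plural expression");
        }
    }

    private function parseTernary(): Closure   // right-associative, like C
    {
        $cond = $this->parseLevel(0);
        if ($this->peek() !== '?') {
            return $cond;
        }
        $this->next();
        $then = $this->parseTernary();
        $this->expect(':');
        $else = $this->parseTernary();
        return fn(int $n): int => $cond($n) ? $then($n) : $else($n);
    }

    private function parseLevel(int $level): Closure
    {
        if ($level === count(self::LEVELS)) {
            return $this->parseUnary();
        }
        $left = $this->parseLevel($level + 1);
        while (in_array($this->peek(), self::LEVELS[$level], true)) {
            $op = $this->next();
            $right = $this->parseLevel($level + 1);
            $l = $left;
            $left = fn(int $n): int => self::apply($op, $l($n), $right($n));
        }
        return $left;
    }

    private function parseUnary(): Closure
    {
        if ($this->peek() === '!') {
            $this->next();
            $inner = $this->parseUnary();
            return fn(int $n): int => (int) !$inner($n);
        }
        return $this->parsePrimary();
    }

    private function parsePrimary(): Closure
    {
        $t = $this->next();
        if ($t === 'n') {
            return fn(int $n): int => $n;
        }
        if ($t !== null && preg_match('/^\d+$/', $t)) {
            $v = (int) $t;
            return fn(int $n): int => $v;
        }
        if ($t === '(') {
            $inner = $this->parseTernary();
            $this->expect(')');
            return $inner;
        }
        throw new InvalidArgumentException('unexpected token in plural expression: ' . var_export($t, true));
    }

    private static function apply(string $op, int $a, int $b): int
    {
        switch ($op) {
            case '||': return (int) ($a || $b);
            case '&&': return (int) ($a && $b);
            case '==': return (int) ($a === $b);
            case '!=': return (int) ($a !== $b);
            case '<':  return (int) ($a < $b);
            case '>':  return (int) ($a > $b);
            case '<=': return (int) ($a <= $b);
            case '>=': return (int) ($a >= $b);
            case '+':  return $a + $b;
            case '-':  return $a - $b;
            case '*':  return $a * $b;
            case '/':  return $b === 0 ? 0 : intdiv($a, $b);   // a crafted "n/0" must not fatal
            case '%':  return $b === 0 ? 0 : $a % $b;
        }
        throw new LogicException("unknown operator $op");
    }
}

// Constructed sample header (shaped like the usual three-form Slavic rule; not from a real catalogue)
$header = 'nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);';
$pf = PluralForms::fromHeader($header);
foreach ([1, 2, 5, 11, 21, 22, 25] as $n) {
    echo "$n -> " . $pf->index($n) . "\n";
}

// Constructed hostile header: eval() would execute the call, the parser refuses it
$hostile = 'nplurals=2; plural=system("id") ? 1 : 0;';
try {
    PluralForms::fromHeader($hostile);
} catch (InvalidArgumentException $e) {
    echo "rejected: " . $e->getMessage() . "\n";
}
```

The important property is that the tokenizer reconstructs the whitespace-stripped expression from the tokens it recognised and rejects the header if anything is left over, so letters, quotes, `$`, `=` and other bytes a PHP payload needs never reach the parser, and the parser itself only ever produces integer arithmetic. The token limit and the division-by-zero guard are there because a translation file is untrusted input even when it cannot execute code: a header can still be shaped to exhaust the stack or trip a fatal error.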

Probably, because Debian package of tt-rss uses system php-gettext library.