[pkg-php-pear] Bug#851771: CVE-2016-6175 and 851771
Ola Lundqvist
ola at inguza.com
Sun Jan 22 21:47:32 UTC 2017
Hi Salvatore
I started checking the CVEs for php-gettext and I'm not sure I follow
the information for CVE-2016-6175.
Maybe you have more data than I do.
The vulnerability is that a malicious user that has permission to
craft .mo files in the target filesystem could execute any PHP code on
that system.
I find that a quite unlikely attack vector. Based on this I also think
the bug should have a different priority than grave.
Or have I missed anything crucial?
I'm asking as I plan to mark this one as no-dsa for wheezy.
Best regards
// Ola
PS. There is another bug on the same package and that one should
probably have a grave bug filed, but that is another story.
DS.
--
--- Inguza Technology AB --- MSc in Information Technology ----
/ ola at inguza.com Folkebogatan 26 \
| opal at debian.org 654 68 KARLSTAD |
| http://inguza.com/ Mobile: +46 (0)70-332 1551 |
\ gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9 /
---------------------------------------------------------------