[pkg-php-pear] Bug#851771: CVE-2016-6175 and 851771
Ivo De Decker
ivodd at debian.org
Tue Mar 12 21:20:02 GMT 2019
control: tags -1 buster-ignore
Hi,
On Sun, Jan 22, 2017 at 10:47:32PM +0100, Ola Lundqvist wrote:
> I started checking the CVEs for php-gettext and I'm not sure I follow
> the information for CVE-2016-6175.
> Maybe you have more data than I do.
>
> The vulnerability is that a malicous user that have permission to
> craft .mo files in the target filesystem could execute any php code on
> that system.
> I find that a quite unlikely attack vector. Based on this I also think
> the bug should have a different priority than grave.
>
> Or have I missed anything crucial?
After a brief discussion on irc, and input from the security team, I'm marking
this buster-ignore, on the understanding that php-gettext won't be in bullseye.
"< jmm_> I'm fine with buster-ignoring it, but it should go away after buster"
Thanks,
Ivo
More information about the pkg-php-pear
mailing list