[pkg-php-pear] Bug#851771: CVE-2016-6175 and 851771

Ivo De Decker ivodd at debian.org
Tue Mar 12 21:20:02 GMT 2019

control: tags -1 buster-ignore


On Sun, Jan 22, 2017 at 10:47:32PM +0100, Ola Lundqvist wrote:
> I started checking the CVEs for php-gettext and I'm not sure I follow
> the information for CVE-2016-6175.
> Maybe you have more data than I do.
> The vulnerability is that a malicous user that have permission to
> craft .mo files in the target filesystem could execute any php code on
> that system.
> I find that a quite unlikely attack vector. Based on this I also think
> the bug should have a different priority than grave.
> Or have I missed anything crucial?

After a brief discussion on irc, and input from the security team, I'm marking
this buster-ignore, on the understanding that php-gettext won't be in bullseye.

"< jmm_> I'm fine with buster-ignoring it, but it should go away after buster"



More information about the pkg-php-pear mailing list