[pkg-php-pear] Bug#851771: php-gettext: CVE-2016-6175

Sunil Mohan Adapa sunil at medhas.org
Thu Jun 18 01:29:57 BST 2020


tag 851771 + patch
thanks

Hello,

TT-RSS is an important application for FreedomBox and it continues to
use php-gettext library. TT-RSS is currently not available for testing.
It would be nice to have it back.

To address this, I have implemented a parser for the plural expressions
instead of using the eval() method, as discussed in the upstream bug as
the solution. This patch is under the same license as php-gettext (GPLv2 or
higher).

- A simple operator-precedence parser that prioritizes simplicity and
readability. Avoids using eval() for evaluating plural expressions.
  - Fixes CVE-2016-6175.
  - Fixes upstream bug https://bugs.launchpad.net/php-gettext/+bug/1606184
  - Fixes Debian bug https://bugs.debian.org/851771

- Grammar for parsing code is the same as the grammar for the GNU gettext
library:
http://git.savannah.gnu.org/cgit/gettext.git/tree/gettext-runtime/intl/plural.y

- Extensive tests for various locales with help from Unicode's plural
rules. Tests for invalid syntax and expression parsing.

This patch has been submitted upstream at
https://bugs.launchpad.net/php-gettext/+bug/1606184. Please consider
applying the patch in Debian if the upstream doesn't do so shortly.

Thanks,

-- 
Sunil
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 2-0001-Iterate-user-table-in-a-sorted-way-fix-tests-with-la.patch
Type: text/x-patch
Size: 4658 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-php-pear/attachments/20200617/b049d4ef/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 1-0001-Iterate-user-table-in-a-sorted-way-fix-tests-with-la.patch
Type: text/x-patch
Size: 3348 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-php-pear/attachments/20200617/b049d4ef/attachment-0003.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://alioth-lists.debian.net/pipermail/pkg-php-pear/attachments/20200617/b049d4ef/attachment-0001.sig>
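The eval()-free approach the message describes, as an added example written in Python rather than the PHP of the actual patch (this is not code from the patch or from php-gettext): a recursive-descent parser over the gettext plural.y grammar that turns the `plural=` expression of a Plural-Forms header into a callable, rejecting anything outside the grammar. It assumes, as gettext does, that n is a non-negative integer.

```python
import re

# Added example (not code from the php-gettext patch): a recursive-descent parser for the
# gettext Plural-Forms grammar (plural.y) that compiles the expression into closures, so a
# hostile "plural=" header in a .mo file is never handed to eval().
_TOKEN = re.compile(r"\s*(\d+|n|\|\||&&|==|!=|<=|>=|[<>+\-*/%!?:()])")
_LEVELS = [("||",), ("&&",), ("==", "!="), ("<", ">", "<=", ">="), ("+", "-"), ("*", "/", "%")]
_OPS = {  # binary operators receive the operand closures so || and && can short-circuit as in C
    "||": lambda l, r, n: int(bool(l(n)) or bool(r(n))), "&&": lambda l, r, n: int(bool(l(n)) and bool(r(n))),
    "==": lambda l, r, n: int(l(n) == r(n)), "!=": lambda l, r, n: int(l(n) != r(n)),
    "<": lambda l, r, n: int(l(n) < r(n)), ">": lambda l, r, n: int(l(n) > r(n)),
    "<=": lambda l, r, n: int(l(n) <= r(n)), ">=": lambda l, r, n: int(l(n) >= r(n)),
    "+": lambda l, r, n: l(n) + r(n), "-": lambda l, r, n: l(n) - r(n), "*": lambda l, r, n: l(n) * r(n),
    "/": lambda l, r, n: l(n) // r(n), "%": lambda l, r, n: l(n) % r(n)}  # n >= 0, so // and % match C

class _Parser:
    def __init__(self, expr):
        self.toks, self.i = _TOKEN.findall(expr), 0
        if "".join(self.toks) != re.sub(r"\s+", "", expr):  # anything findall skipped is not in the grammar
            raise ValueError("invalid plural expression: %r" % expr)
    def peek(self): return self.toks[self.i] if self.i < len(self.toks) else None
    def take(self, want=None):
        tok = self.peek(); self.i += 1
        if tok is None or (want and tok != want): raise ValueError("expected %r, got %r" % (want, tok))
        return tok
    def ternary(self):  # lowest precedence, right-associative; only the chosen branch is evaluated
        cond = self.binary(0)
        if self.peek() != "?": return cond
        self.take("?"); a = self.ternary(); self.take(":"); b = self.ternary()
        return lambda n: a(n) if cond(n) else b(n)
    def binary(self, level):  # one left-associative precedence level of _LEVELS per recursion step
        if level == len(_LEVELS): return self.unary()
        node = self.binary(level + 1)
        while self.peek() in _LEVELS[level]:
            op, lhs, rhs = _OPS[self.take()], node, self.binary(level + 1)
            node = lambda n, op=op, lhs=lhs, rhs=rhs: op(lhs, rhs, n)
        return node
    def unary(self):
        tok = self.take()
        if tok == "!": inner = self.unary(); return lambda n: int(not inner(n))
        if tok == "(": inner = self.ternary(); self.take(")"); return inner
        if tok == "n": return lambda n: n
        if tok.isdigit(): return lambda n, v=int(tok): v
        raise ValueError("unexpected token %r" % tok)

def compile_plural(expr):
    """Return a function n -> plural index for the 'plural=' value of a Plural-Forms header."""
    p = _Parser(expr); fn = p.ternary()
    if p.peek() is not None: raise ValueError("trailing input: %r" % p.peek())
    return fn
```

A caller should catch ValueError (malformed header) and ZeroDivisionError (a division by zero that the grammar permits) and fall back to a default of one plural form.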