Tiny Tiny RSS: Community

Replace php-gettext?


php-gettext 1.0.12 is affected by CVE-2016-6175 (link to CVE database redacted).

Upstream development of php-gettext has stalled, so I suggest switching to motranslator instead, which has been developed by the phpmyadmin people as a replacement. (link to motranslator project redacted)

Thanks for considering,

– Sebastian

if this is a local exploit with specially crafted .po files, it sounds like a non-issue. all translation files go through weblate before getting merged into trunk, not sure if you can drag this exploit through that.

anyway, looks like there’s a patch here - https://github.com/NagVis/nagvis/commit/4fe8672a5aec3467da72b5852ca6d283c15adb53


modified .mo files

oh it’s that. i’m fairly certain that this is a non-issue then. i don’t accept binary translations directly via pull requests.

doesn’t mean that we shouldn’t patch this if possible, of course.

e2: unfortunately the above “patch” involves simply removing ngettext() entirely which is going too far, imo. we’re actually using plurals in translations.
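
The objection above (dropping ngettext() loses plurals) and the "modified .mo files" vector can be illustrated together. CVE-2016-6175 concerns php-gettext handing the Plural-Forms rule from the catalog header to eval(); the alternative to deleting ngettext() is to evaluate that rule with a parser that only accepts the small C-expression subset gettext defines. The following is an added example written for this thread, not code from tt-rss, php-gettext or motranslator. It assumes the .mo decoding has already happened: `header` is the msgstr of the empty msgid as a string and `catalog` is a plain dict of msgid to plural forms; CATALOG, GOOD_HEADER and CRAFTED_HEADER are constructed sample data.

```python
"""Evaluate an untrusted gettext Plural-Forms rule without eval()."""
import operator
import re

# The C-expression subset gettext allows in Plural-Forms; nothing else tokenizes.
TOKEN_RE = re.compile(r"\s*(\d+|n|\|\||&&|==|!=|<=|>=|[<>%?:()])")
PLURAL_RE = re.compile(r"nplurals\s*=\s*(\d+)\s*;\s*plural\s*=\s*([^;]+)")

# Binary operators by precedence level, loosest first (C precedence).
LEVELS = [
    {"||": lambda a, b: int(bool(a) or bool(b))},
    {"&&": lambda a, b: int(bool(a) and bool(b))},
    {"==": operator.eq, "!=": operator.ne},
    {"<": operator.lt, ">": operator.gt, "<=": operator.le, ">=": operator.ge},
    {"%": operator.mod},
]


def tokenize(expr):
    """Split the rule into tokens; any character outside the grammar is refused."""
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        if not m:
            raise ValueError("illegal token in Plural-Forms at %d: %r" % (pos, expr[pos:pos + 8]))
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


class PluralExpr:
    """Recursive-descent parser yielding a callable n -> plural index."""

    def __init__(self, expr):
        self.toks, self.i = tokenize(expr), 0
        self.fn = self._ternary()
        if self.i != len(self.toks):
            raise ValueError("unexpected token %r" % self.toks[self.i])

    def __call__(self, n):
        return int(self.fn(n))

    def _peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def _expect(self, tok):
        if self._peek() != tok:
            raise ValueError("expected %r, got %r" % (tok, self._peek()))
        self.i += 1

    def _ternary(self):  # lowest precedence, right-associative as in C
        cond = self._binary(0)
        if self._peek() != "?":
            return cond
        self.i += 1
        yes = self._ternary()
        self._expect(":")
        no = self._ternary()
        return lambda n: yes(n) if cond(n) else no(n)

    def _binary(self, level):
        if level == len(LEVELS):
            return self._primary()
        left, ops = self._binary(level + 1), LEVELS[level]
        while self._peek() in ops:
            op = ops[self.toks[self.i]]
            self.i += 1
            right = self._binary(level + 1)
            left = (lambda l, r, o: lambda n: int(o(l(n), r(n))))(left, right, op)
        return left

    def _primary(self):
        tok = self._peek()
        self.i += 1
        if tok == "(":
            inner = self._ternary()
            self._expect(")")
            return inner
        if tok == "n":
            return lambda n: n
        if tok is not None and tok.isdigit():
            return lambda n, v=int(tok): v
        raise ValueError("unexpected token %r" % tok)


def load_plural_rule(header):
    """Return (nplurals, rule) from the catalog header, or gettext's default if absent."""
    for line in header.splitlines():
        if line.lower().startswith("plural-forms:"):
            m = PLURAL_RE.search(line)
            if not m:
                raise ValueError("malformed Plural-Forms header")
            return int(m.group(1)), PluralExpr(m.group(2))
    return 2, PluralExpr("n != 1")


def header_accepted(header):
    """True when the header's rule parses under the restricted grammar."""
    try:
        load_plural_rule(header)
        return True
    except ValueError:
        return False


def ngettext(catalog, header, singular, plural, n):
    """Plural lookup that keeps plurals working but never executes header contents."""
    nplurals, rule = load_plural_rule(header)
    forms = catalog.get(singular)
    idx = rule(n)
    if not forms or not 0 <= idx < min(nplurals, len(forms)):
        return singular if n == 1 else plural  # catalog inconsistent: fall back, never index blindly
    return forms[idx]


# Constructed sample data: a Czech catalog with its real three-form rule, and a crafted
# header whose "rule" is not arithmetic at all (the kind of input eval() would run).
CATALOG = {"%d apple": ["%d jablko", "%d jablka", "%d jablek"]}
GOOD_HEADER = "Plural-Forms: nplurals=3; plural=(n==1) ? 0 : (n>=2 && n<=4) ? 1 : 2;\n"
CRAFTED_HEADER = "Plural-Forms: nplurals=2; plural=n != 1 || system('id');\n"


def demo(header):
    return [ngettext(CATALOG, header, "%d apple", "%d apples", n) % n for n in (1, 3, 5)]
```

`demo(GOOD_HEADER)` yields the three Czech forms for 1, 3 and 5; `header_accepted(CRAFTED_HEADER)` is False because the tokenizer stops at the first character outside the grammar, so a tampered catalog degrades to a ValueError rather than code execution. A rule containing `n % 0` still raises ZeroDivisionError at lookup time; a caller should treat that the same way as a parse failure.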

I agree that the security impact is not very big. So no reason to go into panic mode and make rushed decisions :slight_smile:

The motranslator project that I referenced offers improved speed and is actively maintained, so future problems (e.g. becoming compatible with newer PHP releases) can be solved by simply updating the local copy. Also, it shouldn't be hard to replace php-gettext with that one, since it also offers a way to use it in gettext-compatibility style.

if it can be used as an (almost) drop-in replacement i'll be happy to replace php-gettext. i'll make a note to check this out when i have some time to kill.

looks like it depends on symfony which makes it a no-go. i’m not adding that to tt-rss.