sre
1
Hi,
php-gettext 1.0.12 is affected by CVE-2016-6175 (link to CVE database redacted).
Upstream development of php-gettext has stalled, so I suggest switching to motranslator instead, which has been developed by the phpMyAdmin people as a replacement. (link to motranslator project redacted)
Thanks for considering,
– Sebastian
fox
2
if this is a local exploit with specially crafted .po files, it sounds like a non-issue. all translation files go through Weblate before getting merged into trunk; not sure if you can drag this exploit through that.
anyway, looks like there’s a patch here - Clarified change log on php-gettext 1.0.12 update · NagVis/nagvis@4fe8672 · GitHub
e:
modified .mo files
oh it’s that. i’m fairly certain that this is a non-issue then. i don’t accept binary translations directly via pull requests.
doesn’t mean that we shouldn’t patch this if possible, of course.
e2: unfortunately the above “patch” involves simply removing ngettext() entirely, which is going too far, imo. we’re actually using plurals in translations.
sre
3
I agree that the security impact is not very big. So there is no reason to go into panic mode and make rushed decisions.
The motranslator project that I referenced offers improved speed and is actively maintained, so future problems (e.g. becoming compatible with newer PHP releases) can be solved by simply updating the local copy. Also, it shouldn’t be hard to replace php-gettext with that one, since it also offers a way to use it in gettext-compatibility style.
fox
4
if it can be used as an (almost) drop-in replacement i’ll be happy to replace php-gettext. i’ll make a note to check this out when i have some time to kill.
fox
5
looks like it depends on Symfony, which makes it a no-go. i’m not adding that to tt-rss.
fox
6
this should be fixed now thanks to Sunil Mohan Adapa, who made a proper patch for php-gettext that removes the usage of eval:
it’s strange how he mentions tt-rss but never contacted me directly with this patch, which i would’ve happily merged months ago. ¯\_(ツ)_/¯
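An added illustration of the point in the post above, written for this page rather than taken from php-gettext, the referenced patch or tt-rss: ngettext() has to turn a count into a plural index using the Plural-Forms rule stored in the .mo header, and the unsafe way to do that is to eval() the rule string, which is why a modified .mo file matters. The class below evaluates the same rules without eval() by parsing only the small C-like expression grammar gettext plural rules use. The class name, method names and sample headers are my own choices (the sample headers are constructed for the demo), and it assumes PHP 8.1 or newer.

```php
<?php
declare(strict_types=1);

// Added example (not php-gettext's code, not the patch discussed above; PHP 8.1+).
// ngettext() must evaluate the `plural` rule from the .mo header, for example
// "Plural-Forms: nplurals=2; plural=(n != 1);", for each count n. Passing that
// string to eval() gives PHP execution to whoever can modify the translation file;
// this class parses only the C-like subset gettext rules use and rejects the rest.
final class PluralForms {
    // Binary operators, lowest precedence first; ?: binds looser than all of them.
    private const LEVELS = [['||'], ['&&'], ['==', '!='], ['<=', '>=', '<', '>'], ['+', '-'], ['*', '/', '%']];
    public int $nplurals;
    private string $expr;
    private int $pos = 0;

    public static function fromHeader(string $header): self {
        // Real rules are well under 200 bytes; the length cap also bounds parser recursion.
        $re = '/nplurals\s*=\s*(\d+)\s*;\s*plural\s*=\s*([^;]{1,512});?/';
        if (!preg_match($re, $header, $m) || (int)$m[1] < 1) {
            throw new InvalidArgumentException('unparseable Plural-Forms header');
        }
        $pf = new self();
        $pf->nplurals = (int)$m[1];
        $pf->expr = $m[2];
        $pf->evaluate(0); // syntax-check once at load time, before any string is looked up
        return $pf;
    }
    /** Plural index (0 .. nplurals-1) for count $n; throws on a malformed rule. */
    public function evaluate(int $n): int {
        $this->pos = 0;
        $v = $this->ternary($n);
        $this->pos += strspn($this->expr, " \t\r\n", $this->pos);
        $this->pos === strlen($this->expr) || $this->fail('trailing characters');
        return max(0, min($this->nplurals - 1, $v)); // never index past the plural strings
    }
    // Both arms of ?: are evaluated (nothing has side effects), which avoids building an AST.
    private function ternary(int $n): int {
        $cond = $this->binary($n, 0);
        if ($this->accept('?') === null) return $cond;
        $a = $this->ternary($n);
        $this->accept(':') ?? $this->fail("expected ':'");
        $b = $this->ternary($n);
        return $cond !== 0 ? $a : $b;
    }
    private function binary(int $n, int $level): int {
        if ($level === count(self::LEVELS)) return $this->unary($n);
        $v = $this->binary($n, $level + 1);
        while (($op = $this->accept(...self::LEVELS[$level])) !== null) {
            $v = $this->apply($op, $v, $this->binary($n, $level + 1));
        }
        return $v;
    }
    private function apply(string $op, int $a, int $b): int {
        return match ($op) {
            '||' => (int)($a !== 0 || $b !== 0), '&&' => (int)($a !== 0 && $b !== 0),
            '==' => (int)($a === $b), '!=' => (int)($a !== $b), '<' => (int)($a < $b),
            '>' => (int)($a > $b), '<=' => (int)($a <= $b), '>=' => (int)($a >= $b),
            '+' => $a + $b, '-' => $a - $b, '*' => $a * $b,
            '/' => $b === 0 ? $this->fail('division by zero') : intdiv($a, $b),
            '%' => $b === 0 ? $this->fail('division by zero') : $a % $b,
        };
    }
    private function unary(int $n): int {
        if ($this->accept('!') !== null) return (int)($this->unary($n) === 0);
        if ($this->accept('(') !== null) {
            $v = $this->ternary($n);
            $this->accept(')') ?? $this->fail("expected ')'");
            return $v;
        }
        if ($this->accept('n') !== null) return $n;
        $len = strspn($this->expr, '0123456789', $this->pos);
        $len > 0 || $this->fail('unexpected input');
        $this->pos += $len;
        return (int)substr($this->expr, $this->pos - $len, $len);
    }
    /** Skip whitespace, then consume and return the first of $toks found at the cursor, or null. */
    private function accept(string ...$toks): ?string {
        $this->pos += strspn($this->expr, " \t\r\n", $this->pos);
        foreach ($toks as $tok) {
            if (substr($this->expr, $this->pos, strlen($tok)) === $tok) {
                $this->pos += strlen($tok);
                return $tok;
            }
        }
        return null;
    }
    private function fail(string $why): never {
        throw new InvalidArgumentException("$why at offset {$this->pos} in '{$this->expr}'");
    }
}

// Constructed sample rules in the shapes English and Russian use, evaluated for n = 0, 1, 2, 5, 11, 21, 22.
$rules = [
    'en' => 'nplurals=2; plural=(n != 1);',
    'ru' => 'nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);',
];
foreach ($rules as $lang => $header) {
    $pf = PluralForms::fromHeader($header);
    echo $lang, ': ', implode(' ', array_map(fn (int $n): int => $pf->evaluate($n), [0, 1, 2, 5, 11, 21, 22])), "\n";
}
try { // valid PHP, but not a plural rule: rejected at load time instead of executed
    PluralForms::fromHeader('nplurals=2; plural=phpinfo();');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Two caveats a practitioner would want: both arms of ?: are evaluated, so a rule that divides by zero in a branch that would never be taken is still rejected at load time (no real rule does that, and rejecting is the safe direction); and arithmetic that overflows a PHP int becomes a float, which the int return types turn into a TypeError under strict_types, so a caller should treat any Throwable from fromHeader() as "translation file unusable", not only InvalidArgumentException.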
virgo
7
Probably because the Debian package of tt-rss uses the system php-gettext library.