Bugzilla – Bug 1020489
VUL-0: CVE-2015-8980: php-gettext: Arbitrary code execution in select_string, ngettext and npgettext count parameter
Last modified: 2017-01-27 08:58:31 UTC
Ref: http://seclists.org/oss-sec/2017/q1/122

============================================
From [1]:

A code injection vulnerability was found in php-gettext. Evaluating the plural form formula in the ngettext family of calls can execute arbitrary code if the number is passed unsanitized from an untrusted user.

In Fedora this was addressed by updating to 1.0.12, cf. [2].

Original report is found in [3]:

CERT ID - VU#520504 (pending since 2015)
Product - php-gettext
Company - Danilo Segan
Name - php-gettext php code execution
Versions - <1.0.12
Patched - 11/11/2015
Ref: https://launchpad.net/php-gettext/trunk/1.0.12
Vulnerability - "code injection into the ngettext family of calls: evaluating the plural form formula can execute arbitrary code if number is passed unsanitized from the untrusted user."
Description - In 1.0.11 and lower the select_string function appears as the following:

    /**
     * Detects which plural form to take
     *
     * @access private
     * @param n count
     * @return int array index of the right plural form
     */
    function select_string($n) {
      $string = $this->get_plural_forms();
      $string = str_replace('nplurals',"\$total",$string);
      $string = str_replace("n",$n,$string);
      $string = str_replace('plural',"\$plural",$string);

      $total = 0;
      $plural = 0;

      eval("$string");
      if ($plural >= $total) $plural = $total - 1;
      return $plural;
    }

The vulnerability here lies in the fact that $string is evaluated as PHP code. If the plural form contains an 'n', and the $n parameter is exposed to a malicious user, PHP code can be added to the value of $string before it is evaluated. For websites, this means that a vulnerable application could allow an attacker to run PHP code on your site and potentially gain control of it.

The $n parameter in select_string can also be exposed through ngettext and npgettext as the $number parameter.

The new release 1.0.12 was made available shortly after notification in 2015 and resolves the issue by raising an exception during non-numeric input to these parameters.

[0] https://launchpad.net/php-gettext/
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1367462
[2] https://lwn.net/Alerts/708838/
[3] http://seclists.org/fulldisclosure/2016/Aug/76
============================================

https://software.opensuse.org/package/php5-gettext
https://software.opensuse.org/package/php7-gettext
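The hardening the report describes, written out as an added example (this is not php-gettext's own code; the function name and the sample "Plural-Forms:" header are constructed): the count is validated as an integer before it is spliced into the expression, so non-numeric input raises an exception instead of ever reaching eval().

```php
<?php
// Added example, not php-gettext's own code. The function name and the
// sample Plural-Forms header below are constructed for illustration.

function select_string_checked(string $plural_forms, $n): int
{
    // Refuse anything that is not an integer or a string of digits
    // before it is spliced into code; this is the point of the 1.0.12 fix.
    if (!is_int($n) && !(is_string($n) && preg_match('/^[0-9]+$/', $n))) {
        throw new InvalidArgumentException('count must be a non-negative integer');
    }
    $n = (int) $n;

    // Same substitution order as the vulnerable function: "nplurals" first
    // (so its leading "n" is already gone), then the bare "n", then "plural".
    $string = str_replace('nplurals', '$total', $plural_forms);
    $string = str_replace('n', (string) $n, $string);
    $string = str_replace('plural', '$plural', $string);

    $total = 0;
    $plural = 0;
    eval($string);               // only ever sees an integer count now
    if ($plural >= $total) {
        $plural = $total - 1;
    }
    return (int) $plural;        // the formula may yield a bool, as in "(n != 1)"
}

// Constructed "Plural-Forms:" header value, the common two-form rule.
$forms = 'nplurals=2; plural=(n != 1);';

echo select_string_checked($forms, 1), "\n";
echo select_string_checked($forms, 5), "\n";
echo select_string_checked($forms, '3'), "\n";   // digit strings are accepted

// A count carrying anything but digits is rejected rather than evaluated.
try {
    select_string_checked($forms, '5; $plural = 0');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```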
bugbot adjusting priority
This bug relates to the "php-gettext", a gettext emulation in pure PHP code.
https://launchpad.net/php-gettext
(In SUSE Linux Enterprise and openSUSE, this would take the package name of php*-php-gettext).

The binary packages php5-gettext, php53-gettext, php7-gettext, as shipped in SUSE Linux Enterprise and openSUSE, however, contain the native PHP gettext extension built from C sources. By its nature it does not contain the vulnerable code for this CVE.

php*.spec:

    %package gettext
    [...]
    1225: --with-gettext=shared \
    1647:%files gettext
    1649:%{extension_dir}/gettext.so
    1650:%config(noreplace) %{php_sysconf}/conf.d/gettext.ini

Therefore this bug does not affect our distributions.
In openSUSE, CVE-2015-8980 affects a forked version of php-gettext.

> * PMASA-2017-2 ( CVE-2015-8980, CWE-661)
>   https://www.phpmyadmin.net/security/PMASA-2017-2/
>   - php-gettext code execution

Tracked under bug 1021597, submitted here:
https://build.opensuse.org/request/show/452819