Bugzilla – Bug 1020838
VUL-0: CVE-2016-6175: php-php-gettext: $string variable not sufficiently sanitized
Last modified: 2017-01-19 10:11:17 UTC
php-gettext code that parses the plural forms header relies on eval() and only filters out some known-bad characters before passing the value from a MO file in directly to eval(). References: https://kmkz-web-blog.blogspot.de/2016/07/advisory-cve-2016-6175.html https://bugzilla.redhat.com/show_bug.cgi?id=1414684 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6175 http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-6175.html
This bug relates to the "php-gettext", a gettext emulation in pure PHP code. https://launchpad.net/php-gettext (In SUSE Linux Enterprise and openSUSE, this would take the package name of php*-php-gettext). The binary packages php5-gettext, php53-gettext, php7-gettext, as shipped in SUSE Linux Enterprise and openSUSE, however, contain the native PHP gettext extension built from C sources. By it's nature it does not contain the vulnerable code for this CVE. php*.spec: %package gettext [...] 1225: --with-gettext=shared \ 1647:%files gettext 1649:%{extension_dir}/gettext.so 1650:%config(noreplace) %{php_sysconf}/conf.d/gettext.ini Therefor this bug does not affect our distributions.