http://bugzilla.opensuse.org/show_bug.cgi?id=1020489

Bug ID: 1020489
Summary: VUL-0: php-gettext: Arbitrary code execution in select_string, ngettext and npgettext count parameter
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 42.2
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: security-team@suse.de
Reporter: mikhail.kasimov@gmail.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

Ref: http://seclists.org/oss-sec/2017/q1/122
============================================
From [1]:

A code injection vulnerability was found in php-gettext. Evaluating the plural form formula in the ngettext family of calls can execute arbitrary code if the number is passed unsanitized from an untrusted user.

This was addressed in Fedora by updating to 1.0.12, cf. [2].

The original report is found in [3]:

CERT ID - VU#520504 (pending since 2015)
Product - php-gettext
Company - Danilo Segan
Name - php-gettext php code execution
Versions - <1.0.12
Patched - 11/11/2015
Ref: https://launchpad.net/php-gettext/trunk/1.0.12

Vulnerability - "code injection into the ngettext family of calls: evaluating the plural form formula can execute arbitrary code if number is passed unsanitized from the untrusted user."

Description - In 1.0.11 and lower the select_string function appears as the following:

    /**
     * Detects which plural form to take
     *
     * @access private
     * @param n count
     * @return int array index of the right plural form
     */
    function select_string($n) {
      $string = $this->get_plural_forms();
      $string = str_replace('nplurals',"\$total",$string);
      $string = str_replace("n",$n,$string);
      $string = str_replace('plural',"\$plural",$string);

      $total = 0;
      $plural = 0;

      eval("$string");
      if ($plural >= $total) $plural = $total - 1;
      return $plural;
    }

The vulnerability here lies in the fact that $string is evaluated as PHP code.
If the plural form contains an 'n', and the $n parameter is exposed to a malicious user, PHP code can be added to the value of $string before it is evaluated. For websites, this means that a vulnerable application could allow an attacker to run PHP code on your site and potentially gain control of it. The $n parameter in select_string can also be exposed through ngettext and npgettext as the $number parameter.

The new release 1.0.12 was made available shortly after notification in 2015 and resolves the issue by raising an exception on non-numeric input to these parameters.

[0] https://launchpad.net/php-gettext/
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1367462
[2] https://lwn.net/Alerts/708838/
[3] http://seclists.org/fulldisclosure/2016/Aug/76
============================================
https://software.opensuse.org/package/php5-gettext
https://software.opensuse.org/package/php7-gettext
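The following is an added example, not php-gettext's own code and not part of the bug report above. It reproduces the substitution-and-eval step quoted in the report, then puts an input check in front of it, which is the shape of the 1.0.12 fix as the report describes it (an exception on non-numeric input). The Plural-Forms header, the hostile count string, the function names and the exception class are constructed for illustration and are not taken from the project.

```php
<?php
// Added example (not php-gettext code). Constructed Plural-Forms header in the
// form a .mo catalogue supplies it; the English two-form rule is used here.
const PLURAL_FORMS = 'nplurals=2; plural=n != 1;';

// The substitution-and-eval step exactly as quoted in the report: the count is
// spliced into PHP source text, so whatever it contains is executed by eval().
// Note that str_replace() does not re-scan the inserted text, so the 'n' in
// the payload survives; only a later 'plural' substitution would touch it.
function evaluate_plural_formula(string $pluralForms, string $n): int
{
    $string = str_replace('nplurals', "\$total", $pluralForms);
    $string = str_replace('n', $n, $string);
    $string = str_replace('plural', "\$plural", $string);

    $total  = 0;
    $plural = 0;
    eval("$string");
    if ($plural >= $total) {
        $plural = $total - 1;
    }
    return (int) $plural;
}

// Pre-1.0.12 behaviour: the count goes straight into the formula.
function select_string_vulnerable($n): int
{
    return evaluate_plural_formula(PLURAL_FORMS, (string) $n);
}

// Hardened variant (assumed shape of the fix): only a PHP integer, or a string
// consisting solely of digits as it arrives from $_GET/$_POST, may reach the
// formula. Anything else is rejected before eval() ever sees it.
function select_string_hardened($n): int
{
    if (!is_int($n) && !(is_string($n) && ctype_digit($n))) {
        throw new InvalidArgumentException('plural count must be a non-negative integer');
    }
    return evaluate_plural_formula(PLURAL_FORMS, (string) (int) $n);
}

// Ordinary counts: both variants pick the same form index.
echo 'vulnerable(1) -> ', select_string_vulnerable(1), PHP_EOL;
echo 'hardened(5)   -> ', select_string_hardened(5), PHP_EOL;

// Constructed count that carries code instead of a number. Inside the formula
// it becomes:  $total=2; $plural=0; $GLOBALS['injected'] = 'yes'; // != 1;
// and the trailing comment swallows the remainder of the original expression.
$GLOBALS['injected'] = 'no';
$hostile = "0; \$GLOBALS['injected'] = 'yes'; //";

select_string_vulnerable($hostile);
echo 'after vulnerable call: injected=', $GLOBALS['injected'], PHP_EOL;

$GLOBALS['injected'] = 'no';
try {
    select_string_hardened($hostile);
} catch (InvalidArgumentException $e) {
    echo 'hardened call rejected input: ', $e->getMessage(), PHP_EOL;
}
echo 'after hardened call: injected=', $GLOBALS['injected'], PHP_EOL;
```

Run it with any PHP 7 or later interpreter. The marker variable flips in the vulnerable path and stays untouched in the hardened path, which is the whole difference between the two: the check rejects the input before the string is assembled, rather than trying to sanitise the assembled string. Rejecting (throwing) rather than silently casting with (int) is the right choice here because a non-numeric count is itself evidence that untrusted data reached this parameter, and the caller should see that.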