oss-sec mailing list archives
CVE Request: php-gettext: Arbitrary code execution in select_string, ngettext and npgettext count parameter
From: Salvatore Bonaccorso <carnil () debian org>
Date: Tue, 17 Jan 2017 19:34:20 +0100
Hi,

Could you please assign a CVE to the following php-gettext[0] issue:
From [1]: A code injection vulnerability was found in php-gettext. Evaluating the plural form formula in ngettext family of calls can execute arbitrary code if number is passed unsanitized from the untrusted user.
Which in Fedora was addressed by updating to 1.0.12, cf [2]. Original report is found in [3]:
CERT ID - VU#520504 (pending since 2015)
Product - php-gettext
Company - Danilo Segan
Name - php-gettext php code execution
Versions - <1.0.12
Patched - 11/11/2015
Ref: https://launchpad.net/php-gettext/trunk/1.0.12
Vulnerability - "code injection into the ngettext family of calls: evaluating the plural form formula can execute arbitrary code if number is passed unsanitized from the untrusted user."

Description - In 1.0.11 and lower the select_string function appears as the following:

    /**
     * Detects which plural form to take
     *
     * @access private
     * @param n count
     * @return int array index of the right plural form
     */
    function select_string($n) {
      $string = $this->get_plural_forms();
      $string = str_replace('nplurals',"\$total",$string);
      $string = str_replace("n",$n,$string);
      $string = str_replace('plural',"\$plural",$string);

      $total = 0;
      $plural = 0;

      eval("$string");
      if ($plural >= $total) $plural = $total - 1;
      return $plural;
    }

The vulnerability here lies in the fact that $string is evaluated as PHP code. If the plural form contains an 'n', and the $n parameter is exposed to a malicious user, PHP code can be added to the value of $string before it is evaluated. For websites, this means that a vulnerable application could allow an attacker to run PHP code on your site and potentially gain control of it.

The $n parameter in select_string can also be exposed through ngettext and npgettext as the $number parameter.

The new release 1.0.12 was made available shortly after notification in 2015 and resolves the issue by raising an exception during non-numeric input to these parameters.
[0] https://launchpad.net/php-gettext/
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1367462
[2] https://lwn.net/Alerts/708838/
[3] http://seclists.org/fulldisclosure/2016/Aug/76

Regards,
Salvatore
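As an added example (not php-gettext's own code), a hardened plural-form selector along the lines of the 1.0.12 fix described above: it refuses a count that is not an integer, and additionally allow-lists the Plural-Forms formula before it is evaluated, so neither the count nor a malformed header can reach eval as code. The function name select_plural_form and the sample headers are assumptions.

```php
<?php
// Added example, not php-gettext's own code: a hardened replacement for the
// select_string pattern shown above. The Plural-Forms header is assumed to
// come from the message catalogue, the count from the application.

function select_plural_form(string $pluralForms, $n): int
{
    // Refuse anything that is not an integer before it touches the formula;
    // a string count is exactly the input the vulnerable version evaluated.
    if (!is_int($n) || $n < 0) {
        throw new InvalidArgumentException('count must be a non-negative integer');
    }

    // Allow-list the header: digits, the variable n, whitespace and the C
    // operators gettext formulas use. Anything else is rejected outright.
    $header  = trim($pluralForms);
    $allowed = '/^nplurals=\d+;\s*plural=[0-9n()\s!=<>&|?:%+\-*\/]+;?$/';
    if (!preg_match($allowed, $header)) {
        throw new UnexpectedValueException('unsupported Plural-Forms header');
    }

    // Substitute the PHP variables first, then only whole-word "n", so the
    // "n" inside "nplurals" is never touched by the count substitution.
    $code = str_replace('nplurals', '$total', $header);
    $code = str_replace('plural', '$plural', $code);
    $code = preg_replace('/\bn\b/', (string) $n, $code);

    $total  = 0;
    $plural = 0;
    eval($code);                      // only the allow-listed formula remains
    $plural = (int) $plural;          // a bare comparison yields a bool
    if ($plural >= $total) {
        $plural = $total - 1;
    }
    return $plural;
}

// Constructed inputs: an English and a Czech Plural-Forms header.
$en = 'nplurals=2; plural=(n != 1);';
$cs = 'nplurals=3; plural=(n==1 ? 0 : ((n>=2 && n<=4) ? 1 : 2));';

echo "en, n=1 -> form ", select_plural_form($en, 1), "\n";
echo "en, n=5 -> form ", select_plural_form($en, 5), "\n";
echo "cs, n=3 -> form ", select_plural_form($cs, 3), "\n";
try {
    select_plural_form($en, '5 items');   // string count: rejected, never eval'd
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```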