php-gettext: CVE-2016-6175

Bug #1863891 reported by Graham Inggs
Affects                            Status        Importance  Assigned to
icingaweb2-module-nagvis (Debian)  Fix Released  Unknown
icingaweb2-module-nagvis (Ubuntu)  Fix Released  Undecided   Unassigned
nagvis (Ubuntu)                    Fix Released  Undecided   Unassigned
php-gettext (Debian)               Fix Released  Unknown
php-gettext (Ubuntu)               Fix Released  Undecided   Unassigned
tt-rss (Ubuntu)                    Fix Released  Undecided   Unassigned

Bug Description

Straight from the Debian bug:

the following vulnerability was published for php-gettext.

CVE-2016-6175[0]:
Use of eval too unrestrictive

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-6175
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6175
[1] https://bugs.launchpad.net/php-gettext/+bug/1606184

Please remove php-gettext from the archive
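The bug description only says "use of eval too unrestrictive". The following is an added example written for this page (editor's Python, not php-gettext's PHP, so that the two behaviours can be executed side by side); it is not code from php-gettext or from the reporter. That CVE-2016-6175 concerns evaluating a .mo file's Plural-Forms header with eval() after a character filter comes from the advisory linked above, not from this page. The headers, the CALLED list and probe() are constructed for the illustration; probe() stands in for whatever function an eval() can reach in the real interpreter.

```python
"""Plural-Forms evaluation: character filter plus eval() versus a grammar parser.
Editor-added illustration for CVE-2016-6175, not php-gettext's own code: the
library evaluated a .mo file's Plural-Forms header with eval() after stripping
disallowed characters. Headers are constructed; probe() stands in for any
function eval() can reach (system() in the PHP case)."""
import operator
import re

CALLED = []  # records calls made through the vulnerable path

def probe():  # constructed stand-in for a function an attacker wants called
    CALLED.append("probe")
    return 0

_HEADER = re.compile(r"\s*nplurals\s*=\s*(\d+)\s*;\s*plural\s*=\s*(.*?)\s*;?\s*")

def parse_header(header):
    """Split 'nplurals=N; plural=EXPR;' into (N, EXPR)."""
    m = _HEADER.fullmatch(header)
    if not m:
        raise ValueError("not a Plural-Forms header")
    return int(m.group(1)), m.group(2)

def plural_index_unsafe(header, n):
    """Vulnerable pattern: keep only allow-listed characters, then eval().
    Identifiers and parentheses survive the filter, so a crafted header can
    still call functions; eval() sees module scope as PHP eval() sees the
    interpreter's. (C ternaries are not rewritten on this path.)"""
    _, expr = parse_header(header)
    expr = re.sub(r"[^a-zA-Z0-9_ ()?:|&=!<>+*/%-]", "", expr)
    return int(eval(expr, dict(globals(), n=n)))  # deliberately unsafe

# Safe path: admit only the C expression subset plural forms are written in.
_TOKEN = r"\d+|n|==|!=|<=|>=|&&|\|\||[-+*/%<>!?:()]"
_BINARY = [  # lowest to highest precedence; every level is left-associative
    {"||": lambda a, b: int(bool(a) or bool(b))},
    {"&&": lambda a, b: int(bool(a) and bool(b))},
    {"==": operator.eq, "!=": operator.ne},
    {"<": operator.lt, "<=": operator.le, ">": operator.gt, ">=": operator.ge},
    {"+": operator.add, "-": operator.sub},
    {"*": operator.mul, "/": operator.floordiv, "%": operator.mod},  # n >= 0
]

def tokenize(expr):
    """Whole-string check first, so anything outside the grammar is rejected."""
    if not re.fullmatch(rf"(?:\s*(?:{_TOKEN}))*\s*", expr):
        raise ValueError(f"expression outside plural-forms grammar: {expr!r}")
    return re.findall(_TOKEN, expr)

class _Parser:
    """Recursive descent over the tokens; every rule returns a function of n."""
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None
    def take(self, want=None):
        tok = self.peek()
        if tok is None or (want is not None and tok != want):
            raise ValueError(f"expected {want or 'a token'} at token {self.i}")
        self.i += 1
        return tok
    def ternary(self):  # cond ? a : b, right-associative as in C
        cond = self.binary(0)
        if self.peek() != "?":
            return cond
        self.take("?"); yes = self.ternary(); self.take(":"); no = self.ternary()
        return lambda n: yes(n) if cond(n) else no(n)
    def binary(self, level):
        if level == len(_BINARY):
            return self.unary()
        left = self.binary(level + 1)
        while self.peek() in _BINARY[level]:
            op, right = _BINARY[level][self.take()], self.binary(level + 1)
            left = lambda n, l=left, r=right, op=op: op(l(n), r(n))
        return left
    def unary(self):
        if self.peek() == "!":
            self.take(); inner = self.unary()
            return lambda n: int(not inner(n))
        return self.primary()
    def primary(self):
        tok = self.take()
        if tok == "(":
            inner = self.ternary(); self.take(")"); return inner
        if tok == "n":
            return lambda n: n
        if tok.isdigit():
            return lambda n, v=int(tok): v
        raise ValueError(f"unexpected {tok!r}")

def plural_index_safe(header, n):
    """Parse the header against the grammar, evaluate, and range-check the index."""
    nplurals, expr = parse_header(header)
    parser = _Parser(tokenize(expr))
    fn = parser.ternary()
    if parser.peek() is not None:
        raise ValueError(f"trailing tokens: {parser.toks[parser.i:]}")
    i = int(fn(n))
    if not 0 <= i < nplurals:
        raise ValueError(f"plural index {i} outside nplurals={nplurals}")
    return i
```

With the constructed header `nplurals=2; plural=probe();`, plural_index_unsafe() runs probe() because the character filter has no notion of the grammar: letters, underscores and parentheses are all "allowed", so any reachable function name passes. plural_index_safe() raises ValueError before anything is evaluated, and still computes the ordinary English and Polish forms correctly. The design point is that an allow-list of characters in front of an interpreter is not an allow-list of programs; the only robust fix is to parse the small expression language the header actually uses.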

Graham Inggs (ginggs) wrote :

reverse-depends -r unstable src:php-gettext
Reverse-Depends
* nagvis (for php-php-gettext)
* tt-rss (for php-php-gettext)

Graham Inggs (ginggs) wrote :

cacti also had a reverse dependency on php-php-gettext, but that is fixed in 1.2.9+ds1-1ubuntu1

Changed in php-gettext (Debian):
status: Unknown → Confirmed
Steve Langasek (vorlon) wrote :

nagvis has icingaweb2-module-nagvis as a new reverse-dependency in focal. What should be done with this?

Changed in nagvis (Ubuntu):
status: New → Incomplete
Graham Inggs (ginggs) wrote :

icingaweb2-module-nagvis is stuck, unable to migrate in Debian.
I recommend removing it too.

Changed in icingaweb2-module-nagvis (Debian):
status: Unknown → New
Steve Langasek (vorlon) wrote :

Removing packages from focal:
 icingaweb2-module-nagvis 1.1.1-1 in focal
  icingaweb2-module-nagvis 1.1.1-1 in focal amd64
  icingaweb2-module-nagvis 1.1.1-1 in focal arm64
  icingaweb2-module-nagvis 1.1.1-1 in focal armhf
  icingaweb2-module-nagvis 1.1.1-1 in focal i386
  icingaweb2-module-nagvis 1.1.1-1 in focal ppc64el
  icingaweb2-module-nagvis 1.1.1-1 in focal s390x
Comment: indirectly depends on buggy php-gettext, not in Debian testing; LP: #1863891, Debian bug #952435
1 package successfully removed.

Changed in icingaweb2-module-nagvis (Ubuntu):
status: New → Fix Released
Steve Langasek (vorlon) wrote :

Removing packages from focal:
 nagvis 1:1.9.11-1 in focal
  nagvis 1:1.9.11-1 in focal amd64
  nagvis 1:1.9.11-1 in focal arm64
  nagvis 1:1.9.11-1 in focal armhf
  nagvis 1:1.9.11-1 in focal i386
  nagvis 1:1.9.11-1 in focal ppc64el
  nagvis 1:1.9.11-1 in focal s390x
  nagvis-demos 1:1.9.11-1 in focal amd64
  nagvis-demos 1:1.9.11-1 in focal arm64
  nagvis-demos 1:1.9.11-1 in focal armhf
  nagvis-demos 1:1.9.11-1 in focal i386
  nagvis-demos 1:1.9.11-1 in focal ppc64el
  nagvis-demos 1:1.9.11-1 in focal s390x
Comment: depends on buggy php-gettext, not in Debian testing; Debian bug #851771
1 package successfully removed.

Changed in nagvis (Ubuntu):
status: Incomplete → Fix Released
Steve Langasek (vorlon) wrote :

Removing packages from focal:
 tt-rss 19.8+dfsg-1ubuntu1 in focal
  tt-rss 19.8+dfsg-1ubuntu1 in focal amd64
  tt-rss 19.8+dfsg-1ubuntu1 in focal arm64
  tt-rss 19.8+dfsg-1ubuntu1 in focal armhf
  tt-rss 19.8+dfsg-1ubuntu1 in focal i386
  tt-rss 19.8+dfsg-1ubuntu1 in focal ppc64el
  tt-rss 19.8+dfsg-1ubuntu1 in focal s390x
Comment: depends on buggy php-gettext, not in Debian testing; Debian bug #851771
1 package successfully removed.

Changed in tt-rss (Ubuntu):
status: New → Fix Released
Steve Langasek (vorlon) wrote :

Removing packages from focal:
 php-gettext 1.0.12-0.1 in focal
  php-gettext 1.0.12-0.1 in focal amd64
  php-gettext 1.0.12-0.1 in focal arm64
  php-gettext 1.0.12-0.1 in focal armhf
  php-gettext 1.0.12-0.1 in focal i386
  php-gettext 1.0.12-0.1 in focal ppc64el
  php-gettext 1.0.12-0.1 in focal s390x
  php-php-gettext 1.0.12-0.1 in focal amd64
  php-php-gettext 1.0.12-0.1 in focal arm64
  php-php-gettext 1.0.12-0.1 in focal armhf
  php-php-gettext 1.0.12-0.1 in focal i386
  php-php-gettext 1.0.12-0.1 in focal ppc64el
  php-php-gettext 1.0.12-0.1 in focal s390x
Comment: severe security issues, not in Debian testing; Debian bug #851771
1 package successfully removed.

Changed in php-gettext (Ubuntu):
status: New → Fix Released
Changed in icingaweb2-module-nagvis (Debian):
status: New → Fix Released
Changed in php-gettext (Debian):
status: Confirmed → Fix Released