Comment 3 for bug 1606184

Sunil Mohan Adapa (f-su7il-g) wrote :

Applications such as Tiny Tiny RSS continue to use the php-gettext library. Due to this issue, they are at risk of not getting included in the next release of Debian and FreedomBox.

To address this, I have implemented a parser for the plural expressions instead of using the eval() method, as discussed in this bug as the solution. This patch is under the same license as php-gettext (GPLv2 or higher).

- A simple operator-precedence parser that prioritizes simplicity and readability. Avoids using eval() for evaluating plural expressions.
  - Fixes CVE-2016-6175.
  - Fixes upstream bug https://bugs.launchpad.net/php-gettext/+bug/1606184
  - Fixes Debian bug https://bugs.debian.org/851771

- The grammar for the parsing code is the same as the grammar of the GNU gettext library: http://git.savannah.gnu.org/cgit/gettext.git/tree/gettext-runtime/intl/plural.y

- Extensive tests for various locales with help from Unicode's plurals rules. Tests for invalid syntax and expression parsing.

Please consider applying the patch and making a new release of php-gettext. Many thanks to the authors for the original implementation.
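As an added illustration of the approach described above (not the patch attached to this bug, and written in Python rather than the library's PHP), here is a precedence-climbing evaluator for the plural.y grammar. It admits only the grammar's tokens, so a Plural-Forms string containing anything else is rejected before any evaluation happens; operator tiers and the right-associative ternary follow plural.y.

```python
import operator as op
import re
# Binary operators with precedence (higher binds tighter), as in gettext's plural.y.
_OPS = {
    "||": (1, lambda a, b: int(bool(a or b))), "&&": (2, lambda a, b: int(bool(a and b))),
    "==": (3, op.eq), "!=": (3, op.ne),
    "<": (4, op.lt), ">": (4, op.gt), "<=": (4, op.le), ">=": (4, op.ge),
    "+": (5, op.add), "-": (5, op.sub), "*": (6, op.mul), "/": (6, op.floordiv), "%": (6, op.mod),
}
# The only tokens: integers, the variable n, the operators above, "!", "?", ":", "(", ")".
_TOKEN = re.compile(r"\d+|n|\|\||&&|==|!=|<=|>=|[<>+\-*/%!?:()]")

def plural_index(expr, n):
    # Evaluate a gettext Plural-Forms expression for count n; no eval() anywhere.
    toks = _TOKEN.findall(expr)
    if "".join(toks) != "".join(expr.split()):  # anything the regex skipped is illegal
        raise ValueError("invalid token in %r" % expr)
    toks.append(None); i = 0  # None marks end of input
    def expect(tok):
        nonlocal i
        if toks[i] != tok:
            raise ValueError("expected %r, got %r" % (tok, toks[i]))
        i += 1
    def ternary():  # "cond ? a : b": lowest precedence, right-associative
        cond = binary(1)
        if toks[i] != "?":
            return cond
        expect("?"); yes = ternary(); expect(":"); no = ternary()  # both branches parsed
        return yes if cond else no
    def binary(min_prec):  # precedence climbing over the _OPS table
        nonlocal i
        value = unary()
        while toks[i] in _OPS and _OPS[toks[i]][0] >= min_prec:
            prec, fn = _OPS[toks[i]]; i += 1
            value = fn(value, binary(prec + 1))  # left-associative
        return value
    def unary():  # "!x", "(expr)", "n" or an integer literal
        nonlocal i
        tok = toks[i]; i += 1
        if tok == "!":
            return int(not unary())
        if tok == "(":
            value = ternary(); expect(")"); return value
        if tok == "n": return n
        if tok is not None and tok.isdigit(): return int(tok)
        raise ValueError("unexpected token %r" % (tok,))
    result = ternary()
    expect(None)  # reject trailing input
    return int(result)
```

Every name, string or punctuation mark outside the grammar (identifiers other than n, `;`, `$`, quotes) fails the token check, and a syntactically malformed expression fails in the parser, so the worst outcome is a ValueError rather than executed code.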