
CVE-2016-6175 and 851771

Hi Salvatore

I started checking the CVEs for php-gettext and I'm not sure I follow
the information for CVE-2016-6175.
Maybe you have more data than I do.

The vulnerability is that a malicious user that has permission to
craft .mo files in the target filesystem could execute any php code on
that system.
I find that a quite unlikely attack vector. Based on this I also think
the bug should have a different priority than grave.

Or have I missed anything crucial?

I'm asking as I plan to mark this one as no-dsa for wheezy.

Best regards

// Ola

PS. There is another bug on the same package and that one should
probably have a grave bug filed, but that is another story.

 --- Inguza Technology AB --- MSc in Information Technology ----
/  ola@inguza.com                    Folkebogatan 26            \
|  opal@debian.org                   654 68 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
