On 05/02/21 4:24 pm, Sebastian Reichel wrote:
[...]
> I had some pending work from last year doing some of these changes
> and some additional things. Back then I stopped when reaching the
> gettext part wondering how to be solve it (IIUIC upstream's version
> has some security fixes). Anyways your solution is better than doing
> nothing, so I merged everything together and just uploaded a new
> version.
Just to summarize the situation with php-gettext: the library had a single security issue with use of eval() when parsing plural expressions (#976135). In Debian, it now has a proper fix through the implementation of a plural expression parser instead of using eval(). While there is no response from upstream for the merge request, tt-rss apparently picked up the fix in its vendored copy of the gettext library. In Debian, tt-rss uses the Debian package for php-gettext. So, everything is in good shape for this security issue. Other security issues found and fixed in upstream tt-rss (CVE-2020-25787 CVE-2020-25788 CVE-2020-25789) are unrelated to this.

> Your changes all looked sane and I'm mostly busy in the kernel world
> these days and your help is appreciated. If I saw it correctly you are
> not a DD, so I just gave you full permissions to the tt-rss repository.
> Feel free to work directly in the repository without doing pull requests.

Many thanks for permissions to the repository, the recent upload and in general for tt-rss.

-- 
Sunil
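For readers who want to see what "a plural expression parser instead of using eval()" means in practice, here is an added example (my own code, not the php-gettext or tt-rss implementation and not the patch from #976135). It assumes the Plural-Forms grammar used by gettext: the variable `n`, integer literals, parentheses, `!`, `%`, comparisons, `&&`, `||` and the `?:` ternary. The class name `PluralExpression`, the helper `plural_form_selector()` and the sample headers are all made up for the example. The point is that the header string from a .po/.mo file is tokenized and parsed against that fixed grammar, so anything that is not a plural expression is rejected before it could ever reach the PHP interpreter.

```php
<?php
// Safe evaluator for gettext Plural-Forms expressions (example code, not
// php-gettext's own implementation). Instead of eval() on a string taken
// from a translation catalog, the string is parsed by a recursive-descent
// parser that accepts only gettext's C-like plural grammar and is then
// evaluated over an AST.
final class PluralExpression
{
    // Binary operator precedence, lowest first (C precedence, as gettext uses).
    private const LEVELS = [['||'], ['&&'], ['==', '!='], ['<', '<=', '>', '>='], ['%']];

    private array $tokens;
    private int $pos = 0;
    private array $ast;

    public function __construct(string $expr)
    {
        $this->tokens = self::tokenize($expr);
        $this->ast = $this->parseTernary();
        if ($this->pos !== count($this->tokens)) {
            throw new InvalidArgumentException('Trailing input in plural expression');
        }
    }

    // Lexer: only the tokens of the plural grammar are accepted; anything
    // else (identifiers, ';', '$', quotes, ...) is an error.
    private static function tokenize(string $expr): array
    {
        $re = '/\G\s*(\d+|n|\(|\)|<=|>=|==|!=|&&|\|\||[%<>!?:])\s*/';
        $tokens = [];
        $offset = 0;
        $len = strlen($expr);
        while ($offset < $len) {
            if (!preg_match($re, $expr, $m, 0, $offset)) {
                throw new InvalidArgumentException("Unexpected input at offset $offset");
            }
            $tokens[] = $m[1];
            $offset += strlen($m[0]);
        }
        return $tokens;
    }

    private function peek(): ?string { return $this->tokens[$this->pos] ?? null; }

    private function next(): string
    {
        $t = $this->peek();
        if ($t === null) {
            throw new InvalidArgumentException('Unexpected end of plural expression');
        }
        $this->pos++;
        return $t;
    }

    private function expect(string $tok): void
    {
        if ($this->next() !== $tok) {
            throw new InvalidArgumentException("Expected '$tok'");
        }
    }

    // ternary := binary ('?' ternary ':' ternary)?   (right-associative)
    private function parseTernary(): array
    {
        $cond = $this->parseBinary(0);
        if ($this->peek() === '?') {
            $this->next();
            $then = $this->parseTernary();
            $this->expect(':');
            $else = $this->parseTernary();
            return ['?', $cond, $then, $else];
        }
        return $cond;
    }

    // Left-associative binary operators, one precedence level per recursion.
    private function parseBinary(int $level): array
    {
        if ($level === count(self::LEVELS)) {
            return $this->parseUnary();
        }
        $left = $this->parseBinary($level + 1);
        while (in_array($this->peek(), self::LEVELS[$level], true)) {
            $op = $this->next();
            $right = $this->parseBinary($level + 1);
            $left = [$op, $left, $right];
        }
        return $left;
    }

    private function parseUnary(): array
    {
        if ($this->peek() === '!') {
            $this->next();
            return ['!', $this->parseUnary()];
        }
        return $this->parsePrimary();
    }

    private function parsePrimary(): array
    {
        $t = $this->next();
        if ($t === 'n') {
            return ['n'];
        }
        if ($t === '(') {
            $e = $this->parseTernary();
            $this->expect(')');
            return $e;
        }
        if (ctype_digit($t)) {
            return ['int', (int) $t];
        }
        throw new InvalidArgumentException("Unexpected token '$t'");
    }

    // Evaluate the AST for a given count; booleans are 0/1 as in C.
    public function evaluate(int $n): int
    {
        return self::evalNode($this->ast, $n);
    }

    private static function evalNode(array $node, int $n): int
    {
        switch ($node[0]) {
            case 'n':   return $n;
            case 'int': return $node[1];
            case '!':   return self::evalNode($node[1], $n) === 0 ? 1 : 0;
            case '?':   return self::evalNode($node[1], $n) !== 0
                            ? self::evalNode($node[2], $n)
                            : self::evalNode($node[3], $n);
        }
        $a = self::evalNode($node[1], $n);
        if ($node[0] === '||') { return ($a !== 0 || self::evalNode($node[2], $n) !== 0) ? 1 : 0; }
        if ($node[0] === '&&') { return ($a !== 0 && self::evalNode($node[2], $n) !== 0) ? 1 : 0; }
        $b = self::evalNode($node[2], $n);
        switch ($node[0]) {
            case '==': return $a === $b ? 1 : 0;
            case '!=': return $a !== $b ? 1 : 0;
            case '<':  return $a < $b ? 1 : 0;
            case '<=': return $a <= $b ? 1 : 0;
            case '>':  return $a > $b ? 1 : 0;
            case '>=': return $a >= $b ? 1 : 0;
            case '%':
                if ($b === 0) { throw new ArithmeticError('Modulo by zero in plural expression'); }
                return $a % $b;
        }
        throw new LogicException('Unknown node type');
    }
}

// Hypothetical helper: split a "nplurals=N; plural=EXPR;" header value.
function plural_form_selector(string $header): array
{
    if (!preg_match('/nplurals\s*=\s*(\d+)\s*;\s*plural\s*=\s*(.+?)\s*;?\s*$/', $header, $m)) {
        throw new InvalidArgumentException('Malformed Plural-Forms header');
    }
    return [(int) $m[1], new PluralExpression($m[2])];
}

// Constructed sample: the Russian Plural-Forms header. Expected output:
// 1 => 0, 2 => 1, 5 => 2, 11 => 2, 21 => 0, 22 => 1
[$nplurals, $expr] = plural_form_selector(
    'nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);'
);
foreach ([1, 2, 5, 11, 21, 22] as $n) {
    echo "$n => " . $expr->evaluate($n) . "\n";
}

// Constructed hostile header: with eval() this would have run PHP code;
// here the lexer stops at the first character outside the grammar.
try {
    plural_form_selector('nplurals=2; plural=n != 1; phpinfo();');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ' . $e->getMessage() . "\n";
}
```

The parser is deliberately a whitelist: the lexer's regular expression enumerates every token the grammar allows, and the grammar itself is the familiar C precedence ladder, so a catalog author can express any real plural rule while the interpreter never sees the header text. When reviewing a fix of this kind, the checks worth doing are that trailing input is rejected (the `pos !== count` test), that unbalanced parentheses and a dangling `?` raise rather than silently succeed, and that `%` by zero is handled rather than left to produce a PHP error from untrusted data.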