summaryrefslogtreecommitdiff
path: root/doc/plugins
diff options
context:
space:
mode:
authorintrigeri <intrigeri@boum.org>2008-11-08 00:08:44 +0100
committerintrigeri <intrigeri@boum.org>2008-11-08 00:08:44 +0100
commit3c6c129100ba7b721fa57a56bba2b7a36739f4fc (patch)
tree69a925825faf76f896a6f109ddda8e7d6ddf690e /doc/plugins
parentf8fee76f99bdf550dab6b0e3f699441577254e84 (diff)
po: started research on gettext/po4a security
Signed-off-by: intrigeri <intrigeri@boum.org>
Diffstat (limited to 'doc/plugins')
-rw-r--r--doc/plugins/po.mdwn21
1 files changed, 20 insertions, 1 deletions
diff --git a/doc/plugins/po.mdwn b/doc/plugins/po.mdwn
index ddd0f5870..39575fb63 100644
--- a/doc/plugins/po.mdwn
+++ b/doc/plugins/po.mdwn
@@ -217,9 +217,28 @@ Security checks
- Can any sort of directives be put in po files that will
cause mischief (ie, include other files, run commands, crash gettext,
- whatever).
+ whatever). The [PO file
+ format](http://www.gnu.org/software/gettext/manual/gettext.html#PO-Files)
+ should contain the answer.
- Any security issues on running po4a on untrusted content?
+### Security history
+
+#### GNU gettext
+- [CVE-2004-0966](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0966)
+ / [Debian bug #278283](http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=278283):
+ the autopoint and gettextize scripts in the GNU gettext package
+ 1.14 and later versions, as used in Trustix Secure Linux 1.5
+ through 2.1 and other operating systems, allows local users to
+ overwrite files via a symlink attack on temporary files.
+
+#### po4a
+-
+ [CVE-2007-4462](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4462):
+ lib/Locale/Po4a/Po.pm in po4a before 0.32 allows local users to
+ overwrite arbitrary files via a symlink attack on the
+ gettextization.failed.po temporary file.
+
gettext/po4a rough corners
--------------------------