CVE-2015-8980
Description
The plural form formula in ngettext family of calls in php-gettext before 1.0.12 allows remote attackers to execute arbitrary code.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
php-gettext before 1.0.12 allows remote code execution via an unsanitized count parameter in ngettext-family calls.
Vulnerability
The php-gettext library before version 1.0.12 contains a code injection vulnerability in the ngettext, npgettext, and select_string functions. The plural form formula is evaluated using eval() or similar, so if the count parameter reaches it unsanitized from an untrusted user, arbitrary PHP code can be injected [1][2][3]. All versions prior to 1.0.12 are affected.
Exploitation
An attacker can exploit this by providing a malicious count value to any application that uses the ngettext family of calls with user-supplied input. No authentication is required if the application exposes this functionality to unauthenticated users. The attacker crafts a string that, when evaluated as part of the plural formula, executes arbitrary PHP code [1][3].
Impact
Successful exploitation allows remote attackers to execute arbitrary PHP code on the server, leading to full compromise of the application and potentially the underlying system. This includes data theft, modification, or denial of service [1][2][3].
Mitigation
The vulnerability is fixed in php-gettext version 1.0.12, released on 2016-12-09 [2][4]. Users should upgrade to this version or later. The fix throws an exception if the count parameter is not a number, preventing code injection [2]. No workaround is available other than upgrading. The issue is tracked in Red Hat Bugzilla [3] and Fedora updates [4].
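To make the mitigation concrete, here is an added example of the pattern the 1.0.12 fix is described as applying: the count is validated as an integer before it reaches the evaluated plural formula. It is not php-gettext's own code; the function name, the header string and the token whitelist are assumptions of this example.

```php
<?php
// Added illustration (not php-gettext's code) of the pattern behind the 1.0.12
// fix: the count is proven to be an integer before the plural formula is
// evaluated, instead of being dropped into the eval()'d code as raw text.
// Names (select_plural_index, $plural_forms) are assumptions for this example.
declare(strict_types=1);

/**
 * Return the plural-form index for $n from a gettext Plural-Forms header such
 * as "nplurals=2; plural=n != 1;". Assumes any nested ternary in the formula
 * is parenthesised, which PHP 8 requires.
 */
function select_plural_index(string $plural_forms, $n): int
{
    // Guard corresponding to the fix: anything that is not an integer count
    // is rejected. Pre-1.0.12 code substituted $n unchecked into the formula.
    if (!is_int($n) && !(is_string($n) && ctype_digit($n))) {
        throw new InvalidArgumentException('plural count must be an integer');
    }
    $n = (int) $n;

    if (!preg_match('/plural\s*=\s*([^;]+)/', $plural_forms, $m)) {
        return $n === 1 ? 0 : 1;  // gettext default: two English-style forms
    }
    $expr = trim($m[1]);

    // Defence in depth: only the token set a Plural-Forms expression is built
    // from may reach eval(); the only letter permitted is the variable n.
    if (!preg_match('#^[n0-9\s()<>=!&|?:%+*/-]+$#', $expr)) {
        throw new InvalidArgumentException('unexpected token in plural formula');
    }

    // n is bound to a PHP integer variable, so the count can never alter the
    // shape of the code that is evaluated.
    $code = 'return (int)(' . str_replace('n', '$n', $expr) . ');';
    return eval($code);
}

// Constructed demonstration input.
$header = 'nplurals=2; plural=n != 1;';
var_dump(select_plural_index($header, 1));
var_dump(select_plural_index($header, 5));
try {
    // A count that is not a plain integer is refused before eval() is reached.
    select_plural_index($header, '5; echo 1');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```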
[1] security - Re: CVE Request: php-gettext: Arbitrary code execution in select_string, ngettext and npgettext count parameter
[2] 1.0.12 : Series trunk : php-gettext
[3] Arbitrary code execution in select_string, ngettext and npgettext count parameter
[4] Fedora alert FEDORA-2016-2460f713a1 (php-php-gettext) [LWN.net]
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- php-gettext/php-gettext
- Range: <1.0.12
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- lists.opensuse.org/opensuse-updates/2017-02/msg00015.html (MITRE: vendor advisory, x_refsource_SUSE)
- seclists.org/fulldisclosure/2016/Aug/76 (MITRE: mailing list, x_refsource_MLIST)
- www.openwall.com/lists/oss-security/2017/01/18/4 (MITRE: mailing list, x_refsource_MLIST)
- www.securityfocus.com/bid/95754 (MITRE: VDB entry, x_refsource_BID)
- bugzilla.redhat.com/show_bug.cgi (MITRE: x_refsource_CONFIRM)
- launchpad.net/php-gettext/trunk/1.0.12 (MITRE: x_refsource_CONFIRM)
- lwn.net/Alerts/708838/ (MITRE: x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.