po: started research on gettext/po4a security

Signed-off-by: intrigeri <intrigeri@boum.org>

diff --git a/doc/plugins/po.mdwn b/doc/plugins/po.mdwn
index ddd0f5870beb191e1902200cf89ae17ccc4c5b4a..39575fb63266d6cc0913999032aa9cd614256955 100644 (file)
--- a/doc/plugins/po.mdwn
+++ b/doc/plugins/po.mdwn
@@ -217,9 +217,28 @@ Security checks
 
 - Can any sort of directives be put in po files that will
   cause mischief (ie, include other files, run commands, crash gettext,
 
 - Can any sort of directives be put in po files that will
   cause mischief (ie, include other files, run commands, crash gettext,

-  whatever).
+  whatever). The [PO file
+  format](http://www.gnu.org/software/gettext/manual/gettext.html#PO-Files)
+  should contain the answer.

 - Any security issues on running po4a on untrusted content?
 
 - Any security issues on running po4a on untrusted content?
 

+### Security history
+
+#### GNU gettext
+- [CVE-2004-0966](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0966)
+  / [Debian bug #278283](http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=278283):
+  the autopoint and gettextize scripts in the GNU gettext package
+  1.14 and later versions, as used in Trustix Secure Linux 1.5
+  through 2.1 and other operating systems, allows local users to
+  overwrite files via a symlink attack on temporary files.
+
+#### po4a
+-
+  [CVE-2007-4462](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4462):
+  lib/Locale/Po4a/Po.pm in po4a before 0.32 allows local users to
+  overwrite arbitrary files via a symlink attack on the
+  gettextization.failed.po temporary file.
+

 gettext/po4a rough corners
 --------------------------
 
 gettext/po4a rough corners
 --------------------------