CERT ID - VU#520504 (pending since 2015)
Product - php-gettext
Company - Danilo Segan
Name - php-gettext php code execution
Versions - <1.0.12
Patched - 11/11/2015
Ref: https://launchpad.net/php-gettext/trunk/1.0.12
Vulnerability - "code injection into the ngettext family of calls: 
evaluating the plural form formula can execute arbitrary code if number 
is passed unsanitized from the untrusted user."
Description -
In 1.0.11 and lower the select_string function appears as the following:

   /**
    * Detects which plural form to take
    *
    * @access private
    * @param n count
    * @return int array index of the right plural form
    */
   function select_string($n) {
     $string = $this->get_plural_forms();
     $string = str_replace('nplurals',"\$total",$string);
     $string = str_replace("n",$n,$string);
     $string = str_replace('plural',"\$plural",$string);
     $total = 0;
     $plural = 0;
     eval("$string");
     if ($plural >= $total) $plural = $total - 1;
     return $plural;
   }

The vulnerability here lies in the fact that $string is evaluated as PHP 
code.  If the plural form contains an 'n', and the $n parameter is 
exposed to a malicious user, PHP code can be added to the value of 
$string before it is evaluated.  For websites, this means that a 
vulnerable application could allow an attacker to run PHP code on your 
site and potentially gain control of it.

The $n parameter in select_string can also be exposed through ngettext 
and npgettext as the $number parameter.

The new release 1.0.12 was made available shortly after notification in 
2015 and resolves the issue by raising an exception during non-numeric 
input to these parameters.