| <?xml version="1.0" encoding="utf-8"?> |
| <!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> |
| |
| <glsa id="200811-02"> |
| <title>Gallery: Multiple vulnerabilities</title> |
| <synopsis> |
| Multiple vulnerabilities in Gallery may lead to execution of arbitrary |
| code, disclosure of local files or theft of user's credentials. |
| </synopsis> |
| <product type="ebuild">gallery</product> |
| <announced>November 09, 2008</announced> |
| <revised>May 28, 2009: 02</revised> |
| <bug>234137</bug> |
| <bug>238113</bug> |
| <access>remote</access> |
| <affected> |
| <package name="www-apps/gallery" auto="yes" arch="*"> |
| <unaffected range="ge">2.2.6</unaffected> |
| <unaffected range="rge">1.5.9</unaffected> |
| <unaffected range="rge">1.5.10</unaffected> |
| <vulnerable range="lt">2.2.6</vulnerable> |
| </package> |
| </affected> |
| <background> |
| <p> |
| Gallery is an open source web based photo album organizer. |
| </p> |
| </background> |
| <description> |
| <p> |
| Multiple vulnerabilities have been discovered in Gallery 1 and 2: |
| </p> |
| <ul> |
| <li> |
| Digital Security Research Group reported a directory traversal |
| vulnerability in contrib/phpBB2/modules.php in Gallery 1, when |
| register_globals is enabled (CVE-2008-3600). |
| </li> |
| <li> |
| Hanno Boeck reported that Gallery 1 and 2 did not set the secure flag |
| for the session cookie in an HTTPS session (CVE-2008-3662). |
| </li> |
| <li> |
| Alex Ustinov reported that Gallery 1 and 2 does not properly handle ZIP |
| archives containing symbolic links (CVE-2008-4129). |
| </li> |
| <li> |
| The vendor reported a Cross-Site Scripting vulnerability in Gallery 2 |
| (CVE-2008-4130). |
| </li> |
| </ul> |
| </description> |
| <impact type="normal"> |
| <p> |
| Remote attackers could send specially crafted requests to a server |
| running Gallery, allowing for the execution of arbitrary code when |
| register_globals is enabled, or read arbitrary files via directory |
| traversals otherwise. Attackers could also entice users to visit |
| crafted links allowing for theft of login credentials. |
| </p> |
| </impact> |
| <workaround> |
| <p> |
| There is no known workaround at this time. |
| </p> |
| </workaround> |
| <resolution> |
| <p> |
| All Gallery 2 users should upgrade to the latest version: |
| </p> |
| <code> |
| # emerge --sync |
| # emerge --ask --oneshot --verbose ">=www-apps/gallery-2.2.6"</code> |
| <p> |
| All Gallery 1 users should upgrade to the latest version: |
| </p> |
| <code> |
| # emerge --sync |
| # emerge --ask --oneshot --verbose ">=www-apps/gallery-1.5.9"</code> |
| </resolution> |
| <references> |
| <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3600">CVE-2008-3600</uri> |
| <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3662">CVE-2008-3662</uri> |
| <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4129">CVE-2008-4129</uri> |
| <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4130">CVE-2008-4130</uri> |
| </references> |
| <metadata tag="requester" timestamp="Sat, 18 Oct 2008 20:31:05 +0000"> |
| keytoaster |
| </metadata> |
| <metadata tag="submitter" timestamp="Tue, 21 Oct 2008 20:22:34 +0000"> |
| keytoaster |
| </metadata> |
| <metadata tag="bugReady" timestamp="Fri, 31 Oct 2008 00:12:12 +0000"> |
| rbu |
| </metadata> |
| </glsa> |