Bug#: 191587
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Matt Fleming (RETIRED) <mjf@gentoo.org>
Description: Opened 2007-09-07 12:44 0000
Some vulnerabilities have been reported in Gallery, which can be exploited by
malicious users to manipulate data.

The vulnerabilities are caused due to unspecified errors within the WebDAV and
Reupload modules, which can be exploited to e.g. rename items, change item
properties, replace items, or edit item data via WebDAV.

The vulnerabilities are reported in versions prior to 2.2.3.

------- Comment #1 From Matt Fleming (RETIRED) 2007-09-07 12:45:44 0000 -------
CC'ing herd and setting whiteboard status.

------- Comment #2 From Gunnar Wrobel 2007-09-07 14:43:01 0000 -------
Gallery-2.2.3 is in the tree.

Since 2.1.2 is apparently vulnerable these are the target archs for
stabilization:

alpha amd64 hppa ppc ppc64 sparc x86

------- Comment #3 From Jeroen Roovers 2007-09-07 15:35:45 0000 -------
Stable for HPPA.

------- Comment #4 From Tobias Scherbaum 2007-09-07 17:47:39 0000 -------
ppc stable

------- Comment #5 From Chris Gianelloni (RETIRED) 2007-09-07 18:21:39 0000 -------
amd64/x86 done

------- Comment #6 From Raúl Porcel 2007-09-09 15:53:23 0000 -------
alpha stable

------- Comment #7 From Markus Rothe 2007-09-09 16:22:00 0000 -------
ppc64 stable

------- Comment #8 From Jose Luis Rivero (yoswink) 2007-09-12 08:42:43 0000 -------
Installs and works fine on sparc.

@Security: we are the last, ready to vote.

------- Comment #9 From Gunnar Wrobel 2007-09-12 08:51:03 0000 -------
Removed the insecure versions from the tree. web-apps is done here.

------- Comment #10 From Sune Kloppenborg Jeppesen 2007-09-12 09:44:07 0000 -------
I tend to vote YES.

------- Comment #11 From Pierre-Yves Rofes 2007-09-12 09:45:06 0000 -------
I vote yes.

------- Comment #12 From Pierre-Yves Rofes 2007-09-25 09:43:10 0000 -------
glsa request filed.

------- Comment #13 From Pierre-Yves Rofes 2007-11-01 23:51:10 0000 -------
GLSA 200711-03

------- Comment #14 From Marcin Deranek 2007-11-02 10:54:32 0000 -------
None of the security announcements implicitly mentions gallery-1.x as affected
or not. From the announcement we could assume that gallery 1.x is affected as
all versions before gallery-2.2.3 are affected, but:
- According to page http://codex.gallery2.org/G1-G2_Comparison gallery-1.x does
not support WebDAV and does not support module system (patch required)
- Secunia website (URL provided in this bug) mentions only 'Gallery 2.x' as
affected software
This would indicate that gallery-1.x is not affected by this problem, however:

mac ~ # glsa-check -lnc affected
[A] means this GLSA was already applied,
[U] means the system is not affected and
[N] indicates that the system might be affected.

200711-03 [N] Gallery: Multiple vulnerabilities ( www-apps/gallery )
CVE-2007-4650

I do have gallery-1.5.7 installed on the system (some people still prefer
gallery-1.x as it doesn't require DB backend)

------- Comment #15 From Pierre-Yves Rofes 2007-11-11 14:48:36 0000 -------
glsa-200711-03.xml finally fixed, thanks for the info.
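The glsa-check result in comment #14 comes down to how the GLSA's <unaffected> and <vulnerable> version ranges are matched against the installed version of www-apps/gallery: with only "ge 2.2.3" listed as unaffected and "lt 2.2.3" as vulnerable, gallery-1.5.7 falls inside the vulnerable range even though the 1.x branch does not have the WebDAV or Reupload modules at all. The script below is an added illustration and is not part of this bug, of gentoolkit's glsa-check, or of the real glsa-200711-03.xml. It parses two constructed GLSA fragments with the same package block: the "before" form with the single unaffected range, and an "after" form that adds an assumed `<unaffected range="lt">2</unaffected>` entry to exclude the 1.x branch (the actual edit made to glsa-200711-03.xml is not shown in this bug, so that entry is a hypothetical shape of the fix). The matching rule used, "installed version is flagged when it matches a vulnerable range and no unaffected range", is the usual glsa-check rule but is restated here as an assumption; version comparison is a simplified dotted-numeric compare and revision-restricted range keywords (rge, rlt, ...) are deliberately rejected.

```python
import xml.etree.ElementTree as ET

# Constructed GLSA fragment in the style of a Gentoo GLSA; NOT the real glsa-200711-03.xml.
# Only "ge 2.2.3" is unaffected, so every version below 2.2.3 (including 1.x) is vulnerable.
GLSA_BEFORE = """<glsa id="200711-03">
  <affected>
    <package name="www-apps/gallery" auto="yes" arch="*">
      <unaffected range="ge">2.2.3</unaffected>
      <vulnerable range="lt">2.2.3</vulnerable>
    </package>
  </affected>
</glsa>"""

# Assumed shape of the corrected GLSA (hypothetical): an extra unaffected range
# "lt 2" carves the whole 1.x branch out of the vulnerable range.
GLSA_AFTER = """<glsa id="200711-03">
  <affected>
    <package name="www-apps/gallery" auto="yes" arch="*">
      <unaffected range="ge">2.2.3</unaffected>
      <unaffected range="lt">2</unaffected>
      <vulnerable range="lt">2.2.3</vulnerable>
    </package>
  </affected>
</glsa>"""


def parse_version(version: str) -> tuple:
    """Simplified Gentoo version parse: strip a trailing -rN revision and split
    the dotted numeric part. Suffixes such as _p1 or _rc2 are not handled and
    raise ValueError rather than being silently mis-ordered."""
    base = version.split("-r")[0]
    return tuple(int(part) for part in base.split("."))


def version_cmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 comparing version a to b; shorter tuples are padded
    with zeros so that "2" compares equal to "2.0.0"."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return (pa > pb) - (pa < pb)


# GLSA range keywords this example supports. The revision-restricted variants
# (rge, rlt, rle, rgt) carry extra semantics and are rejected explicitly.
RANGE_TESTS = {
    "lt": lambda c: c < 0,
    "le": lambda c: c <= 0,
    "eq": lambda c: c == 0,
    "ge": lambda c: c >= 0,
    "gt": lambda c: c > 0,
}


def in_range(installed: str, keyword: str, bound: str) -> bool:
    """True when the installed version satisfies '<keyword> <bound>'."""
    try:
        test = RANGE_TESTS[keyword]
    except KeyError:
        raise ValueError(f"unsupported GLSA range keyword {keyword!r}")
    return test(version_cmp(installed, bound))


def affected_packages(glsa_xml: str, installed: dict) -> list:
    """Return [(package, version), ...] that the GLSA flags as affected.

    installed maps a package atom (e.g. 'www-apps/gallery') to the list of
    installed versions. A version is flagged when it matches at least one
    <vulnerable> range and no <unaffected> range (assumed glsa-check rule)."""
    root = ET.fromstring(glsa_xml)
    flagged = []
    for pkg in root.iter("package"):
        name = pkg.get("name")
        for version in installed.get(name, []):
            unaffected = any(
                in_range(version, u.get("range"), u.text.strip())
                for u in pkg.findall("unaffected")
            )
            vulnerable = any(
                in_range(version, v.get("range"), v.text.strip())
                for v in pkg.findall("vulnerable")
            )
            if vulnerable and not unaffected:
                flagged.append((name, version))
    return flagged


if __name__ == "__main__":
    # The situation from comment #14: only gallery-1.5.7 is installed.
    system = {"www-apps/gallery": ["1.5.7"]}
    print("before:", affected_packages(GLSA_BEFORE, system))  # flags 1.5.7
    print("after: ", affected_packages(GLSA_AFTER, system))   # no longer flagged
    # A genuinely vulnerable 2.x install is still caught by the corrected form.
    print("2.1.2: ", affected_packages(GLSA_AFTER, {"www-apps/gallery": ["2.1.2"]}))
```

The point to take from the two runs is that a GLSA with a single "lt <fixed>" vulnerable range covers every older branch of the package, so any branch that never shipped the affected code needs its own unaffected entry, otherwise glsa-check reports a false positive like the one in comment #14.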
