125830 2006-03-11 06:32 0000 www-apps/gallery: file inclusion in < 2.0.4 2006-03-17 04:01:16 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED http://gallery.menalto.com/2.0.4_and_2.1_rc_2a_update C2? [noglsa] DerCorny P2 normal --- 124614 1 dercorny@gentoo.org security@gentoo.org fryfrog@gmail.com jer@gentoo.org moixa@gmx.ch web-apps@gentoo.org dercorny@gentoo.org 2006-03-11 06:32:29 0000 Thanks once again to James Bercegay from GulfTech Security Research for tipping us off to a security vulnerability in Gallery 2.0.3 and the 2.1 release candidates. Your installation is only vulnerable if you have the register_globals setting enabled. If you're vulnerable, an attacker can use this exploit to execute a "local inclusion" exploit, or run code that's already on your server. This is especially dangerous if you allow upload privileges to users you don't trust, and your g2data directory is in a predictable location. We have released Gallery 2.0.4 and 2.1-RC-2a to fix this vulnerability, but it's also very easily patched by hand if you don't want to install a complete update. Read on for more details on how to quickly secure your Gallery install. dercorny@gentoo.org 2006-03-11 06:34:56 0000 web-apps, please provide an ebuild. carlo@gentoo.org 2006-03-11 06:44:47 0000 *** Bug 125826 has been marked as a duplicate of this bug. *** fryfrog@gmail.com 2006-03-11 19:59:32 0000 simply renaming 2.0.3 -> 2.0.4 does the trick, just like 2.0.2 -> 2.0.3 did. koon@gentoo.org 2006-03-12 03:51:45 0000 register_globals is evil. I am tempted to close this one as PEBKAC, but since we have 2.0.3 fixes too... rl03, would you be so kind ? rl03@gentoo.org 2006-03-15 08:37:17 0000 in CVS dercorny@gentoo.org 2006-03-15 08:40:15 0000 arches, the same procedure as every year: please test+stable, thank you halcy0n@gentoo.org 2006-03-15 14:18:32 0000 x86 done jer@gentoo.org 2006-03-15 16:00:57 0000 Could we have gallery-2.0.4-full.tar.gz on the mirrors too? jer@gentoo.org 2006-03-16 05:32:10 0000 hppa done. gustavoz@gentoo.org 2006-03-16 09:31:16 0000 sparc stable. dertobi123@gentoo.org 2006-03-16 11:21:51 0000 ppc stable blubb@gentoo.org 2006-03-16 11:32:43 0000 amd64 stable dercorny@gentoo.org 2006-03-17 01:56:25 0000 ready for glsa vote, together with bug #124614. Didnt make up my mind yet jaervosz@gentoo.org 2006-03-17 03:46:24 0000 I tend to vote no. fryfrog@gmail.com 2006-03-17 03:54:51 0000 I'm no dev, but I assume the vote means to mention it on GLSA? I would also say no for a few reasons: 1) afaik, gentoo's php does not have register global enabled by default 2) there are not any known exploits 3) register global users deserve it :) dercorny@gentoo.org 2006-03-17 04:01:16 0000 haha, i like point 3 :) voting no, too. as always, feel free to reopen if you disagree.