Bug 125830 - www-apps/gallery: file inclusion in < 2.0.4
Bug#: 125830 Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: Linux Status: RESOLVED Severity: normal Priority: P2
Resolution: FIXED Assigned To: security@gentoo.org Reported By: dercorny@gentoo.org
Component: Vulnerabilities
URL:  http://gallery.menalto.com/2.0.4_and_2.1_rc_2a_update
Summary: www-apps/gallery: file inclusion in < 2.0.4
Keywords:  
Status Whiteboard: C2? [noglsa] DerCorny
Opened: 2006-03-11 06:32 0000
Description:
Thanks once again to James Bercegay from GulfTech Security Research for tipping
us off to a security vulnerability in Gallery 2.0.3 and the 2.1 release
candidates. Your installation is only vulnerable if you have the
register_globals setting enabled. If you're vulnerable, an attacker can use
this exploit to execute a "local inclusion" exploit, or run code that's already
on your server. This is especially dangerous if you allow upload privileges to
users you don't trust, and your g2data directory is in a predictable location.
We have released Gallery 2.0.4 and 2.1-RC-2a to fix this vulnerability, but
it's also very easily patched by hand if you don't want to install a complete
update. Read on for more details on how to quickly secure your Gallery install.
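
As an added example (not part of the bug report or of Gallery's code), a triage check for the condition stated in the description above: a Gallery 2.0.x install below 2.0.4 is exposed only when register_globals is enabled. The function names, the sample php.ini text and the built-in default of Off (PHP 4.2.0 and later) are assumptions of this example; the 2.1 release candidates are not handled.

```python
import re

TRUE_VALUES = {"1", "on", "true", "yes"}  # spellings PHP treats as boolean true

# Constructed sample input, not taken from any real host.
SAMPLE_PHP_INI = """\
[PHP]
; register_globals = Off
register_globals = On   ; enabled for a legacy application
"""

def ini_register_globals(php_ini_text, default=False):
    """Effective register_globals from php.ini text (last assignment wins)."""
    value = default  # assumption: built-in default is Off (PHP >= 4.2.0)
    for raw in php_ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment
        m = re.match(r"register_globals\s*=\s*(.*)$", line, re.I)
        if m:
            value = m.group(1).strip().strip("\"'").lower() in TRUE_VALUES
    return value

def apache_override(conf_text):
    """True/False if a php_flag or php_admin_flag line sets register_globals,
    None if there is none. Precedence between the two is not modelled."""
    result = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        m = re.match(r"php_(?:admin_)?flag\s+register_globals\s+(\S+)", line, re.I)
        if m:
            result = m.group(1).lower() in TRUE_VALUES
    return result

def gallery_exposed(version, php_ini_text, conf_text=""):
    """True for a Gallery 2.0.x version below 2.0.4 with register_globals on."""
    enabled = ini_register_globals(php_ini_text)
    override = apache_override(conf_text)
    if override is not None:
        enabled = override
    installed = tuple(int(part) for part in version.split("."))
    return enabled and installed < (2, 0, 4)

if __name__ == "__main__":
    for ver in ("2.0.3", "2.0.4"):
        print(ver, "exposed:", gallery_exposed(ver, SAMPLE_PHP_INI))
```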

------- Comment #1 From Stefan Cornelius (RETIRED) 2006-03-11 06:34:56 0000 -------
web-apps, please provide an ebuild.

------- Comment #2 From Carsten Lohrke 2006-03-11 06:44:47 0000 -------
*** Bug 125826 has been marked as a duplicate of this bug. ***

------- Comment #3 From donald webster 2006-03-11 19:59:32 0000 -------
simply renaming 2.0.3 -> 2.0.4 does the trick, just like 2.0.2 -> 2.0.3 did.

------- Comment #4 From Thierry Carrez (RETIRED) 2006-03-12 03:51:45 0000 -------
register_globals is evil.
I am tempted to close this one as PEBKAC, but since we have 2.0.3 fixes too...
rl03, would you be so kind?

------- Comment #5 From Renat Lumpau 2006-03-15 08:37:17 0000 -------
in CVS

------- Comment #6 From Stefan Cornelius (RETIRED) 2006-03-15 08:40:15 0000 -------
arches, the same procedure as every year: please test+stable, thank you

------- Comment #7 From Mark Loeser 2006-03-15 14:18:32 0000 -------
x86 done

------- Comment #8 From Jeroen Roovers 2006-03-15 16:00:57 0000 -------
Could we have gallery-2.0.4-full.tar.gz on the mirrors too?

------- Comment #9 From Jeroen Roovers 2006-03-16 05:32:10 0000 -------
hppa done.

------- Comment #10 From Gustavo Zacarias (RETIRED) 2006-03-16 09:31:16 0000 -------
sparc stable.

------- Comment #11 From Tobias Scherbaum 2006-03-16 11:21:51 0000 -------
ppc stable

------- Comment #12 From Simon Stelling (RETIRED) 2006-03-16 11:32:43 0000 -------
amd64 stable

------- Comment #13 From Stefan Cornelius (RETIRED) 2006-03-17 01:56:25 0000 -------
ready for glsa vote, together with bug #124614. Didn't make up my mind yet

------- Comment #14 From Sune Kloppenborg Jeppesen 2006-03-17 03:46:24 0000 -------
I tend to vote no.

------- Comment #15 From donald webster 2006-03-17 03:54:51 0000 -------
I'm no dev, but I assume the vote means to mention it on GLSA?  I would also
say no for a few reasons:
1) afaik, gentoo's php does not have register global enabled by default
2) there are not any known exploits
3) register global users deserve it :)

------- Comment #16 From Stefan Cornelius (RETIRED) 2006-03-17 04:01:16 0000 -------
haha, i like point 3 :)

voting no, too. as always, feel free to reopen if you disagree.