Bug#: 121977
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Renat Lumpau <rl03@gentoo.org>
Description:   Opened: 2006-02-07 06:10 0000
- A very major data loss issue with the zip download component. If a zip file
is not successfully created, Gallery 1.5.2 and Gallery 1.5.2-pl1 will try and
delete many more files than they should.
- A very minor security problem where a user with write access to a server
could create a specially formatted file, coerce someone with owner privileges
in the Gallery to click on a specially formatted link, which could modify
stored album data and possibly lead to local code execution. We thank Tom
Saville (seregon at bughunter dot net) and his team from Digital Armaments for
reporting this to us and giving us time to get a patch out.
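The first item above describes a failure-path cleanup that removes far more than it should. The following is an added example written for this page, not Gallery's code and not a claim about how Gallery's zip component actually failed: it shows the defensive pattern of staging an archive in a private directory, recording every path the build creates, and on failure deleting exactly those recorded paths (plain `unlink` and non-recursive `rmdir`, never a glob or `rmtree` over a directory the caller handed in). The `fail_after` hook, the `staging_root` parameter and the `album.zip` name are assumptions of the example used to simulate a mid-build error.

```python
import os
import tempfile
import zipfile


class ZipBuildError(Exception):
    """Raised when the download archive could not be produced."""


def build_zip_download(album_files, staging_root=None, fail_after=None):
    """Build a zip of album_files inside a fresh private staging directory.

    Returns the path of the finished archive. On any failure, removes only
    the paths this call created (tracked in `created`) and re-raises, so
    the album's own source files are never touched.

    `fail_after` is a hypothetical hook for this example: raising after N
    entries simulates an I/O error part-way through building the archive.
    `staging_root` (assumed parameter) is where the private staging
    directory is created; None means the system temp directory.
    """
    created = []  # every filesystem path this call has made, in order
    staging = tempfile.mkdtemp(prefix="gallery-zip-", dir=staging_root)
    archive = os.path.join(staging, "album.zip")  # name assumed for the example
    try:
        with zipfile.ZipFile(archive, "w", zipfile.ZIP_DEFLATED) as zf:
            created.append(archive)
            for i, src in enumerate(album_files):
                # Only regular files that were explicitly listed; no directory walks.
                if not os.path.isfile(src):
                    raise ZipBuildError("not a regular file: %s" % src)
                if fail_after is not None and i >= fail_after:
                    raise ZipBuildError("simulated failure while adding entries")
                zf.write(src, arcname=os.path.basename(src))
        return archive
    except Exception:
        # Failure path: delete only what we created, one explicit path at a time.
        for path in reversed(created):
            try:
                os.unlink(path)
            except FileNotFoundError:
                pass
        # rmdir (not rmtree) refuses to remove a directory that still has
        # contents, so a bookkeeping mistake cannot turn into a mass delete.
        try:
            os.rmdir(staging)
        except OSError:
            pass
        raise


def remove_download(archive):
    """Remove a finished archive and its staging directory, nothing else."""
    os.unlink(archive)
    os.rmdir(os.path.dirname(archive))


if __name__ == "__main__":
    # Constructed sample album: three small files in a scratch directory.
    root = tempfile.mkdtemp()
    album = os.path.join(root, "album")
    os.mkdir(album)
    sources = []
    for name in ("a.jpg", "b.jpg", "c.jpg"):
        path = os.path.join(album, name)
        with open(path, "wb") as fh:
            fh.write(b"\xff\xd8" + b"\x00" * 64)
        sources.append(path)
    try:
        build_zip_download(sources, staging_root=root, fail_after=1)
    except ZipBuildError as exc:
        print("build failed as simulated:", exc)
    print("album files intact:", all(os.path.exists(p) for p in sources))
    out = build_zip_download(sources, staging_root=root)
    print("archive built:", out)
    remove_download(out)
```

The property worth testing is that a failed build leaves the album directory untouched and leaves nothing behind in the staging area, while a successful build produces an archive whose removal is equally bounded.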

------- Comment #1 From Renat Lumpau 2006-02-07 06:11:59 0000 -------
1.5.2_p2 in CVS

------- Comment #2 From Sune Kloppenborg Jeppesen 2006-02-07 10:24:15 0000 -------
Arches please test and mark stable.

------- Comment #3 From Chris White (RETIRED) 2006-02-07 21:26:09 0000 -------
kthxx86done

------- Comment #4 From Gustavo Zacarias (RETIRED) 2006-02-08 10:13:36 0000 -------
sparc stable.

------- Comment #5 From Simon Stelling (RETIRED) 2006-02-08 14:13:43 0000 -------
amd64 stable

------- Comment #6 From Jose Luis Rivero (yoswink) 2006-02-08 18:42:41 0000 -------
alpha stable

------- Comment #7 From Tobias Scherbaum 2006-02-09 09:28:24 0000 -------
ppc stable

------- Comment #8 From René Nussbaumer 2006-02-10 00:55:01 0000 -------
hppa stable

------- Comment #9 From Stefan Cornelius (RETIRED) 2006-02-10 05:15:21 0000 -------
Ready for GLSA vote, I tend to NO (if we don't get enough votes in time, you may
also count this as a full no ;)

------- Comment #10 From Sune Kloppenborg Jeppesen 2006-02-10 09:49:24 0000 -------
I vote NO.

------- Comment #11 From Thierry Carrez (RETIRED) 2006-02-10 11:30:06 0000 -------
No and closing.
