Bug#: 125830
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Stefan Cornelius (RETIRED) <dercorny@gentoo.org>
Bug 125830 blocks: 124614

Description:   Opened: 2006-03-11 06:32 0000
Thanks once again to James Bercegay from GulfTech Security Research for tipping
us off to a security vulnerability in Gallery 2.0.3 and the 2.1 release
candidates. Your installation is only vulnerable if you have the
register_globals setting enabled. If you're vulnerable, an attacker can use
this exploit to execute a "local inclusion" exploit, or run code that's already
on your server. This is especially dangerous if you allow upload privileges to
users you don't trust, and your g2data directory is in a predictable location.
We have released Gallery 2.0.4 and 2.1-RC-2a to fix this vulnerability, but
it's also very easily patched by hand if you don't want to install a complete
update. Read on for more details on how to quickly secure your Gallery install.
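
Since the description says an installation is only exposed when register_globals is enabled, the following is one way to audit a host for that precondition. It is an added example, not part of the original report or of Gallery or Gentoo code; the sample configuration text and function names are constructed for illustration.

```python
import re

# Spellings PHP's ini parser treats as boolean true (case-insensitive).
TRUTHY = {"1", "on", "true", "yes"}

# php.ini form: register_globals = On   ; optional trailing comment
INI_RE = re.compile(r"^\s*register_globals\s*=\s*([^;]*)", re.I)
# mod_php per-directory form, as found in httpd.conf or .htaccess.
APACHE_RE = re.compile(
    r"^\s*php_(?:admin_)?(?:flag|value)\s+register_globals\s+(\S+)", re.I)

def _is_on(raw):
    return raw.strip().strip("\"'").lower() in TRUTHY

def ini_register_globals(text):
    """Effective php.ini value; None if the directive is never set.
    Commented-out lines never match, and a later assignment replaces
    an earlier one."""
    state = None
    for line in text.splitlines():
        m = INI_RE.match(line)
        if m:
            state = _is_on(m.group(1))
    return state

def apache_overrides(text):
    """1-based line numbers of directives that switch the setting on."""
    return [n for n, line in enumerate(text.splitlines(), 1)
            if (m := APACHE_RE.match(line)) and _is_on(m.group(1))]

# Constructed sample inputs, not taken from any real host.
SAMPLE_INI = (
    "; register_globals = On\n"
    "register_globals = Off\n"
    'register_globals = "On" ; re-enabled for a legacy app\n'
)
SAMPLE_APACHE_CONF = (
    "# php_flag register_globals on\n"
    "php_flag register_globals off\n"
    "  php_admin_flag register_globals On\n"
)

if __name__ == "__main__":
    print("php.ini enables register_globals:", ini_register_globals(SAMPLE_INI))
    print("Apache lines enabling it:", apache_overrides(SAMPLE_APACHE_CONF))
```

Checking the web server configuration as well as php.ini matters because a per-directory override can turn the setting on for a single application even when the global default is off.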

------- Comment #1 From Stefan Cornelius (RETIRED) 2006-03-11 06:34:56 0000 -------
web-apps, please provide an ebuild.

------- Comment #2 From Carsten Lohrke 2006-03-11 06:44:47 0000 -------
*** Bug 125826 has been marked as a duplicate of this bug. ***

------- Comment #3 From donald webster 2006-03-11 19:59:32 0000 -------
simply renaming 2.0.3 -> 2.0.4 does the trick, just like 2.0.2 -> 2.0.3 did.

------- Comment #4 From Thierry Carrez (RETIRED) 2006-03-12 03:51:45 0000 -------
register_globals is evil.
I am tempted to close this one as PEBKAC, but since we have 2.0.3 fixes too...
rl03, would you be so kind ?

------- Comment #5 From Renat Lumpau 2006-03-15 08:37:17 0000 -------
in CVS

------- Comment #6 From Stefan Cornelius (RETIRED) 2006-03-15 08:40:15 0000 -------
arches, the same procedure as every year: please test+stable, thank you

------- Comment #7 From Mark Loeser 2006-03-15 14:18:32 0000 -------
x86 done

------- Comment #8 From Jeroen Roovers 2006-03-15 16:00:57 0000 -------
Could we have gallery-2.0.4-full.tar.gz on the mirrors too?

------- Comment #9 From Jeroen Roovers 2006-03-16 05:32:10 0000 -------
hppa done.

------- Comment #10 From Gustavo Zacarias (RETIRED) 2006-03-16 09:31:16 0000 -------
sparc stable.

------- Comment #11 From Tobias Scherbaum 2006-03-16 11:21:51 0000 -------
ppc stable

------- Comment #12 From Simon Stelling (RETIRED) 2006-03-16 11:32:43 0000 -------
amd64 stable

------- Comment #13 From Stefan Cornelius (RETIRED) 2006-03-17 01:56:25 0000 -------
ready for glsa vote, together with bug #124614. Didn't make up my mind yet

------- Comment #14 From Sune Kloppenborg Jeppesen 2006-03-17 03:46:24 0000 -------
I tend to vote no.

------- Comment #15 From donald webster 2006-03-17 03:54:51 0000 -------
I'm no dev, but I assume the vote means to mention it on GLSA?  I would also
say no for a few reasons:
1) afaik, gentoo's php does not have register global enabled by default
2) there are not any known exploits
3) register global users deserve it :)

------- Comment #16 From Stefan Cornelius (RETIRED) 2006-03-17 04:01:16 0000 -------
haha, i like point 3 :)

voting no, too. as always, feel free to reopen if you disagree.
