Bug 121977 - www-apps/gallery - minor security issue
Summary: www-apps/gallery - minor security issue
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Other
Importance: High normal
Assignee: Gentoo Security
URL: http://gallery.menalto.com/
Whiteboard: B4? [noglsa] jaervosz
Keywords:
Depends on:
Blocks:
 
Reported: 2006-02-07 06:10 UTC by Renat Lumpau (RETIRED)
Modified: 2006-02-10 11:30 UTC
See Also:
Package list:
Runtime testing required: ---


Description Renat Lumpau (RETIRED) gentoo-dev 2006-02-07 06:10:50 UTC
- A very major data loss issue with the zip download component. If a zip file is not successfully created, Gallery 1.5.2 and Gallery 1.5.2-pl1 will try and delete many more files than they should.
- A very minor security problem where a user with write access to a server could create a specially formatted file, coerce someone with owner privileges in the Gallery to click on a specially formatted link, which could modify stored album data and possibly lead to local code execution. We thank Tom Saville (seregon at bughunter dot net) and his team from Digital Armaments for reporting this to us and giving us time to get a patch out.
Comment 1 Renat Lumpau (RETIRED) gentoo-dev 2006-02-07 06:11:59 UTC
1.5.2_p2 in CVS
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-02-07 10:24:15 UTC
Arches please test and mark stable.
Comment 3 Chris White (RETIRED) gentoo-dev 2006-02-07 21:26:09 UTC
kthxx86done
Comment 4 Gustavo Zacarias (RETIRED) gentoo-dev 2006-02-08 10:13:36 UTC
sparc stable.
Comment 5 Simon Stelling (RETIRED) gentoo-dev 2006-02-08 14:13:43 UTC
amd64 stable
Comment 6 Jose Luis Rivero (yoswink) (RETIRED) gentoo-dev 2006-02-08 18:42:41 UTC
alpha stable
Comment 7 Tobias Scherbaum (RETIRED) gentoo-dev 2006-02-09 09:28:24 UTC
ppc stable
Comment 8 René Nussbaumer (RETIRED) gentoo-dev 2006-02-10 00:55:01 UTC
hppa stable
Comment 9 Stefan Cornelius (RETIRED) gentoo-dev 2006-02-10 05:15:21 UTC
Ready for GLSA vote, I tend to NO (if we don't get enough votes in time, you may also count this as a full no ;)
Comment 10 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-02-10 09:49:24 UTC
I vote NO.
Comment 11 Thierry Carrez (RETIRED) gentoo-dev 2006-02-10 11:30:06 UTC
No and closing.