Thanks once again to James Bercegay from GulfTech Security Research for tipping us off to a security vulnerability in Gallery 2.0.3 and the 2.1 release candidates. Your installation is only vulnerable if you have the register_globals setting enabled. If you're vulnerable, an attacker can use this exploit to execute a "local inclusion" exploit, or run code that's already on your server. This is especially dangerous if you allow upload privileges to users you don't trust, and your g2data directory is in a predictable location. We have released Gallery 2.0.4 and 2.1-RC-2a to fix this vulnerability, but it's also very easily patched by hand if you don't want to install a complete update. Read on for more details on how to quickly secure your Gallery install.
web-apps, please provide an ebuild.
*** Bug 125826 has been marked as a duplicate of this bug. ***
simply renaming 2.0.3 -> 2.0.4 does the trick, just like 2.0.2 -> 2.0.3 did.
register_globals is evil. I am tempted to close this one as PEBKAC, but since we have 2.0.3 fixes too... rl03, would you be so kind ?
in CVS
arches, the same procedure as every year: please test+stable, thank you
x86 done
Could we have gallery-2.0.4-full.tar.gz on the mirrors too?
hppa done.
sparc stable.
ppc stable
amd64 stable
ready for glsa vote, together with bug #124614. Didnt make up my mind yet
I tend to vote no.
I'm no dev, but I assume the vote means to mention it on GLSA? I would also say no for a few reasons: 1) afaik, gentoo's php does not have register global enabled by default 2) there are not any known exploits 3) register global users deserve it :)
haha, i like point 3 :) voting no, too. as always, feel free to reopen if you disagree.
