Bug 790728 (CVE-2021-32615) - <www-apps/piwigo-11.5.0: SQL injection in user manager (CVE-2021-32615)
Summary: <www-apps/piwigo-11.5.0: SQL injection in user manager (CVE-2021-32615)
Status: RESOLVED FIXED
Alias: CVE-2021-32615
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: https://github.com/Piwigo/Piwigo/issu...
Whiteboard: ~4 [noglsa]
Keywords:
Duplicates: 790449
Depends on:
Blocks:
 
Reported: 2021-05-17 20:47 UTC by Alexander Bezrukov
Modified: 2021-05-20 21:46 UTC
CC List: 2 users

See Also:
Package list:
Runtime testing required: ---


Description Alexander Bezrukov 2021-05-17 20:47:30 UTC
SQL injection vulnerability exists in all versions of Piwigo prior to 11.5.0.

I see no way of exploiting this vulnerability except as having already been logged in as a user with administrative (to the web gallery) privileges and such a user would probably already have administrative level access to the database.

Upgrading is as easy as renaming the ebuild.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-05-18 01:51:03 UTC
Thanks for the report! No need to populate package list, this is an unstable package, and version doesn't go in summary without that version in tree
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-05-18 01:52:02 UTC
*** Bug 790449 has been marked as a duplicate of this bug. ***
Comment 3 Bernard Cafarelli gentoo-dev 2021-05-19 08:19:56 UTC
Thanks for both bug reports, sorry I did not have access to my dev box for a few days. New version works fine here, bump and cleanup in progress
Comment 4 Larry the Git Cow gentoo-dev 2021-05-19 10:06:31 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4cf85216ff23071c8a6714c58ed5d6b5e1c67e70

commit 4cf85216ff23071c8a6714c58ed5d6b5e1c67e70
Author:     Bernard Cafarelli <voyageur@gentoo.org>
AuthorDate: 2021-05-19 08:21:45 +0000
Commit:     Bernard Cafarelli <voyageur@gentoo.org>
CommitDate: 2021-05-19 10:06:01 +0000

    www-apps/piwigo: 11.5.0 version bump
    
    Drop previous version for security bug
    
    Bug: https://bugs.gentoo.org/790728
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Bernard Cafarelli <voyageur@gentoo.org>

 www-apps/piwigo/Manifest                                       | 2 +-
 www-apps/piwigo/{piwigo-11.4.0.ebuild => piwigo-11.5.0.ebuild} | 0
 2 files changed, 1 insertion(+), 1 deletion(-)
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-05-20 21:46:35 UTC
Thank you! All unstable, all done.