Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 191587

Summary: www-apps/gallery < 2.2.3 WebDAV and Reupload Module Data Manipulation Vulnerabilities (CVE-2007-4650)
Product: Gentoo Security Reporter: Matt Fleming (RETIRED) <mjf>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor    
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://secunia.com/advisories/26716/
Whiteboard: B4 [glsa]
Package list:
Runtime testing required: ---

Description Matt Fleming (RETIRED) gentoo-dev 2007-09-07 12:44:05 UTC
Some vulnerabilities have been reported in Gallery, which can be exploited by malicious users to manipulate data.

The vulnerabilities are caused due to unspecified errors within the WebDAV and Reupload modules, which can be exploited to e.g. rename items, change item properties, replace items, or edit item data via WebDAV.

The vulnerabilities are reported in versions prior to 2.2.3.
Comment 1 Matt Fleming (RETIRED) gentoo-dev 2007-09-07 12:45:44 UTC
CC'ing herd and setting whiteboard status.
Comment 2 Gunnar Wrobel (RETIRED) gentoo-dev 2007-09-07 14:43:01 UTC
Gallery-2.2.3 is in the tree.

Since 2.1.2 is apparently vulnerable these are the target archs for stabilization:

alpha amd64 hppa ppc ppc64 sparc x86
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2007-09-07 15:35:45 UTC
Stable for HPPA.
Comment 4 Tobias Scherbaum (RETIRED) gentoo-dev 2007-09-07 17:47:39 UTC
ppc stable
Comment 5 Chris Gianelloni (RETIRED) gentoo-dev 2007-09-07 18:21:39 UTC
amd64/x86 done
Comment 6 Raúl Porcel (RETIRED) gentoo-dev 2007-09-09 15:53:23 UTC
alpha stable
Comment 7 Markus Rothe (RETIRED) gentoo-dev 2007-09-09 16:22:00 UTC
ppc64 stable
Comment 8 Jose Luis Rivero (yoswink) (RETIRED) gentoo-dev 2007-09-12 08:42:43 UTC
Installs and works fine in sparc.

@Security: we are the last, ready to vote.
Comment 9 Gunnar Wrobel (RETIRED) gentoo-dev 2007-09-12 08:51:03 UTC
Removed the insecure versions from the tree. web-apps is done here.
Comment 10 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-09-12 09:44:07 UTC
I tend to vote YES.
Comment 11 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-09-12 09:45:06 UTC
I vote yes.
Comment 12 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-09-25 09:43:10 UTC
glsa request filed.
Comment 13 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-11-01 23:51:10 UTC
GLSA 200711-03
Comment 14 Marcin Deranek 2007-11-02 10:54:32 UTC
None of the security announcements implicitly mentions gallery-1.x as affected or not. From the announcement we could assume that gallery 1.x is affected as all versions before gallery-2.2.3 are affected, but:
- According to page http://codex.gallery2.org/G1-G2_Comparison gallery-1.x does not support WebDAV and does not support module system (patch required)
- Secunia website (URL provided in this bug) mentions only 'Gallery 2.x' as affected software
This would indicate that gallery-1.x is not affected by this problem, however:

mac ~ # glsa-check -lnc affected
[A] means this GLSA was already applied,
[U] means the system is not affected and
[N] indicates that the system might be affected.

200711-03 [N] Gallery: Multiple vulnerabilities ( www-apps/gallery ) CVE-2007-4650

I do have gallery-1.5.7 installed on the system (some people still prefer gallery-1.x as it doesn't require DB backend)
Comment 15 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-11-11 14:48:36 UTC
glsa-200711-03.xml finally fixed, thanks for the info.