Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 238113 (CVE-2008-3662)

Summary: www-apps/gallery <1.5.9 <2.2.6 Multiple vulnerabilities (CVE-2008-{3662,4129,4130})
Product: Gentoo Security Reporter: Robert Buchholz (RETIRED) <rbu>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: Jan.Schubert, sgtphou
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://gallery.menalto.com/gallery_2.2.6_released
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---

Description Robert Buchholz (RETIRED) gentoo-dev 2008-09-19 14:57:02 UTC 
CVE-2008-3662 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3662):
  Gallery before 1.5.9, and 2.x before 2.2.6, does not set the secure
  flag for the session cookie in an https session, which can cause the
  cookie to be sent in http requests and make it easier for remote
  attackers to capture this cookie.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-09-19 15:27:52 UTC 
CVE-2008-4129 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4129):
  Gallery before 1.5.9, and 2.x before 2.2.6, does not properly handle
  ZIP archives containing symbolic links, which allows remote
  authenticated users to conduct directory traversal attacks and read
  arbitrary files via vectors related to the archive upload (aka zip
  upload) functionality.

CVE-2008-4130 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4130):
  Cross-site scripting (XSS) vulnerability in Gallery 2.x before 2.2.6
  allows remote attackers to inject arbitrary web script or HTML via a
  crafted Flash animation, related to the ability of the animation to
  "interact with the embedding page."
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-09-26 15:18:16 UTC 
*** Bug 238773 has been marked as a duplicate of this bug. ***
Comment 3 Peter Volkov (RETIRED) gentoo-dev 2008-09-29 07:39:39 UTC 
Bumped in the tree. Arch teams, please, stabilize.

Target keywords:
gallery-2.2.6: alpha amd64 hppa ppc ppc64 sparc x86
gallery-1.5.9: alpha amd64 hppa ppc sparc x86
Comment 4 Raúl Porcel (RETIRED) gentoo-dev 2008-09-29 09:15:04 UTC 
alpha/sparc/x86 stable
Comment 5 Jan Schubert 2008-09-29 11:37:10 UTC 
Thx, seem to work fine on my amd64 (intel) platform.
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2008-09-29 20:00:56 UTC 
Both stable for HPPA.
Comment 7 Markus Rothe (RETIRED) gentoo-dev 2008-09-30 10:13:54 UTC 
ppc64 stable
Comment 8 Tobias Scherbaum (RETIRED) gentoo-dev 2008-10-01 17:50:28 UTC 
ppc stable
Comment 9 Markus Meier gentoo-dev 2008-10-06 20:18:51 UTC 
amd64 stable, all arches done.
Comment 10 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-10-09 21:56:54 UTC 
time for GLSA decision, I vote yes.
Comment 11 Gunnar Wrobel (RETIRED) gentoo-dev 2008-10-11 19:02:06 UTC 
Removed vulnerable versions. webapps done.
Comment 12 Tobias Heinlein (RETIRED) gentoo-dev 2008-10-18 20:30:32 UTC 
YES too, request filed.
Comment 13 Tobias Heinlein (RETIRED) gentoo-dev 2008-11-10 17:55:08 UTC 
GLSA 200811-02, thanks everyone, sorry about the delay.