
Bug 39638

Summary: gallery < 1.4.1-pl1 remote exploit
Product: Gentoo Linux
Reporter: Rajiv Aaron Manglani (RETIRED) <rajiv>
Component: New packages
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: web-apps
Priority: High
Keywords: SECURITY
Version: 1.4
Hardware: All
OS: All
URL: http://gallery.menalto.com/modules.php?op=modload&name=News&file=article&sid=107&sid=107

Description Rajiv Aaron Manglani (RETIRED) gentoo-dev 2004-01-27 23:05:30 UTC
from <http://gallery.menalto.com/modules.php?op=modload&name=News&file=article&sid=107&sid=107>:

Notice if you use Gallery versions 1.3.1, 1.3.2, 1.3.3, 1.4 and 1.4.1 (current release):

We have discovered a well-hidden but potentially serious security flaw in these versions of Gallery which can allow a hacker to remotely exploit your webserver. All Gallery users are strongly urged to upgrade to 1.4.1-pl1 immediately, which fixes this serious problem and will secure your system.

Thanks to Fred (vrotogel) for quickly alerting us to this issue.

Gallery 1.4.1-pl1 can be downloaded from the Gallery Download Page.

If you use version 1.4.1 and would like to patch your existing installation rather than downloading the full updated version, click to read on...
see also <http://www.securityfocus.com/archive/1/351449>

New version in Portage, marked stable. GLSA to be sent.
Comment 1 solar (RETIRED) gentoo-dev 2004-01-27 23:41:10 UTC
This is the 3rd time, I think, that I've seen this program become exploitable.
Shame on the coders!
Comment 2 SpanKY gentoo-dev 2004-02-10 22:16:44 UTC
This was version-bumped into stable on 25 Jan 2004 by mholzer.

A GLSA can be sent out as soon as one is made.
Comment 3 Tim Yamin (RETIRED) gentoo-dev 2004-02-11 13:25:08 UTC
GLSA is out: http://article.gmane.org/gmane.linux.gentoo.announce/287

Thanks!