Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 52798

Summary: app-misc/gallery: security flaw in Gallery >=1.2 <1.4.3-pl2
Product: Gentoo Security Reporter: Matthias Geerdsen (RETIRED) <vorlon>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: condordes, ppc, web-apps
Priority: Highest Flags: condordes: Assigned_To? (condordes)
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://gallery.menalto.com/modules.php?op=modload&name=News&file=article&sid=123&mode=thread&order=0&thold=0
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---

Description Matthias Geerdsen (RETIRED) gentoo-dev 2004-06-02 11:13:00 UTC 
From the Gallery website:
"Notice: The affects all versions of Gallery from 1.2 to this release:
We have discovered a well-hidden but potentially serious security flaw in these versions of Gallery which can allow a hacker to log in to your Gallery as an administrator and perform any actions on your albums. No risk is posed to the webserver-itself or any non-Gallery data. All Gallery users are very strongly urged to upgrade to 1.4.3-pl2 immediately, which fixes this serious problem and will secure your system."

Reproducible: Always
Steps to Reproduce:
Comment 1 Kurt Lieber (RETIRED) gentoo-dev 2004-06-02 11:44:07 UTC 
web-app folks: can you review/patch/bump as appropriate?
Comment 2 Joshua J. Berry (CondorDes) (RETIRED) gentoo-dev 2004-06-03 13:40:23 UTC 
I will start drafting a GLSA for this.
Comment 3 Joshua J. Berry (CondorDes) (RETIRED) gentoo-dev 2004-06-03 14:34:24 UTC 
Preliminary GLSA draft is in; just waiting for the ebuild and stabilization.

I don't use Gallery myself, so I unfortunately can't help with bumping it.
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2004-06-07 13:38:09 UTC 
gallery-1.4.3_p2 is in portage...
x86 ppc sparc alpha hppa : please mark stable
Comment 5 Bryan Østergaard (RETIRED) gentoo-dev 2004-06-08 15:59:45 UTC 
Stable on alpha.
Comment 6 Joshua J. Berry (CondorDes) (RETIRED) gentoo-dev 2004-06-08 16:54:33 UTC 
Updating status whiteboard.
Comment 7 Jason Wever (RETIRED) gentoo-dev 2004-06-08 19:30:49 UTC 
Stable on sparc.
Comment 8 Guy Martin (RETIRED) gentoo-dev 2004-06-09 11:05:08 UTC 
Stable on hppa.
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2004-06-14 09:30:07 UTC 
x86, ppc : please mark app-misc/gallery-1.4.3_p2 stable.
Comment 10 Olivier Crete (RETIRED) gentoo-dev 2004-06-14 10:24:12 UTC 
stable on x86
Comment 11 Luca Barbato gentoo-dev 2004-06-14 10:57:12 UTC 
Marked ppc
Comment 12 Thierry Carrez (RETIRED) gentoo-dev 2004-06-14 13:38:54 UTC 
Thanks everyone, this is ready for GLSA.
Comment 13 Thierry Carrez (RETIRED) gentoo-dev 2004-06-15 12:16:14 UTC 
GLSA 200406-10