
Bug 69904

Summary: www-apps/gallery: XSS vulnerability
Product: Gentoo Security
Reporter: Luke Macken (RETIRED) <lewk>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: e.montezinos, m.debruijne, web-apps
Priority: High
Version: unspecified
Hardware: All
OS: All
URL: http://gallery.menalto.com/modules.php?op=modload&name=News&file=article&sid=141&mode=thread&order=0&thold=0
Whiteboard: B4 [glsa] lewk
Package list:
Runtime testing required: ---
Attachments:
Description Flags
gallery-1.4.4_p3.ebuild none

Description Luke Macken (RETIRED) gentoo-dev 2004-11-02 16:47:36 UTC
Jim Paris discovered a few security problems in Gallery which have been 
addressed in this security release. The primary problem is a cross-site 
scripting vulnerability which allows code to be inserted into a Gallery 
by using specially formed URLs. This code then appears to be part of the 
Gallery.

No risk is posed to the webserver itself or any non-Gallery data, but a 
Gallery install could be compromised using appropriate code.

All Gallery users are very strongly urged to upgrade to 1.4.4-pl3 
immediately, which fixes this serious problem and will secure your system.
Comment 1 Luke Macken (RETIRED) gentoo-dev 2004-11-02 16:48:59 UTC
web-apps,

please bump to 1.4.4-pl3.
Comment 2 Tom Hosiawa 2004-11-02 17:53:21 UTC
Created attachment 43201
gallery-1.4.4_p3.ebuild

This is based on the ebuild I did for 2.0_alpha3.

It's pretty much the same as 1.4.4_p2 with the additions of imagemagick use
flag, and better support for virtual hosts.
Comment 3 Luke Macken (RETIRED) gentoo-dev 2004-11-03 12:26:24 UTC
EDIT: This release is a replacement for 1.4.4-pl3 which had an issue discovered shortly after release.

Jim Paris discovered a few security problems in Gallery which have been addressed in 1.4.4-pl4. The primary problem is a cross-site scripting vulnerability which allows code to be inserted into a Gallery by using specially formed URLs. This code then appears to be part of the Gallery.

No risk is posed to the webserver itself or any non-Gallery data, but a Gallery install could be compromised using appropriate code.

All Gallery users are very strongly urged to upgrade to 1.4.4-pl4 immediately, which fixes this serious problem and will secure your system.

===============================

web-apps,

please bump to 1.4.4-pl4 ;)
Comment 4 Stuart Herbert (RETIRED) gentoo-dev 2004-11-03 12:38:14 UTC
Okay, I'll look at p4 instead ;-)
Comment 5 Stuart Herbert (RETIRED) gentoo-dev 2004-11-04 15:00:16 UTC
Okay, p4 seems to be fine.  Ebuild in CVS, and marked stable on x86.
Comment 6 Luke Macken (RETIRED) gentoo-dev 2004-11-04 16:20:39 UTC
archs, please mark gallery-1.4.4_p4 stable.
Comment 7 Jochen Maes (RETIRED) gentoo-dev 2004-11-05 01:45:41 UTC
stable on ppc
Comment 8 Gustavo Zacarias (RETIRED) gentoo-dev 2004-11-05 09:38:38 UTC
sparc stable.
Comment 9 Bryan Østergaard (RETIRED) gentoo-dev 2004-11-05 16:23:11 UTC
Stable on alpha.
Comment 10 Luke Macken (RETIRED) gentoo-dev 2004-11-06 11:11:39 UTC
GLSA 200411-10

hppa, please mark stable to benefit from glsa.