Bug 203217 - www-apps/gallery < 2.2.4 Multiple vulnerabilities (CVE-2007-{6685,6686,6687,6688,6689,6690,6691,6692,6693})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High critical
Assignee: Gentoo Security
URL:
Whiteboard: B1 [glsa]
Keywords:
Duplicates: 204244
Depends on:
Blocks:
 
Reported: 2007-12-24 11:09 UTC by Georg Weiss
Modified: 2008-02-12 00:05 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments
gallery 2.2.4 ebuild (gallery-2.2.4.ebuild, 2.16 KB, text/plain)
2008-01-04 08:07 UTC, Frank Breedijk

Description Georg Weiss 2007-12-24 11:09:23 UTC
hi

from <gallery-announce@lists.sourceforge.net>
--8<--
Just in time for the holidays, Gallery 2.2.4 is now available for download.
This release fixes critical security issues, no new features have been
added. Due to the severity of these issues users of all previous Gallery 2
versions are strongly encouraged to upgrade to version 2.2.4 as soon as
possible! All issues addressed in this release were discovered through an
extensive internal security audit.

Since 2.2.4 is a security release, it shares the same installation
requirements as 2.2.3. If you haven't upgraded to 2.2.x yet, please review
the Gallery 2.2 release notes for highlights of changes and the
requirements. Read on for more details and upgrade instructions. 

Details:
http://gallery.menalto.com/gallery_2.2.4_released

Download:
http://codex.gallery2.org/Gallery2:Download#Packages
--8<--
Comment 1 Tobias Heinlein (RETIRED) gentoo-dev 2007-12-24 11:24:05 UTC
Thanks for reporting this to us.

web-apps, please bump.
Comment 2 donald webster 2008-01-03 04:32:20 UTC
Hi, I am with the Gallery team and was wondering if there would be a good person to email about the Gallery ebuild.  Perhaps the web-apps@gentoo.org or something?
Comment 3 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-01-03 08:10:20 UTC
(In reply to comment #2)
> Hi, I am with the Gallery team and was wondering if there would be a good
> person to email about the Gallery ebuild.  Perhaps the web-apps@gentoo.org or
> something?
> 

Yes, mailing web-apps is probably the best way to go. But if you already have a working ebuild for 2.2.4, feel free to attach it here.
Comment 4 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-01-04 06:46:08 UTC
*** Bug 204244 has been marked as a duplicate of this bug. ***
Comment 5 Frank Breedijk 2008-01-04 08:07:28 UTC
Created attachment 140022
gallery 2.2.4 ebuild

Here is my local patched gallery 2.2.4 ebuild. Tested on amd64.
Comment 6 Gunnar Wrobel (RETIRED) gentoo-dev 2008-01-17 08:36:31 UTC
2.2.4 is in the tree.

Target archs:

alpha amd64 hppa ppc ppc64 sparc x86

@donald webster:

We also offer ebuilds for gallery-1.5.3 (stable) and gallery-1.5.5 (unstable). Are these versions affected and should they be removed?
Comment 7 Markus Meier gentoo-dev 2008-01-17 10:51:16 UTC
x86 stable
Comment 8 Raúl Porcel (RETIRED) gentoo-dev 2008-01-17 13:52:37 UTC
alpha/sparc stable
Comment 9 Jeroen Roovers gentoo-dev 2008-01-17 15:18:18 UTC
Stable for HPPA.
Comment 10 Brent Baude (RETIRED) gentoo-dev 2008-01-17 17:04:22 UTC
ppc64 done
Comment 11 Jonas Pedersen 2008-01-17 17:48:54 UTC
www-apps/gallery-2.2.4  USE="ffmpeg gd -imagemagick -mysql -netpbm -postgres -raw -unzip -vhosts -zip"

1. Emerges on AMD64. 
2. No collisions etc. 
3. Works. Executed setup from scratch and added album with some pictures. Was able to view album as well. 


Comment 12 Frank Breedijk 2008-01-17 18:08:28 UTC
Just upgraded from the portage tree without any problems on a running installation on AMD64.
Comment 13 Tobias Scherbaum (RETIRED) gentoo-dev 2008-01-18 20:24:14 UTC
ppc stable
Comment 14 Steve Dibb (RETIRED) gentoo-dev 2008-01-23 16:02:36 UTC
amd64 stable
Comment 15 Gunnar Wrobel (RETIRED) gentoo-dev 2008-01-23 16:52:01 UTC
gallery-1.5.* is unaffected but I upgraded that branch to 1.5.7.

Removed insecure 2.2.3. webapps done.
Comment 16 Sune Kloppenborg Jeppesen gentoo-dev 2008-01-23 19:59:45 UTC
Is it just me or should this be B0? Local file inclusion + unauthorized file upload?

GLSA request filed anyways.
Comment 17 Sune Kloppenborg Jeppesen gentoo-dev 2008-01-23 22:03:32 UTC
Ok B1 then?
Comment 18 Robert Buchholz (RETIRED) gentoo-dev 2008-02-11 22:18:49 UTC
CVE-2007-6685 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6685):
  Unspecified vulnerability in the Publish XP module Menalto Gallery before
  2.2.4 allows attackers to create albums and upload files via unknown vectors.

CVE-2007-6686 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6686):
  The URL rewrite module in Menalto Gallery before 2.2.4 allows attackers to
  include and execute arbitrary local files via unknown vectors related to the
  admin controller.

CVE-2007-6687 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6687):
  Multiple cross-site scripting (XSS) vulnerabilities in Menalto Gallery before
  2.2.4 allow remote attackers to inject arbitrary web script or HTML via
  crafted filenames to the (1) Core or (2) add-item modules; or via (3) HTTP
  PROPPATCH in the WebDAV module.

CVE-2007-6688 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6688):
  Unspecified vulnerability in the Installation application in Menalto Gallery
  before 2.2.4 has unknown impact and attack vectors related to
  "web-accessibility protection of the storage folder."

CVE-2007-6689 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6689):
  Menalto Gallery before 2.2.4 does not properly check for malicious file
  extensions during file uploads, which allows attackers to execute arbitrary
  code via the (1) Core application or (2) MIME module.

CVE-2007-6690 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6690):
  The Gallery Remote module in Menalto Gallery before 2.2.4 does not check
  permissions for unspecified GR commands, which has unknown impact and attack
  vectors.

CVE-2007-6691 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6691):
  Multiple unspecified vulnerabilities in Menalto Gallery before 2.2.4 have
  unknown impact, related to (1) "hotlink protection" in the URL rewrite
  module, (2) a WebDAV view in the WebDAV module, (3) a comment view in the
  Comment module, (4) unspecified "item information disclosure attacks" in the
  Core module Gallery application, (5) the slideshow in the Slideshow module,
  and (6) multiple Print modules.

CVE-2007-6692 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6692):
  Open redirect vulnerability in Menalto Gallery before 2.2.4 allows remote
  attackers to redirect users to arbitrary web sites and conduct phishing
  attacks via a URL in the (1) Core and (2) print modules.

CVE-2007-6693 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6693):
  Unspecified vulnerability in the WebCam module in Menalto Gallery before
  2.2.4 has unknown impact and attack vectors related to a "proxied request."
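As an added example (not Gallery code and not part of this bug report), two defensive checks for the flaw classes described in CVE-2007-6689 and CVE-2007-6692 above: an upload-name validator that rejects server-executable extensions anywhere in the name, and a redirect validator that accepts only same-host targets. The extension sets and the host name are constructed assumptions.

```python
"""Constructed example of upload-name and redirect-target validation.
Not Gallery's own code; the allow-lists below are assumptions."""
from urllib.parse import urlsplit

# Constructed allow-list of what a photo gallery would accept.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}
# Extensions a web server may hand to an interpreter. A name carrying one
# anywhere (e.g. "shell.php.jpg") is rejected, because some server
# configurations dispatch on any extension in the name, not only the last.
SERVER_SIDE_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml",
                          "cgi", "pl", "py", "sh", "htaccess"}


def is_safe_upload_name(filename: str) -> bool:
    """True only if no extension is server-executable and the last one is
    allow-listed. Case-folded so 'PHP' and 'Php' are caught as well."""
    name = filename.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]  # drop any path
    if not name or name.startswith("."):
        return False  # empty or dot-file (e.g. .htaccess)
    parts = name.lower().split(".")
    if len(parts) < 2:
        return False  # no extension at all
    exts = parts[1:]  # every extension, including a trailing empty one
    if any(e in SERVER_SIDE_EXTENSIONS for e in exts):
        return False
    return exts[-1] in ALLOWED_EXTENSIONS


def is_safe_redirect(target: str, own_host: str) -> bool:
    """Accept only absolute paths on this site or http(s) URLs on own_host.
    Rejects scheme-relative '//host' forms, credentials-in-URL tricks,
    backslashes (treated as '/' by some browsers) and header injection."""
    if "\r" in target or "\n" in target:
        return False  # would let a Location header be split
    u = urlsplit(target)
    if u.scheme == "" and u.netloc == "":
        # urlsplit already puts '//evil.example' into netloc, so only true
        # path-only targets reach this branch.
        return target.startswith("/") and "\\" not in target
    return u.scheme in ("http", "https") and u.hostname == own_host.lower()
```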
Comment 19 Robert Buchholz (RETIRED) gentoo-dev 2008-02-12 00:05:02 UTC
GLSA 200802-04.