Some vulnerabilities have been reported in Gallery, which can be
exploited by malicious users to disclose sensitive information,
bypass certain security restrictions, and manipulate data, and by
malicious people to conduct cross-site scripting attacks.
1) An unspecified error can be exploited by malicious users to
disclose potentially sensitive information.
2) Various components do not properly enforce role based access
controls. This can be exploited to bypass access restrictions and
e.g. perform sensitive actions.
3) Various components expose certain functionality which can be
exploited to list directories and e.g. read and delete files or write
to existing files.
4) Certain input is not properly sanitised before being returned to
the user. This can be exploited to execute arbitrary HTML and script
code in a user's browser session in context of an affected site.
5) Some vulnerabilities are caused due to "Insecure Command
Execution" when e.g. processing archives or watermarks.
The vulnerabilities are reported in versions prior to 1.5.8.
Update to version 1.5.8
PROVIDED AND/OR DISCOVERED BY:
The vendor credits Digital Security Research Group and Gotham Digital
Removed gallery-1.5.3, 1.5.7, added 1.5.8.
alpha amd64 hppa ppc sparc x86
Arches, please test and mark stable:
Target keywords : "alpha amd64 hppa ppc sparc x86"
Is -1.5.8 preferred over -2.2.5 which is already stable on everything?
gallery 1.X and 2.X are maintained independently, and our (previous stable) 1.5.3 ebuild has been removed. If web-apps decides to maintain 1.X (as does upstream), we need to mark the 1.5.8 version stable.
Seems strange, but OK. Sparc stable.
>>> Install gallery-1.5.8 into /mnt/alt/portage-tmp/portage/www-apps/gallery-1.5.8/image/ category www-apps
dodoc: AUTHORS does not exist
dodoc: ChangeLog does not exist
dodoc: ChangeLog.archive does not exist
dodoc: README does not exist
cp: cannot stat `./gallery-1.5.8/gallery': No such file or directory
install: cannot stat `/mnt/alt/portage-tmp/portage/www-apps/gallery-1.5.8/temp/gallery': No such file or directory
* (info) /keeps/gentoo/portage/www-apps/gallery/files/postinstall-en.txt (lang: en)
>>> Completed installing gallery-1.5.8 into /mnt/alt/portage-tmp/portage/www-apps/gallery-1.5.8/image/
That doesn't seem right...
Stable for HPPA.
@web-apps: please fix the thingie in comment #7, so ugly =)
Fixed the installation errors in CVS.
time for GLSA decision, I vote YES.
YES too, request filed.
Hrm, removed stable version before we stabilized this one. My mistake. Anyhow, the new version got stabilizied pretty fast and nobody complained so I guess it was okay. webapps done.
GLSA 200811-02, thanks everyone, sorry about the delay.