Bug 234137 (CVE-2008-3600) - www-apps/gallery <1.5.8 Multiple vulnerabilities (CVE-2008-3600)
Summary: www-apps/gallery <1.5.8 Multiple vulnerabilities (CVE-2008-3600)
Alias: CVE-2008-3600
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
Whiteboard: B3? [glsa]
Depends on:
Reported: 2008-08-06 22:30 UTC by Robert Buchholz (RETIRED)
Modified: 2008-11-10 17:54 UTC

See Also:
Package list:
Runtime testing required: ---


Description Robert Buchholz (RETIRED) gentoo-dev 2008-08-06 22:30:11 UTC
Secunia writes:
Some vulnerabilities have been reported in Gallery, which can be
exploited by malicious users to disclose sensitive information,
bypass certain security restrictions, and manipulate data, and by
malicious people to conduct cross-site scripting attacks.

1) An unspecified error can be exploited by malicious users to
disclose potentially sensitive information.

2) Various components do not properly enforce role based access
controls. This can be exploited to bypass access restrictions and
e.g. perform sensitive actions.

3) Various components expose certain functionality which can be
exploited to list directories and e.g. read and delete files or write
to existing files.

4) Certain input is not properly sanitised before being returned to
the user. This can be exploited to execute arbitrary HTML and script
code in a user's browser session in context of an affected site.

5) Some vulnerabilities are caused due to "Insecure Command
Execution" when e.g. processing archives or watermarks.

The vulnerabilities are reported in versions prior to 1.5.8.

Update to version 1.5.8

The vendor credits Digital Security Research Group and Gotham Digital

Comment 1 Gunnar Wrobel (RETIRED) gentoo-dev 2008-09-07 20:41:53 UTC
Removed gallery-1.5.3, 1.5.7, added 1.5.8.

alpha amd64 hppa ppc sparc x86
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-09-08 14:46:09 UTC
Arches, please test and mark stable:
Target keywords : "alpha amd64 hppa ppc sparc x86"
Comment 3 Ferris McCormick (RETIRED) gentoo-dev 2008-09-08 14:57:28 UTC
Is -1.5.8 preferred over -2.2.5 which is already stable on everything?
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2008-09-08 16:01:50 UTC
gallery 1.X and 2.X are maintained independently, and our (previous stable) 1.5.3 ebuild has been removed. If web-apps decides to maintain 1.X (as does upstream), we need to mark the 1.5.8 version stable.
Comment 5 Ferris McCormick (RETIRED) gentoo-dev 2008-09-08 16:36:55 UTC
Seems strange, but OK. Sparc stable.
Comment 6 Raúl Porcel (RETIRED) gentoo-dev 2008-09-09 13:39:07 UTC
alpha/x86 stable
Comment 7 Jeroen Roovers gentoo-dev 2008-09-09 23:21:26 UTC
>>> Install gallery-1.5.8 into /mnt/alt/portage-tmp/portage/www-apps/gallery-1.5.8/image/ category www-apps
dodoc: AUTHORS does not exist
dodoc: ChangeLog does not exist
dodoc: ChangeLog.archive does not exist
dodoc: README does not exist
cp: cannot stat `./gallery-1.5.8/gallery': No such file or directory
install: cannot stat `/mnt/alt/portage-tmp/portage/www-apps/gallery-1.5.8/temp/gallery': No such file or directory
 * (info) /keeps/gentoo/portage/www-apps/gallery/files/postinstall-en.txt (lang: en)
>>> Completed installing gallery-1.5.8 into /mnt/alt/portage-tmp/portage/www-apps/gallery-1.5.8/image/

That doesn't seem right...
Comment 8 Jeroen Roovers gentoo-dev 2008-09-10 00:35:47 UTC
Stable for HPPA.
Comment 9 Markus Meier gentoo-dev 2008-09-11 20:12:44 UTC
@web-apps: please fix the thingie in comment #7, so ugly =)
amd64 stable
Comment 10 Gunnar Wrobel (RETIRED) gentoo-dev 2008-09-15 12:12:43 UTC
Fixed the installation errors in CVS.
Comment 11 Tobias Scherbaum (RETIRED) gentoo-dev 2008-09-19 18:50:18 UTC
ppc stable
Comment 12 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-09-19 19:56:45 UTC
time for GLSA decision, I vote YES.
Comment 13 Tobias Heinlein (RETIRED) gentoo-dev 2008-09-22 12:42:57 UTC
YES too, request filed.
Comment 14 Gunnar Wrobel (RETIRED) gentoo-dev 2008-09-29 06:20:02 UTC
Hrm, removed stable version before we stabilized this one. My mistake. Anyhow, the new version got stabilized pretty fast and nobody complained so I guess it was okay. webapps done.
Comment 15 Tobias Heinlein (RETIRED) gentoo-dev 2008-11-10 17:54:41 UTC
GLSA 200811-02, thanks everyone, sorry about the delay.