Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 238113 (CVE-2008-3662) - www-apps/gallery <1.5.9 <2.2.6 Multiple vulnerabilities (CVE-2008-{3662,4129,4130})
Summary: www-apps/gallery <1.5.9 <2.2.6 Multiple vulnerabilities (CVE-2008-{3662,4129,...
Status: RESOLVED FIXED
Alias: CVE-2008-3662
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
URL: http://gallery.menalto.com/gallery_2....
Whiteboard: B3 [glsa]
Keywords:
: 238773 (view as bug list)
Depends on:
Blocks:
 
Reported: 2008-09-19 14:57 UTC by Robert Buchholz (RETIRED)
Modified: 2008-11-10 17:55 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2008-09-19 14:57:02 UTC
CVE-2008-3662 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3662):
  Gallery before 1.5.9, and 2.x before 2.2.6, does not set the secure
  flag for the session cookie in an https session, which can cause the
  cookie to be sent in http requests and make it easier for remote
  attackers to capture this cookie.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-09-19 15:27:52 UTC
CVE-2008-4129 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4129):
  Gallery before 1.5.9, and 2.x before 2.2.6, does not properly handle
  ZIP archives containing symbolic links, which allows remote
  authenticated users to conduct directory traversal attacks and read
  arbitrary files via vectors related to the archive upload (aka zip
  upload) functionality.

CVE-2008-4130 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4130):
  Cross-site scripting (XSS) vulnerability in Gallery 2.x before 2.2.6
  allows remote attackers to inject arbitrary web script or HTML via a
  crafted Flash animation, related to the ability of the animation to
  "interact with the embedding page."

Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-09-26 15:18:16 UTC
*** Bug 238773 has been marked as a duplicate of this bug. ***
Comment 3 Peter Volkov (RETIRED) gentoo-dev 2008-09-29 07:39:39 UTC
Bumped in the tree. Arch teams, please, stabilize.

Target keywords:
gallery-2.2.6: alpha amd64 hppa ppc ppc64 sparc x86
gallery-1.5.9: alpha amd64 hppa ppc sparc x86
Comment 4 Raúl Porcel (RETIRED) gentoo-dev 2008-09-29 09:15:04 UTC
alpha/sparc/x86 stable
Comment 5 Jan Schubert 2008-09-29 11:37:10 UTC
Thx, seem to work fine on my amd64 (intel) platform.
Comment 6 Jeroen Roovers gentoo-dev 2008-09-29 20:00:56 UTC
Both stable for HPPA.
Comment 7 Markus Rothe (RETIRED) gentoo-dev 2008-09-30 10:13:54 UTC
ppc64 stable
Comment 8 Tobias Scherbaum (RETIRED) gentoo-dev 2008-10-01 17:50:28 UTC
ppc stable
Comment 9 Markus Meier gentoo-dev 2008-10-06 20:18:51 UTC
amd64 stable, all arches done.
Comment 10 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-10-09 21:56:54 UTC
time for GLSA decision, I vote yes.
Comment 11 Gunnar Wrobel (RETIRED) gentoo-dev 2008-10-11 19:02:06 UTC
Removed vulnerable versions. webapps done.
Comment 12 Tobias Heinlein (RETIRED) gentoo-dev 2008-10-18 20:30:32 UTC
YES too, request filed.
Comment 13 Tobias Heinlein (RETIRED) gentoo-dev 2008-11-10 17:55:08 UTC
GLSA 200811-02, thanks everyone, sorry about the delay.