Bug 421761 - www-apps/gallery-3.0.5 version bump
Summary: www-apps/gallery-3.0.5 version bump
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages (show other bugs)
Hardware: All Linux
Importance: Normal enhancement with 1 vote
Assignee: Gentoo Web Application Packages Maintainers
URL: http://galleryproject.org/
Whiteboard:
Keywords:
Depends on:
Blocks: CVE-2012-1113
Reported: 2012-06-18 13:00 UTC by Gustav Schaffter
Modified: 2013-03-14 02:10 UTC (History)
CC List: 9 users

See Also:
Package list:
Runtime testing required: ---


Attachments
files/postinstall-en.txt (postinstall-en.txt, 581 bytes, text/plain) - 2012-07-01 11:39 UTC, Daniel Heule
gallery-3.0.4.ebuild (gallery-3.0.4.ebuild, 1.38 KB, text/plain) - 2012-07-01 11:40 UTC, Daniel Heule
gallery-3.0.5.ebuild (gallery-3.0.5.ebuild, 1.43 KB, text/plain) - 2013-03-12 16:15 UTC, Daniel Heule
postupgrade-en.txt (postupgrade-en.txt, 420 bytes, text/plain) - 2013-03-12 16:15 UTC, Daniel Heule
gallery-3.0.5.ebuild (gallery-3.0.5.ebuild, 1.81 KB, text/plain) - 2013-03-13 09:29 UTC, Daniel Heule
gallery-3.0.5.ebuild (gallery-3.0.5.ebuild, 2.00 KB, text/plain) - 2013-03-13 09:45 UTC, Daniel Heule
gallery-3.0.5.ebuild (gallery-3.0.5.ebuild, 2.01 KB, text/plain) - 2013-03-13 09:48 UTC, Daniel Heule
gallery-3.0.5.ebuild (gallery-3.0.5.ebuild, 2.03 KB, text/plain) - 2013-03-13 10:07 UTC, Daniel Heule
files/postupgrade-en.txt (postupgrade-en.txt, 422 bytes, text/plain) - 2013-03-13 10:14 UTC, Daniel Heule

Description Gustav Schaffter 2012-06-18 13:00:26 UTC
From the Gallery home page:

Gallery 3.0.4 Security Release Available!

After several extensive internal and external security audits which discovered 22 distinct vulnerabilities, we are releasing Gallery 3.0.4 as a security release. All of the issues require that someone with malicious intent either have an account with edit permissions, or trick a user with edit permissions into clicking on a malicious link. In most cases, this can only lead to a possible XSS vulnerability, but in several instances it allows arbitrary PHP code execution.
...
We strongly recommend that all users of Gallery 3 upgrade as soon as possible.


Reproducible: Always

Steps to Reproduce:
1. Install the latest (non-officially-supported) gallery from bugzilla at https://bugs.gentoo.org/show_bug.cgi?id=411727
2. Visit the official Web site for Gallery at http://gallery.menalto.com
3. Look for a supported or un-supported update.
Actual Results:  
There isn't any yet, because no one with the required skills has had the time to write a new ebuild.

Expected Results:  
Someone might find the time to create a new ebuild.

# emerge --info
Portage 2.1.10.49 (default/linux/x86/10.0, gcc-4.5.3, glibc-2.14.1-r3, 3.0.18-linode43 i686)
=================================================================
System uname: Linux-3.0.18-linode43-i686-Intel-R-_Xeon-R-_CPU_L5520_@_2.27GHz-with-gentoo-2.1
Timestamp of tree: Mon, 18 Jun 2012 09:30:01 +0000
app-shells/bash:          4.2_p20
dev-lang/python:          2.7.3-r2, 3.2.3
dev-util/cmake:           2.8.7-r5
dev-util/pkgconfig:       0.26
sys-apps/baselayout:      2.1-r1
sys-apps/openrc:          0.9.8.4
sys-apps/sandbox:         2.5
sys-devel/autoconf:       2.13, 2.68
sys-devel/automake:       1.10.3, 1.11.1
sys-devel/binutils:       2.21.1-r1
sys-devel/gcc:            4.5.3-r2
sys-devel/gcc-config:     1.6
sys-devel/libtool:        2.4-r1
sys-devel/make:           3.82-r1
sys-kernel/linux-headers: 3.1 (virtual/os-headers)
sys-libs/glibc:           2.14.1-r3
Repositories: gentoo x-portage
ACCEPT_KEYWORDS="x86"
ACCEPT_LICENSE="* -@EULA"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=native -pipe -fomit-frame-pointer -mno-tls-direct-seg-refs"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt /var/bind"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5.3/ext-active/ /etc/php/cgi-php5.3/ext-active/ /etc/php/cli-php5.3/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS=""
DISTDIR="/usr/portage/distfiles"
FCFLAGS="-O2 -march=i686 -pipe"
FEATURES="assume-digests binpkg-logs distlocks ebuild-locks fixlafiles news parallel-fetch protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch"
FFLAGS="-O2 -march=i686 -pipe"
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LANG="en_US.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
LINGUAS="en fr it sv"
MAKEOPTS="-j4"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="acl apache2 authdaemond bash-completion berkdb bzip2 clamdtop cli corefonts cracklib cron crypt cups cxx dkim dlz dri emacs extensions fam ffmpeg fortran gd gdbm geoip gif iconv imagemagick imap ipv6 jpeg jpeg2k logrotate mailbox maildir md5sum modules mudflap mysql mysqli ncurses nls nptl openmp pam pcre pdo php png pppd python razor readline sasl session spamassassin spell sqlite sse sse2 ssl suhosin symlink tcpd theora threads truetype unicode unzip urandom vda vhosts vorbis x86 xml xvid zip zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default auth_digest authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" APACHE2_MPMS="worker" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LINGUAS="en fr it sv" PHP_TARGETS="php5-3" 
PYTHON_TARGETS="python3_2 python2_7" RUBY_TARGETS="ruby18 ruby19" USERLAND="GNU" VIDEO_CARDS="fbdev glint intel mach64 mga neomagic nouveau nv r128 radeon savage sis tdfx trident vesa via vmware dummy v4l" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2012-06-18 18:26:22 UTC
Version 3.* isn't even in the tree yet. And there's a 2.3.2 bump for the version 2 branch.
Comment 2 Gustav Schaffter 2012-06-19 11:03:29 UTC
(In reply to comment #1)
> Version 3.* isn't even in the tree yet.

I'm aware of that. I believe version 3.x was first released about a year ago. Give or take some.


On my community Web site we needed some features of the 3.x branch so an upgrade was necessary. It's just that now I'm responsible for a Web site with known vulnerabilities. I see rocks and hard places around me. ;-)
Comment 3 Daniel Heule 2012-07-01 11:39:59 UTC
Created attachment 316849 [details]
files/postinstall-en.txt
Comment 4 Daniel Heule 2012-07-01 11:40:31 UTC
Created attachment 316851 [details]
gallery-3.0.4.ebuild
Comment 5 Daniel Heule 2012-07-01 11:41:25 UTC
Hello,

Here is my actual gallery 3.0.4 ebuild.
Comment 6 Sean Amoss (RETIRED) gentoo-dev Security 2012-07-11 19:54:24 UTC
(In reply to comment #1)
> Version 3.* isn't even in the tree yet. And there's a 2.3.2 bump for the
> version 2 branch.

Exactly. The vulnerabilities here do not appear to affect our current or previous www-apps/gallery ebuilds.

Passing over to web-apps.
Comment 7 Manuel Rüger (RETIRED) gentoo-dev 2012-11-21 21:19:29 UTC
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1113

"Multiple cross-site scripting (XSS) vulnerabilities in the administration subsystem in Gallery 2 before 2.3.2"

The version in tree: www-apps/gallery 2.3.1 seems to be vulnerable.
Comment 8 Sergey Popov gentoo-dev 2012-11-22 06:06:40 UTC
CCing security team wrt comment #7
Comment 9 Gustav Schaffter 2012-12-29 17:20:30 UTC
(In reply to comment #5)
> Hello,
> 
> here my actual gallery 3.0.4 ebuild.

Daniel,

I should have told you long time ago. Got caught up in life.


Anyway. Your ebuild is perfect, at least for my installation. I chose to do a new installation, parallel to the Gallery 2 installation, and migrate the data from G2 to G3. Everything is running perfectly well.

Thanks a lot for the ebuild.
Gustav
Comment 10 Sergey Popov gentoo-dev 2013-01-23 17:12:24 UTC
+  23 Jan 2013; Sergey Popov <pinkbyte@gentoo.org> gallery-2.3.1.ebuild:
+  Change homepage, wrt bug #421761
Comment 11 Daniel Heule 2013-03-12 16:15:15 UTC
Created attachment 341814 [details]
gallery-3.0.5.ebuild
Comment 12 Daniel Heule 2013-03-12 16:15:46 UTC
Created attachment 341816 [details]
postupgrade-en.txt
Comment 13 Daniel Heule 2013-03-12 16:20:57 UTC
Question:
How long does it take to push this ebuild to the tree,
at least as unstable?

I have been submitting ebuilds for gallery for a long time,
but none of them was ever pushed to the tree.

@Gentoo Devs: please review this simple ebuild
and push it to the tree. (Or is there a problem with it?)

Thanks, Daniel
Comment 14 Anthony Basile gentoo-dev 2013-03-13 01:36:00 UTC
(In reply to comment #13)
> Question:
> How long does it take to push this ebuild to the tree,
> at least as unstable?
> 
> I have been submitting ebuilds for gallery for a long time,
> but none of them was ever pushed to the tree.
> 
> @Gentoo Devs: please review this simple ebuild
> and push it to the tree. (Or is there a problem with it?)
> 
> Thanks, Daniel

Okay let's get it into the tree, but there are a few problems:

1) Don't RDEPEND on dev-db/mysql. Even though gallery needs mysql, it can run on a different server. You may want to warn about that.

2) Move the ewarns to pkg_postinst(); they don't belong in src_install().

3) gallery-2 could use sqlite, and it had a few other options. Were these dropped in gallery-3?
Comment 15 Anthony Basile gentoo-dev 2013-03-13 01:45:31 UTC
(In reply to comment #14) 
> 3) gallery-2 could use sqlite, and it had a few other options. Were these
> dropped in gallery-3?

Actually look at 

http://codex.galleryproject.org/Gallery3:User_guide:Gallery3:Installing_and_upgrading#Before_you_start_.2F_System_requirements

You're missing some php dependencies. Also, I would avoid need_httpd_cgi and need_php_httpd. The reason is that those eclass functions use DEPEND when they should use RDEPEND. It's better to use the virtuals. Take a look at what I did for www-apps/moodle.

Finally, test at EAPI=5 since it's approved.

Thanks for your contribution!
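The four review points in comments 14 and 15 (no RDEPEND on dev-db/mysql, ewarn in pkg_postinst() rather than src_install(), virtuals in RDEPEND instead of the need_httpd_cgi/need_php_httpd helpers, and retesting at EAPI=5) are mechanical enough to check automatically. The script below is an added example written for this page; it is not part of the bug, the Gentoo tree or the attached gallery ebuilds. It assumes a POSIX sh with awk, sed and grep, and the two sample ebuilds it writes are constructed to reproduce the "before" and "after" of the review, not copies of Daniel's attachments. The virtual/httpd-php atom in the corrected sample is the Gentoo virtual the reviewer alludes to; the exact USE flags on dev-lang/php are illustrative.

```shell
#!/bin/sh
# Added example (not from this bug or the gallery ebuild): a lint pass over an
# ebuild file for the four review points from comments 14 and 15.
# Assumes POSIX sh with awk, sed and grep. Sample ebuilds below are constructed.

# Print the body of the bash-style function $2 defined in file $1
# (from "name() {" up to the first "}" at column 0).
function_body() {
    awk -v fn="$2" '
        BEGIN { pat = "^[[:space:]]*" fn "[[:space:]]*[(][)][[:space:]]*[{]" }
        $0 ~ pat { inside = 1; next }
        inside && /^}/ { inside = 0 }
        inside { print }
    ' "$1"
}

# Print the (possibly multi-line) value of RDEPEND="..." from file $1.
rdepend_value() {
    awk '
        /^RDEPEND="/ { inside = 1 }
        inside {
            print
            if ($0 ~ /"[[:space:]]*$/ && $0 !~ /^RDEPEND="[[:space:]]*$/) inside = 0
        }
    ' "$1"
}

# Report review findings for ebuild $1; the return value is the finding count.
review_ebuild() {
    file=$1
    findings=0
    # 1) The database may run on another host, so it is not a runtime dependency
    #    of this package; a pkg_postinst warning is the place to mention it.
    if rdepend_value "$file" | grep -q 'dev-db/mysql'; then
        echo "$file: RDEPEND pulls in dev-db/mysql; drop it and warn in pkg_postinst instead"
        findings=$((findings + 1))
    fi
    # 2) User-facing messages belong in pkg_postinst(), not in src_install().
    if function_body "$file" src_install | grep -Eq '^[[:space:]]*(ewarn|elog|einfo)[[:space:]]'; then
        echo "$file: ewarn/elog inside src_install(); move them to pkg_postinst()"
        findings=$((findings + 1))
    fi
    # 3) These eclass helpers put the web server in DEPEND rather than RDEPEND.
    if grep -Eq '^[[:space:]]*(need_httpd_cgi|need_php_httpd)' "$file"; then
        echo "$file: uses need_httpd_cgi/need_php_httpd; put the virtuals in RDEPEND instead"
        findings=$((findings + 1))
    fi
    # 4) Retest at EAPI=5, which was approved at the time of the review.
    eapi=$(sed -n 's/^EAPI=["]*\([0-9]*\)["]*.*/\1/p' "$file" | head -n 1)
    if [ "${eapi:-0}" -lt 5 ]; then
        echo "$file: EAPI=${eapi:-unset}; retest at EAPI=5"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Write a constructed sample ebuild to $1: "before" reproduces the review
# findings, "after" shows the corrected layout. Neither is the real ebuild.
write_sample() {
    if [ "$2" = before ]; then
        cat > "$1" <<'EOF'
EAPI=4
inherit webapp depend.php
RDEPEND="dev-db/mysql
    dev-lang/php[gd,mysql,unicode]"
need_php_httpd
src_install() {
    webapp_src_preinst
    ewarn "Gallery 3 needs a MySQL database"
    webapp_src_install
}
EOF
    else
        cat > "$1" <<'EOF'
EAPI=5
inherit webapp
RDEPEND="dev-lang/php[gd,mysql,unicode]
    virtual/httpd-php"
src_install() {
    webapp_src_preinst
    webapp_src_install
}
pkg_postinst() {
    webapp_pkg_postinst
    ewarn "Gallery 3 needs a MySQL (or MariaDB) database, which may live on another host"
}
EOF
    fi
}

# Demo run over the two constructed samples.
tmp=$(mktemp -d)
write_sample "$tmp/before.ebuild" before
write_sample "$tmp/after.ebuild" after
echo "== before =="
review_ebuild "$tmp/before.ebuild" || echo "-> $? finding(s)"
echo "== after =="
review_ebuild "$tmp/after.ebuild" && echo "-> no findings"
rm -rf "$tmp"
```

Running it prints the four findings for the "before" sample and none for the corrected one. The checks are deliberately narrow (one function body, one RDEPEND block, a literal EAPI line), which is enough for a quick pre-submission pass on a simple webapp ebuild like this one; repoman or pkgcheck remain the authoritative tools for anything beyond these review points.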
Comment 16 Daniel Heule 2013-03-13 09:29:10 UTC
Created attachment 341868 [details]
gallery-3.0.5.ebuild
Comment 17 Daniel Heule 2013-03-13 09:45:30 UTC
Created attachment 341870 [details]
gallery-3.0.5.ebuild
Comment 18 Daniel Heule 2013-03-13 09:48:37 UTC
Created attachment 341872 [details]
gallery-3.0.5.ebuild

corrected some spelling mistakes ;-)
Comment 19 Daniel Heule 2013-03-13 09:48:51 UTC
Hello Anthony,

First, thank you for your review.

I have tried to update the ebuild.

> 1) Don't RDEPEND on dev-db/mysql. Even though gallery needs mysql, it can run on a different server. You may want to warn about that.
RDEPEND on dev-db/mysql deleted ;-)

> 2) Move the ewarns to pkg_postinst(); they don't belong in src_install().
Done.

> 3) gallery-2 could use sqlite, and it had a few other options. Were these dropped in gallery-3?
Yes, the only supported database at the moment is mysql or its clone mariadb.


> http://codex.galleryproject.org/Gallery3:User_guide:Gallery3:Installing_and_upgrading#Before_you_start_.2F_System_requirements
> You're missing some php dependencies.
Checked; I only found mbstring, which is enabled with the USE flag unicode (ebuild updated...).
pcre, spl and reflection are enabled by PHP as standard; no USE flag is available.


> Also, I would avoid need_httpd_cgi and need_php_httpd.
> The reason is that those eclass functions use DEPEND when they should use RDEPEND.
> It's better to use the virtuals.
> Take a look at what I did for www-apps/moodle.
Done.
I have dropped the depend.php and eutils eclasses, since I don't use these functions now ;-)

> Finally, test at EAPI=5 since it's approved.
Done.

Thanks for your Help
Comment 20 Daniel Heule 2013-03-13 10:07:44 UTC
Created attachment 341874 [details]
gallery-3.0.5.ebuild

corrected some spelling mistakes
Comment 21 Daniel Heule 2013-03-13 10:14:48 UTC
Created attachment 341876 [details]
files/postupgrade-en.txt

corrected some misspellings
Comment 22 Daniel Heule 2013-03-13 10:16:41 UTC
Now it's done.

If I can make some future corrections
or improvements, please let me know.

Thank you, Daniel
Comment 23 Anthony Basile gentoo-dev 2013-03-14 02:10:49 UTC
(In reply to comment #22)
> Now it's done.
> 
> If I can make some future corrections
> or improvements, please let me know.
> 
> Thank you, Daniel

Okay I did some cleanup and added it to the tree.