52798 – app-misc/gallery: security flaw in Gallery >=1.2 <1.4.3-pl2

Bug 52798 - app-misc/gallery: security flaw in Gallery >=1.2 <1.4.3-pl2

Summary: app-misc/gallery: security flaw in Gallery >=1.2 <1.4.3-pl2

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Highest minor (vote)
Assignee:	Gentoo Security

URL:	http://gallery.menalto.com/modules.ph...
Whiteboard:	B3 [glsa]
Keywords:

Depends on:
Blocks:

Reported:	2004-06-02 11:13 UTC by Matthias Geerdsen (RETIRED)
Modified:	2011-10-30 22:38 UTC (History)
CC List:	3 users (show)

See Also:
Package list:
Runtime testing required:	---

Flags:	condordes: Assigned_To? (condordes)

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Matthias Geerdsen (RETIRED) gentoo-dev

2004-06-02 11:13:00 UTC

From the Gallery website:
"Notice: The affects all versions of Gallery from 1.2 to this release:
We have discovered a well-hidden but potentially serious security flaw in these versions of Gallery which can allow a hacker to log in to your Gallery as an administrator and perform any actions on your albums. No risk is posed to the webserver-itself or any non-Gallery data. All Gallery users are very strongly urged to upgrade to 1.4.3-pl2 immediately, which fixes this serious problem and will secure your system."

Reproducible: Always
Steps to Reproduce:

Comment 1 Kurt Lieber (RETIRED) gentoo-dev

2004-06-02 11:44:07 UTC

web-app folks: can you review/patch/bump as appropriate?

Comment 2 Joshua J. Berry (CondorDes) (RETIRED) gentoo-dev

2004-06-03 13:40:23 UTC

I will start drafting a GLSA for this.

Comment 3 Joshua J. Berry (CondorDes) (RETIRED) gentoo-dev

2004-06-03 14:34:24 UTC

Preliminary GLSA draft is in; just waiting for the ebuild and stabilization.

I don't use Gallery myself, so I unfortunately can't help with bumping it.

Comment 4 Thierry Carrez (RETIRED) gentoo-dev

2004-06-07 13:38:09 UTC

gallery-1.4.3_p2 is in portage...
x86 ppc sparc alpha hppa : please mark stable

Comment 5 Bryan Østergaard (RETIRED) gentoo-dev

2004-06-08 15:59:45 UTC

Stable on alpha.

Comment 6 Joshua J. Berry (CondorDes) (RETIRED) gentoo-dev

2004-06-08 16:54:33 UTC

Updating status whiteboard.

Comment 7 Jason Wever (RETIRED) gentoo-dev

2004-06-08 19:30:49 UTC

Stable on sparc.

Comment 8 Guy Martin (RETIRED) gentoo-dev

2004-06-09 11:05:08 UTC

Stable on hppa.

Comment 9 Thierry Carrez (RETIRED) gentoo-dev

2004-06-14 09:30:07 UTC

x86, ppc : please mark app-misc/gallery-1.4.3_p2 stable.

Comment 10 Olivier Crete (RETIRED) gentoo-dev

2004-06-14 10:24:12 UTC

stable on x86

Comment 11 Luca Barbato gentoo-dev

2004-06-14 10:57:12 UTC

Marked ppc

Comment 12 Thierry Carrez (RETIRED) gentoo-dev

2004-06-14 13:38:54 UTC

Thanks everyone, this is ready for GLSA.

Comment 13 Thierry Carrez (RETIRED) gentoo-dev

2004-06-15 12:16:14 UTC

GLSA 200406-10