Bug 411727 (CVE-2012-1113) - <www-apps/gallery-2.3.2: multiple Vulnerabilities (CVE-2012-1113)
Summary: <www-apps/gallery-2.3.2: multiple Vulnerabilities (CVE-2012-1113)
Status: RESOLVED FIXED
Alias: CVE-2012-1113
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor with 1 vote
Assignee: Gentoo Security
URL: https://secunia.com/advisories/48767/
Whiteboard: B4 [noglsa]
Keywords:
Depends on: 421761
Blocks:
Reported: 2012-04-12 12:42 UTC by Agostino Sarubbo
Modified: 2013-12-11 01:35 UTC


Attachments
gallery-3.0.3.ebuild (gallery-3.0.3.ebuild,1.34 KB, application/octet-stream)
2012-04-12 13:36 UTC, Daniel Heule
files/postinstall-en.txt (postinstall-en.txt,581 bytes, text/plain)
2012-04-12 13:37 UTC, Daniel Heule
gallery-3.0.3.ebuild (gallery-3.0.3.ebuild,1.37 KB, text/plain)
2012-04-24 08:40 UTC, Daniel Heule

Description Agostino Sarubbo gentoo-dev 2012-04-12 12:42:19 UTC
From Secunia security advisory at $URL:


Description:
Multiple vulnerabilities have been reported in Gallery, which can be exploited by malicious people to conduct cross-site scripting attacks.

Certain unspecified input is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

The vulnerabilities are reported in versions prior to 2.3.2 and 3.0.3.


Solution
Update to version 2.3.2 or 3.0.3.


CC Daniel because he expressed his interest in proxy-maintaining it.
Comment 1 Daniel Heule 2012-04-12 13:36:28 UTC
Created attachment 308653
gallery-3.0.3.ebuild

updated Gallery 3.0.3 ebuild
Comment 2 Daniel Heule 2012-04-12 13:37:24 UTC
Created attachment 308655
files/postinstall-en.txt

files/postinstall-en.txt --> to properly display information when webapp-config runs ...
Comment 3 Daniel Heule 2012-04-12 13:39:13 UTC
Attention, all who are using the clean-canvas theme (optional addon). In 3.0.3 clean canvas has some problems; an update doesn't exist at the moment ...
Comment 4 Daniel Heule 2012-04-12 13:49:01 UTC
Update via webapp-config from 3.0.2 to 3.0.3 tested, no problems with standard gallery modules so far ...
Comment 5 Sander Siemonsma 2012-04-18 12:45:50 UTC
Update went ok from 3.0.2 to 3.0.3. Can ffmpeg be added as use flag? Movies are relying on this.
Comment 6 Daniel Heule 2012-04-24 08:40:32 UTC
Created attachment 309905
gallery-3.0.3.ebuild

gallery ebuild with ffmpeg useflag.

Question: is it correct to rely on virtual/ffmpeg ?
Comment 7 Sander Siemonsma 2012-04-24 13:03:55 UTC
(In reply to comment #6)
> Created attachment 309905
> gallery-3.0.3.ebuild
> 
> gallery ebuild with ffmpeg useflag.
> 
> Question: is it correct to rely on virtual/ffmpeg ?

Not sure about this. I've got media-video/ffmpeg installed, but am not sure about the difference with the virtual/ffmpeg package.
Comment 8 Daniel Heule 2012-07-01 11:45:42 UTC
Bug 421761 (Gallery 3.0.4) has obsoleted this bug ....

hmmm ... bringing an updated ebuild to the portage tree takes more time than developing a new gallery version ... ;-)

@Gentoo Devs: please look at bug 421761 and push the new version to the tree,
and mark this bug as obsolete ...
Comment 9 coran.fisher@gmail.com 2013-01-15 18:23:02 UTC
Might be good to at least do a bump of gallery to address this very long-standing security issue.  Even just 2.3.2 would be a start.
Comment 10 Agostino Sarubbo gentoo-dev 2013-02-26 13:27:06 UTC
From https://secunia.com/advisories/52349/ :

Description
A security issue and multiple vulnerabilities have been reported in Gallery, which can be exploited by malicious people to disclose certain potentially sensitive information and conduct spoofing, cross-site scripting, and clickjacking attacks.

1) An unspecified error when viewing the login page can be exploited to disclose tag names.

2) The application allows users to perform certain actions via HTTP requests without performing proper validity checks to verify the requests. This can be exploited to e.g. delete users, modify user privileges, or delete an album by tricking a user or an administrative user into clicking a specially crafted link via clickjacking.

3) Certain input related to flowplayer is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.

4) An unspecified error in the password reset functionality can be exploited to conduct spoofing attacks.

The vulnerabilities are reported in versions prior to 3.0.5.


Solution
Update to version 3.0.5.
Comment 11 Daniel Heule 2013-03-12 16:22:37 UTC
Please see the new 3.0.5 ebuild at bug 421761
Comment 12 Anthony Basile gentoo-dev 2013-03-13 01:48:02 UTC
(In reply to comment #11)
> Please see the new 3.0.5 ebuild at bug 421761

Look at my comments about the ebuild.  Let's try to get it on the tree in the next few days.
Comment 13 Anthony Basile gentoo-dev 2013-03-14 02:29:17 UTC
gallery-3.0.5 added to the tree.
Comment 14 Sean Amoss (RETIRED) gentoo-dev Security 2013-03-14 12:51:07 UTC
(In reply to comment #13)
> gallery-3.0.5 added to the tree.

Anthony, =www-apps/gallery-3.0.5 is ready for stabilization?
Comment 15 Anthony Basile gentoo-dev 2013-03-25 13:18:01 UTC
(In reply to comment #14)
> (In reply to comment #13)
> > gallery-3.0.5 added to the tree.
> 
> Anthony, =www-apps/gallery-3.0.5 is ready for stabilization?

Yes go ahead and stabilize 3.0.5. KEYWORDS="~amd64 ~x86"

I just realized that this bug also affects 2.3.1 which is in the tree, so I bumped that ebuild to 2.3.2.  I'm not sure it's ready to stabilize yet.

Also Daniel will keep an eye on these ebuilds.  I'll proxy for him.
Comment 16 Sean Amoss (RETIRED) gentoo-dev Security 2013-03-26 00:34:08 UTC
(In reply to comment #15)

> 
> I just realized that this bug also affects 2.3.1 which is in the tree, so I
> bumped that ebuild to 2.3.2.  I'm not sure it's ready to stabilize yet.
> 

Security stabilizing a different major version is not ideal - it just seemed like that was the only option since no one was bumping 2.3.x. :)

We can wait until 2.3.2 is ready and stabilize that.
Comment 17 Agostino Sarubbo gentoo-dev 2013-04-25 08:14:06 UTC
https://secunia.com/advisories/53149/ :

Description
A vulnerability has been reported in Gallery, which can be exploited by malicious people to conduct cross-site scripting attacks.

Input passed via key value pairs is not properly sanitised before being returned to the user on an error page. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

The vulnerability is reported in versions prior to 3.0.7.


Solution
Update to version 3.0.7.

Provided and/or discovered by
The vendor credits Dhiraj Ranka.

Original Advisory
http://galleryproject.org/gallery_3_0_7
Comment 18 Daniel Heule 2013-04-26 06:43:45 UTC
Tested the new ebuild 3.0.7 which is in the tree.

For me, it works perfectly ... thank you...
Comment 19 Agostino Sarubbo gentoo-dev 2013-05-16 11:28:52 UTC
http://www.openwall.com/lists/oss-security/2013/05/13/2

Please check if the 2.x is affected as well.
Comment 20 Agostino Sarubbo gentoo-dev 2013-05-16 11:31:03 UTC
(In reply to comment #19)
> http://www.openwall.com/lists/oss-security/2013/05/13/2
> 
> Please check if the 2.x is affected as well.

err, this is not needed.

Arches, please test and mark stable:
=www-apps/gallery-3.0.7
Target keywords : "amd64 hppa ppc ppc64 x86"
Comment 21 Anthony Basile gentoo-dev 2013-05-16 11:37:26 UTC
(In reply to comment #20)
> (In reply to comment #19)
> > http://www.openwall.com/lists/oss-security/2013/05/13/2
> > 
> > Please check if the 2.x is affected as well.
> 
> err, this is not needed.
> 
> Arches, please test and mark stable:
> =www-apps/gallery-3.0.7
> Target keywords : "amd64 hppa ppc ppc64 x86"

We should also stabilize =www-apps/gallery-2.3.2 since we should remove 2.3.1 from the tree.
Comment 22 Agostino Sarubbo gentoo-dev 2013-05-16 11:48:56 UTC
(In reply to comment #21)
> We should also stabilize =www-apps/gallery-2.3.2 since we should remove
> 2.3.1 from the tree.

The upstream site says that series 2 was replaced by series 3. Is it strictly necessary to stabilize the 2.x*?
I'd prefer to stabilize the 3.0.7 version and drop the other.
Comment 23 Jeroen Roovers (RETIRED) gentoo-dev 2013-05-16 15:40:57 UTC
I have just restored the missing ~arch in the 3.* ebuilds. No idea why they were removed.
Comment 24 Anthony Basile gentoo-dev 2013-05-16 16:14:43 UTC
(In reply to comment #22)
> (In reply to comment #21)
> > We should also stabilize =www-apps/gallery-2.3.2 since we should remove
> > 2.3.1 from the tree.
> 
> The upstream site says that series 2 was replaced by series 3. Is it strictly
> necessary to stabilize the 2.x*?
> I'd prefer to stabilize the 3.0.7 version and drop the other.

gallery-2 to 3 is a nasty upgrade.
Comment 25 Agostino Sarubbo gentoo-dev 2013-05-17 09:09:22 UTC
(In reply to comment #24)
> gallery-2 to 3 is a nasty upgrade.

The vulnerability in comment 17 affects the 2.x series?
Comment 26 Anthony Basile gentoo-dev 2013-05-17 09:58:45 UTC
(In reply to comment #25)
> (In reply to comment #24)
> > gallery-2 to 3 is a nasty upgrade.
> 
> The vulnerability in comment 17 affects the 2.x series?

They are still distributing the 2.x series.  They have 2.3.2 on their download page:

    http://codex.galleryproject.org/Downloads

I assume they are backporting the fixes to 2.x.
Comment 27 Agostino Sarubbo gentoo-dev 2013-05-17 10:02:49 UTC
(In reply to comment #26)
> (In reply to comment #25)
> > (In reply to comment #24)
> > > gallery-2 to 3 is a nasty upgrade.
> > 
> > The vulnerability in comment 17 affects the 2.x series?
> 
> They are still distributing the 2.x series.  They have 2.3.2 on their
> download page:
> 
>     http://codex.galleryproject.org/Downloads
> 
> I assume they are backporting the fixes to 2.x.

ok.

Arches, please test and mark stable:
=www-apps/gallery-2.3.2
Target keywords : "amd64 hppa ppc ppc64 x86"
Comment 28 Agostino Sarubbo gentoo-dev 2013-05-17 10:05:51 UTC
amd64 stable
Comment 29 Agostino Sarubbo gentoo-dev 2013-05-17 10:06:44 UTC
x86 stable
Comment 30 Agostino Sarubbo gentoo-dev 2013-05-17 10:07:20 UTC
ppc stable
Comment 31 Agostino Sarubbo gentoo-dev 2013-05-17 10:07:30 UTC
ppc64 stable
Comment 32 Agostino Sarubbo gentoo-dev 2013-05-17 10:14:16 UTC
hppa stable
Comment 33 Agostino Sarubbo gentoo-dev 2013-05-17 10:16:23 UTC
Old removed, please vote
Comment 34 Sergey Popov gentoo-dev 2013-08-22 09:54:34 UTC
Multiple vulnerabilities, but according to CVE - XSS only

GLSA vote: no
Comment 35 Chris Reffett (RETIRED) gentoo-dev Security 2013-12-11 01:35:59 UTC
GLSA vote: no. Closing noglsa.