Red Hat Bugzilla – Bug 451107
gallery2: multiple security fixes in 2.2.5 (CVE-2008-2720, CVE-2008-2721, CVE-2008-2722, CVE-2008-2723, CVE-2008-2724)
Last modified: 2008-06-20 15:17:50 EDT
A new version of Menalto Gallery2 was released, fixing multiple security issues:
Gallery 2.2.5 addresses the following security vulnerabilities:
* XSS through host and path component of request URL - The complete request URL
is now properly sanitized (applying the same input filtering as for all other
inputs). This severe vulnerability affects all modules.
* Information disclosure in album-select module - Fixed exposure of album titles
through the album-select module when a guest would add a new album to a hidden
* Permission escalation through zip archive extraction - No longer creating
sub-albums when adding items from a zip archive if the active user does not have
the necessary permission to do so.
* Information disclosure through embed.php - embed.php is no longer susceptible
to spoofing the remote address and thus no longer discloses the local filesystem
path of the Gallery 2 installation folder.
* View permissions not enforced for password protected items - No longer
offering the option to protect non-album items directly and only offering the
feature for albums since full protection only applies to the items within the album.
embed.php problem is not an issue for Fedora, as installation folder can be
"guessed" from the RPMs anyway...
John, may I also ask about CVE-2008-1066 / bug #435810? According to the
changelog, embedded smarty was removed in 2.2.4-3:
However, there still seems to be Smarty shipped in gallery2 packages. In the spec,
you do: rm -f gallery2/lib/Smarty, but the directory seems to be smarty, not
Debian bug report http://bugs.debian.org/471160 has a similar proposed patch for
the embedded smarty issue, removing the smarty directory and replacing it with a
symlink to the system Smarty installation. The bug also suggests that gallery2 may
not work well with system Smarty and that 2.2.5 also has a patch for the Smarty
(which does not seem to be true, as smarty in the 2.2 SVN branch was last modified
14 months ago).
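As an added example (not code from the Fedora spec, the Debian patch, or the Gallery project), the following POSIX sh helpers do what the comment above describes: find a bundled Smarty directory under a Gallery2 tree regardless of letter case (so a path written as lib/Smarty still catches a directory named lib/smarty), replace it with a symlink to the system installation, and verify afterwards that no real copy remains. The lib/ layout and the default system location /usr/share/php/Smarty are assumptions for the example.

```shell
#!/bin/sh
# Added example helpers for unbundling Smarty from a Gallery2 tree.
# Assumed layout: <gallery_root>/lib/<smarty|Smarty>; assumed system
# location of Smarty: /usr/share/php/Smarty (override via second argument).

# Return 0 if the basename of $1 is "smarty" in any letter case.
is_smarty_dir() {
    case "$(basename "$1" | tr 'A-Z' 'a-z')" in
        smarty) return 0 ;;
        *) return 1 ;;
    esac
}

# Print every directory (or symlink) named smarty/Smarty under $1/lib, one per line.
find_bundled_smarty() {
    for d in "$1"/lib/*; do
        [ -d "$d" ] || [ -L "$d" ] || continue
        is_smarty_dir "$d" && printf '%s\n' "$d"
    done
    return 0
}

# Replace the bundled Smarty directory under $1 with a symlink to the system
# copy ($2, default /usr/share/php/Smarty). Leaves an existing symlink alone.
unbundle_smarty() {
    root="$1"
    system_smarty="${2:-/usr/share/php/Smarty}"   # assumed default location
    bundled="$(find_bundled_smarty "$root" | head -n 1)"
    if [ -z "$bundled" ]; then
        echo "no bundled smarty under $root/lib"
        return 0
    fi
    if [ -L "$bundled" ]; then
        echo "$bundled is already a symlink, nothing to do"
        return 0
    fi
    # rm -f alone would not remove a directory; -r is required for the bundled copy.
    rm -rf "$bundled"
    ln -s "$system_smarty" "$bundled"
    echo "replaced $bundled with a symlink to $system_smarty"
}

# Return 1 if a real (non-symlink) smarty/Smarty directory is still present under $1/lib.
check_unbundled() {
    for d in "$1"/lib/*; do
        [ -d "$d" ] || [ -L "$d" ] || continue
        if is_smarty_dir "$d" && [ ! -L "$d" ]; then
            return 1
        fi
    done
    return 0
}
```

Running check_unbundled from a spec's %check section (or a package review script) catches the case this comment raises: a removal line whose path is spelled differently from the shipped directory, which silently leaves the bundled library in the package.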
CVE ids assigned to these issues:
Cross-site scripting (XSS) vulnerability in Menalto Gallery before
2.2.5 allows remote attackers to inject arbitrary web script or HTML
via the (1) host and (2) path components of a URL.

Unspecified vulnerability in the album-select module in Menalto
Gallery before 2.2.5 allows remote attackers to obtain titles of
hidden albums by attempting to add a new album to a hidden album.

Menalto Gallery before 2.2.5 allows remote attackers to bypass
permissions for sub-albums via a ZIP archive.

embed.php in Menalto Gallery before 2.2.5 allows remote attackers to
obtain the full path via unknown vectors related to "spoofing the

Menalto Gallery before 2.2.5 does not enforce permissions for
non-album items that have been protected by a password, which might
allow remote attackers to bypass intended access restrictions.
building 2.2.5 upstream for F-8, F-9, -devel
gallery2-2.2.5-1.fc8 has been submitted as an update for Fedora 8
gallery2-2.2.5-1.fc9 has been submitted as an update for Fedora 9
gallery2-2.2.5-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
gallery2-2.2.5-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
This issue was addressed in: