New version of Menalto Gallery2 was released, fixing multiple security issues: http://gallery.menalto.com/gallery_2.2.5_released

Gallery 2.2.5 addresses the following security vulnerabilities:

* XSS through host and path component of request URL - The complete request URL is now properly sanitized (applying the same input filtering as for all other inputs). This severe vulnerability affects all modules.
* Information disclosure in album-select module - Fixed exposure of album titles through the album-select module when a guest would add a new album to a hidden album.
* Permission escalation through zip archive extraction - No longer creating sub-albums when adding items from a zip archive if the active user does not have the necessary permission to do so.
* Information disclosure through embed.php - embed.php is no longer susceptible to spoofing the remote address and thus no longer discloses the local filesystem path of the Gallery 2 installation folder.
* View permissions not enforced for password protected items - No longer offering the option to protect non-album items directly and only offering the feature for albums since full protection only applies to the items within the album.
embed.php problem is not an issue for Fedora, as installation folder can be "guessed" from the RPMs anyway...

John, may I also ask about CVE-2008-1066 / bug #435810? According to changelog, embedded smarty was removed in 2.2.4-3: http://cvs.fedoraproject.org/viewcvs/rpms/gallery2/devel/gallery2.spec?r1=1.14&r2=1.15

However, there still seems to be Smarty shipped in gallery2 packages. In spec, you do: rm -f gallery2/lib/Smarty, but the directory seems to be smarty, not Smarty.

Debian bug report http://bugs.debian.org/471160 has a similar proposed patch for the embedded smarty issue, removing the smarty directory and replacing it with a symlink to the system Smarty installation. The bug also suggests that gallery2 may not work well with system Smarty and that 2.2.5 also has a patch for the Smarty (which does not seem to be true, as smarty in the 2.2 SVN branch was last modified 14 months ago).
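Added example, not from the Fedora spec, the Debian patch or the gallery2 project: a shell snippet that does the un-bundling step the comment above describes (remove the embedded Smarty copy under the unpacked gallery2 tree and point lib/smarty at the system copy) while guarding against the case mismatch. It matches both `lib/smarty` and `lib/Smarty`, because `rm -f` on a path that does not exist exits 0 silently, so a wrongly-cased path turns the removal into a no-op, and `rm -f` without `-r` on a directory that does exist fails. The tree path and the system Smarty path are arguments; the default of /usr/share/php/Smarty is an assumption, not taken from the thread.

```bash
#!/bin/sh
# Added example (not the gallery2 spec's or the Debian patch's own code):
# replace a bundled Smarty copy under an unpacked gallery2 tree with a symlink
# to the system Smarty. Paths are assumptions: the gallery2 tree is "$1", the
# system Smarty directory is "$2" (default /usr/share/php/Smarty, assumed).

# Usage: replace_bundled_smarty <gallery2-tree> [system-smarty-dir]
replace_bundled_smarty() {
    tree="$1"
    sysdir="${2:-/usr/share/php/Smarty}"
    found=""
    # The bundled directory is lowercase "smarty" in the 2.2.x tree; accept
    # either case so a typo in the spec cannot silently skip the removal.
    for cand in "$tree/lib/smarty" "$tree/lib/Smarty"; do
        if [ -d "$cand" ] && [ ! -L "$cand" ]; then
            found="$cand"
            break
        fi
    done
    if [ -z "$found" ]; then
        echo "no bundled Smarty directory under $tree/lib" >&2
        return 1
    fi
    # "rm -f" without -r fails on a real directory and succeeds silently on a
    # nonexistent (wrongly cased) one; use -rf on the path actually found.
    rm -rf "$found" || return 1
    # Keep the original name so gallery2's own include paths still resolve.
    ln -s "$sysdir" "$found" || return 1
    echo "replaced $found with symlink to $sysdir"
}

# Returns 0 if a Smarty class file is still shipped inside the tree itself.
# find does not follow symlinks by default, so the system copy behind the
# new symlink is not counted as bundled.
bundled_smarty_present() {
    tree="$1"
    find "$tree" -name 'Smarty.class.php' -print 2>/dev/null | grep -q .
}
```

Run `bundled_smarty_present` on the built package tree (or the extracted RPM) after the spec's %prep step: if it still succeeds, the removal did not happen, which is exactly the symptom the comment above reports.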
CVE ids assigned to these issues:

CVE-2008-2720 Cross-site scripting (XSS) vulnerability in Menalto Gallery before 2.2.5 allows remote attackers to inject arbitrary web script or HTML via the (1) host and (2) path components of a URL.

CVE-2008-2721 Unspecified vulnerability in the album-select module in Menalto Gallery before 2.2.5 allows remote attackers to obtain titles of hidden albums by attempting to add a new album to a hidden album.

CVE-2008-2722 Menalto Gallery before 2.2.5 allows remote attackers to bypass permissions for sub-albums via a ZIP archive.

CVE-2008-2723 embed.php in Menalto Gallery before 2.2.5 allows remote attackers to obtain the full path via unknown vectors related to "spoofing the remote address."

CVE-2008-2724 Menalto Gallery before 2.2.5 does not enforce permissions for non-album items that have been protected by a password, which might allow remote attackers to bypass intended access restrictions.
building 2.2.5 upstream for F-8, F-9, -devel
gallery2-2.2.5-1.fc8 has been submitted as an update for Fedora 8
gallery2-2.2.5-1.fc9 has been submitted as an update for Fedora 9
gallery2-2.2.5-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
gallery2-2.2.5-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
This issue was addressed in: Fedora: https://admin.fedoraproject.org/updates/F8/FEDORA-2008-5479 https://admin.fedoraproject.org/updates/F9/FEDORA-2008-5576