Bug 451107 - (CVE-2008-2720) gallery2: multiple security fixes in 2.2.5 (CVE-2008-2720, CVE-2008-2721, CVE-2008-2722, CVE-2008-2723, CVE-2008-2724)
gallery2: multiple security fixes in 2.2.5 (CVE-2008-2720, CVE-2008-2721, CVE...
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
source=gentoo,reported=20080612,publi...
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-06-12 15:42 EDT by Tomas Hoger
Modified: 2008-06-20 15:17 EDT (History)
1 user (show)

See Also:
Fixed In Version: 2.2.5-1.fc8
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-06-20 15:17:50 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Tomas Hoger 2008-06-12 15:42:16 EDT
New version of Menalto Gallery2 was released, fixing multiple security issues:

  http://gallery.menalto.com/gallery_2.2.5_released

Gallery 2.2.5 addresses the following security vulnerabilities:

* XSS through host and path component of request URL - The complete request URL
is now properly sanitized (applying the same input filtering as for all other
inputs). This severe vulnerability affects all modules.

* Information disclosure in album-select module - Fixed exposure of album titles
through the album-select module when a guest would add a new album to a hidden
album.

* Permission escalation through zip archive extraction - No longer creating
sub-albums when adding items from a zip archive if the active user does not have
the necessary permission to do so.

* Information disclosure through embed.php - embed.php is no longer susceptible
to spoofing the remote address and thus no longer discloses the local filesystem
path of the Gallery 2 installation folder.

* View permissions not enforced for password protected items - No longer
offering the option to protect non-album items directly and only offering the
feature for albums since full protection only applies to the items within the album.
Comment 1 Tomas Hoger 2008-06-12 15:52:13 EDT
embed.php problem is not an issue for Fedora, as installation folder can be
"guessed" from the RPMs anyway...

John, may I also ask about CVE-2008-1066 / bug bug #435810?  According to
changelog, embedded smarty was removed in 2.2.4-3:

http://cvs.fedoraproject.org/viewcvs/rpms/gallery2/devel/gallery2.spec?r1=1.14&r2=1.15

However, there still seems to be Smarty shipped in gallery2 packages.  In spec,
you do: rm -f gallery2/lib/Smarty , but the directory seems to be smarty, not
Smarty.

Debian bug report http://bugs.debian.org/471160 has similar proposed patch for
the embedded smarty issue, removing the smarty directory and replacing it with
symlink to system Smarty installation.  The bug also suggests that gallery2 may
not work well with system Smarty and that 2.2.5 has also a patch for the Smarty
(which does not seem to be true, as smarty in 2.2 SVN branch was last modified
14 months ago).
Comment 2 Tomas Hoger 2008-06-17 14:45:42 EDT
CVE ids assigned to these issues:

CVE-2008-2720
Cross-site scripting (XSS) vulnerability in Menalto Gallery before
2.2.5 allows remote attackers to inject arbitrary web script or HTML
via the (1) host and (2) path components of a URL.

CVE-2008-2721
Unspecified vulnerability in the album-select module in Menalto
Gallery before 2.2.5 allows remote attackers to obtain titles of
hidden albums by attempting to add a new album to a hidden album.

CVE-2008-2722
Menalto Gallery before 2.2.5 allows remote attackers to bypass
permissions for sub-albums via a ZIP archive.

CVE-2008-2723
embed.php in Menalto Gallery before 2.2.5 allows remote attackers to
obtain the full path via unknown vectors related to "spoofing the
remote address."

CVE-2008-2724
Menalto Gallery before 2.2.5 does not enforce permissions for
non-album items that have been protected by a password, which might
allow remote attackers to bypass intended access restrictions.
Comment 3 John Berninger 2008-06-18 11:37:11 EDT
building 2.2.5 upstream for F-8, F-9, -devel
Comment 4 Fedora Update System 2008-06-18 11:41:37 EDT
gallery2-2.2.5-1.fc8 has been submitted as an update for Fedora 8
Comment 5 Fedora Update System 2008-06-18 11:42:29 EDT
gallery2-2.2.5-1.fc9 has been submitted as an update for Fedora 9
Comment 6 Fedora Update System 2008-06-20 15:07:30 EDT
gallery2-2.2.5-1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2008-06-20 15:15:32 EDT
gallery2-2.2.5-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Red Hat Product Security 2008-06-20 15:17:50 EDT
This issue was addressed in:

Fedora:
  https://admin.fedoraproject.org/updates/F8/FEDORA-2008-5479
  https://admin.fedoraproject.org/updates/F9/FEDORA-2008-5576


Note You need to log in before you can comment on or make changes to this bug.