Comment 17 for bug 202422

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gallery2 - 2.2.4-1ubuntu0.1

---------------
gallery2 (2.2.4-1ubuntu0.1) hardy-security; urgency=low

  * SECURITY UPDATE: multiple cross-site scripting, information disclosure,
    and restriction bypass vulnerabilities (LP: #242671), and arbitrary code
    execution (LP: #202422)
    - lib/smarty/plugins/modifier.regex_replace.php: Don't look past a NULL in
      the search string. Fixes possible arbitrary code execution. Patch from
      smarty upstream.
    - modules/core/ItemAdd.inc: Flatten the contents of ZIP archives if they
      are being uploaded by a user without subalbum privileges. Patch from
      upstream svn.
    - modules/core/classes/GalleryUrlGenerator.class,
      modules/rewrite/classes/parsers/modrewrite/ModRewriteUrlGenerator:
      Properly remove illegal characters from URLs. Patch from upstream svn.
    - modules/core/classes/Gallery{Embed,PhpVm}.class: More thoroughly verify
      that the remote address isn't being spoofed. Patch from upstream svn.
    - modules/password/PasswordOption.inc: Only allow password protection of
      items already password protected or albums, as single items cannot
      reliably be password protected. Patch from upstream svn.
    - modules/albumselect/Callbacks.inc: Add session permissions to keys for
      the album list cache, to avoid hidden album disclosure. Patch from
      upstream svn.
    - */MANIFEST: Drop modified files to please the browser-based installer.
    - References:
      + CVE-2008-1066
      + CVE-2008-2720
      + CVE-2008-2721
      + CVE-2008-2722
      + CVE-2008-2723
      + CVE-2008-2724

 -- William Grant <email address hidden> Wed, 25 Jun 2008 13:47:58 +1000