CVE-2008-272[0-4]: Lots of varied vulnerabilities

Bug #242671 reported by William Grant
Affects            Status        Importance  Assigned to    Milestone
gallery2 (Ubuntu)  Fix Released  Undecided   Unassigned
  Hardy            Fix Released  High        William Grant
  Intrepid         Fix Released  Undecided   Unassigned

Bug Description

Binary package hint: gallery2

Intrepid is fixed, as it has 2.2.5.

~~~~
CVE-2008-2720:
 Cross-site scripting (XSS) vulnerability in Menalto Gallery before 2.2.5
 allows remote attackers to inject arbitrary web script or HTML via the (1)
 host and (2) path components of a URL.

CVE-2008-2721:
 Unspecified vulnerability in the album-select module in Menalto Gallery
 before 2.2.5 allows remote attackers to obtain titles of hidden albums by
 attempting to add a new album to a hidden album.

CVE-2008-2722:
 Menalto Gallery before 2.2.5 allows remote attackers to bypass permissions
 for sub-albums via a ZIP archive.

CVE-2008-2723:
 embed.php in Menalto Gallery before 2.2.5 allows remote attackers to obtain
 the full path via unknown vectors related to "spoofing the remote address."

CVE-2008-2724:
 Menalto Gallery before 2.2.5 does not enforce permissions for non-album
 items that have been protected by a password, which might allow remote
 attackers to bypass intended access restrictions.
~~~~

William Grant (wgrant) wrote :

Dapper -> Gutsy are probably affected. Hardy is.

Changed in gallery2:
status: New → Fix Released
importance: Undecided → High
status: New → Triaged
William Grant (wgrant) wrote :

CVE-2008-1066 should probably be fixed at the same time.

William Grant (wgrant) wrote :

All of these changes are pulled from 2.2.5 (with lots of version change hunks removed). All touched functionality seems to work, but I was unable to devise an exploit for CVE-2008-2723. The rest of the fixes definitely work.

Changed in gallery2:
assignee: nobody → wgrant
status: Triaged → In Progress
Changed in gallery2:
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gallery2 - 2.2.4-1ubuntu0.1

---------------
gallery2 (2.2.4-1ubuntu0.1) hardy-security; urgency=low

  * SECURITY UPDATE: multiple cross-site scripting, information disclosure,
    and restriction bypass vulnerabilities (LP: #242671), and arbitrary code
    execution (LP: #202422)
    - lib/smarty/plugins/modifier.regex_replace.php: Don't look past a NULL in
      the search string. Fixes possible arbitrary code execution. Patch from
      smarty upstream.
    - modules/core/ItemAdd.inc: Flatten the contents of ZIP archives if they
      are being uploaded by a user without subalbum privileges. Patch from
      upstream svn.
    - modules/core/classes/GalleryUrlGenerator.class,
      modules/rewrite/classes/parsers/modrewrite/ModRewriteUrlGenerator:
      Properly remove illegal characters from URLs. Patch from upstream svn.
    - modules/core/classes/Gallery{Embed,PhpVm}.class: More thoroughly verify
      that the remote address isn't being spoofed. Patch from upstream svn.
    - modules/password/PasswordOption.inc: Only allow password protection of
      items already password protected or albums, as single items cannot
      reliably be password protected. Patch from upstream svn.
    - modules/albumselect/Callbacks.inc: Add session permissions to keys for
      the album list cache, to avoid hidden album disclosure. Patch from
      upstream svn.
    - */MANIFEST: Drop modified files to please the browser-based installer.
    - References:
      + CVE-2008-1066
      + CVE-2008-2720
      + CVE-2008-2721
      + CVE-2008-2722
      + CVE-2008-2723
      + CVE-2008-2724

 -- William Grant <email address hidden> Wed, 25 Jun 2008 13:47:58 +1000

Changed in gallery2:
status: Fix Committed → Fix Released
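The albumselect fix in the changelog above ("add session permissions to keys for the album list cache") addresses the CVE-2008-2721 hidden-album disclosure. The following is an added illustration of that bug class and its fix, written here in Python; it is not Gallery's code, and the album tree, sessions and cache are constructed in-memory stand-ins.

```python
"""A shared cache keyed only on the query leaks data across sessions.

Constructed example (not Gallery2 code): a privileged session warms the
album-list cache, and a guest session is then served the same entry.
"""

# Constructed album tree: id -> (title, parent id, hidden?)
ALBUMS = {
    1: ("Public photos", None, False),
    2: ("Secret party", 1, True),   # hidden: visible only to its owner
    3: ("Holidays", 1, False),
}

# Constructed sessions: hidden album ids each session is allowed to see
SESSIONS = {
    "owner": {2},
    "guest": set(),
}


def visible_albums(session):
    """Compute the album titles this session is permitted to see."""
    allowed = SESSIONS[session]
    return [title for aid, (title, _parent, hidden) in ALBUMS.items()
            if not hidden or aid in allowed]


class AlbumListCache:
    def __init__(self, key_includes_permissions):
        self._store = {}
        self._keyed_by_perms = key_includes_permissions

    def album_list(self, session):
        # Vulnerable form: the key ignores who is asking, so whichever
        # session populates the entry decides what every later caller sees.
        key = "albumlist"
        if self._keyed_by_perms:
            # Fixed form: fold the session's permission set into the key,
            # so sessions with different rights never share an entry.
            key = ("albumlist", frozenset(SESSIONS[session]))
        if key not in self._store:
            self._store[key] = visible_albums(session)
        return self._store[key]


def leaked_titles(cache):
    """Owner warms the cache, guest reads; return hidden titles guest saw."""
    cache.album_list("owner")
    seen = set(cache.album_list("guest"))
    hidden = {title for title, _parent, h in ALBUMS.values() if h}
    return sorted(hidden & seen)
```

With the permission-blind key the guest receives "Secret party"; with permissions folded into the key the guest's list is computed from its own rights.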