Gentoo Archives: gentoo-announce

From: Thierry Carrez <koon@g.o>
To: gentoo-announce@l.g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××.com, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200406-10 ] Gallery: Privilege escalation vulnerability
Date: Tue, 15 Jun 2004 19:16:23
Message-Id: 40CF4A8C.40507@gentoo.org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200406-10
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Gallery: Privilege escalation vulnerability
Date: June 15, 2004
Bugs: #52798
ID: 200406-10

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

There is a vulnerability in the Gallery photo album software which may
allow an attacker to gain administrator privileges within Gallery.

Background
==========

Gallery is a web application written in PHP which is used to organize
and publish photo albums. It allows multiple users to build and
maintain their own albums. It also supports the mirroring of images on
other servers.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /   Vulnerable   /               Unaffected
    -------------------------------------------------------------------
  1  app-misc/gallery         <= 1.4.3_p1                >= 1.4.3_p2

Description
===========

There is a vulnerability in the Gallery photo album software which may
allow an attacker to gain administrator privileges within Gallery. A
Gallery administrator has full access to all albums and photos on the
server, thus attackers may add or delete photos at will.

Impact
======

Attackers may gain full access to all Gallery albums. There is no risk
to the webserver itself, or the server on which it runs.

Workaround
==========

There is no known workaround at this time. All users are encouraged to
upgrade to the latest available version.

Resolution
==========

All users should upgrade to the latest available version of Gallery.

# emerge sync

# emerge -pv ">=app-misc/gallery-1.4.3_p2"
# emerge ">=app-misc/gallery-1.4.3_p2"
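
To check an installed system against the "Affected packages" table above, here is an added example (not part of the advisory or of Gentoo's own tooling) that parses a Portage version string, compares it against the advisory's two bounds in Gentoo suffix order, and classifies it. It assumes a simplified comparator (at most one suffix, no leading-zero special case) and the standard /var/db/pkg directory layout for reading installed versions.

```python
import os
import re

# Bounds exactly as the advisory's "Affected packages" table gives them.
PACKAGE = "app-misc/gallery"
VULNERABLE_MAX = "1.4.3_p1"   # vulnerable:  <= this version
UNAFFECTED_MIN = "1.4.3_p2"   # unaffected:  >= this version

# Gentoo suffix ordering: _alpha < _beta < _pre < _rc < (no suffix) < _p
_SUFFIX_RANK = {"alpha": 0, "beta": 1, "pre": 2, "rc": 3, "": 4, "p": 5}
_VERSION_RE = re.compile(
    r"^(?P<nums>\d+(?:\.\d+)*)(?P<letter>[a-z])?"
    r"(?:_(?P<suffix>alpha|beta|pre|rc|p)(?P<sufnum>\d+)?)?(?:-r(?P<rev>\d+))?$")

def parse_version(ver):
    """Map a Gentoo version string to a tuple that sorts in Gentoo order.
    Simplified comparator (an assumption of this example): at most one
    suffix, numeric parts compared as integers, missing suffix number
    or -r revision counted as 0."""
    m = _VERSION_RE.match(ver)
    if not m:
        raise ValueError(f"unrecognised Gentoo version: {ver!r}")
    nums = tuple(int(n) for n in m.group("nums").split("."))
    return (nums, m.group("letter") or "", _SUFFIX_RANK[m.group("suffix") or ""],
            int(m.group("sufnum") or 0), int(m.group("rev") or 0))

def glsa_status(installed):
    """Classify one installed version against the advisory's two bounds."""
    key = parse_version(installed)
    if key >= parse_version(UNAFFECTED_MIN):
        return "unaffected"
    if key <= parse_version(VULNERABLE_MAX):
        return "vulnerable"
    # A local revision such as 1.4.3_p1-r1 sits above the vulnerable bound
    # but below the fix; the advisory says nothing about it, so flag it.
    return "unknown"

def installed_versions(vdb="/var/db/pkg"):
    """Installed versions read from Portage's VDB directory names
    (<vdb>/<category>/<package>-<version>); empty on a non-Gentoo host."""
    cat, pkg = PACKAGE.split("/")
    catdir = os.path.join(vdb, cat)
    if not os.path.isdir(catdir):
        return []
    prefix = pkg + "-"
    return [d[len(prefix):] for d in os.listdir(catdir)
            if d.startswith(prefix) and d[len(prefix):len(prefix) + 1].isdigit()]
```

Run `for v in installed_versions(): print(v, glsa_status(v))` on a Gentoo host; an "unknown" result means a locally revised build that the advisory's bounds do not cover and that should be reviewed by hand.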

References
==========

[ 1 ] Gallery Announcement

http://gallery.menalto.com/modules.php?op=modload&name=News&file=article&sid=123&mode=thread&order=0&thold=0

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200406-10.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2004 Gentoo Technologies, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/1.0

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

-----END PGP SIGNATURE-----