security hole in 2.0.2/2.0.3

Bug #35528 reported by Luis Villa
Affects            Status        Importance  Assigned to   Milestone
gallery2 (Ubuntu)  Fix Released  High        StefanPotyra  -
Breezy             Invalid       Undecided   Unassigned    -
Dapper             Fix Released  Undecided   StefanPotyra  -

Bug Description

Gallery 2.0.2 has a security hole:
http://gallery.menalto.com/2.0.4_and_2.1_rc_2a_update

which is unpatched in the universe version of gallery. It has, apparently, been patched in debian unstable:

http://packages.debian.org/changelogs/pool/main/g/gallery2/gallery2_2.0.4-1/changelog

Ubuntu should suck down the new upstream package, or specifically the security fix.

Luis Villa (luis-villa) wrote :

Since this is a security bug, marking major; I *think* this is the right thing, but since the definitions of severity/priority are unlinked, I can't know for sure.

Changed in gallery2:
status: Unconfirmed → Confirmed
Barry deFreese (bddebian) wrote :

Fixed in Edgy. If you feel that this is severe enough, please file a new bug requesting a backport for Dapper. Thank you.

Changed in gallery2:
status: Confirmed → Fix Released
Luis Villa (luis-villa) wrote :

I don't know what Dapper's security policy is, so I can't be specific, but wouldn't a potential remote exploit pretty much automatically qualify for a backport?

(And isn't the point of all this malone complexity to handle the distinction between dapper and edgy, so that opening another bug is not necessary to get it fixed in two versions?)

Dennis Kaarsemaker (dennis) wrote : Re: [Bug 35528] Re: security hole in 2.0.2/2.0.3

> I don't know what Dapper's security policy is, so I can't be specific,
> but wouldn't a potential remote exploit pretty much automatically
> qualify for a backport?

A backport requires that the source package builds without modification
on dapper. If that's not the case, a fixed package will need to be
uploaded to -security.

> (And isn't the point of all this malone complexity to handle the
> distinction between dapper and edgy, so that opening another bug is not
> necessary to get it fixed in two versions?)

Yes, a dapper-backports task on this bug is enough.

Luis Villa (luis-villa) wrote :

Hrm. Let me clarify the terminology a bit, then:

* dapper-backports: something that I as a dapper user assume is optional to subscribe to, and which if subscribed to, gives me new features, etc.
* dapper-security: something that I as a dapper user assume is effectively mandatory to subscribe to, and which if subscribed to, gives me *all necessary* security fixes.

If I understand these correctly, this hole requires that a fixed version go in dapper-*security*; any upload of a new version to dapper-backports is just a nicety and not mandatory.

So what I should be doing, if I understand the two channels correctly, and if the bug is severe enough, is to add a dapper-security task to this bug. Is that correct?

Dennis Kaarsemaker (dennis) wrote :

> So what I should be doing, if I understand the two channels correctly,
> and if the bug is severe enough, is to add a dapper-security task to
> this bug. Is that correct?

Actually, I would not consider this bug 'fix released' without a fix in
all supported distros. But since the package is in universe, Barry is
free to ignore those. Barry: was the fix an easy one? If so, I can
prepare hoary/breezy/dapper updates if applicable.

Barry deFreese (bddebian) wrote :

OK resetting to confirmed. No, it was not an 'easy' fix because Edgy has a much newer release of gallery2. If the rationale for leaving bugs open is 'fixed in all distros' will we ever close most of these bugs? Thanks.

Changed in gallery2:
status: Fix Released → Confirmed
Dennis Kaarsemaker (dennis) wrote :

Well, for security issues that are remotely exploitable I'd say yes. If
someone prepares fixed packages or requests backports (just open a
dapper-backports task on this bug) the bug can be closed.

StefanPotyra (sistpoty) wrote :

Rejecting from breezy, gallery2 was never in breezy.

Changed in gallery2:
status: Unconfirmed → Rejected
StefanPotyra (sistpoty) wrote :

Anyone from motu-swat working on the dapper one yet? If so, please make yourself assignee.
If not, I'll look into getting dapper fixed probably this night.

StefanPotyra (sistpoty)
Changed in gallery2:
assignee: nobody → sistpoty
StefanPotyra (sistpoty) wrote :
Changed in gallery2:
assignee: nobody → sistpoty
status: Unconfirmed → In Progress
StefanPotyra (sistpoty) wrote :

The above debdiff is the minimal code changes needed for the upgrade. However I still need to test the changes (maybe I'll need to recreate the manifest files containing md5sums as well).

StefanPotyra (sistpoty) wrote :

Debdiff with updated manifest file as well... btw.: it's not md5sums, but rather crc32.

StefanPotyra (sistpoty) wrote :

Security review notified, waiting for approval.

Changed in gallery2:
status: In Progress → Fix Committed
Kees Cook (kees) wrote :

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun, 7 Jan 2007 06:53:48 +0100
Source: gallery2
Binary: gallery2
Architecture: source
Version: 2.0.2-1ubuntu0.1
Distribution: dapper-security
Urgency: low
Maintainer: Michael C. Schultheiss <email address hidden>
Changed-By: Stefan Potyra <email address hidden>
Description:
 gallery2 - web-based photo album written in PHP
Changes:
 gallery2 (2.0.2-1ubuntu0.1) dapper-security; urgency=low
 .
   * SECURITY UPDATE: Fix a PHP local inclusion exploit.
     - add sane initialization of $stepOrder array in both
       install/index.php and upgrade/index.php.
     - Closes: lp#35528.
   * Update MANIFEST file to match checksums of both changed files.
   * References
     http://gallery.menalto.com/2.0.4_and_2.1_rc_2a_update
     CVE-2006-1219
Files:
 007d943c8f8a11608b4e5c9ce03cf508 603 web optional gallery2_2.0.2-1ubuntu0.1.dsc
 2c1cfe8fac793645a3036f3daf61d6a9 11346 web optional gallery2_2.0.2-1ubuntu0.1.diff.gz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFFoSFtH/9LqRcGPm0RAiwvAJwM11wN0w896h59QR9FY68Dn8G3/wCghHIW
8bQX56u9UqXodi8JsAYxqiw=
=qL1U
-----END PGP SIGNATURE-----

Changed in gallery2:
status: Confirmed → Fix Released
status: Fix Committed → Fix Released
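The changelog above describes the fix as adding a "sane initialization of $stepOrder" in the two installer scripts, closing a PHP local inclusion hole. The PHP below is an added illustration of that bug class and of the fix, written for this page; it is not Gallery's code or the Ubuntu package's patch. The step names, the stand-in request value and the file layout are constructed assumptions.

```php
<?php
// Added example, not code from Gallery or from the Ubuntu package. It
// illustrates the bug class the changelog names: a step list built with
// "$stepOrder[] = ..." but never initialised, so that with register_globals=On
// a request variable of the same name could pre-populate the array before the
// script's own appends ran, and the foreign entry then reached an include().
// Step names and file layout are hypothetical, constructed for this example.

$knownSteps = array('Welcome', 'Authenticate', 'SystemChecks', 'Finish');

// Constructed stand-in for a value register_globals would have placed into the
// global $stepOrder from the request. Not a real parameter of any product.
$injectedByRegisterGlobals = array('NotAnInstallerStep');

// Vulnerable shape: the array is appended to but never set to array() first.
// $preexisting models the global as the script found it on entry.
function buildStepOrderUnsafe(array $knownSteps, array $preexisting) {
    $stepOrder = $preexisting;          // no "$stepOrder = array();" here
    foreach ($knownSteps as $name) {
        $stepOrder[] = $name;
    }
    return $stepOrder;                  // the injected entry survives
}

// Hardened shape, as the changelog describes: explicit initialisation means
// the list can only ever contain what this script put there.
function buildStepOrderSafe(array $knownSteps) {
    $stepOrder = array();
    foreach ($knownSteps as $name) {
        $stepOrder[] = $name;
    }
    return $stepOrder;
}

// Second layer of defence: a step name becomes a file path only if it is on
// the allow-list, so a stray entry can never turn into an include target.
function stepFile($name, array $knownSteps) {
    if (!in_array($name, $knownSteps, true)) {
        throw new InvalidArgumentException("refusing unknown step: $name");
    }
    return __DIR__ . '/steps/' . $name . 'Step.class';   // hypothetical layout
}

$variants = array(
    'unsafe' => buildStepOrderUnsafe($knownSteps, $injectedByRegisterGlobals),
    'safe'   => buildStepOrderSafe($knownSteps),
);
foreach ($variants as $label => $order) {
    echo "$label: " . implode(', ', $order) . "\n";
    foreach ($order as $step) {
        try {
            stepFile($step, $knownSteps);
        } catch (InvalidArgumentException $e) {
            echo "  " . $e->getMessage() . "\n";
        }
    }
}
// The unsafe list carries NotAnInstallerStep and only the allow-list check
// stops it; the safe list never contains it in the first place.
```

Run with `php example.php`. The initialisation is the minimal fix the changelog applies; the allow-list check is the additional control a reviewer would ask for so that the include path never depends on array contents alone. The underlying enabler, register_globals, was removed in PHP 5.4, so current deployments cannot be exposed this way, but the "append without initialising" shape still deserves a review comment wherever request data can reach a variable before the script assigns it.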