security hole in 2.0.2/2.0.3

Since this is a security bug, marking major; I *think* this is the right thing, but since the definitions of severity/priority are unlinked, I can't know for sure.

Fixed in Edgy. If you feel that this is severe enough, please file a new bug requesting a backport for Dapper. Thank you.

I don't know what Dapper's security policy is, so I can't be specific, but wouldn't a potential remote exploit pretty much automatically qualify for a backport?

(And isn't the point of all this malone complexity to handle the distinction between dapper and edgy, so that opening another bug is not necessary to get it fixed in two versions?)

> I don't know what Dapper's security policy is, so I can't be specific,
> but wouldn't a potential remote exploit pretty much automatically
> qualify for a backport?

A backport requires that the source package builds without modification
on dapper. If that's not the case, a fixed package will ned to be
uploaded to -security.

> (And isn't the point of all this malone complexity to handle the
> distinction between dapper and edgy, so that opening another bug is not
> necessary to get it fixed in two versions?)

Yes, a dapper-backports task on this bug is enough.

Hrm. Let me clarify the terminology a bit, then:

* dapper-backports: something that I as a dapper user assume is optional to subscribe to, and which if subscribed to, gives me new features, etc.
* dapper-security: something that I as a dapper user assume is effectively mandatory to subscribe to, and which if subscribed to, gives me *all necessary* security fixes.

If I understand these correctly, this hole requires that a fixed version go in dapper-*security*; any upload of a new version to dapper-backports is just a nicety and not mandatory.

So what I should be doing, if I understand the two channels correctly, and if the bug is severe enough, is to add a dapper-security task to this bug. Is that correct?

> So what I should be doing, if I understand the two channels correctly,
> and if the bug is severe enough, is to add a dapper-security task to
> this bug. Is that correct?

Actually, I would not consider this bug 'fix released' without a fix in
all supported distros. But since the package is in universe, Barry is
free to ignore those. Barry: was the fix an easy one? If so, I can
prepare hoary/breezy/dapper updates if applicable.

OK resetting to confirmed. No, it was not an 'easy' fix because Edgy has a much newer release of gallery2. If the rationale for leaving bugs open is 'fixed in all distros' will we ever close most of these bugs? Thanks.

Well, for security issues that are remotely exploitable I'd say yes. If
someone prepares fixed packages or requests backports (just open a
dapper-backports task on this bug) the bug can be closed.

Rejecting from breezy, gallery2 was never in breezy.

Anyone from motu-swat working on the dapper one yet? If so, please make yourself assignee.
If not, I'll look into getting dapper fixed probably this night.

The above debdiff is the minimal code changes needed for the upgrade. However I still need to test the changes (maybe I'll need to recreate the manifest files containing md5sums as well).

Debdiff with updated manifest file as well... btw.: it's not md5sums, but rather crc32.

Security review notified, waiting for approval.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun, 7 Jan 2007 06:53:48 +0100
Source: gallery2
Binary: gallery2
Architecture: source
Version: 2.0.2-1ubuntu0.1
Distribution: dapper-security
Urgency: low
Maintainer: Michael C. Schultheiss <email address hidden>
Changed-By: Stefan Potyra <email address hidden>
Description:
 gallery2 - web-based photo album written in PHP
Changes:
 gallery2 (2.0.2-1ubuntu0.1) dapper-security; urgency=low
 .
   * SECURITY UPDATE: Fix a PHP local inclusion exploit.
     - add sane initialization of $stepOrder array in both
       install/index.php and upgrade/index.php.
     - Closes: lp#35528.
   * Update MANIFEST file to match checksums of both changed files.
   * References
     http://gallery.menalto.com/2.0.4_and_2.1_rc_2a_update
     CVE-2006-1219
Files:
 007d943c8f8a11608b4e5c9ce03cf508 603 web optional gallery2_2.0.2-1ubuntu0.1.dsc
 2c1cfe8fac793645a3036f3daf61d6a9 11346 web optional gallery2_2.0.2-1ubuntu0.1.diff.gz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFFoSFtH/9LqRcGPm0RAiwvAJwM11wN0w896h59QR9FY68Dn8G3/wCghHIW
8bQX56u9UqXodi8JsAYxqiw=
=qL1U
-----END PGP SIGNATURE-----