Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <1860314397.33806243.1372929561739.JavaMail.root@redhat.com>
Date: Thu, 4 Jul 2013 05:19:21 -0400 (EDT)
From: Jan Lieskovsky <jlieskov@...hat.com>
To: oss-security@...ts.openwall.com
Cc: "Steven M. Christey" <coley@...us.mitre.org>,
        Gallery3 Security Team <security@...leryproject.org>
Subject: CVE Request -- gallery3 (3.0.9): Fixing two security flaws

Hello Kurt, Steve, vendors,

  Gallery upstream has released 3.0.9 version, correcting two security flaws:
  [1] http://galleryproject.org/gallery_3_0_9

My guess [***] is the two issues are as follows:

* Issue #1 - Improper stripping of URL fragments in flowplayer
SWF file might lead to reply attacks (a different flaw than CVE-2013-2138):
----------------------------------------------------------------------------

  A security flaw was found in the way flowplayer SWF file handling functionality
  of Gallery version 3, an open source project with the goal to develop and
  support leading photo sharing web application solutions, processed certain
  URL fragments passed to this file (certain URL fragments were not stripped
  properly when these files were called via direct URL request(s)). A remote
  attacker could use this flaw to conduct replay attacks.

  A different vulnerability than CVE-2013-2138.

  Upstream ticket:
  [2] http://sourceforge.net/apps/trac/gallery/ticket/2073

  Relevant upstream patch:
  [3] https://github.com/gallery/gallery3/commit/c5318bb1a2dd266b50317a2adb74d74338593733

  References:
  [4] https://bugzilla.redhat.com/show_bug.cgi?id=981197

* Issue #2 - gallery3: Multiple information exposure flaws in data rest core module
-----------------------------------------------------------------------------------

  Multiple information exposure flaws were found in the way data rest core module
  of Gallery version 3, an open source project with the goal to develop and support
  leading photo sharing web application solutions, used to previously restrict access
  to certain items of the photo album. A remote attacker, valid Gallery 3 user, could
  use this flaw to possibly obtain sensitive information (file, resize or thumb path
  of the item in question).

  Upstream ticket:
  [5] http://sourceforge.net/apps/trac/gallery/ticket/2074

  Relevant upstream patch (against 3.0.x branch):
  [6] https://github.com/gallery/gallery3/commit/cbbcf1b4791762d7da0ea7b6c4f4b551a4d9caed

  References:
  [7] https://bugzilla.redhat.com/show_bug.cgi?id=981198

Could you allocate CVE identifiers for these?

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

[***] Guess because the issues aren't more thoroughly described in upstream announcement [1]
      and former (private) email check with Gallery3 upstream didn't provide more details
      either. Cc-ed them on this post too, they to correct me where necessary.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.