oss-sec mailing list archives

CVE request: Gallery multiple XSS vulnerabilities

From: Henri Salo <henri () nerv fi>
Date: Mon, 13 May 2013 10:28:55 +0300

Hello,

Two XSS vulnerabilities have been fixed in gallery 3.0.7.

http://osvdb.org/92691
http://osvdb.org/92740

One CVE-2013-XXXX is enough as these are fixed in the same version and same
issue type.

If I am correct:
http://osvdb.org/92789 should be removed as duplicate of http://osvdb.org/92691
http://osvdb.org/92690 should be removed as duplicate of http://osvdb.org/92740

Please ask if you have questions.

Diff between 3.0.6 - 3.0.7 below:

"""
git diff aa89aa0dc1610931674530169be8fd1edfceafde df9a412c5a18414ec52550e04f9672693f06421f
diff --git a/gallery3/README b/gallery3/README
index 7c58b69..18a2663 100644
--- a/gallery3/README
+++ b/gallery3/README
@@ -1,4 +1,4 @@
-Gallery 3.0.6 (Rive Gauche)
+Gallery 3.0.7 (Rive Droite)
 ===========================
 
 About
diff --git a/gallery3/modules/gallery/controllers/movies.php b/gallery3/modules/gallery/controllers/movies.php
index ca332f6..5607571 100644
--- a/gallery3/modules/gallery/controllers/movies.php
+++ b/gallery3/modules/gallery/controllers/movies.php
@@ -67,7 +67,7 @@ class Movies_Controller extends Items_Controller {
 
       log::success("content", "Updated movie", "<a href=\"{$movie->url()}\">view</a>");
       message::success(
-        t("Saved movie %movie_title", array("movie_title" => $movie->title)));
+        t("Saved movie %movie_title", array("movie_title" => html::purify($movie->title))));
 
       if ($form->from_id->value == $movie->id) {
         // Use the new url; it might have changed.
diff --git a/gallery3/modules/gallery/helpers/gallery.php b/gallery3/modules/gallery/helpers/gallery.php
index f3382fa..81f406d 100644
--- a/gallery3/modules/gallery/helpers/gallery.php
+++ b/gallery3/modules/gallery/helpers/gallery.php
@@ -18,8 +18,8 @@
  * Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA  02110-1301, USA.
  */
 class gallery_Core {
-  const VERSION = "3.0.6";
-  const CODE_NAME = "Rive Gauche";
+  const VERSION = "3.0.7";
+  const CODE_NAME = "Rive Droite";
   const RELEASE_CHANNEL = "release";
   const RELEASE_BRANCH = "3.0.x";
 
diff --git a/gallery3/modules/gallery/views/error_admin.html.php b/gallery3/modules/gallery/views/error_admin.html.php
index cd1bd56..036e204 100644
--- a/gallery3/modules/gallery/views/error_admin.html.php
+++ b/gallery3/modules/gallery/views/error_admin.html.php
@@ -289,7 +289,7 @@
               <tr>
                 <td class="key">
                   <code>
-                    <?= $key?>
+                    <?= html::purify($key) ?>
                   </code>
                 </td>
                 <td class="value">
"""

---
Henri Salo

Attachment: signature.asc
Description: Digital signature

Current thread:

CVE request: Gallery multiple XSS vulnerabilities Henri Salo (May 13)
- Re: CVE request: Gallery multiple XSS vulnerabilities Kurt Seifried (May 14)