Re: CVE Request -- gallery3 (3.0.9): Fixing two security flaws

[Bharat Mediratta <bharat () menalto com>]

This is accurate enough. Thanks Jan and sorry for not responding earlier -
I'm traveling with limited access.
On Jul 4, 2013 4:19 AM, "Jan Lieskovsky" <jlieskov () redhat com> wrote:

> Hello Kurt, Steve, vendors,
>
>   Gallery upstream has released 3.0.9 version, correcting two security
> flaws:
>   [1] http://galleryproject.org/gallery_3_0_9
>
> My guess [***] is the two issues are as follows:
>
> * Issue #1 - Improper stripping of URL fragments in flowplayer
> SWF file might lead to reply attacks (a different flaw than CVE-2013-2138):
>
> ----------------------------------------------------------------------------
>
>   A security flaw was found in the way flowplayer SWF file handling
> functionality
>   of Gallery version 3, an open source project with the goal to develop and
>   support leading photo sharing web application solutions, processed
> certain
>   URL fragments passed to this file (certain URL fragments were not
> stripped
>   properly when these files were called via direct URL request(s)). A
> remote
>   attacker could use this flaw to conduct replay attacks.
>
>   A different vulnerability than CVE-2013-2138.
>
>   Upstream ticket:
>   [2] http://sourceforge.net/apps/trac/gallery/ticket/2073
>
>   Relevant upstream patch:
>   [3]
> https://github.com/gallery/gallery3/commit/c5318bb1a2dd266b50317a2adb74d74338593733
>
>   References:
>   [4] https://bugzilla.redhat.com/show_bug.cgi?id=981197
>
> * Issue #2 - gallery3: Multiple information exposure flaws in data rest
> core module
>
> -----------------------------------------------------------------------------------
>
>   Multiple information exposure flaws were found in the way data rest core
> module
>   of Gallery version 3, an open source project with the goal to develop
> and support
>   leading photo sharing web application solutions, used to previously
> restrict access
>   to certain items of the photo album. A remote attacker, valid Gallery 3
> user, could
>   use this flaw to possibly obtain sensitive information (file, resize or
> thumb path
>   of the item in question).
>
>   Upstream ticket:
>   [5] http://sourceforge.net/apps/trac/gallery/ticket/2074
>
>   Relevant upstream patch (against 3.0.x branch):
>   [6]
> https://github.com/gallery/gallery3/commit/cbbcf1b4791762d7da0ea7b6c4f4b551a4d9caed
>
>   References:
>   [7] https://bugzilla.redhat.com/show_bug.cgi?id=981198
>
> Could you allocate CVE identifiers for these?
>
> Thank you && Regards, Jan.
> --
> Jan iankko Lieskovsky / Red Hat Security Response Team
>
> [***] Guess because the issues aren't more thoroughly described in
> upstream announcement [1]
>       and former (private) email check with Gallery3 upstream didn't
> provide more details
>       either. Cc-ed them on this post too, they to correct me where
> necessary.