Re: CVE Request -- gallery3 (3.0.9): Fixing two security flaws

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 07/04/2013 03:19 AM, Jan Lieskovsky wrote:
> Hello Kurt, Steve, vendors,
>
> Gallery upstream has released 3.0.9 version, correcting two
> security flaws: [1] http://galleryproject.org/gallery_3_0_9
>
> My guess [***] is the two issues are as follows:
>
> * Issue #1 - Improper stripping of URL fragments in flowplayer SWF
> file might lead to reply attacks (a different flaw than
> CVE-2013-2138): 
> ----------------------------------------------------------------------------
>
>  A security flaw was found in the way flowplayer SWF file handling
> functionality of Gallery version 3, an open source project with the
> goal to develop and support leading photo sharing web application
> solutions, processed certain URL fragments passed to this file
> (certain URL fragments were not stripped properly when these files
> were called via direct URL request(s)). A remote attacker could use
> this flaw to conduct replay attacks.
>
> A different vulnerability than CVE-2013-2138.
>
> Upstream ticket: [2]
> http://sourceforge.net/apps/trac/gallery/ticket/2073
>
> Relevant upstream patch: [3]
> https://github.com/gallery/gallery3/commit/c5318bb1a2dd266b50317a2adb74d74338593733
>
>  References: [4]
> https://bugzilla.redhat.com/show_bug.cgi?id=981197

Please use CVE-2013-2240 for this issue.

> * Issue #2 - gallery3: Multiple information exposure flaws in data
> rest core module 
> -----------------------------------------------------------------------------------
>
>  Multiple information exposure flaws were found in the way data
> rest core module of Gallery version 3, an open source project with
> the goal to develop and support leading photo sharing web
> application solutions, used to previously restrict access to
> certain items of the photo album. A remote attacker, valid Gallery
> 3 user, could use this flaw to possibly obtain sensitive
> information (file, resize or thumb path of the item in question).
>
> Upstream ticket: [5]
> http://sourceforge.net/apps/trac/gallery/ticket/2074
>
> Relevant upstream patch (against 3.0.x branch): [6]
> https://github.com/gallery/gallery3/commit/cbbcf1b4791762d7da0ea7b6c4f4b551a4d9caed
>
>  References: [7]
> https://bugzilla.redhat.com/show_bug.cgi?id=981198

Please use CVE-2013-2241 for this issue.

> Could you allocate CVE identifiers for these?
>
> Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat
> Security Response Team
>
> [***] Guess because the issues aren't more thoroughly described in
> upstream announcement [1] and former (private) email check with
> Gallery3 upstream didn't provide more details either. Cc-ed them on
> this post too, they to correct me where necessary.


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJR1b+JAAoJEBYNRVNeJnmTYFEP/02THfjrSDhAS39jQBSMISJb
dgjL4/SKczghELBBVlzmv/O4b6GnDOpIkFC1ofX/tTkV2eEdEaXUV3aC22EB6Vwq
o71em51Y+rrS184uIH5LMer3GvQsn+thyAWH/Huj80oS4GHZ5kiCvN1GaAvplTov
JEzldVJGYs2+MJ1tOaVMc5tuCNFeBE2oGZYN5Ci+F+0T7TTfKBwaePBK2ExlEpmb
RxcqTj9ONDqcMN2poW3t7f9xtX9aAOk8ebZKHaHuGVGq8nUpD/+XdwGIu6KRKSoA
R6oFRk8Kxix4AJY1fAxAMDkHpiqy/Z3L+/qwPVqRlCg/Ilr/hgaFKUGeDbwyVEqM
ZKAWLGFE+OHPcH0n5p5X2tIWkAvsoaCBlaIwvRJ8S1seb6w90B1Ob7ynO4yohQpu
/bpCQXnU1lQfY/BhMJ/5TMFoZvLyf28DxJTlsTjhic3aV6VqrCcu9Y7WQW8vaMXM
HxPOL+clnkhBTBvya7RXFy9R1ft4ODzDUrD9IxDeewkVl/9YrOHakDTM0AKNI+fL
tlyksHM7vyDjUDVG/gMDooIrLgoroLNUQikFOb2kx8QFFmz+nWTi+3zYEUh5SWe4
LtuBdfTdTChd7XEF/mCVmscUtw99alivUL63nCnLZek6jdlchnHZcJ5Fj2bVA93q
Jxqd4d48c76uFAhOtKSJ
=Aotk
-----END PGP SIGNATURE-----