Re: CVE Request -- gallery3 (3.0.9): Fixing two security flaws

[Shad Laws <shad () shadlaws com>]

Hello everyone,

A quick clarification on issue #2: the problem wasn't the item information
or paths, but rather the original-sized image file.

A legitimate user with "view" privileges for an item should be able to:
- get the item info and image file links (e.g.
".../rest/data/123?size=thumb", etc.)
- follow the links and get the "thumb" and "resize" image files themselves.
- guess the "full" image file link without thinking too hard (e.g.
".../rest/data/123?size=full")
- follow the link and get the "full" image file itself **ONLY** if they
have "view_full" access.

The problem was that this last condition wasn't being properly enforced.

Thanks again, and sorry for the delay in response!
Shad


On 4 July 2013 11:19, Jan Lieskovsky <jlieskov () redhat com> wrote:

> Hello Kurt, Steve, vendors,
>
>   Gallery upstream has released 3.0.9 version, correcting two security
> flaws:
>   [1] http://galleryproject.org/gallery_3_0_9
>
> My guess [***] is the two issues are as follows:
>
> * Issue #1 - Improper stripping of URL fragments in flowplayer
> SWF file might lead to reply attacks (a different flaw than CVE-2013-2138):
>
> ----------------------------------------------------------------------------
>
>   A security flaw was found in the way flowplayer SWF file handling
> functionality
>   of Gallery version 3, an open source project with the goal to develop and
>   support leading photo sharing web application solutions, processed
> certain
>   URL fragments passed to this file (certain URL fragments were not
> stripped
>   properly when these files were called via direct URL request(s)). A
> remote
>   attacker could use this flaw to conduct replay attacks.
>
>   A different vulnerability than CVE-2013-2138.
>
>   Upstream ticket:
>   [2] http://sourceforge.net/apps/trac/gallery/ticket/2073
>
>   Relevant upstream patch:
>   [3]
> https://github.com/gallery/gallery3/commit/c5318bb1a2dd266b50317a2adb74d74338593733
>
>   References:
>   [4] https://bugzilla.redhat.com/show_bug.cgi?id=981197
>
> * Issue #2 - gallery3: Multiple information exposure flaws in data rest
> core module
>
> -----------------------------------------------------------------------------------
>
>   Multiple information exposure flaws were found in the way data rest core
> module
>   of Gallery version 3, an open source project with the goal to develop
> and support
>   leading photo sharing web application solutions, used to previously
> restrict access
>   to certain items of the photo album. A remote attacker, valid Gallery 3
> user, could
>   use this flaw to possibly obtain sensitive information (file, resize or
> thumb path
>   of the item in question).
>
>   Upstream ticket:
>   [5] http://sourceforge.net/apps/trac/gallery/ticket/2074
>
>   Relevant upstream patch (against 3.0.x branch):
>   [6]
> https://github.com/gallery/gallery3/commit/cbbcf1b4791762d7da0ea7b6c4f4b551a4d9caed
>
>   References:
>   [7] https://bugzilla.redhat.com/show_bug.cgi?id=981198
>
> Could you allocate CVE identifiers for these?
>
> Thank you && Regards, Jan.
> --
> Jan iankko Lieskovsky / Red Hat Security Response Team
>
> [***] Guess because the issues aren't more thoroughly described in
> upstream announcement [1]
>       and former (private) email check with Gallery3 upstream didn't
> provide more details
>       either. Cc-ed them on this post too, they to correct me where
> necessary.