Gallery 3.0.3 and Gallery 2.3.2 Security Releases are available!

We're releasing both Gallery 3.0.3 and Gallery 2.3.2 as security releases. Several researchers, working independently, discovered possible encryption-related vulnerabilities. Low-risk XSS vulnerabilities limited to the administration area were also reported. We thank the following individuals for reporting these issues: James 'albino' Kettle, George Argyros & Aggelos Kiayias, and Emanuel Bronshtein. They will be receiving bounties for these issues. Read our Bounties page for details and how to submit any security issues you find. The CVE id for these issues is CVE-2012-1113.

We recommend that all users of Gallery 2 and Gallery 3 upgrade as soon as possible.

Gallery 3.0.3 includes a few other small fixes, and Gallery 2.3.3 is strictly a security release.

Upgrading Gallery 3

Upgrading is really easy! Unpack the new version, move the var/ directory of the old version into the new version's folder, and then either browse to http://your-site.com/gallery3/index.php/upgrader or, at a shell prompt, run: php index.php upgrade. For more detailed upgrade instructions, please refer to the Gallery 3 User Guide.

Upgrading Gallery 2

A very small change is all that is needed. Drop in a new copy of all the files, or just grab the files from that commit and you'll be all set. You can also follow the much more detailed Gallery 2 Upgrading steps.

Got feedback?

If you have any overall feedback, please visit the Gallery 3.0.3 Feedback forum topic and let us know! If you have questions, please visit the Gallery 3 Wiki, the home for Gallery 3 documentation.

Thanks for the update. Always appreciated.

scaturan's picture

thank you for the security fixes, very much appreciated on behalf of my users at Pixi.me :)

DamienA's picture

I am a gallery 2 user. When I click on "very small change" I get taken to a page that lists four items with changed paths. What are we supposed to do with them?

scaturan's picture

@DamienA: go here instead http://sourceforge.net/projects/gallery/files/gallery2/2.3.2/ and grab that version you need.

I had file integrity issues with those 2.3.1 -> 2.3.2 zip files, so I ended up grabbing the 2.3.2-developer.zip, uncompressed it onto my multisite codebase, and the Upgrader went smoothly.

mdlueck's picture

At this page:
http://codex.gallery2.org/Downloads

FYI... The latest 2.x version still shows: "Latest stable release: 2.3.1"

Clicking the link shows the correct 2.3.2, which I will apply shortly. Thanks! :-)

ckdake's picture

@mdlueck: thanks, fixed!

I upgraded via Softaculous script.
Now my album looks pretty weird:
http://what-buddha-said.net/gallery/
How can I fix this?

bharat's picture

@samahita: Looks like you're using a custom theme - try the fix from http://gallery.menalto.com/gallery_3.0.3_feedback#comment-390009
or see if there's an updated version.
---
Problems? Check gallery3/var/logs
file a bug/feature ticket | upgrade to the latest code! | hacking G3? join us on IRC!

floridave's picture

For the Browny_wind theme just replace the views/page.html.php in the browny_wind theme with the one that comes with the wind theme.
That should fix the issue until the author of the theme updates it.

Dave
_____________________________________________
Blog & G2 || floridave - Gallery Team

Thanks for the updates!

Is there any way to get a list of the specific files which were changed in 3.0.3 compared with 3.0.2? I've done quite a bit of hacking to a number of them, and I don't want to overwrite them all by doing an auto-update.

floridave's picture

Best bet is to get a copy of http://winmerge.org/ and do a comparison yourself.
I bet there is a way to do a Git compare and get a list, but I will let you do that if WinMerge is not your style.

Dave

snackmaster's picture

Winmerge shows 269 files that are different from 3.0.2 to 3.0.3. The Copyright date of 2012 was the only change in the first 10 files that I checked.
Anyone know how to exclude the copyright line from the compare? Or another method to find changed files?

snackmaster's picture

I updated all the v3.0.2 files to have the same copyright date as the 3.0.3 files; after that WinMerge tells me there are 53 files with a difference. This is about as Scientific as Intelligent Design - trust the results at your own risk. http://gfisk.com/images/g303v302.html

Joomla? Not Wordpress or Drupal? Joomla!?!

Add-on comment: For Mac users (as well as Win and Linux), DiffMerge also works well to find the differences. I used .*Copyright \(C\) as the ruleset regex in the preferences to exclude from comparison those lines which changed the copyright date. Very helpful.

Here are the 53 changed (and new) files and folders I was able to find for which 3.0.3 differed from 3.0.2 (excluding files with only the copyright notice changed). I hope I found them all:
lib/gallery.common.js
modules/comment/controllers/admin_comments.php
modules/comment/helpers/comment_installer.php
modules/comment/helpers/comment_rss.php
modules/comment/module.info
modules/g2_import/controllers/g2.php
modules/gallery/config/user_agents.php
modules/gallery/controllers/admin.php
modules/gallery/controllers/admin_graphics.php
modules/gallery/controllers/albums.php
modules/gallery/controllers/combined.php
modules/gallery/controllers/movies.php
modules/gallery/controllers/photos.php
modules/gallery/controllers/uploader.php
modules/gallery/helpers/encoding.php
modules/gallery/helpers/gallery_rss.php
modules/gallery/helpers/gallery_task.php
modules/gallery/helpers/gallery.php
modules/gallery/helpers/graphics.php
modules/gallery/helpers/item.php
NEW modules/gallery/helpers/legal_file.php
NEW modules/gallery/helpers/MY_valid.php
modules/gallery/helpers/random.php
modules/gallery/helpers/upgrade_checker.php
modules/gallery/hooks/init_gallery.php
NEW modules/gallery/images/missing_photo.png
NEW modules/gallery/libraries/Breadcrumb.php
modules/gallery/libraries/Form_Uploadify.php
modules/gallery/libraries/Gallery_View.php
modules/gallery/libraries/Theme_View.php
modules/gallery/models/item.php
NEW modules/gallery/vendor/
NEW modules/gallery/vendor/Joomla/
NEW modules/gallery/vendor/Joomla/crypt.php
modules/gallery/views/admin_advanced_settings.html.php
modules/gallery/views/admin_themes.html.php
modules/gallery/views/form_uploadify.html.php
modules/organize/views/organize_frame.html.php
modules/rest/controllers/rest.php
modules/rest/helpers/rest_event.php
modules/search/controllers/search.php
modules/search/helpers/search.php
modules/tag/controllers/tag.php
modules/tag/helpers/tag.php
modules/tag/models/tag.php
modules/user/controllers/users.php
modules/user/libraries/drivers/IdentityProvider/Gallery.php
modules/user/models/group.php
modules/user/models/user.php
modules/user/views/reset_password.html.php
themes/admin_wind/css/screen-rtl.css
themes/wind/css/screen-rtl.css
themes/wind/views/page.html.php
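A way to produce a list like the one above mechanically, as an added example that is not code from the Gallery project or from the commenters: it walks two unpacked release trees and reports a file as changed only if it still differs after lines matching the copyright pattern are dropped, so a year-only edit is not counted. The two small trees it writes under a temp directory are constructed stand-ins, not real Gallery files.

```python
import os
import re
import tempfile

# Lines matching this are dropped before comparison (same idea as the ".*Copyright \(C\)" DiffMerge ruleset)
IGNORE = re.compile(rb"Copyright \(C\)")

def _normalised(path, ignore):
    """Return the file's lines with every ignored line removed."""
    with open(path, "rb") as fh:
        return [line for line in fh if not ignore.search(line)]

def _walk(root):
    """Relative paths (forward slashes) of all regular files under root."""
    paths = set()
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            paths.add(os.path.relpath(full, root).replace(os.sep, "/"))
    return paths

def compare_trees(old_root, new_root, ignore=IGNORE):
    """Return sorted (changed, added, removed) relative paths; a file is
    'changed' only if it still differs after ignored lines are stripped."""
    old, new = _walk(old_root), _walk(new_root)
    changed = [p for p in old & new
               if _normalised(os.path.join(old_root, p), ignore)
               != _normalised(os.path.join(new_root, p), ignore)]
    return sorted(changed), sorted(new - old), sorted(old - new)

def demo():
    """Constructed stand-ins for a 3.0.2 and a 3.0.3 tree (not real Gallery files)."""
    base = tempfile.mkdtemp()
    sample = {
        "old/modules/gallery/helpers/random.php": b"<?php\n// Copyright (C) 2011\nfunction x() {}\n",
        "new/modules/gallery/helpers/random.php": b"<?php\n// Copyright (C) 2012\nfunction x() { return 1; }\n",
        "old/modules/tag/helpers/tag.php": b"<?php\n// Copyright (C) 2011\nfunction t() {}\n",
        "new/modules/tag/helpers/tag.php": b"<?php\n// Copyright (C) 2012\nfunction t() {}\n",
        "new/modules/gallery/vendor/Joomla/crypt.php": b"<?php\n// Copyright (C) 2012\n",
    }
    for rel, data in sample.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return compare_trees(os.path.join(base, "old"), os.path.join(base, "new"))
```

Point compare_trees() at the two unpacked release directories to get the real list; tag.php in the demo shows a copyright-only change being ignored.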

Dave... please, I currently upgraded to the latest gallery... I have replaced the var file with the old one, but all my uploaded photos only show when I log in as admin... but when I log out... I don't see any photos..

Please, can you help?

floridave's picture

emma009 please start a new thread.

Dave

Dave... I installed the new gallery... but my admin permission table is not coming up when you click on it... there are no options to change the permissions...

Can you help?

Hm... I have a problem --> http://info-panel.net/test/upload/2760575670Unbenannt.PNG
I can't click or ever.. :-/

floridave's picture

Best to start a thread in the forums, as it is hard to track an issue in a news story.

Dave

Not been around for almost 2 months. Didn't notice the update. Thank you for the update, by the way :)

floridave's picture

To be up to date subscribe to the announcements list:
http://codex.gallery2.org/Mailing_Lists

Dave
