Gallery 1.4.3-pl2 Security Release
Submitted by signe on Tue, 2004-06-01 23:01
Notice: This affects all versions of Gallery from 1.2 to 1.4.3-pl1:
We have discovered a well-hidden but potentially serious security flaw in these versions of Gallery which can allow a hacker to log in to your Gallery as an administrator and perform any actions on your albums. No risk is posed to the webserver itself or any non-Gallery data. All Gallery users are very strongly urged to upgrade to 1.4.3-pl2 immediately, which fixes this serious problem and will secure your system.
Gallery 1.4.3-pl2 can be downloaded from the Gallery Download Page.
Please use the Discussion Forums for any issues or questions. This topic is now locked to further comments to prevent confusion and to make sure no questions are lost.
[10PM PDT] A patch version of the update has been made available on the downloads page. After downloading the patch, copy it to the location where your Gallery directory exists, but not inside of it, and apply it by running these commands on your (UNIX) server:
gzip -d gallery-1.4.3-pl1_to_pl2.patch.gz
patch -p0 < gallery-1.4.3-pl1_to_pl2.patch

Version 1.4.3-pl2-1 of the Debian gallery package was uploaded on Tuesday, June 1, 2004 and should be available in Debian unstable after the archive run completes in the afternoon (EST) of Wednesday, June 2, 2004. Version 1.2.5-9woody1 of the Debian gallery package for Debian Stable (a.k.a. Woody) was sent to the Debian Security Team on Tuesday, June 1, 2004 and should be available in Debian stable shortly.

Is it just me, or is 1.4.3-pl2 missing the config.php file? I can't seem to find it in the ZIP file, which makes setting up Gallery somewhat difficult.
Where are the directions to install the upgrade?
I'm rather disappointed with this release. It's marked as a security release, but instead it has MAJOR changes, including the addition of Java stuff. No mention of those major changes is made in the announcement at all... instead I found out after doing the upgrade on both of my gallery installations.
No, actually, there are two changes in the -pl2 release and nothing more. The major changes were made in 1.4.3, which was released on April 19th.

http://gallery.menalto.com/modules.php?op=modload&name=News&file=article&sid=116&mode=thread&order=0&thold=1

-pl1: (May 5th)

http://gallery.menalto.com/modules.php?op=modload&name=News&file=article&sid=117&mode=thread&order=0&thold=1
http://gallery.menalto.com/modules.php?op=modload&name=GalleryDocs&file=index&page=gallery1-install.upgrade.php
config.php is not a file that has ever been included with Gallery. It's a file that you create during the installation process.

http://gallery.menalto.com/modules.php?op=modload&name=GalleryDocs&file=index&page=gallery1-install.php
No metadata is included in the gallery main page, i.e. no charset data. Album pages are fine.

Is this an expected feature?
Can anyone tell me how to apply the patch with ws_FTP?

Thanks in advance
Does this security hole also affect prior versions?
Could you post a phpbb-style manual mod for this security fix?
"open file x, line y after blabla insert blabla,
line z, replace blabla by blabla"
It's just that I don't want to learn to read patch files.
I am trying to apply the patch but it has asked me for a file to patch. I am sure I have the correct version of Gallery for this patch.

user@host $ patch -p0 < gallery-1.4.3-pl1_to_pl2.patch
Hmm... Looks like a unified diff to me...
The text leading up to this was:
--------------------------
|diff -u -r gallery-1.4.3-pl1/ChangeLog gallery/ChangeLog
|--- gallery-1.4.3-pl1/ChangeLog Wed May 5 15:56:38 2004
|+++ gallery/ChangeLog Tue Jun 1 08:40:42 2004
--------------------------
File to patch:

As this is the first time I have used patch, the man page and --help have not answered this in my case.
The patch file can only be run from a UNIX system - if you have to upgrade via FTP, you should download the full release, and tell your ftp client to only upload the changed files.
Either move the patch file out one directory (not inside the gallery directory, but inside the one above that), or change your command to "patch -p1". Either should work.
Sorry if this is elementary, but does Gallery have to be in Configuration Mode to run this patch? Thanks!
Gallery should always be in configuration mode when you are running an upgrade, however, technically speaking, this particular change does not include any changes to the setup directory so it's not necessary.
Here is how to patch by hand or using FTP:

change in init.php line 25 from

$sensitiveList = array("gallery", "GALLERY_BASEDIR");

into

$sensitiveList = array("gallery", "GALLERY_BASEDIR", "GALLERY_EMBEDDED_INSIDE", "GALLERY_EMBEDDED_INSIDE_TYPE");

that's all, and you're secured.

Then you have NO REAL 1.4.3pl2 VERSION (but your old version secured), because between 1.4.3pl1 and pl2 there are also some other minor changes, but they have nothing to do with the security issue.

kind regards

Folke
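A check for the manual fix described above, added here as an example and not code from the Gallery project or the thread: it parses the `$sensitiveList = array(...)` assignment out of an init.php and reports which of the -pl2 names are missing. The three init.php snippets are constructed from the before/after lines quoted above; one of them is deliberately wrapped inside a string literal to show why the wrap position matters (a wrap between elements is harmless, a wrap inside the quotes changes the name).

```python
"""Check whether a Gallery 1 init.php carries the -pl2 hardening: the two
embedding variables added to $sensitiveList.

Added example, not code from the Gallery project; the init.php snippets
below are constructed from the before/after lines quoted in the thread.
"""
import re

# Names the -pl2 change expects in the list (from the thread's instructions).
REQUIRED_SENSITIVE = ("gallery", "GALLERY_BASEDIR",
                      "GALLERY_EMBEDDED_INSIDE", "GALLERY_EMBEDDED_INSIDE_TYPE")

# Matches ``$sensitiveList = array( ... );``. DOTALL lets a list that an editor
# wrapped across several lines still parse; the element strings must be intact.
ARRAY_RE = re.compile(r'\$sensitiveList\s*=\s*array\s*\((.*?)\)\s*;', re.DOTALL)
STRING_RE = re.compile(r'"([^"]*)"|\'([^\']*)\'')


def sensitive_list(php_source):
    """Return the string literals inside $sensitiveList = array(...),
    or None if the assignment is not present in the file."""
    m = ARRAY_RE.search(php_source)
    if m is None:
        return None
    return [dq or sq for dq, sq in STRING_RE.findall(m.group(1))]


def missing_names(php_source):
    """Required names absent from the file's list; None if no list was found."""
    found = sensitive_list(php_source)
    if found is None:
        return None
    return [name for name in REQUIRED_SENSITIVE if name not in found]


def is_patched(php_source):
    """True only when the list exists and contains every required name."""
    return missing_names(php_source) == []


# Constructed: the pre-pl2 line as quoted in the thread.
OLD_INIT = '<?php\n$sensitiveList = array("gallery", "GALLERY_BASEDIR");\n'

# Constructed: the hardened line, wrapped by an editor between two elements.
NEW_INIT_WRAPPED = ('<?php\n$sensitiveList = array("gallery", "GALLERY_BASEDIR",\n'
                    '    "GALLERY_EMBEDDED_INSIDE", "GALLERY_EMBEDDED_INSIDE_TYPE");\n')

# Constructed: a bad edit where the wrap landed inside a string literal,
# so the name PHP sees contains a newline and no longer matches.
BROKEN_INIT = ('<?php\n$sensitiveList = array("gallery", "GALLERY_BASEDIR", '
               '"GALLERY_EMBEDDED_\nINSIDE", "GALLERY_EMBEDDED_INSIDE_TYPE");\n')


if __name__ == "__main__":
    for label, src in (("old", OLD_INIT), ("wrapped", NEW_INIT_WRAPPED),
                       ("broken", BROKEN_INIT)):
        print(label, "patched" if is_patched(src) else "missing:", missing_names(src))
```

Run it against your own file with `is_patched(open("init.php").read())`; a `None` result means the assignment was not found at all, which usually indicates a file from a different Gallery version rather than an unpatched one.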
thanks!
Is this the only change? The patch looks like it's trying to fix other files than just init.php

I can't upgrade until they fix the Java-by-default-upload "feature" (or unless they did already and no one mentioned it.)
Can I assume that the patch won't work if you don't have your gallery directory actually named "gallery"?

If you use the -p1 parameter, and put the patch file inside your directory, it will work normally.

-p1 tells patch to strip off the first part of the path information
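The strip-level point made above, and the `patch -p0` instruction in the announcement, as an added example (not code from the Gallery project or the thread): the function resolves which `-pN` makes the patch's `+++` paths land on real files from a given working directory, using the `gallery/ChangeLog` and `gallery/init.php` headers quoted in this thread. It simplifies GNU patch's real behaviour by looking only at the `+++` names. The temporary directory tree is constructed for the demonstration.

```python
"""Resolve which ``patch -pN`` strip level makes a unified diff's paths land
on real files, mirroring how patch strips leading path components.

Added example, not part of the Gallery release or the thread. Only the
post-image (+++) paths are considered, a simplification of GNU patch.
"""
import os
import tempfile

# Constructed: the file headers as they appear in the thread's patch output
# (``diff -u -r gallery-1.4.3-pl1/ChangeLog gallery/ChangeLog``), hunks omitted.
SAMPLE_PATCH = """\
diff -u -r gallery-1.4.3-pl1/ChangeLog gallery/ChangeLog
--- gallery-1.4.3-pl1/ChangeLog\tWed May 5 15:56:38 2004
+++ gallery/ChangeLog\tTue Jun 1 08:40:42 2004
diff -u -r gallery-1.4.3-pl1/init.php gallery/init.php
--- gallery-1.4.3-pl1/init.php\tWed May 5 15:56:38 2004
+++ gallery/init.php\tTue Jun 1 08:40:42 2004
"""


def target_paths(patch_text):
    """Return the post-image paths named on the ``+++`` lines of a unified diff."""
    paths = []
    for line in patch_text.splitlines():
        if line.startswith("+++ "):
            # The path ends at the first tab; a timestamp may follow it.
            paths.append(line[4:].split("\t", 1)[0].strip())
    return paths


def strip_components(path, n):
    """Drop the first ``n`` slash-separated components, as ``patch -pN`` does.
    Returns None when nothing would be left."""
    parts = [p for p in path.split("/") if p]
    if n >= len(parts):
        return None
    return "/".join(parts[n:])


def resolve_strip_level(patch_text, cwd):
    """Smallest N for which every ``+++`` path exists under ``cwd`` after
    stripping N components, or None if no level fits. -p0 fits when run from
    the directory containing ``gallery/``; -p1 fits when run inside it, whatever
    the directory is actually called."""
    paths = target_paths(patch_text)
    if not paths:
        return None
    max_depth = max(len(p.split("/")) for p in paths)
    for n in range(max_depth):
        stripped = [strip_components(p, n) for p in paths]
        if all(s is not None and os.path.isfile(os.path.join(cwd, s))
               for s in stripped):
            return n
    return None


def demo(dir_name="gallery"):
    """Build a throwaway ``<tmp>/<dir_name>/{ChangeLog,init.php}`` tree and
    report the strip level seen from the parent directory and from inside it."""
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, dir_name)
        os.mkdir(base)
        for name in ("ChangeLog", "init.php"):
            with open(os.path.join(base, name), "w") as fh:
                fh.write("constructed placeholder\n")
        return {
            "from_parent": resolve_strip_level(SAMPLE_PATCH, root),
            "from_inside": resolve_strip_level(SAMPLE_PATCH, base),
        }


if __name__ == "__main__":
    print(demo())           # {'from_parent': 0, 'from_inside': 1}
    print(demo("photos"))   # {'from_parent': None, 'from_inside': 1}
```

The second call shows the case asked about above: when the directory is not named `gallery`, no strip level works from the parent directory, but `-p1` from inside the directory still does, because the `gallery/` prefix is discarded before the lookup.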
Thanks!
no, from pl1 to pl2 there are some other diffs, but they are not security related
does it matter if that new line of code gets word wrapped around to a new line? or does it have to fit on one long line?
If you don't want the java applets, all you have to do is delete GalleryRemote*.jar from the java directory. Poof. No more applets.
Thanks signe.
doesn't matter. just make sure it's a normal wordwrap and there's no space or enter/newline in between.
I'm using phpnuke and attempting to patch gallery but I'm having problems.

I go to the modules directory just before the gallery directory (where I downloaded the patch) and issued the commands

gzip -d gallery-1.4.3-pl1_to_pl2.patch.gz

then

patch -p0 < gallery-1.4.3-pl1_to_pl2.patch

I get the following after the last command

patching file gallery/ChangeLog
Hunk #1 FAILED at 1.
1 out of 1 hunk FAILED -- saving rejects to file gallery/ChangeLog.rej
patching file gallery/Version.php
Hunk #1 FAILED at 17.
Hunk #2 FAILED at 31.
2 out of 2 hunks FAILED -- saving rejects to file gallery/Version.php.rej
patching file gallery/docs/g1package/index.html
Hunk #1 FAILED at 2.
1 out of 1 hunk FAILED -- saving rejects to file gallery/docs/g1package/index.html.rej
patching file gallery/init.php
Hunk #1 FAILED at 17.
1 out of 1 hunk FAILED -- saving rejects to file gallery/init.php.rej
can't find file to patch at input line 83
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|diff -u -r gallery-1.4.3-pl1/setup/check.inc gallery/setup/check.inc
|--- gallery-1.4.3-pl1/setup/check.inc Sun Apr 11 15:03:42 2004
|+++ gallery/setup/check.inc Thu May 6 03:05:29 2004
--------------------------
File to patch:

What am I doing wrong with this?
upgraded from 1.4.1 to 1.4.3-pl2 and my highlighted images disappeared. had to roll back to 1.4.1

also noticing that select box commands don't work in mozilla 1.7b. not sure if they ever did. I'll try mozilla 1.7rc2...
The last error is that you didn't put your Gallery in config mode.

The others... not sure. What version are you running? The patch will only apply against 1.4.3-pl1.
This happened to me at one point when I upgraded. IIRC, what happened was that my FTP didn't upload all of the new source files over the old, and so something I'd modified regarding the dropshadows around the thumbnails caused a problem with the highlights showing up.

Try backing up your existing Gallery source files, and then uploading the new versions completely, and see if that fixes the problem with your highlights (and if it does, just replicate your modifications from the previous version). Don't forget that if you have an html_wrap file being overridden by a version without the .default tag, you won't see the upgraded version in action.
I have tried both ways: -p0 (outside the Gallery directory) and -p1 (inside the Gallery directory after moving the patch there):

bash-2.05a$ patch -p0 < gallery-1.4.3-pl1_to_pl2.patch
can't find file to patch at input line 4
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|diff -u -r gallery-1.4.3-pl1/ChangeLog gallery/ChangeLog
|--- gallery-1.4.3-pl1/ChangeLog Wed May 5 15:56:38 2004
|+++ gallery/ChangeLog Tue Jun 1 08:40:42 2004
--------------------------
File to patch: patch -p1 < gallery-1.4.3-pl1_to_pl2.patch
patch: No such file or directory
Skip this patch? [y]

I'm not getting anywhere - what should I try next?
After making some changes for my configuration mode I got this:

bash-2.05a$ patch -p1 < gallery-1.4.3-pl1_to_pl2.patch
patching file ChangeLog
Hunk #1 FAILED at 1.
1 out of 1 hunk FAILED -- saving rejects to file ChangeLog.rej
patching file Version.php
Hunk #1 FAILED at 17.
Hunk #2 FAILED at 31.
2 out of 2 hunks FAILED -- saving rejects to file Version.php.rej
patching file docs/g1package/index.html
Hunk #1 FAILED at 2.
1 out of 1 hunk FAILED -- saving rejects to file docs/g1package/index.html.rej
patching file init.php
patching file setup/check.inc
patching file util.php
Hunk #1 FAILED at 17.
Hunk #2 succeeded at 2715 (offset -6 lines).
1 out of 2 hunks FAILED -- saving rejects to file util.php.rej

How do I check what version I have? The Gallery displays 1.4.3 but I have no idea what the pl number is.

Leslie
note for the less *nix familiar:

you need to run
sh configure.sh
from your gallery base dir before running patch
unzip the files locally.
FTP init.php, util.php, Version.php and manifest.php. Overwrite existing files on the server.

Dave
If you're using 1.4.3-pl1, that's what it will say at the bottom of your Gallery. You need to download the full version of Gallery and install over the top. The patch only works for -pl1 to -pl2.
As the original notice says, all Gallery versions from 1.2 through 1.4.3-pl1 are affected.
I am running 1.4.1-pl1, would like to patch to 1.4.3-pl2. Can I upgrade directly from 1.4.1 or do I need to overwrite the whole program?

Is there a patch from 1.4.1-1.4.3?

I am a little confused. Thanks for any help.
I must have missed that part of the install. I'll try that now.
You need to perform the full upgrade. There is no patch version from 1.4.1
Is there a way to keep these as options but not make them the default?