Gallery 3.0.1 security and bugfix release is available!

Gallery 3.0.1 is available! This is a bug and stability fix release, but it also includes an important security fix. We strongly advise that you upgrade to Gallery 3.0.1 as soon as possible. Upgrading is quick and easy — don't put it off! Read on to learn what's improved in Gallery 3.0.1, or just download it now!

Security Fix

Vulnerability CVE-2010-4353
Gallery 3.0 (and its beta versions) has a security vulnerability in which users with upload permissions can bypass the file type restrictions and upload files of any type to the remote system. This vulnerability only affects installations where you've granted upload permissions to users you don't fully trust. Those users could then gain remote access to your system. We strongly recommend that you upgrade immediately. However, if you wish to close the hole without upgrading, you can replace or patch modules/gallery/models/item.php with a newer version.

  • Method #1: Replace item.php
    1. Download CVE-2010-4353.zip
    2. Unpack the zip file
    3. Replace modules/gallery/models/item.php with the version contained in the zip file
  • Method #2: Patch item.php
    1. Download CVE-2010-4353.patch.txt
    2. Move CVE-2010-4353.patch.txt into your gallery3 directory
    3. Run patch -p0 < CVE-2010-4353.patch.txt
    4. You should see the following output: patching file modules/gallery/models/item.php

We would like to thank Kriss Andsten for responsibly disclosing this security issue. Kriss is a valued member of the Gallery 3 community and he will be receiving a $400 cash reward as part of the Gallery Security Bounty program.

If you discover a security vulnerability in any Gallery product, please email security@gallery.menalto.com with the details and we will fix it as soon as possible and reward your efforts.

What's changed in Gallery 3.0.1?

This new release is primarily a bugfix and stability release. There have been over 277,000 downloads of Gallery 3.0 since we released it in October of 2010 and over 32,000 posts in our forums from active users. While the feedback has been overwhelmingly positive, you've certainly found a lot of bugs and rough edges! We worked through and closed over 95 tickets to make the product faster, more reliable and easier to use. We hope you like the results. Some of the highlights of this release include:

  • Considerable performance improvements to the REST module, the technology that powers things like the Gallery Android App
  • Huge improvements in performance when tagging lots of photos
  • Compatibility fixes for Internet Explorer 6 and 7
  • Improved system detection to help identify problems when PHP is configured in a way that makes Gallery work poorly or not at all.
  • Automatic version upgrade detection. Gallery will now alert you if there's a newer version of Gallery available, without sharing any of your Gallery information.
  • Completely rewrote the Organize feature to be fast and stable.
  • Fixed an important stability issue where a race between two users deleting photos and albums could corrupt the database; the corruption was completely recoverable, but a pain to deal with.

Upgrading

Upgrading is really easy! Unpack the new version, move the var/ directory of the old version into the new version's folder, and then either:

  • browse to http://your-site.com/gallery3/index.php/upgrader, or
  • at a shell prompt, run: php index.php upgrade

For more detailed upgrade instructions, please refer to the Gallery 3 User Guide.

Roadmap

Looking forward, we intend to make some major changes in the 3.1 code base. We'd like to get Gallery embedded into content management systems like Drupal, Joomla, etc. We're also thinking about ways that we can overhaul and greatly improve the theme and authentication systems. If we discover issues in the 3.0.1 release that need a quick fix, we will probably spin up a 3.0.2 release for those.

Got feedback?

If you have any overall feedback, please visit the Gallery 3.0.1 Feedback forum topic and let us know! If you have questions, please visit the Gallery 3 Wiki, the home for Gallery 3 documentation.

jan.koprowski's picture

Congratulations! :)
and good luck with your plans :]

Good :)

Just posted your release info for german gallery3 users.

________________________________________
[G2] Wallpaper | Gallery Blog | G3(dev) Barcelona Fotos

I ran into the 'Something went wrong' error after the upgrade.
As I was using a custom theme (Grey Dragon), the theme has to be copied over to the new folder as well after upgrading.

Thanks for the upgrade.
I had same issue as christofw with an earlier upgrade.
Think I posted that if you follow the "really easy" upgrade path, you will be without any extra modules you may have installed - need to copy these over too, making it not so easy. I'd think it worth noting in the instructions.

Maybe possible to be a bit like Drupal, with modules coming with G3 in one folder, another folder for extra modules, so when upgrading could move the extra modules folder in addition to var/ ?

Done ;)
_________________________________________________
[G3 RC2] [url]www.estradasportuguesas.net[/url]

I'd strongly second the suggestion about storing the contrib modules in the var folder if possible so they aren't lost when upgrading.

Also, a question, moving /var is quite a pain for me because it seems to take ages. Could I just symlink it? Is there anything I'd need to watch out for if doing so?

I've been using the 3.0.1 for a week or so since it first appeared and the improvements you've made seem to have had a huge effect, it seems pretty solid and everything is much quicker, well done!

nivekiam's picture
Quote:
Also, a question, moving /var is quite a pain for me because it seems to take ages. Could I just symlink it? Is there anything I'd need to watch out for if doing so?

Just use git to stay current and it will take care of all code changes :) But, yeah a symlink should be fine. Although how does moving actually take a lot of time? If you can symlink I guess I'm assuming you have command line access so why does mv var ../gallery3/ take all that long?
____________________________________________
Like Gallery? Like the support? Donate now!

inposure's picture

The config file is also buried deep into the installation, in the Applications folder. Could it be moved to a more obvious place so that one doesn't wreck it with every update?

--
http://inposure.se/

bharat's picture

Kohana 2.x requires it to be in that location. In general you shouldn't be changing the config file. If you are, you're kind of on your own. No matter where we move it, we're going to overwrite it with the next update because it's part of the package, so does it really matter where it lives?
---
Problems? Check gallery3/var/logs
file a bug/feature ticket | upgrade to the latest code! | hacking G3? join us on IRC!

inposure's picture

Well, if I want cache turned on, which I do, then I have to go to the config file. There is no other way, as far as I know, to turn it on.

Similar for compression, which I don't want turned on. Etc.

Adding an include statement for a local config file in the root directory would solve that problem. Better still if it could be managed from within the application, as preferences.

--
http://inposure.se/

I have been using G2 for years.. Finally gave it a try with 3.0.1. Very good indeed.

However, I have all the photos on my server. Still think that Server Add and the ability to add photos by symbolic link should go in pairs. I have seen other users making the same comment.

I uploaded a few photos, a bit slow because the photos nowadays are huge (it has to copy the files to /var) ... then remove them from the /var/albums folder... re-creating the symbolic links... equally fast...

Sadly, I have to live on with G2 :-)

c0c0c0's picture

Any idea when issue 404 will be worked on? I am still waiting to migrate from 2 to 3 .

My blog
My flog

glodakan's picture

wow it's awesome, I have upgraded my gallery. My Gallery with 3.0.1

bluetickle's picture

Looks like 3.01 is faster and more stable... but 7 out of 10 of the custom modules I was using are broken.... such is life.

floridave's picture

Some modules have been updated. Got a list of the 7?

Dave
_____________________________________________
Blog & G2 || floridave - Gallery Team

I find it funny that you mentioned the Gallery Android App (ReGalAndroid) since it is only barely usable with G3. Can anyone help him get it fixed so we can actually use it (upload, create new albums) with Gallery 3?

Hi Nivekiam,

To be honest I'm not sure why it is slow, I guess it's something to do with a limit imposed by my host as I'm on a shared package. I am moving Gigabytes so I wouldn't expect it to be super quick. What was more of an issue was that I had a lot of problems with my connection being dropped during the process and the mv command not completing which was why I was asking about using a symlink.

Regarding your suggestion about using Git to stay current, I understand that I just need to run "git pull" from inside the gallery3 directory to get the latest code. This means I can skip moving var, right?

Something that had been putting me off was that I haven't understood exactly the results of using Git. If I do a pull, would I be getting experimental code? Has it had much testing, and how stable and secure is it? Usually I stick to the numbered official releases. Perhaps the documentation could have a section about this, I don't think I've seen anything yet.

Thanks for your help,

Andrew

nivekiam's picture
Quote:
Regarding your suggestion about using Git to stay current, I understand that I just need to run "git pull" from inside the gallery3 directory to get the latest code. This means I can skip moving var, right?

Yep

Quote:
Something that had been putting me off was that I haven't understood exactly the results of using Git. If I do a pull, would I be getting experimental code?

Yes. If you like, only do a pull when there's been a major release.
____________________________________________
Like Gallery? Like the support? Donate now!

danneh3826's picture

hmm, just read the diff for the patch for the "security vulnerability". That's going to make the job of writing a module to upload videos and images with other file extensions more difficult, since we'll now have to overload the item model and override that entire function just to remove those checks for the file extension. What was the exact reason behind that update?

Dan

danneh.org :: Gallery3

nivekiam's picture
Quote:
What was the exact reason behind that update?

Quote:
Gallery 3.0 (and beta versions) have a security vulnerability where users with upload permissions can bypass file type restrictions and upload files of any type to the remote system.

____________________________________________
Like Gallery? Like the support? Donate now!

danneh3826's picture

hmm. can i propose to someone then an improvement to this hard-coded file extension checking? some kind of api that modules can add a list of allowed file types that they'll be extending with? for example, default is to allow movies of flv, mp4 and m4v. but my transcode module is intended to allow you to upload mov, wmv, mpg, etc.. with them hard coded extensions in place, they'll never get past the upload screen without me overriding that function and removing that if statement. if the module is able to "inject" a further list of allowed filetypes, for example something like item::add_allowed_upload_extensions(array("mpg", "wmv", "mov")) so this is extendable without overriding anything critical. the add_allowed_upload_extensions function could also permanently blacklist certain extensions like executables and whatnot.
and a side thought, you could do it by mime type instead/as well.

Dan

danneh.org :: Gallery3
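The extensible allowlist with a permanent denylist that Dan sketches above, applied to the upload file type check the Security Fix section describes, as an added PHP example: this is not Gallery's own item.php code, and the class, the method names (including add_allowed_upload_extensions) and the default extension lists are hypothetical.

```php
<?php
// Added example, not Gallery's code: an upload-extension allowlist that modules
// can extend, plus a fixed denylist that no module can override. Class and
// method names are hypothetical.
final class UploadTypes {
    // Extensions a web server may execute as code; never accepted, even if a
    // module asks for them.
    private static $denied = array(
        'php', 'php3', 'php4', 'php5', 'phtml', 'phar',
        'cgi', 'pl', 'py', 'sh', 'exe', 'htaccess',
    );
    // Constructed defaults in the spirit of the thread: images plus flv/mp4/m4v.
    private static $allowed = array(
        'jpg', 'jpeg', 'gif', 'png', 'flv', 'mp4', 'm4v',
    );

    // Let a module (e.g. a transcoder) register extra extensions. Denied or
    // empty entries are skipped and returned so the caller can log them.
    public static function add_allowed_upload_extensions(array $exts) {
        $refused = array();
        foreach ($exts as $ext) {
            $ext = strtolower(trim($ext, " .\t"));
            if ($ext === '' || in_array($ext, self::$denied, true)) {
                $refused[] = $ext;
                continue;
            }
            if (!in_array($ext, self::$allowed, true)) {
                self::$allowed[] = $ext;
            }
        }
        return $refused;
    }

    // Decide from the client-supplied filename whether the upload may proceed:
    // true only if the final extension is allowed and no dotted segment is denied.
    public static function is_allowed_upload($filename) {
        // Normalise: drop any path, lowercase, strip trailing dots and spaces.
        $name = strtolower(basename(str_replace('\\', '/', $filename)));
        $name = rtrim($name, " .");
        $parts = explode('.', $name);
        if (count($parts) < 2 || $parts[0] === '' || end($parts) === '') {
            return false;  // no extension, or a dotfile such as ".htaccess"
        }
        // Every segment after the base name is checked, so "photo.php.jpg" is
        // rejected: some server configurations hand an inner extension to a handler.
        foreach (array_slice($parts, 1) as $segment) {
            if (in_array($segment, self::$denied, true)) {
                return false;
            }
        }
        return in_array(end($parts), self::$allowed, true);
    }
}

// Usage: a module registers its formats ('php' is refused), then the upload
// path checks each submitted name.
$refused = UploadTypes::add_allowed_upload_extensions(array('mpg', 'wmv', 'mov', 'php'));
var_dump($refused, UploadTypes::is_allowed_upload('holiday.MOV'), UploadTypes::is_allowed_upload('photo.php.jpg'));
```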

3.0.1 has caused the module albumpassword to stop working. Anyone else notice this? The module actually breaks gallery. If you disable the module, everything is fine. Looks like the module will need updating... I'm not too good with the code yet...but interested in helping if possible to get this up and running again.

OC2PS's picture

Good job guys. Surely seems like you've been working hard.

My #1 request for 3.0.2 is overhaul of the upgrade system...make it like Wordpress....so that upgrades of Gallery itself as well as modules can be done with one click from the admin module.

SoosKriszta
Csillamvilag.com

Bodypainting, Facepainting, Glitter, Henna
Materials, Courses, Resources

nivekiam's picture

I doubt anything major like that is going to happen in a minor release and probably not for 3.1. It took a long time to get downloadable plugins in G2 and many years for WP to be as polished as it appears to be.
____________________________________________
Like Gallery? Like the support? Donate now!

danneh3826's picture

that's actually something both me and dmolavi are working on - a module (perhaps introduced into the core in the future) that pulls a list of modules from gallerymodules.com via an api he's working on, and use this info to provide a one-click install and a one-click batch or selective upgrade process, along with system notifications "one or more of your installed modules have an update" kinda thing, much like what wp has.

Dan

danneh.org :: Gallery3

OC2PS's picture

Awesome, Dan!

SoosKriszta
Csillamvilag.com

Bodypainting, Facepainting, Glitter, Henna
Materials, Courses, Resources

elfinstrider's picture

Huzzah Danneh, we're looking forward to seeing your work on it.

"Gallery requires short_open_tag to be on." ... WTF?

nivekiam's picture

There is nothing WTF about it
FAQ: Why do you use PHP's short open tags?

____________________________________________
Like Gallery? Like the support? Donate now!

danneh3826's picture

it's an odd argument, since short tags are, indeed, a shortcut. personally, i don't like using short tags, and both eclipse and netbeans auto complete for me. in a .php file, i type <? and it drops down "<?php", i hit enter and it autocompletes that and drops down to the next line for me. however, i do like the <?=$var?> syntax as it's really tight and works well in a template. i guess my <?php thing came from using magento a lot, which is obscenely large and uses large tags throughout, and to maintain consistency, i have to use them too.

bottom line is there's no right or wrong way about whether short tags should be enabled or not. my personal opinion; i'd never use them. if i want really tight syntax in templates, i'd use a templating engine like smarty.

each to their own, though :)

Dan

danneh.org :: Gallery3

OC2PS's picture

Hey Dan, Any breakthroughs in the "one click update" area?

SoosKriszta
Csillamvilag.com

Bodypainting, Facepainting, Glitter, Henna
Materials, Courses, Resources

osomanden's picture

Looks like if no image processor is selected (after upgrading PHP or something else), no warning is given when rebuilding images/thumbs in admin.

Where to dump a bug/feature request ;-)

nivekiam's picture

You can submit bug/feature requests here:
http://sourceforge.net/apps/trac/gallery/

Just login or create an account and login, then click on New Ticket
____________________________________________
Like Gallery? Like the support? Donate now!

Worked like a charm! :D Thanks guys :)

Hi,

I saw that a security patch is available for 3.0.1 for fixing CVE-2010-4353.

I am still using G2 (I am happy with it) however, I suspect someone found a vulnerability allowing him to add a nasty file (executable) inside the /tmp directory. I saw elsewhere that the CVE-2010-4353 vulnerability also affects Gallery 2.3.1 ( http://redoracle.net/index.php?option=com_vuln&task=view&id=45964 ), but I do not find any patch for it. Can you help me ?

Michel

nivekiam's picture

That only applies to 3.0.1. Those references to 2.3.1 are wrong.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4353
____________________________________________
Like Gallery? Like the support? Donate now!

and what about this one: http://packetstormsecurity.org/files/view/84346/gallery23-rfi.txt ? Is it fixed in 2.3.1 ?

bharat's picture

@Mickey: those ones are not flaws -- somebody ran an automated vulnerability detector which found what looked like they might be security issues and reported them blindly without testing them. They're not exploitable.
---
Problems? Check gallery3/var/logs
file a bug/feature ticket | upgrade to the latest code! | hacking G3? join us on IRC!

Thank you for the answer, I hence still need to understand further how on a machine with 2.3 (the only web site on that machine) I got in /tmp under the webserver user ID a file "f" which does a UDP flood :( It is an OS X machine.

If I find something, I will report to the security related email!

Michel

I couldn't resist posting this. I migrated my personal family album from 2.3.1 to 3.0.1 (very small, around 13K photos) last weekend and everything went great.
I don't post much but pretty much get my work done by going through the forums/codex, and so far they both helped me in getting what I want. I want to say my wholehearted THANKS to every one of you for creating this wonderful piece of software and also sticking with it by patiently replying to all the forum questions/updating the codex.. Thank You!!!!..

Installed this update a few days ago and since then haven't been able to log in using IE8 and logging in with Chrome is very slow.

Also it seems to have affected the Shopping Basket user-contributed module - the add to basket function no longer works in IE8 rendering the module (and the purpose of my gallery!) completely useless.

Is there an easy way of reversing the upgrade? I've posted threads for help or advice and as yet no solutions or suggestions, I'm feeling a bit stuck.

In FF4 and IE9 it works brilliantly and loads a lot quicker.

floridave's picture

ash_kh,
You are the first to report this since we released this in January.
I will look at your thread.

Dave
_____________________________________________
Blog & G2 || floridave - Gallery Team