Gallery v1.4.1-pl1 Security Patch Release

Notice for users of Gallery versions 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.4-pl1, 1.4, 1.4-pl1, 1.4-pl2, and 1.4.1 (the current release):

We have discovered a well-hidden but potentially serious security flaw in these versions of Gallery which can allow a remote attacker to exploit your web server. All Gallery users are strongly urged to upgrade to 1.4.1-pl1 immediately; it fixes this problem.

Thanks to Fred (vrotogel) for quickly alerting us to this issue.

Gallery 1.4.1-pl1 can be downloaded from the Gallery Download Page.

If you use version 1.4.1 and would like to patch your existing installation rather than downloading the full updated version, read on.

We have provided quick patch packages on the Download page to upgrade existing 1.4.1 versions to 1.4.1-pl1. Simply unzip the package inside your Gallery directory and the necessary files will be updated.

If you would rather edit your files by hand, you need to make changes to two files; this is equivalent to installing the full update. In both files the new code removes any request parameter whose name matches one of the request arrays (HTTP_GET_VARS, HTTP_POST_VARS, HTTP_COOKIE_VARS, HTTP_POST_FILES) before those arrays are handed to extract(), so a crafted request can no longer replace one of the real arrays with attacker-supplied data:

Note: this hand patch will only work if you're running Gallery 1.4 or 1.4.1; for Gallery 1.3.3 and earlier we suggest that you upgrade to Gallery 1.4.1-pl1 instead.

File: gallery/init.php

Find the following code:

if (!$gallery->register_globals) {

    if (is_array($HTTP_GET_VARS)) {
        extract($HTTP_GET_VARS);
    }
    ...

Insert the marked block immediately after the first line, so that the section reads:

if (!$gallery->register_globals) {

    /* START OF NEW CODE */
    $scrubList = array('HTTP_GET_VARS', 'HTTP_POST_VARS',
                       'HTTP_COOKIE_VARS', 'HTTP_POST_FILES');
    foreach ($scrubList as $outer) {
        foreach ($scrubList as $inner) {
            unset(${$outer}[$inner]);
        }
    }
    /* END OF NEW CODE */

    if (is_array($HTTP_GET_VARS)) {
        extract($HTTP_GET_VARS);
    }
    ...

File: gallery/setup/init.php

Find the following code, at the top of the file:

/* emulate part of register_globals = on */
extract($HTTP_GET_VARS);
extract($HTTP_POST_VARS);
extract($HTTP_COOKIE_VARS);

Insert the marked block immediately after the first line, so that the section reads:

/* emulate part of register_globals = on */

/* START OF NEW CODE */
$scrubList = array('HTTP_GET_VARS', 'HTTP_POST_VARS',
                   'HTTP_COOKIE_VARS', 'HTTP_POST_FILES');
foreach ($scrubList as $outer) {
    foreach ($scrubList as $inner) {
        unset(${$outer}[$inner]);
    }
}
/* END OF NEW CODE */

extract($HTTP_GET_VARS);
extract($HTTP_POST_VARS);
extract($HTTP_COOKIE_VARS);
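The following is an added example, not code from the Gallery advisory or the Gallery code base. It simulates Gallery's register_globals emulation (extract() of GET, then POST, then COOKIE) on constructed request arrays, once without and once with the scrub loop from the patch above, so you can see what the loop prevents: without it, a query-string parameter literally named HTTP_COOKIE_VARS becomes the variable $HTTP_COOKIE_VARS after the first extract(), and the third extract() then reads attacker-chosen data as if it were the browser's cookies. The variable name flag, its values and the request arrays are made up for the demonstration; the script assumes PHP 7 or later.

```php
<?php
// Added example, not Gallery code: simulates Gallery's register_globals
// emulation with and without the 1.4.1-pl1 scrub loop. All request data
// below is constructed, not read from a live request.

function emulate_register_globals(array $HTTP_GET_VARS, array $HTTP_POST_VARS,
                                  array $HTTP_COOKIE_VARS, bool $scrub): array
{
    $HTTP_POST_FILES = array();  // kept so the scrub list matches the patch

    if ($scrub) {
        /* the loop added by the 1.4.1-pl1 patch: drop any request key that is
           named after one of the request arrays themselves */
        $scrubList = array('HTTP_GET_VARS', 'HTTP_POST_VARS',
                           'HTTP_COOKIE_VARS', 'HTTP_POST_FILES');
        foreach ($scrubList as $outer) {
            foreach ($scrubList as $inner) {
                unset(${$outer}[$inner]);
            }
        }
    }

    /* Gallery's emulation order. extract() overwrites existing variables,
       including $HTTP_POST_VARS and $HTTP_COOKIE_VARS themselves, so an
       unscrubbed GET key named HTTP_COOKIE_VARS replaces the real cookie
       array before the third extract() reads it. */
    extract($HTTP_GET_VARS);
    extract($HTTP_POST_VARS);
    extract($HTTP_COOKIE_VARS);

    /* Return what the emulation produced, minus the inputs and loop variables. */
    $result = get_defined_vars();
    foreach (array('HTTP_GET_VARS', 'HTTP_POST_VARS', 'HTTP_COOKIE_VARS',
                   'HTTP_POST_FILES', 'scrub', 'scrubList', 'outer', 'inner') as $k) {
        unset($result[$k]);
    }
    return $result;
}

/* Constructed request: the query string carries a parameter literally named
   HTTP_COOKIE_VARS, while the real cookie sets the same made-up name "flag"
   to a different value. Which value wins shows which source extract() used. */
$get    = array('HTTP_COOKIE_VARS' => array('flag' => 'from_query_string'));
$post   = array();
$cookie = array('flag' => 'from_real_cookie');

foreach (array('unpatched' => false, 'patched' => true) as $label => $scrub) {
    $vars = emulate_register_globals($get, $post, $cookie, $scrub);
    printf("%-9s flag=%s\n", $label, $vars['flag']);
}
```

Run it with the PHP command-line interpreter. The unpatched pass reports the value that came from the query string, the patched pass the value from the real cookie array, because the scrub loop deleted the HTTP_COOKIE_VARS key from $HTTP_GET_VARS before the first extract() could turn it into a variable. The same reasoning applies to any other pair from the scrub list (for example a POST field named HTTP_GET_VARS), which is why the patch loops over every pair rather than checking one name.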

joan wrote:

Users of early versions of Gallery will notice that the code is slightly different in init.php. Look for

if (!$gallery->register_globals) {
    extract($HTTP_GET_VARS);
    extract($HTTP_POST_VARS);
    extract($HTTP_COOKIE_VARS);

and insert the new code

if (!$gallery->register_globals) {

    /* START OF NEW CODE */
    $scrubList = array('HTTP_GET_VARS', 'HTTP_POST_VARS', 'HTTP_COOKIE_VARS', 'HTTP_POST_FILES');
    foreach ($scrubList as $outer) {
        foreach ($scrubList as $inner) {
            unset(${$outer}[$inner]);
        }
    }
    /* END OF NEW CODE */

    extract($HTTP_GET_VARS);
    extract($HTTP_POST_VARS);
    extract($HTTP_COOKIE_VARS);

SamBeckett wrote:

Does the new patch release display v1.4.1-pl1 as the installed version?

Mine still displays Gallery v1.4.1

Thanks!

SamBeckett wrote:

Eek! Never mind, the patch does display v1.4.1-pl1.

I did tar -xvf gallery-1.4.1.tar by accident (didn't press tab enough)

tar -xvf gallery-1.4.1-pl1.tar

Lame mistake :(

schultmc wrote:

This security fix is included in Debian package version 1.4.1-4 which was uploaded on Sunday, January 25, 2004 and will be available in Debian unstable after the archive run completes in the afternoon (EST) of January 25, 2004.

Any word on if Gallery-1.3.3 in Debian/woody is vulnerable. If it is, is there any word on an updated package?

According to
http://packages.debian.org/stable/web/gallery
Woody (stable) is 1.2.5-8woody1

This vulnerability affects only 1.3.1 and greater.

Sarge (testing) is 1.4.1-3

Looks like it has been fixed but not pushed out yet according to below.

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=229611

#229611: gallery: Security vulnerability in init.php and setup/init.php
Package: gallery; Severity: serious; Reported by: Michael Schultheiss <schultmc@debian.org>; Tags: security; Done: (Michael C. Schultheiss); Will be archived: in 26 days.


Just to confirm: Is it correct to say that 1.3.4-pl1 is *not* affected, that it wasn't accidentally left off the list of affected versions?

Thanks!

schultmc wrote:

Woody contains gallery 1.2.5 (which is not vulnerable). As of the afternoon (EST) of 1/28/2004, Sarge has gallery 1.4.1-pl1 (Debian package version 1.4.1-4).

beckett wrote:

Whoops... 1.3.4-pl1 indeed *IS* affected.
Any version of Gallery, inclusive, between 1.3.1 and 1.4.1 is affected, including the bugfix variations. I'll go back and clarify this now.

While versions prior to 1.3.1 are not of concern for this particular security hole, those versions have other older security issues, so the recommendation is that if you're not running 1.4.1-pl1 or 1.4.2-RC or 1.4.3-cvs then you should upgrade immediately.