Site Navigation:
security gallery3-3.0.8-1.fc19 security update
Status:stable
Release: Fedora 19
Update ID: FEDORA-2013-10032
Builds: gallery3-3.0.8-1.fc19 (logs)
Pushed: True
Date Submitted: 2013-06-04 13:23:27
Date Released: 2013-06-05 01:56:26
Submitter: limb
Karma: 0
Stable karma: 3
Unstable karma: -3
Details

A security flaw was found in the way uploadify and flowplayer SWF files handling functionality of Gallery version 3, an open source project with the goal to develop and support leading photo sharing web application solutions, processed certain URL fragments passed to these files (certain URL fragments were not stripped properly when these files were called via direct URL request(s)). A remote attacker could use this flaw to conduct replay attacks.

References: [1] http://sourceforge.net/mailarchive/message.php?msg_id=30925931 [2] http://galleryproject.org/gallery_3_0_8

Relevant upstream tickets (and patches):

  • uploadify case:

[3] http://sourceforge.net/apps/trac/gallery/ticket/2068 [4] https://github.com/gallery/gallery3/commit/80bb0f2222dd99ed2ce59e804b833bab63cc376a

  • flowplayer case:

[5] http://sourceforge.net/apps/trac/gallery/ticket/2070 [6] https://github.com/gallery/gallery3/commit/3e5bba2cd4febe8331c0158c11ea418f21c72efa [7] https://github.com/gallery/gallery3/commit/12e51694fdc39c752cc439424cf309866f9f914a

Bugs Fixed
970599 - CVE-2013-2138: gallery3: Improper stripping of URL fragments in uploadify and flowplayer SWF files might lead to replay attacks [epel-6]
970598 - CVE-2013-2138: gallery3: Improper stripping of URL fragments in uploadify and flowplayer SWF files might lead to replay attacks [fedora-all]
Feedback
bodhi - 2013-06-04 13:23:45
This update has been submitted for testing by limb.
autoqa - 2013-06-04 13:55:06
AutoQA: depcheck test PASSED on x86_64. Result log: http://autoqa.fedoraproject.org/report/u9fi (results are informative only)
autoqa - 2013-06-04 17:17:09
AutoQA: depcheck test PASSED on i386. Result log: http://autoqa.fedoraproject.org/report/ua5y (results are informative only)
bodhi - 2013-06-04 23:54:14
This update is currently being pushed to the Fedora 19 testing updates repository.
bodhi - 2013-06-05 02:32:45
This update has been pushed to testing
bodhi - 2013-06-12 10:05:39
This update has reached 7 days in testing and can be pushed to stable now if the maintainer wishes
bodhi - 2013-06-12 12:15:17
This update has been submitted for stable by limb.
autoqa - 2013-06-12 19:49:17
AutoQA: upgradepath test PASSED on noarch. Result log: http://autoqa.fedoraproject.org/report/upj7 (results are informative only)
bodhi - 2013-06-13 06:16:51
This update is currently being pushed to the Fedora 19 stable updates repository.
bodhi - 2013-06-13 06:43:52
This update has been pushed to stable

Add a comment

Tip: Login to impact how quickly this update gets pushed or unpushed.
obfuscated letters