Hi,
attached is a patch to fix this issue. Uploading as 0-day NMU.

Cheers
Nico
--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
diff -u gallery-1.5.9/debian/changelog gallery-1.5.9/debian/changelog --- gallery-1.5.9/debian/changelog +++ gallery-1.5.9/debian/changelog @@ -1,3 +1,13 @@ +gallery (1.5.9-1.2) unstable; urgency=high + + * Non-maintainer upload by the Security Team. + * Fix insecure usage of superglobal $_REQUEST by first cleaning + it up and then merging $_GET and $_POST into it to it to prevent + interfering values set by malicious cookies when register_globals is on + (No CVE id yet; Closes: #506824). + + -- Nico Golde <[EMAIL PROTECTED]> Sun, 30 Nov 2008 11:12:34 +0100 + gallery (1.5.9-1.1) unstable; urgency=low * Non-maintainer upload. only in patch2: unchanged: --- gallery-1.5.9.orig/init.php +++ gallery-1.5.9/init.php @@ -24,8 +24,6 @@ $sensitiveList = array('gallery', 'GALLERY_EMBEDDED_INSIDE', 'GALLERY_EMBEDDED_INSIDE_TYPE', 'GLOBALS', '_SERVER'); -$_REQUEST = array_merge($_GET, $_POST); - foreach ($sensitiveList as $sensitive) { if (!empty($_REQUEST[$sensitive])) { echo "Security violation! Override attempt.\n"; @@ -96,6 +94,8 @@ } } +$_REQUEST = array_merge($_GET, $_POST); + // Optional developer hook - location to add useful // functions such as code profiling modules if (file_exists(dirname(__FILE__) . "/lib/devel.php")) { only in patch2: unchanged: --- gallery-1.5.9.orig/index.php +++ gallery-1.5.9/index.php @@ -25,8 +25,6 @@ global $GALLERY_MODULENAME; global $MOS_GALLERY_PARAMS; -$_REQUEST = array_merge($_GET, $_POST); - // Mambo / Joomla calls index.php directly for popups - we need to make // sure that the option var has been extracted into the environment // otherwise it just won't work.
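Review bot: In the debian/changelog hunk, the new 1.5.9-1.2 entry repeats words in "merging $_GET and $_POST into it to it to prevent"; drop the second "to it". The entry also says $_REQUEST is cleaned up first, while the init.php and index.php hunks only move or remove the array_merge assignment, so it would help to name the existing code that does the cleanup.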
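Review bot: In init.php at @@ -24,8 +24,6 @@, with the assignment removed above the foreach, the `!empty($_REQUEST[$sensitive])` check now reads whatever PHP itself placed in $_REQUEST, and that depends on the server's variables_order setting (request_order on newer PHP). Consider testing $_GET, $_POST and $_COOKIE explicitly for each $sensitiveList name so the override check gives the same result regardless of configuration.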
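Review bot: In init.php at @@ -96,6 +94,8 @@, the re-added `$_REQUEST = array_merge($_GET, $_POST);` carries no comment saying why it has to sit after the preceding block, so a later tidy-up could move it back to the top of the file. Add a short comment above it stating that cookie values are dropped from $_REQUEST here on purpose and that the position is security-relevant.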
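Review bot: In index.php at @@ -25,8 +25,6 @@, the removal means any $_REQUEST read in the Mambo / Joomla popup handling directly below sees the array as PHP filled it, cookies included, unless init.php has already run by then. Confirm that init.php is included before the first $_REQUEST access in index.php, and say so in the comment that follows the removed line.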