cpg1.3.3 released - upgrade strongly recommended

[Joachim Müller]

The coppermine team has released a maintenance version of coppermine v1.3: cpg1.3.3 is the most recent stable version that is strongly recommended to be used. We originally planned to release cpg1.4.x pretty soon, but we were forced to publish the maintenance release first, because possible security issues that relate to cpg1.3.0, cpg1.3.1 and cpg1.3.2 have been discovered:

• Possible IP spoofing and XSS vulnerability as posted on Bugtraq: Vulnerability in Coppermine Photo Gallery 1.3.
  
• (non-critical) mySQL injection issue
  

Coppermine 1.3.3 fixes other minor issues as well - as usual, it's the best coppermine version we could think of - it's recommended to use in production environments.

There are instructions included in the package (in the docs folder) how to upgrade existing installs as well as fresh install instructions - please read the documentation carefully.

Download cpg1.3.3

Joachim

[Nibbler]

For those wishing to fix the XSS security issue without making a full update, here is the change that is required:

file: include/init.inc.php

find:

Code Select Expand


// Record User's IP address
$raw_ip = stripslashes($HTTP_SERVER_VARS['REMOTE_ADDR']);

if (isset($HTTP_SERVER_VARS['HTTP_CLIENT_IP'])) {
    $hdr_ip = stripslashes($HTTP_SERVER_VARS['HTTP_CLIENT_IP']);
} else {
    if (isset($HTTP_SERVER_VARS['HTTP_X_FORWARDED_FOR'])) {
        $hdr_ip = stripslashes($HTTP_SERVER_VARS['HTTP_X_FORWARDED_FOR']);
    } else {
        $hdr_ip = $raw_ip;
    }
}


and add after it, the following 2 new lines:

Code Select Expand


if (!preg_match('/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$/', $raw_ip)) $raw_ip = '0.0.0.0';
if (!preg_match('/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$/', $hdr_ip)) $hdr_ip = '0.0.0.0';



Please note that a full update is preferable where possible as other issues are also addressed in this update.

Thankyou.

[flog]

Thank you very much for this important message

[Titooy]

Maybe you should change "Latest downloads ::." on the home page. It still points to cpg1.3.2

[SaigonK]

What other fixes are there?

[neodragon]

I think one user's gallerry is not shown if there is no public album in it. (for a visitor of course)

[Joachim Müller]

What other fixes are there?

Roughly: a lot of language files in the cpg1.3.2 contained errors that were fixed in cpg1.3.3; additionally, a vulnerability in the way favorites are handled has been fixed. There are too many fixes to mention them all - please refer to the changelog for exact data and to the postings in the "cpg1.3 testing / bugs" board.

I think one user's gallerry is not shown if there is no public album in it. (for a visitor of course)

This is expected behaviour.

Joachim

[neodragon]

This is expected behaviour.

With 1.3.2, i had some users galleries with no public album, that were shown for visitor.

But anyway, it's ok for me. I like this "new" (or not new that's the question  ) behavior.

[JTynes]

What is the best way to go about an upgrade? Can you simply FTP the new files and run install as before? How does this affect data and MySQL already established. I'd love to find a step by step guide on upgrading? Does one exist?

[Joachim Müller]

inside the docs that come with the package, as suggested above :

There are instructions included in the package (in the docs folder) how to upgrade existing installs as well as fresh install instructions - please read the documentation carefully.

In fact: yes, you upload all new files to your webspace, overwriting the older coppermine files. Make sure to backup before doing so, as you might lose customizations (e.g. anycontent.php or bridging) and you will have to re-apply them after the udpate. Make sure to run update.php as well.

Joachim

[Joachim Müller]

split unrelated topic and moved it to proper board: http://forum.coppermine-gallery.net/index.php?topic=17195.0

@all: do not reply to this thread on particular issues you have with setting up coppermine. This is an announcement thread that is only meant for news to the fix itself (i.e. the security flaws that were fixed with the release). All other issues you may have with cpg1.3.3 should be addressed in the proper board: "CPG 1.3 Standalone Support" and its sub-boards.

Joachim

[cdrake]

what files have been edited?

[Casper]

There are too many fixes to mention them all - please refer to the changelog for exact data and to the postings in the "cpg1.3 testing / bugs" board.

It would be much easier to just replace them all, unless you have loads of mods applied.

[cdrake]

Unless you have loads of mods applied.

I do

[Joachim Müller]

nearly all, that's why you're suggested to do a full update, not just replacement of 2 or 3 files.
This is a list of the file versions. Compare them to your file versions of your cpg1.3.2 install (the last column in versioncheck.php):

addfav.php	1.6
addpic.php	1.9
admin.php	1.6
albmgr.php	1.6
anycontent.php	1.6
banning.php	1.7
calendar.php	1.4
catmgr.php	1.7
config.php	1.13
db_ecard.php	1.5
db_input.php	1.9
delete.php	1.7
displayecard.php	1.6
displayimage.php	1.11
ecard.php	1.12
editOnePic.php	1.12
editpics.php	1.8
faq.php	1.4
forgot_passwd.php	1.6
getlang.php	1.6
groupmgr.php	1.7
image_processor.php	1.5
index.php	1.17
install.php	1.14
installer.css	1.4
login.php	1.6
logout.php	1.6
modifyalb.php	1.7
phpinfo.php	1.6
picEditor.php	1.4
profile.php	1.7
ratepic.php	1.6
register.php	1.11
reviewcom.php	1.6
search.php	1.6
searchnew.php	1.10
showthumb.php	1.6
thumbnails.php	1.6
update.php	1.9
upgrade-1.0-to-1.2.php	1.7
upload.php	1.14
usermgr.php	1.7
util.php	1.13
versioncheck.php	1.8
xp_publish.php	1.8
zipdownload.php	1.5
bridge/invisionboard.inc.php	1.9
bridge/phpbb.inc.php	1.11
bridge/punbb.inc.php	1.3
bridge/smf.inc.php	1.8
bridge/vbulletin.inc.php	1.7
bridge/vbulletin23.inc.php	1.7
bridge/vbulletin30.inc.php	1.8
bridge/vbulletin3gamma.inc.php	1.6
bridge/woltlab21.inc.php	1.7
bridge/yabbse.inc.php	1.9
include/archive.php	1.4
include/crop.inc.php	1.5
include/exif_php.inc.php	1.7
include/exifReader.inc.php	1.4
include/functions.inc.php	1.24
include/imageObjectGD.class.php	1.5
include/imageObjectIM.class.php	1.4
include/init.inc.php	1.15
include/iptc.inc.php	1.4
include/mailer.inc.php	1.6
include/media.functions.inc.php	1.4
include/picmgmt.inc.php	1.10
include/search.inc.php	1.6
include/select_lang.inc.php	1.7
include/slideshow.inc.php	1.9
include/smilies.inc.php	1.6
include/sql_parse.php	1.6
lang/arabic.php	1.11
lang/arabic-utf-8.php	1.12
lang/brazilian_portuguese.php	1.9
lang/brazilian_portuguese-utf-8.php	1.10
lang/bulgarian.php	1.6
lang/bulgarian-utf-8.php	1.8
lang/catalan.php	1.6
lang/catalan-utf-8.php	1.7
lang/chinese_big5.php	1.11
lang/chinese_big5-utf-8.php	1.12
lang/chinese_gb.php	1.11
lang/chinese_gb-utf-8.php	1.12
lang/croatian.php	1.9
lang/croatian-utf-8.php	1.10
lang/czech.php	1.10
lang/czech-utf-8.php	1.11
lang/danish.php	1.11
lang/danish-utf-8.php	1.11
lang/dutch.php	1.10
lang/dutch-utf-8.php	1.11
lang/english.php	1.18
lang/english-utf-8.php	1.13
lang/estonian.php	1.10
lang/estonian-utf-8.php	1.11
lang/finnish.php	1.7
lang/finnish-utf-8.php	1.8
lang/french.php	1.15
lang/french-utf-8.php	1.14
lang/german.php	1.13
lang/german-utf-8.php	1.13
lang/german_sie.php	1.4
lang/german_sie-utf-8.php	1.4
lang/greek.php	1.8
lang/greek-utf-8.php	1.9
lang/hebrew.php	1.9
lang/hebrew-utf-8.php	1.11
lang/hungarian.php	1.8
lang/hungarian-utf-8.php	1.9
lang/indonesian.php	1.7
lang/indonesian-utf-8.php	1.8
lang/italian.php	1.10
lang/italian-utf-8.php	1.11
lang/italian2.php	1.3
lang/italian2-utf-8.php	1.4
lang/japanese.php	1.9
lang/japanese-utf-8.php	1.10
lang/kurdish.php	1.2
lang/kurdish-utf-8.php	1.3
lang/latvian.php	1.10
lang/latvian-utf-8.php	1.12
lang/malay.php	1.3
lang/malay-utf-8.php	1.4
lang/norwegian.php	1.9
lang/norwegian-utf-8.php	1.10
lang/polish.php	1.6
lang/polish-utf-8.php	1.8
lang/romanian.php	1.7
lang/romanian-utf-8.php	1.8
lang/romanian_no_diacritics.php	1.2
lang/romanian_no_diacritics-utf-8.php	1.3
lang/russian.php	1.13
lang/russian-utf-8.php	1.14
lang/slovak.php	1.5
lang/slovak-utf-8.php	1.6
lang/slovenian.php	1.7
lang/slovenian-utf-8.php	1.8
lang/spanish.php	1.7
lang/spanish-utf-8.php	1.9
lang/swedish.php	1.9
lang/swedish-utf-8.php	1.10
lang/turkish.php	1.8
lang/turkish-utf-8.php	1.9
lang/uighur.php	1.3
lang/uighur-utf-8.php	1.4
lang/vietnamese.php	1.5
lang/vietnamese-utf-8.php	1.6
sql/basic.sql	1.8
sql/schema.sql	1.4
sql/update.sql	1.14
themes/classic/style.css	1.2
themes/classic/template.html	1.2
themes/classic/theme.php	1.8
themes/eyeball/style.css	1.3
themes/eyeball/template.html	1.5
themes/eyeball/theme.php	1.10
themes/fruity/style.css	1.3
themes/fruity/template.html	1.6
themes/fruity/theme.php	1.9
themes/hardwired/style.css	1.3
themes/hardwired/template.html	1.7
themes/hardwired/theme.php	1.12
themes/igames/style.css	1.3
themes/igames/template.html	1.6
themes/igames/theme.php	1.11
themes/mac_ox_x/style.css	1.3
themes/mac_ox_x/template.html	1.5
themes/mac_ox_x/theme.php	1.10
themes/project_vii/style.css	1.3
themes/project_vii/template.html	1.5
themes/project_vii/theme.php	1.10
themes/rainy_day/style.css	1.3
themes/rainy_day/template.html	1.7
themes/rainy_day/theme.php	1.10
themes/water_drop/style.css	1.3
themes/water_drop/template.html	1.5
themes/water_drop/theme.php	1.10

It would be much easier to just replace them all, unless you have loads of mods applied.

I do

It's generally a drawback of heavily modifying any web app: upgrading gets harder. Use a diff viwer like winmerge to handle your mods issue.

Joachim

[cdrake]

Thanks for the help. WinMerge is a great tool!

[nanothree]

will this mess up my phpBB bridge?

[Nibbler]

You'll have to redo the integration steps, that's all.

[Makc666]

========================
Step 0.
All steps were made under FreeBSD.
You can read about patch here:
http://www.phpbb.com/support/documents.php?mode=install#upgradeSTABLE_patch

========================
Step 1.
First of all!
I removed
/cpg132/lang/
/cpg133/lang/
dirs before patching, as it:
- becomes to big
- there is problems with patching in Japan (etc. country) languages.
- you can update lang files manually

========================
Step 2.
Second I run:
diff -crbBN cpg132 cpg133 >cpg-1.3.2_to_1.3.3.patch

========================
Step 3.
Then I made a copy of gallery folder which I was going to patch
cp -R coppermine coppermine-new

========================
Step 4.
Also you must have to copy these files into your directory.
/coppermine/CHANGELOG
/coppermine/COPYING
/coppermine/install.php

You can take them from cpg1.3.2.zip, as you need old one:
http://prdownloads.sourceforge.net/coppermine/cpg1.3.2.zip?download

========================
Step 5.
Put your patch file into:
/coppermine-new/cpg-1.3.2_to_1.3.3.patch

========================
Step 6.
patch -cl -d /coppermine-new/ -p1 < /coppermine-new/cpg-1.3.2_to_1.3.3.patch
In this case you will see all results on your screen.
So make your Scroll Buffer big enough.
It will be about 1200 lines!

========================
Step 7.
Update your
/coppermine/lang/
dir with necessary files.
For example I use only Eng, Ger, Rus.

###########################
###!!! READ THIS ONE !!!###
###########################
During patch process you will (can) see two main information strings:
--> Hunk #3 succeeded at 216.
--> Hunk #1 failed at 1.

Example below.
Word "succeeded" means that there is no problems with patching of that part of code.
Word "failed" means there was some problem.

If you see "failed" for some file, you have to open file with name "FILENAME_WITH_ERROR.rej"
below for example it is "zipdownload.php.rej"
and look what the patch couldn't change and fix that manually.

After all such fixes you will have to delete all *.rej and *.orig files from coppermine directory and subdirs!

Word "done" means that patch go throw all "cpg-1.3.2_to_1.3.3.patch" file.

###########################
###### EXAMPLE START ######
###########################

--------------------------
|diff -crbBN cpg132/xp_publish.php cpg133/xp_publish.php
|*** cpg132/xp_publish.php      Sat Jul 24 17:03:00 2004
|--- cpg133/xp_publish.php      Tue Apr 19 05:17:00 2005
--------------------------
Patching file xp_publish.php using Plan A...
Hunk #1 succeeded at 1.
Hunk #2 succeeded at 205.
Hunk #3 succeeded at 216.
Hunk #4 succeeded at 333.
Hunk #5 succeeded at 571.
Hmm...  The next patch looks like a new-style context diff to me...
The text leading up to this was:
--------------------------
|diff -crbBN cpg132/zipdownload.php cpg133/zipdownload.php
|*** cpg132/zipdownload.php     Sat Jul 24 17:03:00 2004
|--- cpg133/zipdownload.php     Tue Apr 19 05:17:00 2005
--------------------------
Patching file zipdownload.php using Plan A...
Hunk #1 failed at 1.
Hunk #2 succeeded at 57.
1 out of 2 hunks failed--saving rejects to zipdownload.php.rej
done

###########################
###### EXAMPLE END ########
###########################

========================
Step 8.
Run: http://your.gallery.com/update.php

- If you have not already done so, create a folder called "edit" within your "albums" directory - this folder will be used by coppermine as a temporary folder, do not ftp-upload files there. Make sure the new "edit"-folder is CHMODed the same way your albums-directory is (755 or 777, depending on your server's config)
- Run the file "update.php" in the coppermine directory once in your browser (e.g. http://yourdomain.tld/coppermine/update.php). This will update your coppermine install by making all necessary changes in the database.

Taken from:
/cpg133/docs/index.htm#13
3.4 Upgrading from cpg1.2.0rc2 or better to version cpg1.3.3

========================
That it!
(c) Makc666

makc666 [at] newmail.ru
makc666 [at] yahoo.com

[nanothree]

thanks Makc666