Gallery before 1.5.9, and 2.x before 2.2.6, does not properly handle ZIP archives containing symbolic links, which allows remote authenticated users to conduct directory traversal attacks and read arbitrary files via vectors related to the archive upload (aka zip upload) functionality.
gallery.menalto.com/gallery_1.5.9_released
gallery.menalto.com/gallery_2.2.6_released
secunia.com/advisories/31912
secunia.com/advisories/32662
secunia.com/advisories/33144
security.gentoo.org/glsa/glsa-200811-02.xml
www.securityfocus.com/bid/31231
exchange.xforce.ibmcloud.com/vulnerabilities/45228
www.redhat.com/archives/fedora-package-announce/2008-December/msg00794.html
www.redhat.com/archives/fedora-package-announce/2008-December/msg00832.html