Gallery before 1.5.9, and 2.x before 2.2.6, does not properly handle ZIP
archives containing symbolic links, which allows remote authenticated users
to conduct directory traversal attacks and read arbitrary files via vectors
related to the archive upload (aka zip upload) functionality.
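
One way an upload handler can screen an archive for symbolic-link entries before anything is unpacked, shown as an added Python example; it is not Gallery's code or its fix. The function names and the in-memory sample archive are constructed for illustration.

```python
import io
import stat
import zipfile


def symlink_entries(zip_bytes):
    """Return (entry name, link target) for every symbolic-link entry."""
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            # Unix-built archives keep st_mode in the upper 16 bits of
            # external_attr; the file-type bits identify a symlink.
            mode = info.external_attr >> 16
            if stat.S_ISLNK(mode):
                # A symlink entry stores its target path as the entry data.
                target = zf.read(info).decode("utf-8", "replace")
                found.append((info.filename, target))
    return found


def accept_upload(zip_bytes):
    """Accept the archive only if it carries no symbolic-link entries."""
    return not symlink_entries(zip_bytes)


def build_sample(with_link):
    """Constructed test archive: one regular file, optionally one symlink."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photos/cat.jpg", b"constructed image bytes")
        if with_link:
            link = zipfile.ZipInfo("photos/link.jpg")
            link.create_system = 3  # 3 = Unix, so the mode bits are meaningful
            link.external_attr = (stat.S_IFLNK | 0o777) << 16
            zf.writestr(link, "../outside/constructed-target.txt")
    return buf.getvalue()


if __name__ == "__main__":
    for label, data in (("clean", build_sample(False)),
                        ("with link", build_sample(True))):
        print(label, "accepted" if accept_upload(data) else "rejected",
              symlink_entries(data))
```

Rejecting the whole archive, rather than skipping the flagged entries, also leaves a clear record of the refused upload for the audit log.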