Bug#: 112251
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Tavis Ormandy (RETIRED) <taviso@gentoo.org>

Attachments:
netscape-flash-7.0.61.ebuild: Ebuild for =net-www/netscape-flash-7.0.61 (application/octet-stream, 1.07 KB), created by Vic Fryzel (shellsage) (RETIRED), 2005-11-18 03:38 0000


Description:   Opened: 2005-11-12 03:16 0000
The netscape-flash package installs an old vulnerable `gflashplayer` when the
gtk USE flag is set. This version is vulnerable to a security flaw and should be
removed from the package.

------- Comment #1 From Thierry Carrez (RETIRED) 2005-11-13 10:04:51 0000 -------
No maintainer...

------- Comment #2 From SpanKY 2005-11-14 16:57:26 0000 -------
so there is no new version of gflashplayer ?  our only choice is to not install
it at all ?

------- Comment #3 From Kevin F. Quinn (RETIRED) 2005-11-15 00:17:39 0000 -------
The Secunia advisory says that v8 and v7.0.60.0/7.0.61.0 are not vulnerable.
The current ebuild installs 7.0.25 so presumably that's vulnerable as well as
gflashplayer.  There's no v8 available for Linux, and while there is a 7.0.61.0
currently at

http://fpdownload.macromedia.com/get/flashplayer/current/install_flash_player_7_linux.tar.gz

it is not available through the official mirror sites
http://macromedia.mplug.org/ where the latest version is 7.0.25.0 (presumably
vulnerable).

This macromedia.com URL obviously isn't stable from one point revision to the
next, and
http://www.macromedia.com/software/flashplayer/productinfo/faq/#item-3-2
explicitly prohibits redistribution.

We could create net-www/netscape-flash-7.ebuild, and do a -rN bump every time
Macromedia do a point revision so users see the revision change.  Might need
RESTRICT=fetch.  Alternatively perhaps poking macromedia.mplug.org to update
would be simpler (warren@togami.com) - 7.0.61.0 was released 4th Nov.

The standalone player in v6 doesn't use libflashplayer.so so presumably is
vulnerable, and as there's no newer version I guess we should ditch it.

------- Comment #4 From SpanKY 2005-11-15 06:11:43 0000 -------
dropped an e-mail to warren@togami.com

------- Comment #5 From Tavis Ormandy (RETIRED) 2005-11-15 08:56:12 0000 -------
Kevin, the Secunia advisory says "versions prior to 7.0.25.0 on the Unix
platform.", so the plugin is fine, only the gflashplayer is vulnerable.

------- Comment #6 From Kevin F. Quinn (RETIRED) 2005-11-16 13:44:57 0000 -------
Hmm; didn't see that bit, I paid more attention to the 'solution' part that
indicates updating to 7.0.61.0 as the recommended fix.

Macromedia's notice at
http://www.macromedia.com/devnet/security/security_zone/mpsb05-07.html says
"Flash Player 7.0.53.0 and earlier" are vulnerable; whether that includes the
Unix version or not is unclear but there's no real reason to suspect the Unix
version is any different to the Windows version in this respect.

The SEC Consult and the eEye reports are different overflows, similar enough to
be the same issue but in different functions.  Macromedia's release indicates
there were multiple instances of unchecked array bounds, "There was a problem
with bounds validation for indexes of certain arrays in Flash Player 7 and
earlier".  SEC Consult say their issue is resolved in 7.0.25.0, eEye don't
identify specific point revisions, however Macromedia say 7.0.61.0 or 7.0.60.0
are the versions in which the problems are fixed, so I'd tend to go with that.

------- Comment #7 From Tavis Ormandy (RETIRED) 2005-11-18 01:51:49 0000 -------
karma@designfolks.com.au provided a testcase
http://www.designfolks.com.au/df.swf

It does crash gflashplayer, but the plugin seems to survive.

------- Comment #8 From Tavis Ormandy (RETIRED) 2005-11-18 02:15:22 0000 -------
Oops, my mistake, the plugin is affected as well.

------- Comment #9 From Tavis Ormandy (RETIRED) 2005-11-18 03:17:10 0000 -------
shellsage points out Macromedia has released a new version of the plugin here
http://www.macromedia.com/devnet/security/security_zone/mpsb05-07.html, I've
installed 7.0.61.0 and confirm the PoC no longer works.

No gflashplayer, but we need to push the plugin out asap.

------- Comment #10 From Vic Fryzel (shellsage) (RETIRED) 2005-11-18 03:38:51 0000 -------
Created an attachment (id=73126) [details]
Ebuild for =net-www/netscape-flash-7.0.61

Sending ebuild per taviso's request.

------- Comment #11 From Vic Fryzel (shellsage) (RETIRED) 2005-11-18 03:40:37 0000 -------
A note about the ebuild I just posted: I removed support for gflashplayer and
the gtk use flag. Versions <= 7.0.61 of the player are vulnerable.

------- Comment #12 From Thierry Carrez (RETIRED) 2005-11-18 04:27:45 0000 -------
No maintainer, so security should bump it

------- Comment #13 From Thierry Carrez (RETIRED) 2005-11-21 01:03:57 0000 -------
Tavis/solar/vapier: please double-check the ebuild and security-bump that
package. The sooner it's out, the better.

------- Comment #14 From Tavis Ormandy (RETIRED) 2005-11-23 02:04:13 0000 -------
bumpified, requires stabilisation.

------- Comment #15 From Sune Kloppenborg Jeppesen 2005-11-23 02:18:39 0000 -------
Arches please test and mark stable. 

------- Comment #16 From Chris Gianelloni (RETIRED) 2005-11-23 08:13:44 0000 -------
Using this plugin, if I right click on a movie in Firefox, it crashes Firefox. 
Firefox is 1.0.7-r3...

The current stable plugin does not have this issue.

------- Comment #17 From Daniel Gryniewicz 2005-11-23 08:16:20 0000 -------
Works fine here.  amd64 done.

------- Comment #18 From Thierry Carrez (RETIRED) 2005-11-24 02:38:28 0000 -------
Chris: can't reproduce your issue on x86 with Firefox 1.0.7. Right-clicking on
Flash things works OK here. x86 ATs, please confirm.

------- Comment #19 From Mark Loeser 2005-11-24 17:31:18 0000 -------
No problems in firefox or mozilla for me.  Looks good on x86.

------- Comment #20 From Thierry Carrez (RETIRED) 2005-11-25 04:21:07 0000 -------
GLSA 200511-21
