Bug#: 185141
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Arfrever Frehtes Taifersar Arahesis <arfrever@gentoo.org>
Attachment: netscape-flash-9.0.48.0.diff (tar => version rpm for flash); Type: patch; Creator: ra; Created: 2007-07-15 01:52 0000; Size: 1.76 KB

Bug 185141 blocks: 185044

Description:   Opened: 2007-07-13 00:14 0000
net-www/netscape-flash-9.0.48.0 was released on 2007-07-10.

There's RESTRICT="mirror" and SRC_URI is the same, so previous version should
be deleted from the tree.

------- Comment #1 From Jakub Moc (RETIRED) 2007-07-13 03:04:15 0000 -------
(In reply to comment #0)
> There's RESTRICT="mirror" and SRC_URI is the same, so previous version should
> be deleted from the tree.

Wonderful; upstream folks really 'rock'. Bleh :/ 

------- Comment #2 From Matteo Azzali 2007-07-13 11:52:30 0000 -------
Upstream just corrected a vulnerability, and removed the vulnerable 
package:
http://www.betanews.com/article/Adobe_Patches_Flash_Vulnerabilities/1184255769

This means that this bug should be processed ASAP.

------- Comment #3 From Jakub Moc (RETIRED) 2007-07-13 11:57:19 0000 -------
(In reply to comment #2)
> Upstream just corrected a vulnerability, and removed the vulnerable 
> package:
> http://www.betanews.com/article/Adobe_Patches_Flash_Vulnerabilities/1184255769

That's nice, now someone should teach them how to use versions properly in
tarball names.

------- Comment #4 From Matteo Azzali 2007-07-13 12:02:10 0000 -------
Oops, I forgot to mention that a version-named archive can be found at:
http://macromedia.mplug.org/rpmsource/

( http://macromedia.mplug.org/rpmsource/flash-player-plugin-9.0.48.0.tar.bz2
for this latest package )

------- Comment #5 From Jakub Moc (RETIRED) 2007-07-13 12:02:48 0000 -------
http://secunia.com/advisories/26027/

An input validation error can be exploited to execute arbitrary code when a
user e.g. visits a malicious website.

The vulnerability affects versions 9.0.45.0 and prior.

http://www.adobe.com/support/security/bulletins/apsb07-12.html

Summary

Critical vulnerabilities have been identified in Adobe Flash Player that could
allow an attacker who successfully exploits these potential vulnerabilities to
take control of the affected system. A malicious SWF must be loaded in Flash
Player by the user for an attacker to exploit these potential vulnerabilities.
Users are recommended to update to the most current version of Flash Player
available for their platform.

Severity rating

Adobe categorizes this as a critical issue and recommends affected users
upgrade to version 9.0.47.0 (Win, Mac, Solaris) or 9.0.48.0 (Linux).

Details

An input validation error has been identified in Flash Player 9.0.45.0 and
earlier versions that could lead to the potential execution of arbitrary code.
This vulnerability could be accessed through content delivered from a remote
location via the user’s web browser, email client, or other applications that
include or reference the Flash Player. (CVE-2007-3456)

An issue with insufficient validation of the HTTP Referer has been identified
in Flash Player 8.0.34.0 and earlier. This issue does not affect Flash Player
9. This issue could potentially aid an attacker in executing a cross-site
request forgery attack. (CVE-2007-3457)

The Linux and Solaris updates for Flash Player 7 (7.0.70.0) address the issues
with Flash Player and the Opera and Konqueror browsers described in Security
Advisory APSA07-03. These issues do not impact Flash Player 9 on Linux or
Solaris. (CVE-2007-2022)

------- Comment #6 From Olivier Crete 2007-07-13 13:20:51 0000 -------
I put 9.0.48.0 in the tree and removed 9.0.31.0.
It's straight to stable, since the old version disappeared...
I guess this is a case for a GLSA? Security team, it's all yours!

------- Comment #7 From Aidan Thornton 2007-07-14 13:03:30 0000 -------
Looks like upstream have replaced flash_player_9_linux_dev.tar.gz with a new
version too - it's 8,820,378 bytes long and the manifest says 8,820,435. (Of
course, why flash_player_9_linux_dev.tar.gz is being downloaded at all is an
interesting question in itself...)

------- Comment #8 From Eike Hein 2007-07-14 15:13:17 0000 -------
... which means that the currently stable'd netscape-flash fails to install,
which is somewhat unfun.

------- Comment #9 From Olivier Crete 2007-07-14 16:16:45 0000 -------
I just fetched it again and the digest matches.

------- Comment #10 From Timothy Stotts 2007-07-14 16:21:32 0000 -------
9.0.48.0 always fails to complete for me, since first adding to portage.

Resolving fpdownload.macromedia.com... 72.246.34.70
Connecting to fpdownload.macromedia.com|72.246.34.70|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 8,820,378 (8.4M) [application/x-gzip]

100%[=====================================>] 8,820,378      1.07M/s    ETA
00:00

12:20:01 (1.04 MB/s) - `/usr/portage/distfiles/flash_player_9_linux_dev.tar.gz'
saved [8820378/8820378]

!!! Couldn't download 'flash_player_9_linux_dev.tar.gz'. Aborting.
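
Why a fetch that ends in `200 OK` and `saved` is still rejected, as an added example (not part of this thread and not Portage's own code): a simplified check of a distfile against a Manifest `DIST` entry (GLEP 44 layout: file name, size, then algorithm/hex pairs), looking at size and SHA256 only. The file contents and the Manifest line built from them are constructed; only the file name is taken from the report.

```python
import hashlib
import os
import tempfile

def parse_dist_line(line):
    """Split a Manifest entry: DIST <file> <size> <ALGO> <hex> [<ALGO> <hex> ...]."""
    fields = line.split()
    if len(fields) < 5 or fields[0] != "DIST" or len(fields) % 2 == 0:
        raise ValueError("not a DIST entry: %r" % line)
    return fields[1], int(fields[2]), dict(zip(fields[3::2], fields[4::2]))

def verify_distfile(path, dist_line):
    """Return a list of mismatches; an empty list means the file is the recorded one."""
    name, want_size, want_hashes = parse_dist_line(dist_line)
    if os.path.basename(path) != name:
        return ["entry is for %s" % name]
    problems = []
    got_size = os.path.getsize(path)
    if got_size != want_size:
        problems.append("size: manifest %d, file %d" % (want_size, got_size))
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    # A missing SHA256 entry compares unequal, so the check fails closed.
    if digest.hexdigest() != want_hashes.get("SHA256", "").lower():
        problems.append("SHA256 differs from manifest")
    return problems

def demo():
    """Constructed data: one file name, two different upstream uploads."""
    name = "flash_player_9_linux_dev.tar.gz"
    recorded = b"constructed bytes standing in for the tarball the Manifest was made from"
    rerolled = b"constructed bytes standing in for the silently replaced tarball"
    dist_line = "DIST %s %d SHA256 %s" % (
        name, len(recorded), hashlib.sha256(recorded).hexdigest())
    results = []
    with tempfile.TemporaryDirectory() as distdir:
        path = os.path.join(distdir, name)
        for content in (recorded, rerolled):  # same path, different upload
            with open(path, "wb") as fh:
                fh.write(content)
            results.append(verify_distfile(path, dist_line))
    return results

if __name__ == "__main__":
    for problems in demo():
        print("OK" if not problems else "REJECT: " + "; ".join(problems))
```

Because the file name never changes, the transport layer has no way to tell the two uploads apart; only the recorded size and digest do.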

------- Comment #11 From Arfrever Frehtes Taifersar Arahesis 2007-07-14 16:27:42 0000 -------
(In reply to comment #7 and comment #8 and comment #10)

Run:
emerge --sync
rm -fr /usr/portage/distfiles/install_flash_player_9_linux.tar.gz
rm -fr /usr/portage/distfiles/flash_player_9_linux_dev.tar.gz

------- Comment #12 From Arfrever Frehtes Taifersar Arahesis 2007-07-14 16:52:23 0000 -------
>>> Install netscape-flash-9.0.48.0 into /var/tmp/portage/net-www/netscape-flash-9.0.48.0/image/ category net-www
dodoc: install_flash_player_9_linux/Readme.txt does not exist
>>> Completed installing netscape-flash-9.0.48.0 into /var/tmp/portage/net-www/netscape-flash-9.0.48.0/image/


Patch:
--- netscape-flash-9.0.48.0.ebuild
+++ netscape-flash-9.0.48.0.ebuild
@@ -56,7 +56,6 @@
        dobin flashplayer

        dodoc ${MY_PD}/README
-       use debug || dodoc ${MY_P}/Readme.txt

        cd ${MY_P}
        exeinto /opt/netscape/plugins
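
Review bot: Deleting the `use debug || dodoc ${MY_P}/Readme.txt` line silences the `dodoc: ... does not exist` message, but nothing shown here establishes whether upstream dropped the file or only renamed it, so it is worth listing the new tarball's contents and installing whatever readme it now ships rather than removing the call outright. The remaining context also has `cd ${MY_P}` with no `|| die`; if the unpacked directory is missing or renamed in a re-rolled tarball, the install steps that follow run from the wrong directory, and adding `|| die` there would make that failure loud.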

------- Comment #13 From Timothy Stotts 2007-07-14 16:53:44 0000 -------
(In reply to comment #11)
> (In reply to comment #7 and comment #8 and comment #10)
> 
> Run:
> emerge --sync
> rm -fr /usr/portage/distfiles/install_flash_player_9_linux.tar.gz
> rm -fr /usr/portage/distfiles/flash_player_9_linux_dev.tar.gz
> 

Of course. Already tried that, every 12 hours since the ebuild was added. :-)
Doesn't work for me.

------- Comment #14 From Olivier Crete 2007-07-14 17:01:48 0000 -------
(In reply to comment #12)
> Patch:
> -       use debug || dodoc ${MY_P}/Readme.txt

Thanks for noticing, I fixed the ebuild.

------- Comment #15 From Olivier Crete 2007-07-14 22:48:06 0000 -------
Ok, I've given up on flash... it's package.masked.. I guess you may want to send
out a GLSA?

------- Comment #16 From Jochen Schlick 2007-07-15 00:24:55 0000 -------
(In reply to comment #10)
> 9.0.48.0 always fails to complete for me, since first adding to portage.
> 
Same problem in my 32-bit Gentoo chroot environment.

------- Comment #17 From ra 2007-07-15 01:52:20 0000 -------
Created an attachment (id=124893) [details]
tar => version rpm for flash

The RPM version comes as a versioned file, so here's a patch to use that instead
of the tarball.

debug removed since it doesn't come versioned.

------- Comment #18 From Thomas S. Howard 2007-07-15 04:19:57 0000 -------
This patch worked here, both with and without USE=debug.  I have no idea why:

--- netscape-flash-9.0.48.0.ebuild.orig 2007-07-14 21:15:49.000000000 -0700
+++ netscape-flash-9.0.48.0.ebuild      2007-07-14 21:11:37.000000000 -0700
@@ -8,8 +8,9 @@
 MY_PD="flash_player_9_linux_dev"

 DESCRIPTION="Adobe Flash Player"
-SRC_URI="!debug? (
http://fpdownload.macromedia.com/get/flashplayer/current/${MY_P}.tar.gz )
-      
http://fpdownload.macromedia.com/pub/flashplayer/updaters/9/${MY_PD}.tar.gz"
+SRC_URI="debug? (
http://fpdownload.macromedia.com/pub/flashplayer/updaters/9/${MY_PD}.tar.gz )
+      
http://fpdownload.macromedia.com/get/flashplayer/current/${MY_P}.tar.gz"
+
 HOMEPAGE="http://www.adobe.com/"
 IUSE="debug"
 SLOT="0"
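
Review bot: Both URLs in the new SRC_URI still end in unversioned file names (`${MY_P}.tar.gz` under `get/flashplayer/current/`, `${MY_PD}.tar.gz` under `updaters/9/`), so flipping `!debug?` to `debug?` changes which tarball is fetched for which USE setting but leaves the recorded digest to break again the next time upstream replaces either file in place. If this goes in as a stopgap, say so in a comment above SRC_URI, and check that src_install only touches `${MY_PD}` paths under `use debug`, since that tarball is no longer fetched without the flag; the added blank `+` line after SRC_URI can be dropped.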

------- Comment #19 From Thomas S. Howard 2007-07-15 04:22:39 0000 -------
Ah, crap.  Sorry about the formatting.

------- Comment #20 From Steven Hay 2007-07-15 21:13:34 0000 -------
This patch works here on my AMD64 under ndiswrapper.  The workaround works and
gets us out of the current really crappy situation.  Unless there are problems,
it should probably be committed.

------- Comment #21 From Olivier Crete 2007-07-15 22:10:54 0000 -------
It works for some people and not for others, because different mirrors have
different files, it's impossible for us to properly support it.

------- Comment #22 From Alex Maclean 2007-07-16 01:54:16 0000 -------
Why not use the versioned tarball from comment #4?

------- Comment #23 From Olivier Crete 2007-07-16 14:16:50 0000 -------
(In reply to comment #22)
> Why not use the versioned tarball from comment #4?


If you go to macromedia.mplug.org, you'll see that they stated that this mirror
won't be there for long.

------- Comment #24 From Steven Hay 2007-07-16 22:48:54 0000 -------
(In reply to comment #21)
> It works for some people and not for others, because different mirrors have
> different files, it's impossible for us to properly support it.
> 

http://fpdownload.macromedia.com/get/flashplayer/current/flash-plugin-9.0.48.0-release.i386.rpm

This link is versioned and there is a patch to the ebuild that supports it.  I
copied it directly from the macromedia webpage.  What's the problem exactly?  I
mean, your bug and all but seems like something this major is worth getting a
fix out there until a more permanent solution can be attained.

------- Comment #25 From Jim Ramsay 2007-07-17 20:27:21 0000 -------
> (In reply to comment #21)
> http://fpdownload.macromedia.com/get/flashplayer/current/flash-plugin-9.0.48.0-release.i386.rpm
> 
> This link is versioned and there is a patch to the ebuild that supports it.  I
> copied it directly from the macromedia webpage.  What's the problem exactly?  I
> mean, your bug and all but seems like something this major is worth getting a
> fix out there until a more permanent solution can be attained.

Indeed, this patch seems to work for me.

One thing the patch misses is installing the README and readme.txt files from
the rpm.  However, this may not be a big deal since the README file refers to
version 9.0.31.0 and the readme.txt still refers to "Flash Player 9 for Linux:
BETA"

------- Comment #26 From jacob 2007-07-18 01:49:02 0000 -------
Shouldn't the severity be upgraded to major? (A major loss of function - no
current support for flash.)

------- Comment #27 From Jim Ramsay 2007-07-19 17:02:34 0000 -------
Committed net-www/netscape-flash-9.0.48.0-r1 that installs from the RPM instead
of the tarball.

Hopefully this should:
a) Work
b) Alleviate the security concern

Enjoy :)

------- Comment #28 From Olivier Crete 2007-07-19 17:06:47 0000 -------
Shouldn't this be re-opened for a GLSA?

------- Comment #29 From Pierre-Yves Rofes 2007-07-19 17:43:53 0000 -------
Indeed, please do not close security bugs by yourself, we will handle it ;)

------- Comment #30 From Jim Ramsay 2007-07-19 19:21:03 0000 -------
Oops, my apologies :)

------- Comment #31 From Timothy Stotts 2007-07-19 19:24:13 0000 -------
(In reply to comment #13)
> Doesn't work for me.

Works now. :-)

------- Comment #32 From Pierre-Yves Rofes 2007-07-24 09:19:00 0000 -------
Adding CVE refs.

------- Comment #33 From Pierre-Yves Rofes 2007-08-08 21:20:17 0000 -------
That was GLSA 200708-01, thanks everybody!
