Bug#: 193519
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Robert Buchholz <rbu@gentoo.org>
Description:   Opened: 2007-09-23 13:51 0000
According to the CVE database:
  ActionScript 3 (AS3) in Adobe Flash Player 9.0.47.0 allows remote
  attackers to bypass the Security Sandbox Model, obtain sensitive
  information, and port scan arbitrary hosts via a Flash (SWF) movie
  that specifies a connection to make, then using timing discrepancies
  from the SecurityErrorEvent error to determine whether a host is open
  or not.

POC at http://scan.flashsec.org/

------- Comment #1 From Robert Buchholz 2007-09-23 13:54:23 0000 -------
Jim and desktop-misc, please advise.

------- Comment #2 From Jim Ramsay 2007-09-24 14:33:48 0000 -------
I have verified that we are indeed affected by this, even though the security
release does not explicitly mention version 9.0.48.0.

But I'm not sure what to do about it, besides of course p.mask the package,
which I would like to avoid unless absolutely necessary due to its popularity
and the (in my opinion unfortunately) large number of websites which *require*
this software.

Is this security flaw great enough to require that I mask this package?

I've done a little looking for "Version 8" that the flashsec.org page
recommends you downgrade to, but I can't actually find it anywhere (and it may
be affected by other vulnerabilities).  If someone can find a SRC_URI for this,
I would 

I will add some sort of "This software is closed-source and has had a number of
vulnerabilities, are you *sure* you want to install this..." disclaimer to the
ebuild.

------- Comment #3 From Matteo Azzali 2007-10-07 15:43:04 0000 -------
It seems that as a solution you unmasked
net-www/netscape-flash-9.0.60.0_beta100107 ,
however it has a serious flaw if used in conjunction with nsplugin-wrapper
and konqueror, it often shows just black rectangles (like at
http://www.medusacinema.it/ ) even if those pages are working with firefox.

I don't know if bug #193513 (latest nspluginwrapper one) is in any way
related and if it's the case to open a separate bug report (as it may slow
your stabilization of this security update), but please take into account
that this version of flash has flaws.

------- Comment #4 From Jim Ramsay 2007-10-07 16:28:32 0000 -------
No, my addition of the beta version had nothing to do with this bug - It was
requested by a user, and seemed more stable to me than the last beta released,
so I added it as a testing version.  Unfortunately the new version is still
affected by the same design flaw as 0.9.48.0

Please open a new bug about this non-security-related problem, and I will
gladly take a look there, thanks!  Be sure to include your `emerge --info`, and
which version of konqueror and firefox you used.

------- Comment #5 From Robert Buchholz 2007-10-23 19:28:40 0000 -------
Additional issue

CVE-2007-5275:
         The Adobe Macromedia Flash 9 plug-in allows remote attackers to cause
         a victim machine to establish TCP sessions with arbitrary hosts via a
         Flash (SWF) movie, related to lack of pinning of a hostname to a
         single IP address after receiving an allow-access-from element in a
         cross-domain-policy XML document, and the availability of a Flash
         Socket class that does not use the browser's DNS pins, aka DNS
         rebinding attacks, a different issue than CVE-2002-1467 and
         CVE-2007-4324.

------- Comment #6 From Robert Buchholz 2007-12-19 00:38:54 0000 -------
Flash 9.0.115.0 was released by Adobe. It addresses both vulnerabilities
already mentioned in this bug (CVE-2007-4324, CVE-2007-5275)

Additionally, it fixes these vulnerabilities:

CVE-2007-4768:
         Heap-based buffer overflow in Perl-Compatible Regular Expression
         (PCRE) library before 7.3 allows context-dependent attackers to
         execute arbitrary code via a singleton Unicode sequence in a character
         class in a regex pattern, which is incorrectly optimized.

CVE-2007-6242:
         Multiple input validation errors have been identified in Flash
         Player 9.0.48.0 and earlier versions that could lead to the
         potential execution of arbitrary code. These vulnerabilities
         could be accessed through content delivered from a remote location
         via the user’s web browser, email client, or other applications that
         include or reference the Flash Player. (CVE-2007-4768, CVE-2007-6242)

CVE-2007-6243:
         This update introduces a new, stricter method for Flash Player to
         interpret cross-domain policy files. These changes could help
         prevent privilege escalation attacks against web servers hosting
         Flash content and cross-domain policy files.

CVE-2007-6244:
         This update restricts the unsupported asfunction: protocol to
         address potential cross-site scripting issues with some SWF files.

CVE-2007-6245:
         This update resolves an issue that could allow remote attackers
         to modify HTTP headers of client requests and conduct HTTP
         Request Splitting attacks. 

CVE-2007-6246:
         The Linux update for Flash Player addresses a memory permissions
         issue that could lead to privilege escalation.

Not for Linux:

CVE-2007-5476:
         Unspecified vulnerability in Adobe Flash Player 9.0.47.0 and earlier,
         when running on Opera before 9.24 on Mac OS X, has unknown "Highly
         Severe" impact and unknown attack vectors.

CVE-2007-6244 (different vector):
         This update makes changes to the navigateToURL function to
         prevent potential Universal Cross-Site Scripting attacks. This issue
         is specific to the Flash Player ActiveX Control and the Internet
         Explorer Browser.
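
Both CVE-2007-5275 (comment #5) and CVE-2007-6243 (comment #6) hinge on what a cross-domain policy file grants through its allow-access-from elements. The following audit script is an added example, not code from this bug or from Adobe: it flags the grants a defender would want to tighten (wildcard domains, all ports, secure="false", missing site-control) in two constructed sample policies.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a wide-open policy of the kind an attacker-served
# SWF can reuse against the host that published it.
PERMISSIVE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" to-ports="*" secure="false"/>
</cross-domain-policy>"""

# Constructed sample: the same file restricted to a named origin and port.
RESTRICTED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="www.example.com" to-ports="443"/>
</cross-domain-policy>"""


def audit_policy(xml_text):
    """Return a list of findings for a Flash cross-domain policy document.

    Each <allow-access-from> grants SWF content loaded from `domain`
    permission to talk to this host; wildcards extend that grant to any
    origin, including one an attacker controls.
    """
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return ["root element is not <cross-domain-policy>"]
    if root.find("site-control") is None:
        findings.append("no <site-control>: other policy files on the host may widen access")
    for rule in root.findall("allow-access-from"):
        domain = rule.get("domain", "")
        ports = rule.get("to-ports", "")
        if domain == "*":
            findings.append("wildcard domain grant: any origin may connect")
        elif domain.startswith("*."):
            findings.append(f"subdomain wildcard grant: {domain!r}")
        if ports == "*":
            findings.append(f"all ports granted to {domain!r}")
        if rule.get("secure", "true").lower() == "false":
            findings.append(f'secure="false": HTTP-loaded SWFs may reach HTTPS content for {domain!r}')
    return findings


if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(name, audit_policy(policy) or ["no findings"])
```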

------- Comment #7 From Jim Ramsay 2007-12-20 13:21:23 0000 -------
Sorry, forgot to mention in this bug: 9.0.115.0 has been in the tree for a
little while now.

I'm not sure about the other security issues, but by my test, it still fails
the network scan attack that spawned this bug.  Go to http://scan.flashsec.org/
and see for yourself.

I will be requesting stability in the near future.

------- Comment #8 From Robert Buchholz 2007-12-21 13:31:35 0000 -------
(In reply to comment #7)
> I will be requesting stability in the near future.

Sorry, I did not notice. Can we go to stabling this right now? The new issues
that came up are pretty severe.

------- Comment #9 From Billy DeVincentis 2007-12-22 10:44:03 0000 -------
This version does not fix the konqueror problem. I have still needed to
downgrade to 9.0.48 in order to have flash support in konqueror; the higher
versions simply don't work.

------- Comment #10 From Billy DeVincentis 2007-12-22 11:03:34 0000 -------
BTW, this is not an nspluginwrapper issue; it affects X86 installations
equally. Simply put, flash does not work in konqueror when using any version
higher than 9.0.48. This is the same in Debian also.

------- Comment #11 From Robert Buchholz 2007-12-22 13:42:45 0000 -------
Billy, can you please open a new bug about the Opera/Konqueror issues, and mark
it blocking this bug? 

For reference, Debian tracks this here:
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=455283
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=456538

------- Comment #12 From Jim Ramsay 2007-12-22 16:46:48 0000 -------
FWIW, the Konqueror issue is not a problem with flash, it's technically a
problem with konqueror.  Here's KDE's bug:

http://bugs.kde.org/132138

I have an assurance from Philanthrop via IRC that the Gentoo KDE team will soon
be applying patches which will make the new flash work in Konqueror.

As for Opera, I'm not sure what can be done, it's a binary package, so there's
no real way to patch it.  That said, the newer version (9.50) seems to work
with the new flash. (9.50_beta1 here), though I've heard others that experience
the contrary.

------- Comment #13 From Jim Ramsay 2007-12-22 16:55:01 0000 -------
The Opera issues *may* be related to this:

https://bugs.gentoo.org/show_bug.cgi?id=127200#c25

------- Comment #14 From Robert Buchholz 2007-12-22 22:07:26 0000 -------
(In reply to comment #12)
> I have an assurance from Philanthrop via IRC that the Gentoo KDE team will soon
> be applying patches which will make the new flash work in Konqueror.

Wulf, can you give us a ping on this bug, so we can stable both Flash and
Konqueror at the same time, to limit disruption of stable users?


> As for Opera, I'm not sure what can be done, it's a binary package

True. I don't think stabling the p.masked Opera beta is an option, I'm also not
sure where it stands security-wise.
Since we're dealing with two binary packages not cooperating here, there seems
to be nothing at all to be done.

Let's get Flash stable as soon as Konqueror is ok for it.

------- Comment #15 From Robert Buchholz 2007-12-26 23:50:55 0000 -------
KDE herd, there are two big patches linked in the KDE bug. Did you try getting
them to work with our stable konqueror?
I would think they still contain bugs, but we could at least apply them on
~arch for some days to get flash stable sooner than later.

------- Comment #16 From Carsten Lohrke 2007-12-27 16:52:07 0000 -------
Don't hold back stabilizing this new flash version just because Adobe is too
much of a PITA or some users are complaining about not getting their dose of
YouTube or whatever. That's irrelevant. For people who do not care for
vulnerabilities, Portage provides the means.


Wrt. Konqueror you can read in this¹ blog entry, that the patches are
preliminary and cause crashes, so these changes cannot go stable anytime soon
anyways.

[1] http://www.kdedevelopers.org/node/3162

------- Comment #17 From Robert Buchholz 2007-12-27 17:59:20 0000 -------
As I understood it, the crashes were introduced without the patches. The
patches just fix some (?) of the issues, but not all.

It's up to the KDE herd if they want konqueror to ship the preliminary patches
before stabling. I'd propose Saturday to cc arches.

Jeroen, did you follow the discussion from the Opera side?

------- Comment #18 From Jeroen Roovers 2007-12-27 18:15:27 0000 -------
(In reply to comment #17)
> Jeroen, did you follow the discussion from the Opera side?

First time I see this bug. :-\

Opera 9.50 betas are very unstable and are not meant to go stable, ever. Issues
between Opera and Flash are well known among Opera users. That said, I find
that the latest version of the Flash plugin works better than the 9.0.60.*
betas, only it doesn't solve the Opera issue (which is that the Flash plugin
dislikes finding *netscape* in its library's path while the browser doesn't
identify itself as such - which is Adobe's problem to fix and which 9.0.115.0
doesn't fix anyhow).

So feel free to stabilise.

------- Comment #19 From Matteo Azzali 2007-12-27 19:43:26 0000 -------
Ehm, as a side note, konqueror can already use the newer flash version if you
use npplugin instead of nsplugin.
npplugin ships together with kmplayer; check
http://www.kde-apps.org/content/show.php/KMPlayer?content=10004

The only issue is that the kmplayer configure script doesn't emerge
/usr/bin/knpplayer if the parameter --without-gstreamer is passed.
However, gstreamer is not needed at all; I don't have it installed
and everything is 100% fine if --without-gstreamer is not passed.

------- Comment #20 From Robert Buchholz 2007-12-29 01:01:21 0000 -------
Discussion in the kde herd turned out that the stable konqueror will not be
patched accepting any regressions introduced here and the patches will be
applied on the ~arch 3.5.8 konqueror to keep testing them.

So we're ready for stabling.

------- Comment #21 From Robert Buchholz 2007-12-29 01:02:51 0000 -------
Arches, please test and mark stable net-www/netscape-flash-9.0.115.0.
Target keywords : "amd64 x86"

------- Comment #22 From Jonas Pedersen 2007-12-29 15:12:34 0000 -------
net-www/netscape-flash-9.0.115.0

1. Emerges on AMD64
2. No collisions etc. 
3. Works. YouTube works in both 64bit (through nspluginwrapper) and 32bit
Firefox. 


------- Comment #23 From Richard Freeman 2007-12-30 14:15:23 0000 -------
amd64 stable

FYI - the only stable version of kmplayer has gstreamer disabled - the USE
flag was introduced in the ~arch version.

------- Comment #24 From Raúl Porcel 2008-01-01 16:06:12 0000 -------
x86 stable

------- Comment #25 From Robert Buchholz 2008-01-01 22:05:23 0000 -------
request filed

------- Comment #26 From Robert Buchholz 2008-01-20 00:44:10 0000 -------
GLSA 200801-07, thank you everybody!

When updates to Konqueror, Opera or Flash are out to fix regressions, please
let us know.
