112251 2005-11-12 03:16 0000 net-www/netscape-flash: arbitrary code execution 2005-11-25 04:21:07 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED http://secunia.com/advisories/17430/ A2 [glsa] P2 major --- 1 taviso@gentoo.org security@gentoo.org flash3001@yahoo.com tetromino@gmail.com taviso@gentoo.org 2005-11-12 03:16:04 0000 The netscape-flash package installs an old vulnerable `gflashplayer` when the gtk USE flag is set, this version is vulnerable to a security flaw and should be removed from the package. koon@gentoo.org 2005-11-13 10:04:51 0000 No maintainer... vapier@gentoo.org 2005-11-14 16:57:26 0000 so there is no new version of gflashplayer ? our only choice is to not install it at all ? kevquinn@gentoo.org 2005-11-15 00:17:39 0000 The Secunia advisory says that v8 and v7.0.60.0/7.0.61.0 are not vulnerable. The current ebuild installs 7.0.25 so presumably that's vulnerable as well as gflashplayer. There's no v8 available for Linux, and while there is a 7.0.61.0 currently at http://fpdownload.macromedia.com/get/flashplayer/current/install_flash_player_7_linux.tar.gz it is not available through the official mirror sites http://macromedia.mplug.org/ where the latest version is 7.0.25.0 (presumably vulnerable). This macromedia.com URL obviously isn't stable from one point revision to the next, and http://www.macromedia.com/software/flashplayer/productinfo/faq/#item-3-2 explicitly prohibits redistribution. We could create net-www/netscape-flash-7.ebuild, and do a -rN bump every time Macromedia do a point revision so users see the revision change. Might need RESTRICT=fetch. Alternatively perhaps poking macromedia.mplug.org to update would be simpler (warren@togami.com) - 7.0.61.0 was released 4th Nov. The standalone player in v6 doesn't use libflashplayer.so so presumably is vulnerable, and as there's no newer version I guess we should ditch it. vapier@gentoo.org 2005-11-15 06:11:43 0000 dropped an e-mail to warren@togami.com taviso@gentoo.org 2005-11-15 08:56:12 0000 Kevin, the secunia advisory says "versions prior to 7.0.25.0 on the Unix platform.", so the plugin is fine, only the gflashplayer is vulnerable. kevquinn@gentoo.org 2005-11-16 13:44:57 0000 Hmm; didn't see that bit, I paid more attention to the 'solution' part that indicates updating to 7.0.61.0 as the recommended fix. Macromedia's notice at http://www.macromedia.com/devnet/security/security_zone/mpsb05-07.html says "Flash Player 7.0.53.0 and earlier" are vulnerable; whether that includes the Unix version or not is unclear but there's no real reason to suspect the Unix version is any different to the Windows version in this respect. The SEC Consult and the Eeye reports are different overflows, similar enough to be the same issue but in different functions. Macromedia's release indicates there were multiple instances of unchecked array bounds, "There was a problem with bounds validation for indexes of certain arrays in Flash Player 7 and earlier". SEC Consult say their issue is resolved in 7.0.25.0, eEye don't identify specific point revisions, however Macromedia say 7.0.61.0 or 7.0.60.0 are the versions in which the problems are fixed, so I'd tend to go with that. taviso@gentoo.org 2005-11-18 01:51:49 0000 karma@designfolks.com.au provided a testcase http://www.designfolks.com.au/df. swf It does crash gflashplayer, but the plugin seems to survive. taviso@gentoo.org 2005-11-18 02:15:22 0000 Oops, my mistake, the plugin is affected as well. taviso@gentoo.org 2005-11-18 03:17:10 0000 shellsage points out macromedia has released a new version of the plugin here http://www.macromedia.com/devnet/security/security_zone/mpsb05-07.html, i've installed 7.0.61.0 and confirm the poc no longer works. No gflashplayer, but we need to push the plugin out asap. shellsage@gentoo.org 2005-11-18 03:38:51 0000 Created an attachment (id=73126) Ebuild for =net-www/netscape-flash-7.0.61 Sending ebuild per taviso's request. shellsage@gentoo.org 2005-11-18 03:40:37 0000 A note about the ebuild I just posted: I removed support for gflashplayer and the gtk use flag. Versions <= 7.0.61 of the player are vulnerable. koon@gentoo.org 2005-11-18 04:27:45 0000 No maintainer, so security should bump it koon@gentoo.org 2005-11-21 01:03:57 0000 Tavis/solar/vapier: please doublecheck the ebuild and security-bump that package. The sooner it's out, the better. taviso@gentoo.org 2005-11-23 02:04:13 0000 bumpified, requires stabilisation. jaervosz@gentoo.org 2005-11-23 02:18:39 0000 Arches please test and mark stable. wolf31o2@gentoo.org 2005-11-23 08:13:44 0000 Using this plugin, if I right click on a movie in Firefox, it crashes Firefox. Firefox is 1.0.7-r3... The current stable plugin does not have this issue. dang@gentoo.org 2005-11-23 08:16:20 0000 Works fine here. amd64 done. koon@gentoo.org 2005-11-24 02:38:28 0000 Chris: can't reproduce your issue on x86 with Firefox 1.0.7. Right-clicking on Flash things works OK here. x86 ATs, please confirm. halcy0n@gentoo.org 2005-11-24 17:31:18 0000 No problems in firefox or mozilla for me. Looks good on x86. koon@gentoo.org 2005-11-25 04:21:07 0000 GLSA 200511-21 73126 2005-11-18 03:38 0000 Ebuild for =net-www/netscape-flash-7.0.61 netscape-flash-7.0.61.ebuild application/octet-stream IyBDb3B5cmlnaHQgMTk5OS0yMDA1IEdlbnRvbyBGb3VuZGF0aW9uCiMgRGlzdHJpYnV0ZWQgdW5k ZXIgdGhlIHRlcm1zIG9mIHRoZSBHTlUgR2VuZXJhbCBQdWJsaWMgTGljZW5zZSB2MgojICRIZWFk ZXI6IC92YXIvY3Zzcm9vdC9nZW50b28teDg2L25ldC13d3cvbmV0c2NhcGUtZmxhc2gvbmV0c2Nh cGUtZmxhc2gtNy4wLjI1LmVidWlsZCx2IDEuOSAyMDA1LzA4LzExIDIwOjI1OjQyIGZsYW1lZXll cyBFeHAgJAoKaW5oZXJpdCBuc3BsdWdpbnMKClM9JHtXT1JLRElSfS9pbnN0YWxsX2ZsYXNoX3Bs YXllcl83X2xpbnV4CkRFU0NSSVBUSU9OPSJNYWNyb21lZGlhIFNob2Nrd2F2ZSBGbGFzaCBQbGF5 ZXIiClNSQ19VUkk9Im1pcnJvcjovL21hY3JvbWVkaWEvZmxhc2gtcGx1Z2luLSR7UFZ9LnRhci5n eiIKSE9NRVBBR0U9Imh0dHA6Ly93d3cubWFjcm9tZWRpYS5jb20vIgoKU0xPVD0iMCIKS0VZV09S RFM9Ing4NiBhbWQ2NCAtcHBjIC1zcGFyYyIKTElDRU5TRT0iTWFjcm9tZWRpYSIKCkRFUEVORD0i IW5ldC13d3cvZ3BsZmxhc2gKCWFtZDY0PyAoYXBwLWVtdWxhdGlvbi9lbXVsLWxpbnV4LXg4Ni1i YXNlbGlicwoJCWFwcC1lbXVsYXRpb24vZW11bC1saW51eC14ODYteGxpYnMgKSIKUkVTVFJJQ1Q9 Im5vc3RyaXAiCgpwa2dfc2V0dXAoKSB7CgkjIFRoaXMgaXMgYSBiaW5hcnkgeDg2IHBhY2thZ2Ug PT4gQUJJPXg4NgoJIyBQbGVhc2Uga2VlcCB0aGlzIGluIGZ1dHVyZSB2ZXJzaW9ucwoJIyBEYW5u eSB2YW4gRHlrIDxrdWdlbGZhbmdAZ2VudG9vLm9yZz4gMjAwNS8wMy8yNgoJaGFzX211bHRpbGli X3Byb2ZpbGUgJiYgQUJJPSJ4ODYiCn0KCnNyY19pbnN0YWxsKCkgewoJZXhlaW50byAvb3B0L25l dHNjYXBlL3BsdWdpbnMKCWRvZXhlIGxpYmZsYXNocGxheWVyLnNvCgoJaW5zaW50byAvb3B0L25l dHNjYXBlL3BsdWdpbnMKCWRvaW5zIGZsYXNocGxheWVyLnhwdAoKCWluc3RfcGx1Z2luIC9vcHQv bmV0c2NhcGUvcGx1Z2lucy9saWJmbGFzaHBsYXllci5zbwoJaW5zdF9wbHVnaW4gL29wdC9uZXRz Y2FwZS9wbHVnaW5zL2ZsYXNocGxheWVyLnhwdAoKCWRvZG9jIFJlYWRtZS50eHQKCWRvaHRtbCBS ZWFkbWUuaHRtCn0K