Bug 185141 - net-www/netscape-flash < 9.0.48.0 multiple vulnerabilities (CVE-2007-2022, CVE-2007-345[67])
Bug#: 185141
Product: Gentoo Security
Version: unspecified
Platform: All
OS/Version: Linux
Status: RESOLVED
Severity: normal
Priority: P2
Resolution: FIXED
Assigned To: security@gentoo.org
Reported By: arfrever@gentoo.org
Component: Vulnerabilities
URL: http://secunia.com/advisories/26027/
Summary: net-www/netscape-flash < 9.0.48.0 multiple vulnerabilities (CVE-2007-2022, CVE-2007-345[67])
Keywords:
Status Whiteboard: B2 [glsa]
Opened: 2007-07-13 00:14 0000
net-www/netscape-flash-9.0.48.0 was released on 2007-07-10.
There's RESTRICT="mirror" and SRC_URI is the same, so previous version should
be deleted from the tree.
(In reply to comment #0)
> There's RESTRICT="mirror" and SRC_URI is the same, so previous version should
> be deleted from the tree.
Wonderful; upstream folks really 'rock'. Bleh :/
http://secunia.com/advisories/26027/
An input validation error can be exploited to execute arbitrary code when a
user e.g. visits a malicious website.
The vulnerability affects versions 9.0.45.0 and prior.
http://www.adobe.com/support/security/bulletins/apsb07-12.html
Summary
Critical vulnerabilities have been identified in Adobe Flash Player that could
allow an attacker who successfully exploits these potential vulnerabilities to
take control of the affected system. A malicious SWF must be loaded in Flash
Player by the user for an attacker to exploit these potential vulnerabilities.
Users are recommended to update to the most current version of Flash Player
available for their platform.
Severity rating
Adobe categorizes this as a critical issue and recommends affected users
upgrade to version 9.0.47.0 (Win, Mac, Solaris) or 9.0.48.0 (Linux).
Details
An input validation error has been identified in Flash Player 9.0.45.0 and
earlier versions that could lead to the potential execution of arbitrary code.
This vulnerability could be accessed through content delivered from a remote
location via the user’s web browser, email client, or other applications that
include or reference the Flash Player. (CVE-2007-3456)
An issue with insufficient validation of the HTTP Referer has been identified
in Flash Player 8.0.34.0 and earlier. This issue does not affect Flash Player
9. This issue could potentially aid an attacker in executing a cross-site
request forgery attack. (CVE-2007-3457)
The Linux and Solaris updates for Flash Player 7 (7.0.70.0) address the issues
with Flash Player and the Opera and Konqueror browsers described in Security
Advisory APSA07-03. These issues do not impact Flash Player 9 on Linux or
Solaris. (CVE-2007-2022)
I put 9.0.48.0 in the tree and removed 9.0.31.0.
It's straight to stable, since the old version disappeared...
I guess this is a case for a GLSA? Security team, it's all yours!
Looks like upstream have replaced flash_player_9_linux_dev.tar.gz with a new
version too - it's 8,820,378 bytes long and the manifest says 8,820,435. (Of
course, why flash_player_9_linux_dev.tar.gz is being downloaded at all is an
interesting question in itself...)
... which means that the currently stable'd netscape-flash fails to install,
which is somewhat unfun.
I just fetched it again and the digest matches.
9.0.48.0 always fails to complete for me, since first adding to portage.
Resolving fpdownload.macromedia.com... 72.246.34.70
Connecting to fpdownload.macromedia.com|72.246.34.70|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 8,820,378 (8.4M) [application/x-gzip]
100%[=====================================>] 8,820,378 1.07M/s ETA 00:00
12:20:01 (1.04 MB/s) - `/usr/portage/distfiles/flash_player_9_linux_dev.tar.gz' saved [8820378/8820378]
!!! Couldn't download 'flash_player_9_linux_dev.tar.gz'. Aborting.
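The failure reported above (a complete HTTP 200 download that Portage still rejects) is what a Manifest check looks like when upstream replaces a file under an unversioned name. The following is an added example, not part of the bug thread and not Portage's own code; it assumes Manifest2-style `DIST <name> <size> <HASH> <hex>` lines and uses small constructed byte strings in place of the real tarball.

```python
import hashlib
import tempfile
from pathlib import Path

def parse_dist_entries(manifest_text):
    """Parse 'DIST <name> <size> <HASH> <hex> ...' lines into {name: (size, hashes)}."""
    entries = {}
    for line in manifest_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "DIST":
            continue
        # Fields after the size alternate hash name / hex digest.
        hashes = dict(zip(fields[3::2], fields[4::2]))
        entries[fields[1]] = (int(fields[2]), hashes)
    return entries

def verify_distfile(path, entries):
    """Return 'ok', or the first reason the file fails its Manifest entry."""
    path = Path(path)
    if path.name not in entries:
        return "no Manifest entry"
    size, hashes = entries[path.name]
    actual = path.stat().st_size
    if actual != size:
        # Cheap check first: a silently replaced upstream file usually differs in length.
        return f"size mismatch: got {actual}, Manifest says {size}"
    data, checked = path.read_bytes(), 0
    for algo, expected in hashes.items():
        if algo.lower() not in hashlib.algorithms_available:
            continue  # digest this Python build cannot compute
        if hashlib.new(algo.lower(), data).hexdigest() != expected.lower():
            return f"{algo} mismatch"
        checked += 1
    return "ok" if checked else "no verifiable digest"  # never accept on size alone

def demo():
    """Constructed data: Manifest made from 'recorded'; upstream later serves 'replaced'."""
    recorded, replaced = b"flash tarball, first upload\n", b"flash tarball, re-upload\n"
    name = "flash_player_9_linux_dev.tar.gz"
    manifest = f"DIST {name} {len(recorded)} SHA256 {hashlib.sha256(recorded).hexdigest()}\n"
    results = []
    with tempfile.TemporaryDirectory() as tmp:
        for blob in (recorded, replaced):
            Path(tmp, name).write_bytes(blob)
            results.append(verify_distfile(Path(tmp, name), parse_dist_entries(manifest)))
    return results

if __name__ == "__main__":
    print(demo())
```

Deleting the cached distfile and refetching only helps once the Manifest in the tree has been regenerated against the file the mirror currently serves; a versioned upstream filename avoids the mismatch in the first place.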
(In reply to comment #7 and comment #8 and comment #10)
Run:
emerge --sync
rm -fr /usr/portage/distfiles/install_flash_player_9_linux.tar.gz
rm -fr /usr/portage/distfiles/flash_player_9_linux_dev.tar.gz
>>> Install netscape-flash-9.0.48.0 into /var/tmp/portage/net-www/netscape-flash-9.0.48.0/image/ category net-www
dodoc: install_flash_player_9_linux/Readme.txt does not exist
>>> Completed installing netscape-flash-9.0.48.0 into /var/tmp/portage/net-www/netscape-flash-9.0.48.0/image/
Patch:
--- netscape-flash-9.0.48.0.ebuild
+++ netscape-flash-9.0.48.0.ebuild
@@ -56,7 +56,6 @@
dobin flashplayer
dodoc ${MY_PD}/README
- use debug || dodoc ${MY_P}/Readme.txt
cd ${MY_P}
exeinto /opt/netscape/plugins
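Review bot: the context line "cd ${MY_P}" right after the removed dodoc has no failure check and the variable is unquoted. The build log above shows install_flash_player_9_linux/Readme.txt missing, so the unpacked layout is not what the ebuild expects; if the directory itself were ever absent, the "exeinto /opt/netscape/plugins" step would continue from the wrong working directory. Suggest cd "${MY_P}" || die while touching this block. Separately, deleting the dodoc line outright also drops Readme.txt for any archive that still ships it; guarding it on the file's existence would silence the warning without losing the doc, and "dodoc ${MY_PD}/README" deserves the same quoting.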
(In reply to comment #11)
> (In reply to comment #7 and comment #8 and comment #10)
>
> Run:
> emerge --sync
> rm -fr /usr/portage/distfiles/install_flash_player_9_linux.tar.gz
> rm -fr /usr/portage/distfiles/flash_player_9_linux_dev.tar.gz
>
Of course. Already tried that, every 12 hours since the ebuild was added. :-)
Doesn't work for me.
(In reply to comment #12)
> Patch:
> - use debug || dodoc ${MY_P}/Readme.txt
Thanks for noticing, I fixed the ebuild.
Ok, I've given up on flash... it's package.masked.. I guess you may want to send
out a GLSA?
(In reply to comment #10)
> 9.0.48.0 always fails to complete for me, since first adding to portage.
>
same problem in my 32bit gentoo chroot environment
Created an attachment (id=124893) [details]
tar => version rpm for flash
The RPM version comes as a versioned file, so here's a patch to use that instead
of the tarball.
debug removed since it doesn't come versioned.
Ah, crap. Sorry about the formatting.
This patch works here on my AMD64 under ndiswrapper. The workaround works and
gets us out of the current really crappy situation. Unless there are problems,
it should probably be committed.
It works for some people and not for others, because different mirrors have
different files, it's impossible for us to properly support it.
Why not use the versioned tarball from comment #4?
(In reply to comment #22)
> Why not use the versioned tarball from comment #4?
If you go to macromedia.mplug.org, you'll see that they stated that this mirror
won't be there for long.
(In reply to comment #21)
> It works for some people and not for others, because different mirrors have
> different files, it's impossible for us to properly support it.
>
http://fpdownload.macromedia.com/get/flashplayer/current/flash-plugin-9.0.48.0-release.i386.rpm
This link is versioned and there is a patch to the ebuild that supports it. I
copied it directly from the macromedia webpage. What's the problem exactly? I
mean, your bug and all but seems like something this major is worth getting a
fix out there until a more permanent solution can be attained.
> (In reply to comment #21)
> http://fpdownload.macromedia.com/get/flashplayer/current/flash-plugin-9.0.48.0-release.i386.rpm
>
> This link is versioned and there is a patch to the ebuild that supports it. I
> copied it directly from the macromedia webpage. What's the problem exactly? I
> mean, your bug and all but seems like something this major is worth getting a
> fix out there until a more permanent solution can be attained.
Indeed, this patch seems to work for me.
One thing the patch misses is installing the README and readme.txt files from
the rpm. However, this may not be a big deal since the README file refers to
version 9.0.31.0 and the readme.txt still refers to "Flash Player 9 for Linux:
BETA"
Shouldn't the severity be upgraded to major? (A major loss of function - no
current support for flash.)
Committed net-www/netscape-flash-9.0.48.0-r1 that installs from the RPM instead
of the tarball.
Hopefully this should:
a) Work
b) Alleviate the security concern
Enjoy :)
shouldn't this be re-opened for a GLSA ?
indeed, please do not close security bugs by yourself, we will handle it ;)
(In reply to comment #13)
> Doesn't work for me.
Works now. :-)
that was GLSA 200708-01, thanks everybody!