CVE-2008-3873 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3873): The System.setClipboard method in Adobe Flash Player allows remote attackers to populate the clipboard with a URL that is difficult to delete, as exploited in the wild in August 2008.
http://raffon.net/research/flash/cb/test.html
We should stabilize version 10.
Name: CVE-2008-4503
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4503
Published: 2008-10-09
Severity: Medium
Description: The Settings Manager in Adobe Flash Player 9.0.124.0 and earlier allows remote attackers to cause victims to unknowingly click on a link or dialog via access control dialogs disguised as normal graphical elements, as demonstrated by hijacking the camera or microphone, and related to "clickjacking."

Added it, because we need >9.0.124.0 for that vulnerability, too.
(In reply to comment #2)
> We should stabilize version 10.

Three outstanding issues here:

The first is the "windowless mode crash" issue that affects <firefox-3.0.2 (bug 230413), so it would be best to wait until ff-3.0.3 goes stable. There is a workaround, but it would be much cleaner to wait. That said, I'm not sure what the status is with the currently-stable firefox-2.0.0.17.

Secondly, I have heard reports (bug 239163) that some badly-written sites don't recognize version 10 of flash as being greater than version 9 (apparently they string compare and not numeric compare... Go javascript!), so they will tell you to *upgrade* your flash version if it's too new :)

And finally, the current v10 is just an RC, not a true release. I can of course stabilize an RC if we really want, but with the other existing issues, I'd much prefer to leave it for the moment.

I do already warn users (via ewarn, and I know most people don't see it...) to be careful and use an add-on like "flashblock" to only run flash applets they trust. I'm sure these vulnerabilities won't be the last, nor will v10 be free of flaws :)
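The "string compare instead of numeric compare" failure mentioned in the comment above is easy to reproduce. The following is an added example, not code from the bug thread or from any site it refers to: it shows why a lexical comparison ranks "10.0.12.36" below "9.0.124.0", and a field-by-field numeric comparison that orders Flash version strings correctly. The version strings and the range check for the fixed versions named later in this thread (9.0.151.0 and 10.0.12.36) are constructed for the demonstration.

```javascript
// Added example: comparing Flash Player version strings.
// Version strings below are constructed for the demonstration.

// The naive check some sites used: plain string comparison. JavaScript
// compares strings character by character, and "1" sorts before "9",
// so "10.0.12.36" >= "9.0.124.0" is false and version 10 looks "too old".
function lexicalAtLeast(installed, required) {
  return installed >= required;
}

// Split "a.b.c.d" into an array of integers; reject anything non-numeric.
function parseVersion(s) {
  const parts = String(s).trim().split(".").map((p) => parseInt(p, 10));
  if (parts.length === 0 || parts.some(Number.isNaN)) {
    throw new Error("bad version string: " + s);
  }
  return parts;
}

// Field-by-field numeric comparison; missing trailing fields count as 0,
// so "10.0" and "10.0.0.0" compare equal. Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = i < pa.length ? pa[i] : 0;
    const y = i < pb.length ? pb[i] : 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// The correct form of the check a site should have used.
function numericAtLeast(installed, required) {
  return compareVersions(installed, required) >= 0;
}

// Range check built from the fixed versions quoted later in this thread
// (APSB08-18 / CVE-2008-4824: 9.x before 9.0.151.0 and 10.x before
// 10.0.12.36 are affected). Major versions other than 9 and 10 are
// reported as affected because they are older than both fixed branches.
function affectedByApsb0818(installed) {
  const major = parseVersion(installed)[0];
  if (major === 10) return compareVersions(installed, "10.0.12.36") < 0;
  if (major === 9) return compareVersions(installed, "9.0.151.0") < 0;
  return major < 9;
}

// Stand-alone demonstration.
console.log("lexical 10.0.12.36 >= 9.0.124.0:", lexicalAtLeast("10.0.12.36", "9.0.124.0")); // false
console.log("numeric 10.0.12.36 >= 9.0.124.0:", numericAtLeast("10.0.12.36", "9.0.124.0")); // true
console.log("9.0.124.0 affected:", affectedByApsb0818("9.0.124.0"));   // true
console.log("10.0.12.36 affected:", affectedByApsb0818("10.0.12.36")); // false
```

The lexical check is the bug the comment describes; the numeric comparison is what any version gate (browser-side plugin detection or a package manager's own version logic) has to do, since dotted version strings are not totally ordered as text.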
Agreed. Since these vulnerabilities mostly impact usability and not the integrity of the systems, there is no sense in pushing prereleases that have other known flaws (but no CVE numbers assigned to them).
Seems that a new (stable!) version is out:
http://www.adobe.com/shockwave/download/download.cgi?P1_Prod_Version=ShockwaveFlash&P2_Platform=Linux&P5_Language=English

Adobe Flash Player version 10.0.12.36 .tar.gz for Linux (x86) | 3,8 MB
Indeed, I just added net-www/netscape-flash-10.0.12.36 to portage. I think I'd like to wait a week or so to let this settle out, but I'll push for stabilization then, providing no extremely ugly issues surface.
There are other holes, I wonder why 7.0.68 is marked stable in the tree? It should be masked and removed later on, too.

e.g.: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6243
Adobe Flash Player 9.x up to 9.0.48.0, 8.x up to 8.0.35.0, and 7.x up to 7.0.70.0 does not sufficiently restrict the interpretation and usage of cross-domain policy files, which makes it easier for remote attackers to conduct cross-domain and cross-site scripting (XSS) attacks.

BTW: Adobe says that it's a critical patch: http://www.adobe.com/support/security/bulletins/apsb08-18.html
Reportedly, CVE-2008-4401 allows for code execution, raising severity.

How's this version been doing, can we target 2008-10-19 or earlier for stabilization?
(In reply to comment #9)
> reportedly, CVE-2008-4401 allows for code execution, raising severity.
>
> How's this version been doing, can we target 2008-10-19 or earlier for
> stabilization?

Good news - No bugs reported yet, that I've seen. I just have to decide based on firefox adoption whether I need to default the "windowless mode crash" fix to ON or OFF. I'll talk to the ff folk and should have this ready to go by the 19th at the latest.
(In reply to comment #8)
> There are other holes, I wonder why 7.0.68 is marked stable in the tree? It
> should be masked and removed later on, too.

Just hanging on for no good reason except that I hadn't removed it yet. No need to mask, since 9.x is stable on all the same arches. I have removed it from the tree.
Okay, all outstanding issues for flash-10 are fixed in net-www/netscape-flash-10.0.12.36-r1. I deem it can go stable any time.
Arches, please test and mark stable: =net-www/netscape-flash-10.0.12.36-r1
Target keywords: "amd64 x86"
amd64 stable
CVE-2008-4546 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4546): Adobe Flash Player 9.0.45.0, 9.0.112.0, 9.0.124.0, and 10.0.12.10 allows remote web servers to cause a denial of service (NULL pointer dereference and browser crash) by returning a different response when an HTTP request is sent a second time, as demonstrated by two responses that provide SWF files with different SWF version numbers.
Note that <mozilla-firefox-3.0.2 or <mozilla-firefox-bin-3.0.2 has a bug which will cause Flash 10 to crash the browser when rendering a wmode frame.

For info on the Flash 10 crash look here: http://blogs.adobe.com/penguin.swf/2008/07/addessing_wmode_crashes.html

It seems that Firefox 3.0.2 has the patch that fixes the issue: https://bugzilla.mozilla.org/show_bug.cgi?id=435764

Any chance of blocking on less than ff3.0.2?
(In reply to comment #16)
> Note that <mozilla-firefox-3.0.2 or <mozilla-firefox-bin-3.0.2 has a bug which
> will cause Flash 10 to crash the browser when a rendering a wmode frame.
>
> Any chance of blocking on less than ff3.0.2?

No. The only stable ff in the tree is 2.0.0.17, and the only unstable versions are 3.0.3, which is no longer affected by the wmode bug, and 3.0-r1, which is only still in the tree because of 3.0.3 issues on sparc. Now, flash is only available for x86 and amd64, which should either have 2.0.0.17 (stable) or 3.0.3 (unstable) installed, neither of which are affected by the wmode bug. I am assured that 3.0-r1 will NOT be going stable on any arch because of security issues, so it is guaranteed that at least 3.0.3 will be going stable in the future.

Furthermore, for the very small percentage of users who may install 3.0-r1 by choice, or are running ~arch but neglect to update their firefox at the same time as everything else for some reason, the flash ebuild now installs the magic /etc/adobe/mms.cfg file, which has an entry that can disable the "WindowlessMode", thereby avoiding the crash.
x86 stable, all arches done.
I have also p.masked <net-www/netscape-flash-10.0.12.36

Version 9 is still in the tree for now, but will be removed soon.
(In reply to comment #19)
> I have also p.masked <net-www/netscape-flash-10.0.12.36
>
> Version 9 is still in the tree for now, but will be removed soon.

It seems epiphany suffers from the same crash problems mentioned above in relation to firefox. Any suggestion to avoid that? See bug 245041 for details.
Adobe has released an updated version of flash9 (9.0.151.0) to address some(all?) open security issues:

http://www.adobe.com/go/kb406791

Might be worth adding to the tree to make all those konqueror users happy again. ;)
(In reply to comment #21)
> Adobe has released an updated version of flash9 (9.0.151.0) to address
> some(all?) open security issues:
>
> http://www.adobe.com/go/kb406791
>
> Might be worth adding to the tree to make all those konqueror users happy
> again. ;)

Thanks, just added it. Sadly they're only using the un-versioned tarball as the source for this (and I can't mirror it either, thanks to licensing issues), so hopefully not many people will use it. I think I'll keep version 9 unmasked but at ~arch, so by default people will get the stable version 10.

Do we know if this fixes any of the relevant security bugs here? I can't seem to find out exactly what Adobe's new 9 release changes.
(In reply to comment #22)
> Sadly they're only using the un-versioned tarball as
> the source for this (and I can't mirror it either, thanks to licensing issues)

I don't know if it can be of much use, but Adobe also offers an archive tarball for each major version which is regularly updated when a new maintenance version appears. The zip file includes all previous versions with versioned subdirectories: http://www.adobe.com/go/tn_14266
CVE-2008-4822 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4822): Adobe Flash Player 9.0.124.0 and earlier does not properly interpret policy files, which allows remote attackers to bypass a non-root domain policy.
Just added those bugs for the archive.
Name: CVE-2008-4824
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4824
Published: 2008-11-17
Severity: High
Description: Multiple unspecified vulnerabilities in Adobe Flash Player 10.x before 10.0.12.36 and 9.x before 9.0.151.0 allow remote attackers to execute arbitrary code via unknown vectors related to "input validation errors."
CVE-2008-5361 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5361): The ActionScript 2 virtual machine in Adobe Flash Player 10.x before 10.0.12.36 and 9.x before 9.0.151.0, and Adobe AIR before 1.5, does not verify a member element's size when performing (1) DefineConstantPool, (2) ActionJump, (3) ActionPush, (4) ActionTry, and unspecified other actions, which allows remote attackers to read sensitive data from process memory via a crafted PDF file.
CVE-2008-5362 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5362): The DefineConstantPool action in the ActionScript 2 virtual machine in Adobe Flash Player 10.x before 10.0.12.36 and 9.x before 9.0.151.0, and Adobe AIR before 1.5, accepts an untrusted input value for a "constant count," which allows remote attackers to read sensitive data from process memory via a crafted PDF file.

CVE-2008-5363 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5363): The ActionScript 2 virtual machine in Adobe Flash Player 10.x before 10.0.12.36 and 9.x before 9.0.151.0, and Adobe AIR before 1.5, does not validate character elements during retrieval from the dictionary data structure, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted PDF file.
Release date: December 17, 2008
Vulnerability identifier: APSB08-24
CVE number: CVE-2008-5499
Platform: Linux

Summary

A critical vulnerability has been identified in Adobe Flash Player for Linux 10.0.12.36, Adobe Flash Player for Linux 9.0.151.0 and earlier that could allow an attacker who successfully exploits this potential vulnerability to take control of the affected system. A specially formed SWF must be loaded in Flash Player for Linux by the user for an attacker to exploit this potential vulnerability.

http://www.adobe.com/support/security/bulletins/apsb08-24.html
(In reply to comment #29)
> Release date: December 17, 2008
>
> Vulnerability identifier: APSB08-24
>
> CVE number: CVE-2008-5499
>
> Platform: Linux
> Summary
>
> A critical vulnerability has been identified in Adobe Flash Player for Linux
> 10.0.12.36, Adobe Flash Player for Linux 9.0.151.0 and earlier that could
> allow an attacker who successfully exploits this potential vulnerability to
> take control of the affected system. A specially formed SWF must be loaded in
> Flash Player for Linux by the user for an attacker to exploit this potential
> vulnerability.
>
> http://www.adobe.com/support/security/bulletins/apsb08-24.html

Oh, the solution: Adobe categorizes this as a critical update and recommends affected users upgrade to version 10.0.15.3.
Okay: 10.0.15.3 is in the tree. It can be stabilized immediately (Not like it's going to get any better with time...)
(In reply to comment #30)
> > CVE number: CVE-2008-5499
> > A critical vulnerability has been identified in Adobe Flash Player for Linux
> > 10.0.12.36, Adobe Flash Player for Linux 9.0.151.0 and earlier that could
> > allow an attacker who successfully exploits this potential vulnerability to
> > take control of the affected system. A specially formed SWF must be loaded in
> > Flash Player for Linux by the user for an attacker to exploit this potential
> > vulnerability.
> >
> > http://www.adobe.com/support/security/bulletins/apsb08-24.html

We're handling this one in bug 251496.

(In reply to comment #31)
> Okay: 10.0.15.3 is in the tree. It can be stabilized immediately (Not like
> it's going to get any better with time...)

And the stabilization is in bug 251496 as well. :)
And the GLSA for this bug will be common with bug 251496 too.
GLSA 200903-23
(In reply to comment #34)
> GLSA 200903-23

My flash still crashes...
Looks like CVE-2008-4546 isn't fixed.
http://www.securityfocus.com/archive/1/501691/30/0/threaded

my versions:
net-www/netscape-flash-10.0.22.87
www-client/mozilla-firefox-3.0.7

% grep mozilla-firefox /etc/portage/package.use
www-client/mozilla-firefox restrict-javascript xforms mozdevelop

% emerge --info
Portage 2.1.6.7 (default/linux/x86/2008.0/desktop, gcc-4.1.2, glibc-2.8_p20080602-r1, 2.6.27-gentoo-r8 i686)
=================================================================
System uname: Linux-2.6.27-gentoo-r8-i686-Intel-R-_Core-TM-2_Duo_CPU_E8200_@_2.66GHz-with-glibc2.0
Timestamp of tree: Thu, 12 Mar 2009 06:30:01 +0000
app-shells/bash: 3.2_p39
dev-java/java-config: 1.3.7-r1, 2.1.7
dev-lang/python: 2.4.4-r14, 2.5.2-r7
dev-python/pycrypto: 2.0.1-r8
dev-util/cmake: 2.4.8
sys-apps/baselayout: 1.12.11.1
sys-apps/sandbox: 1.2.18.1-r2
sys-devel/autoconf: 2.13, 2.63
sys-devel/automake: 1.4_p6, 1.5, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10.2
sys-devel/binutils: 2.18-r3
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool: 1.5.26
virtual/os-headers: 2.6.27-r2
ACCEPT_KEYWORDS="x86"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=i686 -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-O2 -march=i686 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="buildpkg ccache collision-protect distlocks doc fixpackages gpg noinfo parallel-fetch protect-owned sandbox sfperms strict unmerge-orphans userfetch"
GENTOO_MIRRORS="http://src.gentoo.pl http://gentoo.mirror.pw.edu.pl http://gentoo.mirror.web4u.cz http://distfiles.gentoo.org http://www.ibiblio.org/pub/Linux/distributions/gentoo"
LANG="en_US.UTF-8"
LDFLAGS="-Wl,-O1"
LINGUAS="en pl"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/portage/local/layman/enlightenment"
SYNC="rsync://repo.non.3dart.com/gentoo-portage"
USE="X acl acpi alsa async berkdb bluetooth branding bzip2 cairo cdr cli cracklib crypt cups curl dbus dri dvd dvdr dvdread emboss encode esd evo exif fam firefox gdbm gif gnome gpm gstreamer gtk hal iconv idn imap isdnlog jabber jpeg kerberos lame ldap libnotify logrotate lzo mad memlimit mikmod mp3 mpeg mudflap mysql ncurses nls nntp nptl nptlonly nsplugin ogg opengl openmp pam pch pcre pdf perl php png ppds pppd python qt3support quicktime rdesktop readline reflection reiserfs ruby samba sdl session snmp spell spl srt ssl startup-notification svg sysfs syslog tcpd theora threads tiff truetype unicode usb vim-syntax vorbis win32codecs x86 xml xorg xscreensaver xulrunner xv xvid zlib"
ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci"
ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol"
APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias"
ELIBC="glibc"
INPUT_DEVICES="keyboard mouse evdev"
KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text"
LINGUAS="en pl"
USERLAND="GNU"
VIDEO_CARDS="radeon ati vesa vga nv nvidia"
Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LC_ALL, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
(In reply to comment #35)
> (In reply to comment #34)
> > GLSA 200903-23
> >
> > My flash still crashes...
> Looks like CVE-2008-4546 isn't fixed.

This seems to be correct. I am not sure why the CVE was added to this bug when the affected versions differ. We should remove the CVE from the GLSA and either track this as a new bug, or not track this as a bug at all (since it's a client DoS).
We have modified the GLSA and removed the reference to CVE-2008-4546. Agreeing with the maintainer, we are not following up on this DoS issue separately.