Bug 239543 (CVE-2007-4324) - net-www/netscape-flash <10.0.12.36-r1 Multiple vulnerabilities (CVE-2007-{4324,6243},CVE-2008-{3873,4401,4503,4818,4819,4821,4822,4823,4824,5361,5362,5363})
Status: RESOLVED FIXED
Alias: CVE-2007-4324
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
URL: http://www.adobe.com/support/security...
Whiteboard: A2 [glsa]
Reported: 2008-10-04 14:54 UTC by Stefan Behte (RETIRED)
Modified: 2009-03-12 13:21 UTC
Description Stefan Behte (RETIRED) gentoo-dev Security 2008-10-04 14:54:18 UTC
CVE-2008-3873 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3873):
  The System.setClipboard method in Adobe Flash Player allows remote
  attackers to populate the clipboard with a URL that is difficult to
  delete, as exploited in the wild in August 2008.
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2008-10-04 14:55:59 UTC
http://raffon.net/research/flash/cb/test.html
Comment 2 Stefan Behte (RETIRED) gentoo-dev Security 2008-10-04 15:00:14 UTC
We should stabilize version 10.
Comment 3 Stefan Behte (RETIRED) gentoo-dev Security 2008-10-10 13:23:13 UTC
Name:      CVE-2008-4503
URL:       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4503
Published: 2008-10-09
Severity:  Medium
Description:

The Settings Manager in Adobe Flash Player 9.0.124.0 and earlier allows
remote attackers to cause victims to unknowingly click on a link or
dialog via access control dialogs disguised as normal graphical
elements, as demonstrated by hijacking the camera or microphone, and
related to "clickjacking."

Added it, because we need >9.0.124.0 for that vulnerability, too.
Comment 4 Jim Ramsay (lack) (RETIRED) gentoo-dev 2008-10-10 14:26:38 UTC
(In reply to comment #2)
> We should stabilize version 10.
 
Three outstanding issues here:

The first is the "windowless mode crash" issue that affects <firefox-3.0.2 (bug 230413), so it would be best to wait until ff-3.0.3 goes stable.  There is a workaround, but it would be much cleaner to wait.  That said, I'm not sure what the status is with the currently-stable firefox-2.0.0.17.

Secondly, I have heard reports (bug 239163) that some badly-written sites don't recognize version 10 of flash as being greater than version 9 (Apparently they string compare and not numeric compare... Go javascript!), so they will tell you to *upgrade* your flash version if it's too new :)

And finally, the current v10 is just an RC, not a true release.  I can of course stabilize an RC if we really want, but with the other existing issues, I'd much prefer to leave it for the moment.  I do already warn users (via ewarn, and I know most people don't see it...) to be careful and use an add-on like "flashblock" to only run flash applets they trust.

I'm sure these vulnerabilities won't be the last, nor will v10 be free of flaws :)
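As an added illustration of the string-versus-numeric comparison mistake mentioned above (example code, not from the bug or from any site it refers to; the version strings and plugin description format are constructed), this shows how a plain string comparison puts Flash 10 below Flash 9, and a per-component numeric check that orders the versions named in this bug correctly:

```javascript
// Added example: why a JS string comparison misorders Flash 10 below Flash 9,
// and how a numeric per-component comparison gets the ordering right.

// Split a dotted version such as "10.0.12.36" into numeric components.
// Non-numeric parts count as 0.
function parseVersion(v) {
  return String(v).split('.').map(part => {
    const n = parseInt(part, 10);
    return Number.isNaN(n) ? 0 : n;
  });
}

// Comparator: -1 if a < b, 0 if equal, 1 if a > b. Missing trailing
// components are treated as 0, so "9.0.124" equals "9.0.124.0".
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  const len = Math.max(pa.length, pb.length);
  for (let i = 0; i < len; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Pull "major.minor.release" out of a plugin description string. The
// "Shockwave Flash 10.0 r12" layout is a constructed sample for this example.
function versionFromDescription(desc) {
  const m = /(\d+)\.(\d+)(?:\s*r(\d+))?/.exec(desc);
  if (!m) return null;
  return [m[1], m[2], m[3] || '0'].join('.');
}

// The broken check described in the bug: with two strings, >= compares
// character by character, so "10..." sorts before "9...".
function naiveMeetsMinimum(installed, required) {
  return installed >= required;
}

// Correct check: compare components as numbers.
function meetsMinimum(installed, required) {
  return compareVersions(installed, required) >= 0;
}

// Constructed inputs, matching the releases named in this bug.
const INSTALLED = '10.0.12.36';
const REQUIRED = '9.0.124.0';

console.log(naiveMeetsMinimum(INSTALLED, REQUIRED)); // false: user told to "upgrade"
console.log(meetsMinimum(INSTALLED, REQUIRED));      // true
console.log(versionFromDescription('Shockwave Flash 10.0 r12')); // "10.0.12"
```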
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2008-10-10 15:02:26 UTC
Agreed.
Since these vulnerabilities mostly impact usability and not the integrity of the systems, there is no sense in pushing prereleases that have other known flaws (but no CVE numbers assigned to them).
Comment 6 Stefan Behte (RETIRED) gentoo-dev Security 2008-10-15 07:06:46 UTC
Seems that a new (stable!) Version is out:

http://www.adobe.com/shockwave/download/download.cgi?P1_Prod_Version=ShockwaveFlash&P2_Platform=Linux&P5_Language=English

Adobe Flash Player-Version 10.0.12.36
.tar.gz for Linux (x86) | 3,8 MB
Comment 7 Jim Ramsay (lack) (RETIRED) gentoo-dev 2008-10-15 17:31:36 UTC
Indeed, I just added net-www/netscape-flash-10.0.12.36 to portage.

I think I'd like to wait a week or so to let this settle out, but I'll push for stabilization then, providing no extremely ugly issues surface.
Comment 8 Stefan Behte (RETIRED) gentoo-dev Security 2008-10-16 21:28:03 UTC
There are other holes, I wonder why 7.0.68 is marked stable in the tree? It should be masked and removed later on, too.

e.g.:
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6243
Adobe Flash Player 9.x up to 9.0.48.0, 8.x up to 8.0.35.0, and 7.x up to 7.0.70.0 does not sufficiently restrict the interpretation and usage of cross-domain policy files, which makes it easier for remote attackers to conduct cross-domain and cross-site scripting (XSS) attacks.

BTW: Adobe says that it's a critical patch:
http://www.adobe.com/support/security/bulletins/apsb08-18.html
Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2008-10-17 09:50:35 UTC
Reportedly, CVE-2008-4401 allows for code execution, raising severity.

How's this version been doing, can we target 2008-10-19 or earlier for stabilization?
Comment 10 Jim Ramsay (lack) (RETIRED) gentoo-dev 2008-10-17 13:54:57 UTC
(In reply to comment #9)
> reportedly, CVE-2008-4401 allows for code execution, raising severity.
> 
> How's this version been doing, can we target 2008-10-19 or earlier for
> stabilization?

Good news - No bugs reported yet, that I've seen.

I just have to decide based on firefox adoption whether I need to default the "windowless mode crash" fix to ON or OFF.  I'll talk to the ff folk and should have this ready to go by the 19th at the latest.
Comment 11 Jim Ramsay (lack) (RETIRED) gentoo-dev 2008-10-17 13:56:14 UTC
(In reply to comment #8)
> There are other holes, I wonder why 7.0.68 is marked stable in the tree? It
> should be masked and removed later on, too.

Just hanging on for no good reason except that I hadn't removed it yet.

No need to mask, since 9.x is stable on all the same arch's.  I have removed it from the tree.
Comment 12 Jim Ramsay (lack) (RETIRED) gentoo-dev 2008-10-17 20:33:39 UTC
Okay, all outstanding issues for flash-10 are fixed in net-www/netscape-flash-10.0.12.36-r1

I deem it can go stable any time.
Comment 13 Robert Buchholz (RETIRED) gentoo-dev 2008-10-18 15:53:08 UTC
Arches, please test and mark stable:
=net-www/netscape-flash-10.0.12.36-r1
Target keywords : "amd64 x86"
Comment 14 Dawid Węgliński (RETIRED) gentoo-dev 2008-10-18 16:21:03 UTC
amd64 stable
Comment 15 Stefan Behte (RETIRED) gentoo-dev Security 2008-10-18 20:19:45 UTC
CVE-2008-4546 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4546):
  Adobe Flash Player 9.0.45.0, 9.0.112.0, 9.0.124.0, and 10.0.12.10
  allows remote web servers to cause a denial of service (NULL pointer
  dereference and browser crash) by returning a different response when
  an HTTP request is sent a second time, as demonstrated by two
  responses that provide SWF files with different SWF version numbers.

Comment 16 Nickolas Grigoriadis 2008-10-20 08:08:39 UTC
Note that <mozilla-firefox-3.0.2 or <mozilla-firefox-bin-3.0.2 has a bug which will cause Flash 10 to crash the browser when rendering a wmode frame.

For info on the Flash 10 crash look at here:
http://blogs.adobe.com/penguin.swf/2008/07/addessing_wmode_crashes.html
It seems that Firefox 3.0.2 has the patch that fixes the issue:
https://bugzilla.mozilla.org/show_bug.cgi?id=435764

Any chance of blocking on less than ff3.0.2?
Comment 17 Jim Ramsay (lack) (RETIRED) gentoo-dev 2008-10-20 12:30:59 UTC
(In reply to comment #16)
> Note that <mozilla-firefox-3.0.2 or <mozilla-firefox-bin-3.0.2 has a bug which
> will cause Flash 10 to crash the browser when rendering a wmode frame.
> 
> Any chance of blocking on less than ff3.0.2?

No.  The only stable ff in the tree is 2.0.0.17, and the only unstable versions are 3.0.3 which is no longer affected by the wmode bug, and 3.0-r1 which is only still in the tree because of 3.0.3-issues on sparc.

Now, flash is only available for x86 and amd64, which should either have 2.0.0.17 (stable) or 3.0.3 (unstable) installed, neither of which are affected by the wmode bug.  I am assured that 3.0-r1 will NOT be going stable on any arch because of security issues, so it is guaranteed that at least 3.0.3 will be going stable in the future.

Furthermore, for the very small percentage of users who may install 3.0-r1 by choice, or are running ~arch but neglect to update their firefox at the same time as everything else for some reason, the flash ebuild now installs the magic /etc/adobe/mms.cfg file, which has an entry that can disable the "WindowlessMode" thereby avoiding the crash.
Comment 18 Markus Meier gentoo-dev 2008-10-23 18:26:00 UTC
x86 stable, all arches done.
Comment 19 Jim Ramsay (lack) (RETIRED) gentoo-dev 2008-10-28 13:14:21 UTC
I have also p.masked <net-www/netscape-flash-10.0.12.36

Version 9 is still in the tree for now, but will be removed soon.
Comment 20 Paolo Bacchetta 2008-11-05 08:17:37 UTC
(In reply to comment #19)
> I have also p.masked <net-www/netscape-flash-10.0.12.36
> 
> Version 9 is still in the tree for now, but will be removed soon.
> 

It seems epiphany suffers from the same crash problems mentioned above in relation to firefox. Any suggestion to avoid that? See bug 245041 for details.
Comment 21 Timo Gurr (RETIRED) gentoo-dev 2008-11-06 11:40:27 UTC
Adobe has released an updated version of flash9 (9.0.151.0) to address some (all?) open security issues:

http://www.adobe.com/go/kb406791

Might be worth adding to the tree to make all those konqueror users happy again. ;)
Comment 22 Jim Ramsay (lack) (RETIRED) gentoo-dev 2008-11-06 15:08:56 UTC
(In reply to comment #21)
> Adobe has released an updated version of flash9 (9.0.151.0) to address
> some (all?) open security issues:
> 
> http://www.adobe.com/go/kb406791
> 
> Might be worth adding to the tree to make all those konqueror users happy
> again. ;)

Thanks, just added it.  Sadly they're only using the un-versioned tarball as the source for this (and I can't mirror it either, thanks to licensing issues), so hopefully not many people will use it.  I think I'll keep version 9 unmasked but at ~arch, so by default people will get the stable version 10.

Do we know if this fixes any of the relevant security bugs here?  I can't seem to find out exactly what Adobe's new 9 release changes.
Comment 23 Timo Gurr (RETIRED) gentoo-dev 2008-11-07 09:05:37 UTC
(In reply to comment #22)
> Sadly they're only using the un-versioned tarball as
> the source for this (and I can't mirror it either, thanks to licensing issues)

I don't know if it can be of much use, but Adobe also offers an archive tarball for each major version which is regularly updated when a new maintenance version appears. The zip file includes all previous versions with versioned subdirectories:

http://www.adobe.com/go/tn_14266
Comment 24 Stefan Behte (RETIRED) gentoo-dev Security 2008-11-11 00:07:05 UTC
CVE-2008-4822 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4822):
  Adobe Flash Player 9.0.124.0 and earlier does not properly interpret
  policy files, which allows remote attackers to bypass a non-root
  domain policy.

Comment 25 Stefan Behte (RETIRED) gentoo-dev Security 2008-11-11 00:11:20 UTC
Just added those bugs for the archive.
Comment 26 Stefan Behte (RETIRED) gentoo-dev Security 2008-11-18 18:44:44 UTC
Name:      CVE-2008-4824
URL:       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4824
Published: 2008-11-17
Severity:  High
Description:

Multiple unspecified vulnerabilities in Adobe Flash Player 10.x before
10.0.12.36 and 9.x before 9.0.151.0 allow remote attackers to execute
arbitrary code via unknown vectors related to "input validation errors."
Comment 27 Robert Buchholz (RETIRED) gentoo-dev 2008-12-17 15:44:36 UTC
CVE-2008-5361 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5361):
  The ActionScript 2 virtual machine in Adobe Flash Player 10.x before
  10.0.12.36 and 9.x before 9.0.151.0, and Adobe AIR before 1.5, does
  not verify a member element's size when performing (1)
  DefineConstantPool, (2) ActionJump, (3) ActionPush, (4) ActionTry,
  and unspecified other actions, which allows remote attackers to read
  sensitive data from process memory via a crafted PDF file.

Comment 28 Robert Buchholz (RETIRED) gentoo-dev 2008-12-17 15:50:17 UTC
CVE-2008-5362 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5362):
  The DefineConstantPool action in the ActionScript 2 virtual machine
  in Adobe Flash Player 10.x before 10.0.12.36 and 9.x before
  9.0.151.0, and Adobe AIR before 1.5, accepts an untrusted input value
  for a "constant count," which allows remote attackers to read
  sensitive data from process memory via a crafted PDF file.

CVE-2008-5363 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5363):
  The ActionScript 2 virtual machine in Adobe Flash Player 10.x before
  10.0.12.36 and 9.x before 9.0.151.0, and Adobe AIR before 1.5, does
  not validate character elements during retrieval from the dictionary
  data structure, which allows remote attackers to cause a denial of
  service (NULL pointer dereference and application crash) via a
  crafted PDF file.

Comment 29 Richard Cox 2008-12-20 22:21:36 UTC
Release date: December 17, 2008

Vulnerability identifier: APSB08-24

CVE number: CVE-2008-5499

Platform: Linux
Summary

A critical vulnerability has been identified in Adobe Flash Player for Linux 10.0.12.36,  Adobe Flash Player for Linux 9.0.151.0 and earlier that could allow an attacker who successfully exploits this potential vulnerability to take control of the affected system. A specially formed SWF must be loaded in Flash Player for Linux by the user for an attacker to exploit this potential vulnerability.

http://www.adobe.com/support/security/bulletins/apsb08-24.html
Comment 30 Richard Cox 2008-12-20 22:24:08 UTC
(In reply to comment #29)
> Release date: December 17, 2008
> 
> Vulnerability identifier: APSB08-24
> 
> CVE number: CVE-2008-5499
> 
> Platform: Linux
> Summary
> 
> A critical vulnerability has been identified in Adobe Flash Player for Linux
> 10.0.12.36,  Adobe Flash Player for Linux 9.0.151.0 and earlier that could
> allow an attacker who successfully exploits this potential vulnerability to
> take control of the affected system. A specially formed SWF must be loaded in
> Flash Player for Linux by the user for an attacker to exploit this potential
> vulnerability.
> 
> http://www.adobe.com/support/security/bulletins/apsb08-24.html
> 

Oh, the solution:

Adobe categorizes this as a critical update and recommends affected users upgrade to version 10.0.15.3.
Comment 31 Jim Ramsay (lack) (RETIRED) gentoo-dev 2008-12-21 15:55:43 UTC
Okay: 10.0.15.3 is in the tree.  It can be stabilized immediately (Not like it's going to get any better with time...)
Comment 32 Christian Hoffmann (RETIRED) gentoo-dev 2008-12-21 21:21:45 UTC
(In reply to comment #30)
> > CVE number: CVE-2008-5499
> > A critical vulnerability has been identified in Adobe Flash Player for Linux
> > 10.0.12.36,  Adobe Flash Player for Linux 9.0.151.0 and earlier that could
> > allow an attacker who successfully exploits this potential vulnerability to
> > take control of the affected system. A specially formed SWF must be loaded in
> > Flash Player for Linux by the user for an attacker to exploit this potential
> > vulnerability.
> > 
> > http://www.adobe.com/support/security/bulletins/apsb08-24.html
We're handling this one in bug 251496.

(In reply to comment #31)
> Okay: 10.0.15.3 is in the tree.  It can be stabilized immediately (Not like
> it's going to get any better with time...)
And the stabilization is in bug 251496 as well. :)

Comment 33 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2009-01-11 17:48:19 UTC
And the GLSA for this bug will be common with bug 251496 too.
Comment 34 Pierre-Yves Rofes (RETIRED) gentoo-dev 2009-03-10 22:31:55 UTC
GLSA 200903-23
Comment 35 szmytson 2009-03-12 12:16:27 UTC
(In reply to comment #34)
> GLSA 200903-23
> 

My flash still crashes...
Looks like CVE-2008-4546 isn't fixed.

http://www.securityfocus.com/archive/1/501691/30/0/threaded

my versions:
net-www/netscape-flash-10.0.22.87
www-client/mozilla-firefox-3.0.7

% grep mozilla-firefox /etc/portage/package.use 
www-client/mozilla-firefox restrict-javascript xforms mozdevelop

% emerge --info
Comment 36 Robert Buchholz (RETIRED) gentoo-dev 2009-03-12 12:31:03 UTC
(In reply to comment #35)
> (In reply to comment #34)
> > GLSA 200903-23
> > 
> 
> My flash still crashes...
> Looks like CVE-2008-4546 isn't fixed.

This seems to be correct. I am not sure why the CVE was added to this bug when the affected versions differ. We should remove the CVE from the GLSA and either track this as a new bug, or not track this as a bug at all (since it's a client DoS).
Comment 37 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-03-12 13:21:38 UTC
We have modified the GLSA and removed the reference to CVE-2008-4546.
Agreeing with the maintainer, we are not following up on this DoS issue separately.