From the oss-sec mailing list at $URL: "a security flaw was found in the way Shockwave Flash plug-in of the gnash, a GNU flash movie player, performed management of HTTP cookies (they were stored under /tmp directory with predictable name and world- readable permissions). A local attacker could use this flaw to obtain sensitive information." [1] http://secunia.com/advisories/46955/ [2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=649384 [3] https://bugzilla.redhat.com/show_bug.cgi?id=755518
http://git.savannah.gnu.org/gitweb/?p=gnash.git;a=commitdiff;h=fa481c116e65ccf9137c7ddc8abc3cf05dc12f55 applied in 0.8.9-r1. Arches, please stabilize www-plugins/gnash-0.8.9-r1 Target keywords: amd64 ppc ~ppc64 ~sparc x86 Due to bug 366407, gnash may fail to build if multiple versions of boost are present on the system. This is not a regression from 0.8.8.
@chithanh: Can you fix on the fly: Files matching a file type that is not allowed: usr/lib/kde4/libklashpart.so * ERROR: www-plugins/gnash-0.8.9-r1 failed: * multilib-strict check failed!
Ditto ago-- * Call stack: * misc-functions.sh, line 992: Called install_qa_check * misc-functions.sh, line 716: Called die * The specific snippet of code: * [[ ${abort} == yes ]] && die "multilib-strict check failed!"
The multilib-strict check passes now in 0.8.9-r2
amd64 ok
amd64 stable
x86 stable
GLSA Vote: yes.
GLSA vote: yes. Updated existing GLSA request.
This issue was resolved and addressed in GLSA 201207-08 at http://security.gentoo.org/glsa/glsa-201207-08.xml by GLSA coordinator Sean Amoss (ackle).
CVE-2011-4328 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4328): plugin/npapi/plugin.cpp in Gnash before 0.8.10 uses weak permissions (word readable) for cookie files with predictable names in /tmp, which allows local users to obtain sensitive information.