The netscape-flash package installs an old vulnerable `gflashplayer` when the gtk USE flag is set. This version is vulnerable to a security flaw and should be removed from the package.
No maintainer...
So there is no new version of gflashplayer? Our only choice is to not install it at all?
The Secunia advisory says that v8 and v7.0.60.0/7.0.61.0 are not vulnerable. The current ebuild installs 7.0.25 so presumably that's vulnerable as well as gflashplayer. There's no v8 available for Linux, and while there is a 7.0.61.0 currently at http://fpdownload.macromedia.com/get/flashplayer/current/install_flash_player_7_linux.tar.gz it is not available through the official mirror sites http://macromedia.mplug.org/ where the latest version is 7.0.25.0 (presumably vulnerable). This macromedia.com URL obviously isn't stable from one point revision to the next, and http://www.macromedia.com/software/flashplayer/productinfo/faq/#item-3-2 explicitly prohibits redistribution. We could create net-www/netscape-flash-7.ebuild, and do a -rN bump every time Macromedia do a point revision so users see the revision change. Might need RESTRICT=fetch. Alternatively perhaps poking macromedia.mplug.org to update would be simpler (warren@togami.com) - 7.0.61.0 was released 4th Nov. The standalone player in v6 doesn't use libflashplayer.so so presumably is vulnerable, and as there's no newer version I guess we should ditch it.
Dropped an e-mail to warren@togami.com.
Kevin, the Secunia advisory says "versions prior to 7.0.25.0 on the Unix platform.", so the plugin is fine, only the gflashplayer is vulnerable.
Hmm; didn't see that bit, I paid more attention to the 'solution' part that indicates updating to 7.0.61.0 as the recommended fix. Macromedia's notice at http://www.macromedia.com/devnet/security/security_zone/mpsb05-07.html says "Flash Player 7.0.53.0 and earlier" are vulnerable; whether that includes the Unix version or not is unclear but there's no real reason to suspect the Unix version is any different to the Windows version in this respect. The SEC Consult and the eEye reports are different overflows, similar enough to be the same issue but in different functions. Macromedia's release indicates there were multiple instances of unchecked array bounds, "There was a problem with bounds validation for indexes of certain arrays in Flash Player 7 and earlier". SEC Consult say their issue is resolved in 7.0.25.0, eEye don't identify specific point revisions, however Macromedia say 7.0.61.0 or 7.0.60.0 are the versions in which the problems are fixed, so I'd tend to go with that.
karma@designfolks.com.au provided a testcase (http://www.designfolks.com.au/df.swf). It does crash gflashplayer, but the plugin seems to survive.
Oops, my mistake, the plugin is affected as well.
shellsage points out Macromedia has released a new version of the plugin here: http://www.macromedia.com/devnet/security/security_zone/mpsb05-07.html. I've installed 7.0.61.0 and confirm the PoC no longer works. No gflashplayer, but we need to push the plugin out ASAP.
Created attachment 73126: Ebuild for =net-www/netscape-flash-7.0.61. Sending ebuild per taviso's request.
A note about the ebuild I just posted: I removed support for gflashplayer and the gtk use flag. Versions <= 7.0.61 of the player are vulnerable.
No maintainer, so security should bump it.
Tavis/solar/vapier: please double-check the ebuild and security-bump that package. The sooner it's out, the better.
Bumpified, requires stabilisation.
Arches please test and mark stable.
Using this plugin, if I right click on a movie in Firefox, it crashes Firefox. Firefox is 1.0.7-r3... The current stable plugin does not have this issue.
Works fine here. amd64 done.
Chris: can't reproduce your issue on x86 with Firefox 1.0.7. Right-clicking on Flash things works OK here. x86 ATs, please confirm.
No problems in firefox or mozilla for me. Looks good on x86.
GLSA 200511-21