Bug 185141

Comment 1 Jakub Moc (RETIRED) 2007-07-13 03:04:15 UTC

(In reply to comment #0)
> There's RESTRICT="mirror" and SRC_URI is the same, so previous version should
> be deleted from the tree.

Wonderful; upstream folks really 'rock'. Bleh :/ 

Comment 2 Matteo Azzali (RETIRED) 2007-07-13 11:52:30 UTC

Upstream just corrected a vulnerability, and removed the vulnerable 
package:
http://www.betanews.com/article/Adobe_Patches_Flash_Vulnerabilities/1184255769

this means that this bug should be processed ASAP.

Comment 3 Jakub Moc (RETIRED) 2007-07-13 11:57:19 UTC

(In reply to comment #2)
> Upstream just corrected a vulnerability, and removed the vulnerable 
> package:
> http://www.betanews.com/article/Adobe_Patches_Flash_Vulnerabilities/1184255769

That's nice, now someone should teach them how to use versions properly in tarball names.

Comment 4 Matteo Azzali (RETIRED) 2007-07-13 12:02:10 UTC

ops, I forgot to mention that a version-named archive can be found at:
http://macromedia.mplug.org/rpmsource/

( http://macromedia.mplug.org/rpmsource/flash-player-plugin-9.0.48.0.tar.bz2
for this latest package )

Comment 5 Jakub Moc (RETIRED) 2007-07-13 12:02:48 UTC

http://secunia.com/advisories/26027/

An input validation error can be exploited to execute arbitrary code when a user e.g. visits a malicious website.

The vulnerability affects versions 9.0.45.0 and prior.

http://www.adobe.com/support/security/bulletins/apsb07-12.html

Summary

Critical vulnerabilities have been identified in Adobe Flash Player that could allow an attacker who successfully exploits these potential vulnerabilities to take control of the affected system. A malicious SWF must be loaded in Flash Player by the user for an attacker to exploit these potential vulnerabilities. Users are recommended to update to the most current version of Flash Player available for their platform.

Severity rating

Adobe categorizes this as a critical issue and recommends affected users upgrade to version 9.0.47.0 (Win, Mac, Solaris) or 9.0.48.0 (Linux).
Details

An input validation error has been identified in Flash Player 9.0.45.0 and earlier versions that could lead to the potential execution of arbitrary code. This vulnerability could be accessed through content delivered from a remote location via the user’s web browser, email client, or other applications that include or reference the Flash Player. (CVE-2007-3456)

An issue with insufficient validation of the HTTP Referer has been identified in Flash Player 8.0.34.0 and earlier. This issue does not affect Flash Player 9. This issue could potentially aid an attacker in executing a cross-site request forgery attack. (CVE-2007-3457)

The Linux and Solaris updates for Flash Player 7 (7.0.70.0) address the issues with Flash Player and the Opera and Konqueror browsers described in Security Advisory APSA07-03. These issues do not impact Flash Player 9 on Linux or Solaris. (CVE-2007-2022)

Comment 6 Olivier Crete (RETIRED) 2007-07-13 13:20:51 UTC

I put 9.0.48.0 in the tree and removed 9.0.31.0.
Its straight to stable, since the old version disappeared...
I guess this is a case for a GLSA? Security team, its all yours!

Looks like upstream have replaced flash_player_9_linux_dev.tar.gz with a new version too - it's 8,820,378 bytes long and the manifest says 8,820,435. (Of course, why flash_player_9_linux_dev.tar.gz is being downloaded at all is an interesting question in itself...)

... which means that the currently stable'd netscape-flash fails to install, which is somewhat unfun.

Comment 9 Olivier Crete (RETIRED) 2007-07-14 16:16:45 UTC

I just fetched it again and the digest match.

9.0.48.0 always fails to complete for me, since first adding to portage.

Resolving fpdownload.macromedia.com... 72.246.34.70
Connecting to fpdownload.macromedia.com|72.246.34.70|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 8,820,378 (8.4M) [application/x-gzip]

100%[=====================================>] 8,820,378      1.07M/s    ETA 00:00

12:20:01 (1.04 MB/s) - `/usr/portage/distfiles/flash_player_9_linux_dev.tar.gz' saved [8820378/8820378]

!!! Couldn't download 'flash_player_9_linux_dev.tar.gz'. Aborting.

Comment 11 Arfrever Frehtes Taifersar Arahesis (RETIRED) 2007-07-14 16:27:42 UTC

(In reply to comment #7 and comment #8 and comment #10)

Run:
emerge --sync
rm -fr /usr/portage/distfiles/install_flash_player_9_linux.tar.gz
rm -fr /usr/portage/distfiles/flash_player_9_linux_dev.tar.gz

Comment 12 Arfrever Frehtes Taifersar Arahesis (RETIRED) 2007-07-14 16:52:23 UTC

>>> Install netscape-flash-9.0.48.0 into /var/tmp/portage/net-www/netscape-flash-9.0.48.0/image/ category net-www
dodoc: install_flash_player_9_linux/Readme.txt does not exist
>>> Completed installing netscape-flash-9.0.48.0 into /var/tmp/portage/net-www/netscape-flash-9.0.48.0/image/


Patch:
--- netscape-flash-9.0.48.0.ebuild
+++ netscape-flash-9.0.48.0.ebuild
@@ -56,7 +56,6 @@
        dobin flashplayer

        dodoc ${MY_PD}/README
-       use debug || dodoc ${MY_P}/Readme.txt

        cd ${MY_P}
        exeinto /opt/netscape/plugins

(In reply to comment #11)
> (In reply to comment #7 and comment #8 and comment #10)
> 
> Run:
> emerge --sync
> rm -fr /usr/portage/distfiles/install_flash_player_9_linux.tar.gz
> rm -fr /usr/portage/distfiles/flash_player_9_linux_dev.tar.gz
> 

Of course. Already tried that, every 12 hours since the ebuild was added. :-) Doesn't work for me.

Comment 14 Olivier Crete (RETIRED) 2007-07-14 17:01:48 UTC

(In reply to comment #12)
> Patch:
> -       use debug || dodoc ${MY_P}/Readme.txt

Thanks for noticing, I fixed the ebuild.

Comment 15 Olivier Crete (RETIRED) 2007-07-14 22:48:06 UTC

Ok, I've given up on flash... its package.masked.. I guess you may want to send out a GLSA?

(In reply to comment #10)
> 9.0.48.0 always fails to complete for me, since first adding to portage.
> 
same problem in my 32bit gentoo chroot environment

Created attachment 124893 [details, diff]
tar => version rpm for flash

The RPM version comes as a versioned file, so heres a patch to use that instead of the tarball.

debug removed since it doesn't come versioned.

This patch worked here, both with and without USE=debug.  I have no idea why:

--- netscape-flash-9.0.48.0.ebuild.orig 2007-07-14 21:15:49.000000000 -0700
+++ netscape-flash-9.0.48.0.ebuild      2007-07-14 21:11:37.000000000 -0700
@@ -8,8 +8,9 @@
 MY_PD="flash_player_9_linux_dev"

 DESCRIPTION="Adobe Flash Player"
-SRC_URI="!debug? ( http://fpdownload.macromedia.com/get/flashplayer/current/${MY_P}.tar.gz )
-       http://fpdownload.macromedia.com/pub/flashplayer/updaters/9/${MY_PD}.tar.gz"
+SRC_URI="debug? ( http://fpdownload.macromedia.com/pub/flashplayer/updaters/9/${MY_PD}.tar.gz )
+       http://fpdownload.macromedia.com/get/flashplayer/current/${MY_P}.tar.gz"
+
 HOMEPAGE="http://www.adobe.com/"
 IUSE="debug"
 SLOT="0"

Ah, crap.  Sorry about the formatting.

This patch works here on my AMD64 under ndiswrapper.  The workaround works and gets us out of the current really crappy situation.  Unless there are problems, it should probably be committed.

Comment 21 Olivier Crete (RETIRED) 2007-07-15 22:10:54 UTC

It works for some people and not for others, because different mirrors have different files, its impossible for us to properly support it.

Why not use the versioned tarball from comment #4?

Comment 23 Olivier Crete (RETIRED) 2007-07-16 14:16:50 UTC

(In reply to comment #22)
> Why not use the versioned tarball from comment #4?


If you go to macromedia.mplug.org, you'll see that they stated that this mirror won't be there for long.

(In reply to comment #21)
> It works for some people and not for others, because different mirrors have
> different files, its impossible for us to properly support it.
> 

http://fpdownload.macromedia.com/get/flashplayer/current/flash-plugin-9.0.48.0-release.i386.rpm

This link is versioned and there is a patch to the ebuild that supports it.  I copied it directly from the macromedia webiage.  What's the problem exactly?  I mean, your bug and all but seems like something this major is worth getting a fix out there until a more permanent solution can be attained.

Comment 25 Jim Ramsay (lack) (RETIRED) 2007-07-17 20:27:21 UTC

> (In reply to comment #21)
> http://fpdownload.macromedia.com/get/flashplayer/current/flash-plugin-9.0.48.0-release.i386.rpm
> 
> This link is versioned and there is a patch to the ebuild that supports it.  I
> copied it directly from the macromedia webiage.  What's the problem exactly?  I
> mean, your bug and all but seems like something this major is worth getting a
> fix out there until a more permanent solution can be attained.

Indeed, this patch seems to work for me.

One thing the patch misses are installing the README and readme.txt files from the rpm.  However, this may not be a big deal since the README file refers to version 9.0.31.0 and the readme.txt still refers to "Flash Player 9 for Linux: BETA"

Shouldn't the severity be upgraded to major? (A major loss of function - no current support for flash.)

Comment 27 Jim Ramsay (lack) (RETIRED) 2007-07-19 17:02:34 UTC

Committed net-www/netscape-flash-9.0.48.0-r1 that installs from the RPM instead of the tarball.

Hopefully this should:
a) Work
b) Alleviate the security concern

Enjoy :)

Comment 28 Olivier Crete (RETIRED) 2007-07-19 17:06:47 UTC

shouldn't this be re-opened for a GLSA ?

Comment 29 Pierre-Yves Rofes (RETIRED) 2007-07-19 17:43:53 UTC

indeed, please do not close security bugs by yourself, we will handle it ;)

Comment 30 Jim Ramsay (lack) (RETIRED) 2007-07-19 19:21:03 UTC

Oops, my apologies :)

(In reply to comment #13)
> Doesn't work for me.

Works now. :-)

Comment 32 Pierre-Yves Rofes (RETIRED) 2007-07-24 09:19:00 UTC

adding CVE refs.

Comment 33 Pierre-Yves Rofes (RETIRED) 2007-08-08 21:20:17 UTC

that was GLSA 200708-01, thanks everybody!