Summary: | net-www/netscape-flash <10.0.22.87 Multiple vulnerabilities (CVE-2009-{0114,0519,0520,0521,0522}) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Robert Buchholz (RETIRED) <rbu> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | major | CC: | desktop-misc, ilmari.hytonen, lack, realnc |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://www.adobe.com/support/security/bulletins/apsb09-01.html | ||
Whiteboard: | A2 [glsa] | ||
Package list: | Runtime testing required: | --- |
Description
Robert Buchholz (RETIRED)
2009-02-25 16:11:41 UTC
net-www/netscape-flash-10.0.22.87 is in the tree, at ~amd64 and ~x86 As this is the first time I've done a multilib installer for the flash installer (Yay, 32-bit and 64-bit plugins!), we should let it settle out a bit before stabilization. I've also bumped to net-www/netscape-flash-9.0.159.0 which theoretically backports the same security fixes as are in 10.0.22.87 to flash-9, for those folks who don't like new features. So let's target a week from now as a stabling date and collect as many bugs as we can until then. Agreed. *** Bug 260371 has been marked as a duplicate of this bug. *** No problems with 10.0.22.87 on ~x86 yet, I've been using it since it hit the tree, youtube etc. work flawless. Thanks! Adding lowest CVE number to Alias. CVE-2009-0114 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0114): Unspecified vulnerability in the Settings Manager in Adobe Flash Player 9.x before 9.0.159.0 and 10.x before 10.0.22.87, and possibly other versions, allows remote attackers to trick a user into visiting an arbitrary URL via unknown vectors, related to "a potential Clickjacking issue variant." CVE-2009-0519 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0519): Unspecified vulnerability in Adobe Flash Player 9.x before 9.0.159.0 and 10.x before 10.0.22.87 allows remote attackers to cause a denial of service (browser crash) or possibly execute arbitrary code via a crafted Shockwave Flash (aka .swf) file. CVE-2009-0520 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0520): Adobe Flash Player 9.x before 9.0.159.0 and 10.x before 10.0.22.87 does not properly remove references to destroyed objects during Shockwave Flash file processing, which allows remote attackers to execute arbitrary code via a crafted file, related to a "buffer overflow issue." CVE-2009-0521 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0521): Untrusted search path vulnerability in Adobe Flash Player 9.x before 9.0.159.0 and 10.x before 10.0.22.87 on Linux allows local users to obtain sensitive information or gain privileges via a crafted library in a directory contained in the RPATH. This emerges with the 32bit USE flag set by default on my AMD64 machine. Is this intended? (In reply to comment #7) > This emerges with the 32bit USE flag set by default on my AMD64 machine. Is > this intended? Yes. If you are running a multilib profile, it is assumed you want multiple libs by default. The 32bit flag is to turn this off for advanced users who know that they only want the 64bit plugin in this case. (In reply to comment #8) > Yes. If you are running a multilib profile, it is assumed you want multiple > libs by default. Oh, OK. Even though in IMO Flash isn't a lib, but a Browser plugin, so it would make more sense to treat it like an application rather than a lib; that is, do 64-bit only on AMD64. Will people who upgrade from an older 32bit-only version of Flash automatically get the 64-bit version by default? Because I suppose there are a lot of people who simply don't know Flash is now 64-bit capable. (In reply to comment #9) > Oh, OK. Even though in IMO Flash isn't a lib, but a Browser plugin Technically it is a .so shared object library. From file(1): /opt/netscape/plugins/libflashplayer.so: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, stripped But I can see how this may not be immediately obvious to everyone :) > so it > would make more sense to treat it like an application rather than a lib; that > is, do 64-bit only on AMD64. Will people who upgrade from an older 32bit-only > version of Flash automatically get the 64-bit version by default? Because I > suppose there are a lot of people who simply don't know Flash is now 64-bit > capable. Yes, this exactly what happens when you upgrade to 10.0.22.87. You will always get the 64-bit plugin. But why default to installing both simultaneously? Imagine if you are a "regular user" who is still using firefox-bin because most of your plugins (adobe, flash, and especially the current stable sun-jre-1.6.0.11) work better in a 32-bit browser - If you upgrade your netscape-flash to 10.0.22.8 and only get the 64-bit plugin... your flash suddenly stops working! And I get creamed by a zillion bug reports :) By installing both versions by default, I avoid this nasty upgrade issue. I think it's been long enough - I've had a couple isolated complaints about sound not working or random crashes, but this is flash we're talking about... Not like I can actually *fix* any of the bugs. Let's go stable. Arches, please test and mark stable: =net-www/netscape-flash-10.0.22.87 Target keywords : "amd64 x86" x86 stable amd64 stable, all arches done. glsa already filed for #239543 and #260264 GLSA 200903-23 Seems that CVE-2008-4546 isn't fixed. http://www.securityfocus.com/archive/1/501691 My firefox crashes after visiting: http://flashcrash.dempsky.org/ Opera survives the test. Some info about my setup: % grep mozilla /etc/portage/package.use www-client/mozilla-firefox restrict-javascript xforms mozdevelop % grep opera /etc/portage/package.use www-client/opera qt-static ia32 net-www/netscape-flash-10.0.22.87 www-client/mozilla-firefox-3.0.7 www-client/opera-9.64 % emerge --info Portage 2.1.6.7 (default/linux/x86/2008.0/desktop, gcc-4.1.2, glibc-2.8_p20080602-r1, 2.6.27-gentoo-r8 i686) ================================================================= System uname: Linux-2.6.27-gentoo-r8-i686-Intel-R-_Core-TM-2_Duo_CPU_E8200_@_2.66GHz-with-glibc2.0 Timestamp of tree: Thu, 12 Mar 2009 06:30:01 +0000 app-shells/bash: 3.2_p39 dev-java/java-config: 1.3.7-r1, 2.1.7 dev-lang/python: 2.4.4-r14, 2.5.2-r7 dev-python/pycrypto: 2.0.1-r8 dev-util/cmake: 2.4.8 sys-apps/baselayout: 1.12.11.1 sys-apps/sandbox: 1.2.18.1-r2 sys-devel/autoconf: 2.13, 2.63 sys-devel/automake: 1.4_p6, 1.5, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10.2 sys-devel/binutils: 2.18-r3 sys-devel/gcc-config: 1.4.0-r4 sys-devel/libtool: 1.5.26 virtual/os-headers: 2.6.27-r2 ACCEPT_KEYWORDS="x86" CBUILD="i686-pc-linux-gnu" CFLAGS="-O2 -march=i686 -pipe" CHOST="i686-pc-linux-gnu" CONFIG_PROTECT="/etc" CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo /etc/udev/rules.d" CXXFLAGS="-O2 -march=i686 -pipe" DISTDIR="/usr/portage/distfiles" FEATURES="buildpkg ccache collision-protect distlocks doc fixpackages gpg noinfo parallel-fetch protect-owned sandbox sfperms strict unmerge-orphans userfetch" GENTOO_MIRRORS="http://src.gentoo.pl http://gentoo.mirror.pw.edu.pl http://gentoo.mirror.web4u.cz http://distfiles.gentoo.org http://www.ibiblio.org/pub/Linux/distributions/gentoo" LANG="en_US.UTF-8" LDFLAGS="-Wl,-O1" LINGUAS="en pl" MAKEOPTS="-j3" PKGDIR="/usr/portage/packages" PORTAGE_CONFIGROOT="/" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/usr/portage/local/layman/enlightenment" SYNC="rsync://repo.non.3dart.com/gentoo-portage" USE="X acl acpi alsa async berkdb bluetooth branding bzip2 cairo cdr cli cracklib crypt cups curl dbus dri dvd dvdr dvdread emboss encode esd evo exif fam firefox gdbm gif gnome gpm gstreamer gtk hal iconv idn imap isdnlog jabber jpeg kerberos lame ldap libnotify logrotate lzo mad memlimit mikmod mp3 mpeg mudflap mysql ncurses nls nntp nptl nptlonly nsplugin ogg opengl openmp pam pch pcre pdf perl php png ppds pppd python qt3support quicktime rdesktop readline reflection reiserfs ruby samba sdl session snmp spell spl srt ssl startup-notification svg sysfs syslog tcpd theora threads tiff truetype unicode usb vim-syntax vorbis win32codecs x86 xml xorg xscreensaver xulrunner xv xvid zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en pl" USERLAND="GNU" VIDEO_CARDS="radeon ati vesa vga nv nvidia" Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LC_ALL, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS (In reply to comment #17) > Seems that CVE-2008-4546 isn't fixed. True, though really that CVE was actually addressed in bug #239543, where we decided that this particular issue isn't really worth much effort. A local DoS is not that dangerous, and we'll just have to wait for Adobe to fix it regardless of how important we think it may be. |