| Summary: | <www-plugins/gnash-0.8.9-r1: Unsafe management of HTTP cookies (CVE-2011-4328) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Sean Amoss (RETIRED) <ackle> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | chithanh |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://www.openwall.com/lists/oss-security/2011/11/21/12 | | |
| See Also: | http://bugs.debian.org/649384, https://bugzilla.redhat.com/show_bug.cgi?id=755518 | | |
| Whiteboard: | B4 [glsa] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 391915, 408209 | | |
| Bug Blocks: | | | |
Description

Sean Amoss (RETIRED)
2011-11-21 19:14:26 UTC

http://git.savannah.gnu.org/gitweb/?p=gnash.git;a=commitdiff;h=fa481c116e65ccf9137c7ddc8abc3cf05dc12f55 applied in 0.8.9-r1.

Arches, please stabilize www-plugins/gnash-0.8.9-r1

Target keywords: amd64 ppc ~ppc64 ~sparc x86

Due to bug 366407, gnash may fail to build if multiple versions of boost are present on the system. This is not a regression from 0.8.8.

@chithanh: Can you fix on the fly:

```
Files matching a file type that is not allowed:
usr/lib/kde4/libklashpart.so
 * ERROR: www-plugins/gnash-0.8.9-r1 failed:
 *   multilib-strict check failed!
```

Ditto ago--

```
 * Call stack:
 *   misc-functions.sh, line 992:  Called install_qa_check
 *   misc-functions.sh, line 716:  Called die
 * The specific snippet of code:
 *   [[ ${abort} == yes ]] && die "multilib-strict check failed!"
```

The multilib-strict check passes now in 0.8.9-r2

amd64 ok

amd64 stable

x86 stable

GLSA Vote: yes.

GLSA vote: yes.

Updated existing GLSA request.

This issue was resolved and addressed in GLSA 201207-08 at http://security.gentoo.org/glsa/glsa-201207-08.xml by GLSA coordinator Sean Amoss (ackle).

CVE-2011-4328 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4328): plugin/npapi/plugin.cpp in Gnash before 0.8.10 uses weak permissions (world readable) for cookie files with predictable names in /tmp, which allows local users to obtain sensitive information.
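The CVE text above names two weaknesses: a predictable file name under /tmp and a world-readable mode. The following C program is an added example, not Gnash's code or the fix from the linked commit; it shows the weak pattern next to the hardened one (an unpredictable name from mkstemp, created with O_EXCL and mode 0600), plus a small check a packager or QA script could run over an existing file. The directory, file names and cookie contents are constructed for the demonstration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 1 if "other" users may read `path` (the weak permission described in
 * CVE-2011-4328), 0 if not, -1 if the file cannot be examined. */
int is_world_readable(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (st.st_mode & S_IROTH) ? 1 : 0;
}

/* The pattern the advisory describes: a fixed, guessable name under `dir`,
 * created readable by everyone. Kept here only so the check above has
 * something to flag. Returns 0 on success, -1 on failure. */
int create_weak_cookie_file(const char *dir, const char *name,
                            const char *contents, char *out_path, size_t out_len)
{
    int n = snprintf(out_path, out_len, "%s/%s", dir, name);
    if (n < 0 || (size_t)n >= out_len)
        return -1;
    int fd = open(out_path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0)
        return -1;
    /* fchmod so the demonstration does not depend on the caller's umask */
    if (fchmod(fd, 0644) != 0 || write(fd, contents, strlen(contents)) < 0) {
        close(fd);
        return -1;
    }
    close(fd);
    return 0;
}

/* The hardened form: mkstemp() picks an unpredictable name, creates the file
 * with O_CREAT|O_EXCL (a pre-planted file or symlink is not followed) and mode
 * 0600; fchmod() re-asserts owner-only access. Returns 0 on success with the
 * final path written to out_path, -1 on failure. */
int create_private_cookie_file(const char *dir, const char *contents,
                               char *out_path, size_t out_len)
{
    int n = snprintf(out_path, out_len, "%s/cookie.XXXXXX", dir);
    if (n < 0 || (size_t)n >= out_len)
        return -1;
    int fd = mkstemp(out_path);
    if (fd < 0)
        return -1;
    if (fchmod(fd, S_IRUSR | S_IWUSR) != 0 ||
        write(fd, contents, strlen(contents)) < 0) {
        close(fd);
        unlink(out_path);
        return -1;
    }
    close(fd);
    return 0;
}

int main(void)
{
    char weak[4096], priv[4096];
    /* constructed sample cookie; a real plugin would hold a session token */
    const char *cookie = "session=constructed-sample-value\n";
    if (create_weak_cookie_file("/tmp", "cookie-demo-weak", cookie,
                                weak, sizeof weak) == 0)
        printf("%s world-readable: %d\n", weak, is_world_readable(weak));
    if (create_private_cookie_file("/tmp", cookie, priv, sizeof priv) == 0)
        printf("%s world-readable: %d\n", priv, is_world_readable(priv));
    unlink(weak);
    unlink(priv);
    return 0;
}
```

The mode check alone is what a QA script can verify after the fact; the unpredictable name and O_EXCL creation have to come from the program itself, which is why the fix belongs in the plugin rather than in a post-install chmod.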