| Summary: | www-plugins/adobe-flash-11.2 is built with SSE2 instructions | ||
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Rafał Mużyło <galtgendo> |
| Component: | Current packages | Assignee: | Jeroen Roovers (RETIRED) <jer> |
| Status: | VERIFIED UPSTREAM | ||
| Severity: | normal | CC: | desktop-misc, powerman-asdf |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://bugbase.adobe.com/index.cfm?event=bug&id=3154276 | ||
| Whiteboard: | |||
| Package list: | Runtime testing required: | --- | |
|
Description
Rafał Mużyło
2012-04-02 13:09:56 UTC
For security, vulnerable ebuilds <11.2.202.228 should be cleaned up as part of bug 410005. Whether or not the maintainer/herd wants to add 10.3.183.18 does not really have anything to do with us, so removing security from cc: It not quite an enhancement, if 11.2.202.228 just doesn't work. Also, while the forum thread has seen very little input from other parties, it seems that the "not working" part affects only x86 (though it's still hard to say whether the problem lies in CPU or GPU). It seems that it was CPU - all the similar reports seems to come from various types of AthlonXP. The problem reached even the upstream bug tracker. This wouldn't be the first time Adobe has compiled their binary with a non-AMD-compatible compiler optimization enabled. (See bug #268336) Looks like in this case the issue is that 11.2 is now being compiled using SSE2 instructions, making the binary completely useless for anyone not running a CPU with SSE2. In the mean time, I have bumped 10.3 to the security-fixed 10.3.183.18 (*and* removed the RPM dependency!). I'm going to also consider adding a pkg_pretend check and failing the 11.2 install for non-SSE2 CPUs, recommending users package-mask their way back to 10.3. Leaving this bug open to track the upstream CPU issue and future pkg_pretend changes. Okay, updated the adobe-flash-11.2.202.228 to error out at pkg_pretend time if any local CPU doesn't support the SSE2 instructions, with a suggestions that users mask the 11.2 version to fall back to 10.3 instead. Leaving this bug open to track the upstream bug(s). Jim, there was a whole thread on the gentoo-dev mailing list about this sse2check (that apparently you did not see?) Wouldn't it be better if we just did this? IUSE="... sse2" REQUIRED_USE="sse2" The release of adobe-flash 11.2.202.236 has turned things worse (unless it's firefox 13 related change). Now flash (playing on youtube) while trying to start playback brings down firefox. (In reply to comment #7) > The release of adobe-flash 11.2.202.236 has turned things worse (unless it's > firefox 13 related change). > Now flash (playing on youtube) while trying to start playback brings down > firefox. The original issue (Adobe compiles with SSE2 instructions) hasn't been fixed yet (at least I don't think so) So I have 2 questions: - Does your /proc/cpuinfo have SSE2 - Does the workaround of downgrading to 10.3 still work for you? Well, the x86 one doesn't and 10.3 still works. The crash is most likely caused by the non-working plugin triggering the problem behind 13.0.1 release. (In reply to Matt Turner from comment #6) > Jim, there was a whole thread on the gentoo-dev mailing list about this > sse2check (that apparently you did not see?) > > Wouldn't it be better if we just did this? > > IUSE="... sse2" > REQUIRED_USE="sse2" Jeroen, Now that you're maintaining adobe-flash, might I ask you to consider using REQUIRED_USE="sse2" to allow users to immediately know that SSE2 is required? (In reply to Matt Turner from comment #10) > (In reply to Matt Turner from comment #6) > > Jim, there was a whole thread on the gentoo-dev mailing list about this > > sse2check (that apparently you did not see?) > > > > Wouldn't it be better if we just did this? > > > > IUSE="... sse2" > > REQUIRED_USE="sse2" > > Jeroen, > Now that you're maintaining adobe-flash, might I ask you to consider using > REQUIRED_USE="sse2" to allow users to immediately know that SSE2 is required? I don't think Jim ever found the time to consider this solution. I'll let it run rampant in www-plugins/adobe-flash-11.2.202.291-r1 for a while. Rafał, is there something else that needs to be done for this bug, short of a new flash player that doesn't use SSE2? (In reply to Matt Turner from comment #12) > Rafał, is there something else that needs to be done for this bug, short of > a new flash player that doesn't use SSE2? Don't you mean 'could be' ? Unfortunately, AFAICT, no. Without Adobe releasing a working version, older machines are stuck with the insecure version. Maybe it's possible to somehow extract flash plugin from chrome (AFAIK it's compiled without SSE2)? Having to use 10.3 for 1.5 years and without any signs adobe will fix this issue soon is a critical security issue! (In reply to Alex Efros from comment #14) > Maybe it's possible to somehow extract flash plugin from chrome (AFAIK it's > compiled without SSE2)? Having to use 10.3 for 1.5 years and without any > signs adobe will fix this issue soon is a critical security issue! Not sure, but I seem to recall a post that said that recent versions of chrome flash also have this problem. They're PPAPI - IIRC - anyway, so not really useful outside chrome. (In reply to Jeroen Roovers from comment #11) > I'll let it run rampant in www-plugins/adobe-flash-11.2.202.291-r1 for a while. The problem with UPSTREAM resolution is obviously that all points toward that upstream doesn't give a damn, even though they're the only one who can really fix this. |
