Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 193519 - net-www/netscape-flash < Multiple vulnerabilities (CVE-2007-{4324,4768,5275,6242,6243,6244,6245,6246})
Summary: net-www/netscape-flash < Multiple vulnerabilities (CVE-2007-{4324,4...
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
Whiteboard: A2 [glsa]
Depends on:
Reported: 2007-09-23 13:51 UTC by Robert Buchholz (RETIRED)
Modified: 2008-01-20 08:25 UTC (History)
6 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2007-09-23 13:51:36 UTC
According to the CVE database:
  ActionScript 3 (AS3) in Adobe Flash Player allows remote
  attackers to bypass the Security Sandbox Model, obtain sensitive
  information, and port scan arbitrary hosts via a Flash (SWF) movie
  that specifies a connection to make, then using timing discrepancies
  from the SecurityErrorEvent error to determine whether a host is open
  or not.

POC at
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2007-09-23 13:54:23 UTC
Jim and desktop-misc, please advise.
Comment 2 Jim Ramsay (lack) (RETIRED) gentoo-dev 2007-09-24 14:33:48 UTC
I have verified that we are indeed affected by this, even though the security release does not explicitly mention version

But I'm not sure what to do about it, besides of course p.mask the package, which I would like to avoid unless absolutely necessary due to its popularity and the (in my opinion unfortunately) large number of websites which *require* this software.

Is this security flaw great enough to require that I mask this package?

I've done a little looking for "Version 8" that the page recommends you downgrade to, but I can't actually find it anywhere (and it may be affected by other vulnerabilities).  If someone can find a SRC_URI for this, I would 

I will add some sort of "This software is closed-source and has had a number of vulnerabilities, are you *sure* you want to install this..." disclaimer to the ebuild.
Comment 3 Matteo Azzali (RETIRED) gentoo-dev 2007-10-07 15:43:04 UTC
It seems that as a solution you unmasked
net-www/netscape-flash- ,
however it has a serious flaw if used in conjunction with nsplugin-wrapper
and konqueror, it often shows just black rectangles (like at ) even if those pages are working with firefox.

I don't know if bug #193513 (latest nspluginwrapper one) is in any way
related and if it's the case to open a separate bugreport (as it may slown
your stabilization of this security update) but please take into account
that this version of flash has flaws.
Comment 4 Jim Ramsay (lack) (RETIRED) gentoo-dev 2007-10-07 16:28:32 UTC
No, my addition of the beta version had nothing to do with this bug - It was requested by a user, and seemed more stable to me than the last beta released, so I added it as a testing version.  Unfortunately the new version is still affected by the same design flaw as

Please open a new bug about this non-security-related problem, and I will gladly take a look there, thanks!  Be sure to include your `emerge --info`, and which version of konqueror and firefox you used.
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2007-10-23 19:28:40 UTC
Additional issue

         The Adobe Macromedia Flash 9 plug-in allows remote attackers to cause
         a victim machine to establish TCP sessions with arbitrary hosts via a
         Flash (SWF) movie, related to lack of pinning of a hostname to a
         single IP address after receiving an allow-access-from element in a
         cross-domain-policy XML document, and the availability of a Flash
         Socket class that does not use the browser's DNS pins, aka DNS
         rebinding attacks, a different issue than CVE-2002-1467 and
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2007-12-19 00:38:54 UTC
Flash was released by Adobe. It addresses both vulnerabilities already mentioned in this bug (CVE-2007-4324, CVE-2007-5275)

Additionally, it fixes these vulnerabilities:

         Heap-based buffer overflow in Perl-Compatible Regular Expression
         (PCRE) library before 7.3 allows context-dependent attackers to
         execute arbitrary code via a singleton Unicode sequence in a character
         class in a regex pattern, which is incorrectly optimized.

         Multiple input validation errors have been identified in Flash
         Player and earlier versions that could lead to the
         potential execution of arbitrary code. These vulnerabilities
         could be accessed through content delivered from a remote location
         via the user’s web browser, email client, or other applications that
         include or reference the Flash Player. (CVE-2007-4768, CVE-2007-6242)

         This update introduces a new, stricter method for Flash Player to
         interpret cross-domain policy files. These changes could help
         prevent privilege escalation attacks against web servers hosting
         Flash content and cross-domain policy files.

         This update restricts the unsupported asfunction: protocol to
         address potential cross-site scripting issues with some SWF files.

         This update resolves an issue that could allow remote attackers
         to modify HTTP headers of client requests and conduct HTTP
         Request Splitting attacks. 

         The Linux update for Flash Player addresses a memory permissions
         issue that could lead to privilege escalation.

Not for Linux:

         Unspecified vulnerability in Adobe Flash Player and earlier,
         when running on Opera before 9.24 on Mac OS X, has unknown "Highly
         Severe" impact and unknown attack vectors.

CVE-2007-6244 (different vector):
         This update makes changes to the navigateToURL function to
         prevent potential Universal Cross-Site Scripting attacks. This issue
         is specific to the Flash Player ActiveX Control and the Internet
         Explorer Browser.
Comment 7 Jim Ramsay (lack) (RETIRED) gentoo-dev 2007-12-20 13:21:23 UTC
Sorry, forgot to mention in this bug: has been in the tree for a little while now.

I'm not sure about the other security issues, but by my test, it still fails the network scan attack that spawned this bug.  Go to and see for yourself.

I will be requesting stability in the near future.
Comment 8 Robert Buchholz (RETIRED) gentoo-dev 2007-12-21 13:31:35 UTC
(In reply to comment #7)
> I will be requesting stability in the near future.

Sorry, I did not notice. Can we go to stabling this right now? The new issues that came up are pretty severe.
Comment 9 Billy DeVincentis 2007-12-22 10:44:03 UTC
This version does not fix the konqueror problem, I still have needed to downgrade to the 9.0.48 in order to have flash support in konqueror, the higher versions simply don't work.
Comment 10 Billy DeVincentis 2007-12-22 11:03:34 UTC
BTW, this is not an nspluginwrapper issue, it affects X86 installations equally, simply put, flash does not work in konqueror when using any version higher than 9.0.48. This is the same in Debian also.
Comment 11 Robert Buchholz (RETIRED) gentoo-dev 2007-12-22 13:42:45 UTC
Billy, can you please open a new bug about the Opera/Konqueror issues, and mark it blocking this bug? 

For reference, Debian tracks this here:
Comment 12 Jim Ramsay (lack) (RETIRED) gentoo-dev 2007-12-22 16:46:48 UTC
FWIW, the Konqueror issue is not a problem with flash, it's technically a problem with konqueror.  Here's KDE's bug:

I have an assurance from Philanthrop via IRC that the Gentoo KDE team will soon be applying patches which will make the new flash work in Konqueror.

As for Opera, I'm not sure what can be done, it's a binary package, so there's no real way to patch it.  That said, the newer version (9.50) seems to work with the new flash. (9.50_beta1 here), though I've heard others that experience the contrary.
Comment 13 Jim Ramsay (lack) (RETIRED) gentoo-dev 2007-12-22 16:55:01 UTC
The Opera issues *may* be related to this:
Comment 14 Robert Buchholz (RETIRED) gentoo-dev 2007-12-22 22:07:26 UTC
(In reply to comment #12)
> I have an assurance from Philanthrop via IRC that the Gentoo KDE team will soon
> be applying patches which will make the new flash work in Konqueror.

Wulf, can you give us a ping on this bug, so we can stable both Flash and Konqueror at the same time, to limit disruption of stable users?

> As for Opera, I'm not sure what can be done, it's a binary package

True. I don't think stabling the p.masked Opera beta is an option, I'm also not sure where it stands security-wise.
Since we're dealing with two binary packages not cooperating here, there seems to be nothing at all to be done.

Let's get Flash stable as soon as Konqueror is ok for it.
Comment 15 Robert Buchholz (RETIRED) gentoo-dev 2007-12-26 23:50:55 UTC
KDE herd, there are two big patches linked in the KDE bug. Did you try getting them to work with our stable konqueror?
I would think they still contain bugs, but we could at least apply them on ~arch for some days to get flash stable sooner than later.
Comment 16 Carsten Lohrke (RETIRED) gentoo-dev 2007-12-27 16:52:07 UTC
Don't hold back stablizing this new flash version, just because Adobe is too much a PITA or some users complaining not getting their dose Youtube or whatever. That's irrelevant. For people who do not care for vulnerabililties, Portage provides the means.

Wrt. Konqueror you can read in this¹ blog entry, that the patches are preliminary and cause crashes, so these changes cannot go stable anytime soon anyways.

Comment 17 Robert Buchholz (RETIRED) gentoo-dev 2007-12-27 17:59:20 UTC
As I understood it, the crashes were introduced without the patches. The patches just fix some (?) of the issues, but not all.

It's up to the KDE herd if they want konqueror to ship the preliminary patches before stabling. I'd propose Saturday to cc arches.

Jeroen, did you follow the discussion from the Opera side?
Comment 18 Jeroen Roovers (RETIRED) gentoo-dev 2007-12-27 18:15:27 UTC
(In reply to comment #17)
> Jeroen, did you follow the discussion from the Opera side?

First time I see this bug. :-\

Opera 9.50 betas are very unstable and are not meant to go stable, ever. Issues between Opera and Flash are well known among Opera users. That said, I find that the latest version of the Flash plugin works better than the 9.0.60.* betas, only it doesn't solve the Opera issue (which is that the Flash plugin dislikes finding *netscape* in its library's path while the browser doesn't identify itself as such - which is Adobe's problem to fix and which doesn't fix anyhow).

So feel free to stabilise.
Comment 19 Matteo Azzali (RETIRED) gentoo-dev 2007-12-27 19:43:26 UTC
Ehm, as a side note, konqueror can already use newer flash version if you
use npplugin instead than nsplugin.
npplugin ships together with kmplayer, check

The only issue is that kmplayer configure script doesn't emerge 
/usr/bin/knpplayer if the parameter --without-gstreamer is passed.
However gstreamer is not needed at all, I haven't it installed
and anything is 100% fine if --without-gstreamer is not passed.
Comment 20 Robert Buchholz (RETIRED) gentoo-dev 2007-12-29 01:01:21 UTC
Discussion in the kde herd turned out that the stable konqueror will not be patched accepting any regressions introduced here and the patches will be applied on the ~arch 3.5.8 konqueror to keep testing them.

So we're ready for stabling.
Comment 21 Robert Buchholz (RETIRED) gentoo-dev 2007-12-29 01:02:51 UTC
Arches, please test and mark stable net-www/netscape-flash-
Target keywords : "amd64 x86"
Comment 22 Jonas Pedersen 2007-12-29 15:12:34 UTC

1. Emerges on AMD64
2. No collisions etc. 
3. Works. YouTube works in both 64bit (through nspluginwrapper) and 32bit Firefox. 

Portage (default-linux/amd64/2007.0/desktop, gcc-4.1.2, glibc-2.6.1-r0, 2.6.23-gentoo-r3 x86_64)
System uname: 2.6.23-gentoo-r3 x86_64 Intel(R) Core(TM)2 CPU 6600 @ 2.40GHz
Timestamp of tree: Sat, 29 Dec 2007 12:46:01 +0000
distcc 2.18.3 x86_64-pc-linux-gnu (protocols 1 and 2) (default port 3632) [enabled]
ccache version 2.4 [enabled]
app-shells/bash:     3.2_p17
dev-java/java-config: 1.3.7, 2.0.33-r1
dev-lang/python:     2.4.4-r6
dev-python/pycrypto: 2.0.1-r6
dev-util/ccache:     2.4-r7
sys-apps/baselayout: 1.12.10-r5
sys-devel/autoconf:  2.13, 2.61-r1
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.18-r1
sys-devel/gcc-config: 1.3.16
sys-devel/libtool:   1.5.24
virtual/os-headers:  2.6.23-r2
CFLAGS="-march=nocona -Os -msse3 -pipe -fomit-frame-pointer"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/splash /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-march=nocona -Os -msse3 -pipe -fomit-frame-pointer"
FEATURES="ccache collision-protect distcc distlocks metadata-transfer multilib-strict parallel-fetch sandbox sfperms strict test unmerge-orphans userfetch"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTDIR_OVERLAY="/usr/portage/local/layman/php-testing /usr/portage/local/layman/mozilla /usr/local/portage"
USE="X a52 aac acl acpi aiglx alsa amd64 apache2 arts atk berkdb bitmap-fonts cairo cdr cli cracklib crypt cups dbus dga directfb dri dts dvd dvdr dvdread eds emboss encode evo fam fbcn ffmpeg firefox fortran ftp gd gdbm gif gphoto2 gpm gstreamer gtk hal iconv icq ieee1394 ipv6 isdnlog java jpeg kde kerberos live lm_sensors mad midi mikmod mjpeg mmx mozilla mp2 mp3 mpeg mplayer msn mudflap ncurses nls nptl nptlonly ogg oggvorbis opengl openmp pam pcre pda pdf perl png ppds pppd python qt qt3 qt3support qt4 quicktime readline reflection samba sdl session spell spl sse sse2 sse3 ssl svg tcpd test threads tiff truetype truetype-fonts type1-fonts unicode vorbis x264 xcomposite xml xorg xscreensaver xv xvid zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="keyboard mouse" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="radeon"

Comment 23 Richard Freeman gentoo-dev 2007-12-30 14:15:23 UTC
amd64 stable

FYI - the only stable version of kmplayer has gmstreamer disabled - the use flag was introduced in the ~arch version.
Comment 24 Raúl Porcel (RETIRED) gentoo-dev 2008-01-01 16:06:12 UTC
x86 stable
Comment 25 Robert Buchholz (RETIRED) gentoo-dev 2008-01-01 22:05:23 UTC
request filed
Comment 26 Robert Buchholz (RETIRED) gentoo-dev 2008-01-20 00:44:10 UTC
GLSA 200801-07, thank you everybody!

When updates to Konqueror, Opera or Flash are out to fix regressions, please let us know.