According to the CVE database: ActionScript 3 (AS3) in Adobe Flash Player 9.0.47.0 allows remote attackers to bypass the Security Sandbox Model, obtain sensitive information, and port scan arbitrary hosts via a Flash (SWF) movie that specifies a connection to make, then using timing discrepancies from the SecurityErrorEvent error to determine whether a host is open or not. POC at http://scan.flashsec.org/
Jim and desktop-misc, please advise.
I have verified that we are indeed affected by this, even though the security release does not explicitly mention version 9.0.48.0. But I'm not sure what to do about it, besides, of course, p.masking the package, which I would like to avoid unless absolutely necessary due to its popularity and the (in my opinion unfortunately) large number of websites which *require* this software. Is this security flaw great enough to require that I mask this package? I've done a little looking for the "Version 8" that the flashsec.org page recommends you downgrade to, but I can't actually find it anywhere (and it may be affected by other vulnerabilities). If someone can find a SRC_URI for this, I will add some sort of "This software is closed-source and has had a number of vulnerabilities, are you *sure* you want to install this..." disclaimer to the ebuild.
It seems that as a solution you unmasked net-www/netscape-flash-9.0.60.0_beta100107, however it has a serious flaw if used in conjunction with nspluginwrapper and konqueror: it often shows just black rectangles (like at http://www.medusacinema.it/ ) even if those pages are working with firefox. I don't know if bug #193513 (the latest nspluginwrapper one) is in any way related, or whether I should open a separate bug report (as it may slow down your stabilization of this security update), but please take into account that this version of flash has flaws.
No, my addition of the beta version had nothing to do with this bug. It was requested by a user, and seemed more stable to me than the last beta released, so I added it as a testing version. Unfortunately the new version is still affected by the same design flaw as 9.0.48.0. Please open a new bug about this non-security-related problem, and I will gladly take a look there, thanks! Be sure to include your `emerge --info`, and which versions of konqueror and firefox you used.
Additional issue CVE-2007-5275: The Adobe Macromedia Flash 9 plug-in allows remote attackers to cause a victim machine to establish TCP sessions with arbitrary hosts via a Flash (SWF) movie, related to lack of pinning of a hostname to a single IP address after receiving an allow-access-from element in a cross-domain-policy XML document, and the availability of a Flash Socket class that does not use the browser's DNS pins, aka DNS rebinding attacks, a different issue than CVE-2002-1467 and CVE-2007-4324.
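The flaw described in CVE-2007-5275, modelled in runnable form. This is an added example, not Adobe's code and not anything from the Gentoo tree: a small Python model of the "fetch the cross-domain policy, then open a raw Socket" flow, with a resolver that hands out a different answer on the second lookup, exactly the rebinding the CVE text describes. Everything in it is a constructed assumption: the function and class names (RebindingResolver, fetch_policy, unpinned_socket_connect, pinned_socket_connect), the addresses 203.0.113.10 and 10.0.0.5, the policy file, and the wildcard and to-ports matching rules. No network traffic is sent.

```python
# Added example for this bug thread (not Adobe's code, not from the Gentoo tree):
# models the Flash Socket policy flow to show the missing DNS pin of CVE-2007-5275.
import xml.etree.ElementTree as ET

# Constructed addresses: the attacker's public web host and a box on the victim's LAN.
ATTACKER_IP = "203.0.113.10"
INTERNAL_IP = "10.0.0.5"

# Constructed cross-domain policy as the attacker's server would serve it:
# every origin may open a socket to every port.
ATTACKER_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" to-ports="*"/>
</cross-domain-policy>
"""


def _port_allowed(to_ports, port):
    """to-ports is "*" or a comma list of ports and ranges ("80,443,1024-1100").
    An absent attribute allows nothing (assumed deny-by-default)."""
    if to_ports.strip() == "*":
        return True
    for item in to_ports.split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            lo, hi = (int(x) for x in item.split("-", 1))
            if lo <= port <= hi:
                return True
        elif int(item) == port:
            return True
    return False


def _domain_allowed(pattern, origin):
    """domain is "*", an exact host name, or a "*.example.com" wildcard that is
    assumed to match the bare domain as well as its subdomains."""
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return origin == pattern[2:] or origin.endswith(pattern[1:])
    return origin == pattern


def policy_allows(policy_xml, origin, port):
    """True if any allow-access-from rule lets <origin> open a socket to <port>."""
    if not policy_xml:
        return False
    root = ET.fromstring(policy_xml)
    if root.tag != "cross-domain-policy":
        return False
    return any(
        _domain_allowed(rule.get("domain", ""), origin)
        and _port_allowed(rule.get("to-ports", ""), port)
        for rule in root.findall("allow-access-from")
    )


class RebindingResolver:
    """Stand-in for a rebinding DNS server with a tiny TTL: the first lookup of the
    attacker's name returns the attacker's IP, every later lookup an internal one."""

    def __init__(self, first_ip=ATTACKER_IP, later_ip=INTERNAL_IP):
        self.first_ip, self.later_ip = first_ip, later_ip
        self.lookups = 0

    def resolve(self, host):
        self.lookups += 1
        return self.first_ip if self.lookups == 1 else self.later_ip


def fetch_policy(ip, port):
    """Stand-in for the plugin's policy-file request to ip:port; in this constructed
    scenario only the attacker's server answers with a policy."""
    return ATTACKER_POLICY if ip == ATTACKER_IP else ""


def unpinned_socket_connect(host, port, origin, resolver):
    """The flawed flow: the policy fetch and the data connection each resolve <host>,
    so the rebinding answer sends the raw socket into the victim's LAN.
    Returns the IP the socket actually reaches."""
    policy = fetch_policy(resolver.resolve(host), port)
    if not policy_allows(policy, origin, port):
        raise PermissionError("policy denies %s -> %s:%d" % (origin, host, port))
    return resolver.resolve(host)  # second lookup: the attacker's DNS now answers 10.0.0.5


def pinned_socket_connect(host, port, origin, resolver):
    """The fix: resolve once, validate the policy served by that address, and connect
    to that same address, so a later DNS answer cannot redirect the socket."""
    ip = resolver.resolve(host)
    if not policy_allows(fetch_policy(ip, port), origin, port):
        raise PermissionError("policy denies %s -> %s:%d" % (origin, host, port))
    return ip


if __name__ == "__main__":
    for flow in (unpinned_socket_connect, pinned_socket_connect):
        reached = flow("attacker.example", 8080, "attacker.example", RebindingResolver())
        print("%-24s socket reaches %s" % (flow.__name__, reached))
```

Run stand-alone it prints that the unpinned flow reaches 10.0.0.5 while the pinned flow stays on 203.0.113.10; the policy check passes in both cases, which is the point: the policy file is genuine, the only thing the pin changes is which address the socket is opened to.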
Flash 9.0.115.0 was released by Adobe. It addresses both vulnerabilities already mentioned in this bug (CVE-2007-4324, CVE-2007-5275). Additionally, it fixes these vulnerabilities:

CVE-2007-4768: Heap-based buffer overflow in Perl-Compatible Regular Expression (PCRE) library before 7.3 allows context-dependent attackers to execute arbitrary code via a singleton Unicode sequence in a character class in a regex pattern, which is incorrectly optimized.

CVE-2007-6242: Multiple input validation errors have been identified in Flash Player 9.0.48.0 and earlier versions that could lead to the potential execution of arbitrary code. These vulnerabilities could be accessed through content delivered from a remote location via the user’s web browser, email client, or other applications that include or reference the Flash Player. (CVE-2007-4768, CVE-2007-6242)

CVE-2007-6243: This update introduces a new, stricter method for Flash Player to interpret cross-domain policy files. These changes could help prevent privilege escalation attacks against web servers hosting Flash content and cross-domain policy files.

CVE-2007-6244: This update restricts the unsupported asfunction: protocol to address potential cross-site scripting issues with some SWF files.

CVE-2007-6245: This update resolves an issue that could allow remote attackers to modify HTTP headers of client requests and conduct HTTP Request Splitting attacks.

CVE-2007-6246: The Linux update for Flash Player addresses a memory permissions issue that could lead to privilege escalation.

Not for Linux:

CVE-2007-5476: Unspecified vulnerability in Adobe Flash Player 9.0.47.0 and earlier, when running on Opera before 9.24 on Mac OS X, has unknown "Highly Severe" impact and unknown attack vectors.

CVE-2007-6244 (different vector): This update makes changes to the navigateToURL function to prevent potential Universal Cross-Site Scripting attacks.
This issue is specific to the Flash Player ActiveX Control and the Internet Explorer Browser.
Sorry, forgot to mention in this bug: 9.0.115.0 has been in the tree for a little while now. I'm not sure about the other security issues, but by my test, it still fails the network scan attack that spawned this bug. Go to http://scan.flashsec.org/ and see for yourself. I will be requesting stability in the near future.
(In reply to comment #7) > I will be requesting stability in the near future. Sorry, I did not notice. Can we go to stabling this right now? The new issues that came up are pretty severe.
This version does not fix the konqueror problem; I have still needed to downgrade to 9.0.48 in order to have flash support in konqueror, the higher versions simply don't work.
BTW, this is not an nspluginwrapper issue; it affects x86 installations equally. Simply put, flash does not work in konqueror when using any version higher than 9.0.48. This is the same in Debian also.
Billy, can you please open a new bug about the Opera/Konqueror issues, and mark it blocking this bug? For reference, Debian tracks this here: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=455283 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=456538
FWIW, the Konqueror issue is not a problem with flash, it's technically a problem with konqueror. Here's KDE's bug: http://bugs.kde.org/132138 I have an assurance from Philanthrop via IRC that the Gentoo KDE team will soon be applying patches which will make the new flash work in Konqueror. As for Opera, I'm not sure what can be done, it's a binary package, so there's no real way to patch it. That said, the newer version (9.50) seems to work with the new flash (9.50_beta1 here), though I've heard from others who experience the contrary.
The Opera issues *may* be related to this: https://bugs.gentoo.org/show_bug.cgi?id=127200#c25
(In reply to comment #12) > I have an assurance from Philanthrop via IRC that the Gentoo KDE team will soon > be applying patches which will make the new flash work in Konqueror. Wulf, can you give us a ping on this bug, so we can stable both Flash and Konqueror at the same time, to limit disruption of stable users? > As for Opera, I'm not sure what can be done, it's a binary package True. I don't think stabling the p.masked Opera beta is an option, I'm also not sure where it stands security-wise. Since we're dealing with two binary packages not cooperating here, there seems to be nothing at all to be done. Let's get Flash stable as soon as Konqueror is ok for it.
KDE herd, there are two big patches linked in the KDE bug. Did you try getting them to work with our stable konqueror? I would think they still contain bugs, but we could at least apply them on ~arch for some days to get flash stable sooner than later.
Don't hold back stabilizing this new flash version just because Adobe is too much of a PITA or some users are complaining about not getting their dose of YouTube or whatever. That's irrelevant. For people who do not care for vulnerabilities, Portage provides the means. Wrt. Konqueror you can read in this¹ blog entry that the patches are preliminary and cause crashes, so these changes cannot go stable anytime soon anyway. [1] http://www.kdedevelopers.org/node/3162
As I understood it, the crashes were introduced without the patches. The patches just fix some (?) of the issues, but not all. It's up to the KDE herd if they want konqueror to ship the preliminary patches before stabling. I'd propose Saturday to cc arches. Jeroen, did you follow the discussion from the Opera side?
(In reply to comment #17) > Jeroen, did you follow the discussion from the Opera side? First time I see this bug. :-\ Opera 9.50 betas are very unstable and are not meant to go stable, ever. Issues between Opera and Flash are well known among Opera users. That said, I find that the latest version of the Flash plugin works better than the 9.0.60.* betas, only it doesn't solve the Opera issue (which is that the Flash plugin dislikes finding *netscape* in its library's path while the browser doesn't identify itself as such - which is Adobe's problem to fix and which 9.0.115.0 doesn't fix anyhow). So feel free to stabilise.
Ehm, as a side note, konqueror can already use newer flash versions if you use npplugin instead of nsplugin. npplugin ships together with kmplayer, check http://www.kde-apps.org/content/show.php/KMPlayer?content=10004 The only issue is that the kmplayer configure script doesn't install /usr/bin/knpplayer if the parameter --without-gstreamer is passed. However gstreamer is not needed at all; I don't have it installed and everything is 100% fine if --without-gstreamer is not passed.
Discussion in the kde herd concluded that the stable konqueror will not be patched, so as not to accept any regressions introduced here, and the patches will be applied on the ~arch 3.5.8 konqueror to keep testing them. So we're ready for stabling.
Arches, please test and mark stable net-www/netscape-flash-9.0.115.0. Target keywords : "amd64 x86"
net-www/netscape-flash-9.0.115.0
1. Emerges on AMD64
2. No collisions etc.
3. Works. YouTube works in both 64bit (through nspluginwrapper) and 32bit Firefox.

Portage 2.1.3.19 (default-linux/amd64/2007.0/desktop, gcc-4.1.2, glibc-2.6.1-r0, 2.6.23-gentoo-r3 x86_64)
=================================================================
System uname: 2.6.23-gentoo-r3 x86_64 Intel(R) Core(TM)2 CPU 6600 @ 2.40GHz
Timestamp of tree: Sat, 29 Dec 2007 12:46:01 +0000
distcc 2.18.3 x86_64-pc-linux-gnu (protocols 1 and 2) (default port 3632) [enabled]
ccache version 2.4 [enabled]
app-shells/bash: 3.2_p17
dev-java/java-config: 1.3.7, 2.0.33-r1
dev-lang/python: 2.4.4-r6
dev-python/pycrypto: 2.0.1-r6
dev-util/ccache: 2.4-r7
sys-apps/baselayout: 1.12.10-r5
sys-apps/sandbox: 1.2.18.1-r2
sys-devel/autoconf: 2.13, 2.61-r1
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils: 2.18-r1
sys-devel/gcc-config: 1.3.16
sys-devel/libtool: 1.5.24
virtual/os-headers: 2.6.23-r2
ACCEPT_KEYWORDS="amd64"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=nocona -Os -msse3 -pipe -fomit-frame-pointer"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/splash /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-march=nocona -Os -msse3 -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="ccache collision-protect distcc distlocks metadata-transfer multilib-strict parallel-fetch sandbox sfperms strict test unmerge-orphans userfetch"
GENTOO_MIRRORS="http://ftp.belnet.be/mirror/rsync.gentoo.org/gentoo/ http://trumpetti.atm.tut.fi/gentoo/ http://ftp.snt.utwente.nl/pub/os/linux/gentoo http://ds.thn.htu.se/linux/gentoo"
LC_ALL="en_DK.utf8"
MAKEOPTS="-j6"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/portage/local/layman/php-testing /usr/portage/local/layman/mozilla /usr/local/portage"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="X a52 aac acl acpi aiglx alsa amd64 apache2 arts atk berkdb bitmap-fonts cairo cdr cli cracklib crypt cups dbus dga directfb dri dts dvd dvdr dvdread eds emboss encode evo fam fbcn ffmpeg firefox fortran ftp gd gdbm gif gphoto2 gpm gstreamer gtk hal iconv icq ieee1394 ipv6 isdnlog java jpeg kde kerberos live lm_sensors mad midi mikmod mjpeg mmx mozilla mp2 mp3 mpeg mplayer msn mudflap ncurses nls nptl nptlonly ogg oggvorbis opengl openmp pam pcre pda pdf perl png ppds pppd python qt qt3 qt3support qt4 quicktime readline reflection samba sdl session spell spl sse sse2 sse3 ssl svg tcpd test threads tiff truetype truetype-fonts type1-fonts unicode vorbis x264 xcomposite xml xorg xscreensaver xv xvid zlib"
ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci"
ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol"
APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias"
ELIBC="glibc"
INPUT_DEVICES="keyboard mouse"
KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text"
USERLAND="GNU"
VIDEO_CARDS="radeon"
Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LDFLAGS, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
amd64 stable. FYI - the only stable version of kmplayer has gstreamer disabled - the use flag was introduced in the ~arch version.
x86 stable
request filed
GLSA 200801-07, thank you everybody! When updates to Konqueror, Opera or Flash are out to fix regressions, please let us know.