Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 260264 (CVE-2009-0519) - net-www/netscape-flash <10.0.22.87 Multiple vulnerabilities (CVE-2009-{0114,0519,0520,0521,0522})
Summary: net-www/netscape-flash <10.0.22.87 Multiple vulnerabilities (CVE-2009-{0114,0...
Status: RESOLVED FIXED
Alias: CVE-2009-0519
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High major
Assignee: Gentoo Security
URL: http://www.adobe.com/support/security...
Whiteboard: A2 [glsa]
Keywords:
: 260371 (view as bug list)
Depends on:
Blocks:
 
Reported: 2009-02-25 16:11 UTC by Robert Buchholz (RETIRED)
Modified: 2009-03-18 02:44 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2009-02-25 16:11:41 UTC
Flash Player update available to address security vulnerabilities

Release date: February 24, 2009

Vulnerability identifier: APSB09-01

CVE number: CVE-2009-0519, CVE-2009-0520, CVE-2009-0522, CVE-2009-0114, CVE-2009-0521
Comment 1 Jim Ramsay (lack) (RETIRED) gentoo-dev 2009-02-25 19:46:03 UTC
net-www/netscape-flash-10.0.22.87 is in the tree, at ~amd64 and ~x86

As this is the first time I've done a multilib installer for the flash installer (Yay, 32-bit and 64-bit plugins!), we should let it settle out a bit before stabilization.

I've also bumped to net-www/netscape-flash-9.0.159.0 which theoretically backports the same security fixes as are in 10.0.22.87 to flash-9, for those folks who don't like new features.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2009-02-25 20:41:57 UTC
So let's target a week from now as a stabling date and collect as many bugs as we can until then.
Comment 3 Jim Ramsay (lack) (RETIRED) gentoo-dev 2009-02-25 20:45:52 UTC
Agreed.
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2009-02-26 15:15:19 UTC
*** Bug 260371 has been marked as a duplicate of this bug. ***
Comment 5 Stefan Behte (RETIRED) gentoo-dev Security 2009-02-26 19:23:00 UTC
No problems with 10.0.22.87 on ~x86 yet, I've been using it since it hit the tree, youtube etc. work flawless. Thanks!
Adding lowest CVE number to Alias.
Comment 6 Stefan Behte (RETIRED) gentoo-dev Security 2009-02-26 20:46:41 UTC
CVE-2009-0114 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0114):
  Unspecified vulnerability in the Settings Manager in Adobe Flash
  Player 9.x before 9.0.159.0 and 10.x before 10.0.22.87, and possibly
  other versions, allows remote attackers to trick a user into visiting
  an arbitrary URL via unknown vectors, related to "a potential
  Clickjacking issue variant."

CVE-2009-0519 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0519):
  Unspecified vulnerability in Adobe Flash Player 9.x before 9.0.159.0
  and 10.x before 10.0.22.87 allows remote attackers to cause a denial
  of service (browser crash) or possibly execute arbitrary code via a
  crafted Shockwave Flash (aka .swf) file.

CVE-2009-0520 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0520):
  Adobe Flash Player 9.x before 9.0.159.0 and 10.x before 10.0.22.87
  does not properly remove references to destroyed objects during
  Shockwave Flash file processing, which allows remote attackers to
  execute arbitrary code via a crafted file, related to a "buffer
  overflow issue."

CVE-2009-0521 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0521):
  Untrusted search path vulnerability in Adobe Flash Player 9.x before
  9.0.159.0 and 10.x before 10.0.22.87 on Linux allows local users to
  obtain sensitive information or gain privileges via a crafted library
  in a directory contained in the RPATH.

Comment 7 Nikos Chantziaras 2009-02-26 20:59:36 UTC
This emerges with the 32bit USE flag set by default on my AMD64 machine.  Is this intended?
Comment 8 Jim Ramsay (lack) (RETIRED) gentoo-dev 2009-02-27 13:15:11 UTC
(In reply to comment #7)
> This emerges with the 32bit USE flag set by default on my AMD64 machine.  Is
> this intended?

Yes.  If you are running a multilib profile, it is assumed you want multiple libs by default.  The 32bit flag is to turn this off for advanced users who know that they only want the 64bit plugin in this case.
Comment 9 Nikos Chantziaras 2009-02-27 13:23:18 UTC
(In reply to comment #8)
> Yes.  If you are running a multilib profile, it is assumed you want multiple
> libs by default.

Oh, OK.  Even though in IMO Flash isn't a lib, but a Browser plugin, so it would make more sense to treat it like an application rather than a lib; that is, do 64-bit only on AMD64.  Will people who upgrade from an older 32bit-only version of Flash automatically get the 64-bit version by default?  Because I suppose there are a lot of people who simply don't know Flash is now 64-bit capable.
Comment 10 Jim Ramsay (lack) (RETIRED) gentoo-dev 2009-02-27 13:58:24 UTC
(In reply to comment #9)
> Oh, OK.  Even though in IMO Flash isn't a lib, but a Browser plugin

Technically it is a .so shared object library.  From file(1):

/opt/netscape/plugins/libflashplayer.so: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, stripped

But I can see how this may not be immediately obvious to everyone :)

> so it 
> would make more sense to treat it like an application rather than a lib; that
> is, do 64-bit only on AMD64.  Will people who upgrade from an older 32bit-only
> version of Flash automatically get the 64-bit version by default?  Because I
> suppose there are a lot of people who simply don't know Flash is now 64-bit
> capable.

Yes, this exactly what happens when you upgrade to 10.0.22.87.  You will always get the 64-bit plugin.  But why default to installing both simultaneously?

Imagine if you are a "regular user" who is still using firefox-bin because most of your plugins (adobe, flash, and especially the current stable sun-jre-1.6.0.11) work better in a 32-bit browser - If you upgrade your netscape-flash to 10.0.22.8 and only get the 64-bit plugin... your flash suddenly stops working!  And I get creamed by a zillion bug reports :)

By installing both versions by default, I avoid this nasty upgrade issue.
Comment 11 Jim Ramsay (lack) (RETIRED) gentoo-dev 2009-03-06 14:17:48 UTC
I think it's been long enough - I've had a couple isolated complaints about sound not working or random crashes, but this is flash we're talking about... Not like I can actually *fix* any of the bugs.

Let's go stable.
Comment 12 Robert Buchholz (RETIRED) gentoo-dev 2009-03-07 16:38:34 UTC
Arches, please test and mark stable:
=net-www/netscape-flash-10.0.22.87
Target keywords : "amd64 x86"
Comment 13 Christian Faulhammer (RETIRED) gentoo-dev 2009-03-08 09:08:30 UTC
x86 stable
Comment 14 Markus Meier gentoo-dev 2009-03-08 14:39:52 UTC
amd64 stable, all arches done.
Comment 15 Pierre-Yves Rofes (RETIRED) gentoo-dev 2009-03-09 12:34:38 UTC
glsa already filed for #239543 and #260264
Comment 16 Pierre-Yves Rofes (RETIRED) gentoo-dev 2009-03-10 22:34:14 UTC
GLSA 200903-23
Comment 17 szmytson 2009-03-18 00:09:11 UTC
Seems that CVE-2008-4546 isn't fixed.
http://www.securityfocus.com/archive/1/501691

My firefox crashes after visiting:
 http://flashcrash.dempsky.org/
Opera survives the test.

Some info about my setup:

% grep mozilla /etc/portage/package.use
www-client/mozilla-firefox restrict-javascript xforms mozdevelop

% grep opera /etc/portage/package.use
www-client/opera qt-static ia32

net-www/netscape-flash-10.0.22.87
www-client/mozilla-firefox-3.0.7
www-client/opera-9.64

% emerge --info
Portage 2.1.6.7 (default/linux/x86/2008.0/desktop, gcc-4.1.2, glibc-2.8_p20080602-r1, 2.6.27-gentoo-r8 i686)
=================================================================
System uname: Linux-2.6.27-gentoo-r8-i686-Intel-R-_Core-TM-2_Duo_CPU_E8200_@_2.66GHz-with-glibc2.0
Timestamp of tree: Thu, 12 Mar 2009 06:30:01 +0000
app-shells/bash:     3.2_p39
dev-java/java-config: 1.3.7-r1, 2.1.7
dev-lang/python:     2.4.4-r14, 2.5.2-r7
dev-python/pycrypto: 2.0.1-r8
dev-util/cmake:      2.4.8
sys-apps/baselayout: 1.12.11.1
sys-apps/sandbox:    1.2.18.1-r2
sys-devel/autoconf:  2.13, 2.63
sys-devel/automake:  1.4_p6, 1.5, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10.2
sys-devel/binutils:  2.18-r3
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool:   1.5.26
virtual/os-headers:  2.6.27-r2
ACCEPT_KEYWORDS="x86"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=i686 -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/
/etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-O2 -march=i686 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="buildpkg ccache collision-protect distlocks doc fixpackages gpg noinfo parallel-fetch protect-owned sandbox sfperms strict unmerge-orphans userfetch"
GENTOO_MIRRORS="http://src.gentoo.pl http://gentoo.mirror.pw.edu.pl http://gentoo.mirror.web4u.cz http://distfiles.gentoo.org http://www.ibiblio.org/pub/Linux/distributions/gentoo"
LANG="en_US.UTF-8"
LDFLAGS="-Wl,-O1"
LINGUAS="en pl"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/portage/local/layman/enlightenment"
SYNC="rsync://repo.non.3dart.com/gentoo-portage"
USE="X acl acpi alsa async berkdb bluetooth branding bzip2 cairo cdr cli cracklib crypt cups curl dbus dri dvd dvdr dvdread emboss encode esd evo exif fam firefox gdbm gif gnome gpm gstreamer gtk hal
iconv idn imap isdnlog jabber jpeg kerberos lame ldap libnotify logrotate lzo mad memlimit mikmod mp3 mpeg mudflap mysql ncurses nls nntp nptl nptlonly nsplugin ogg opengl openmp pam pch pcre pdf perl
php png ppds pppd python qt3support quicktime rdesktop readline reflection reiserfs ruby samba sdl session snmp spell spl srt ssl startup-notification svg sysfs syslog tcpd theora threads tiff
truetype unicode usb vim-syntax vorbis win32codecs x86 xml xorg xscreensaver xulrunner xv xvid zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370
ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks
iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default
authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include
info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en pl" USERLAND="GNU" VIDEO_CARDS="radeon ati vesa vga nv nvidia"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LC_ALL, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 18 Jim Ramsay (lack) (RETIRED) gentoo-dev 2009-03-18 02:44:34 UTC
(In reply to comment #17)
> Seems that CVE-2008-4546 isn't fixed.

True, though really that CVE was actually addressed in bug #239543, where we decided that this particular issue isn't really worth much effort.  A local DoS is not that dangerous, and we'll just have to wait for Adobe to fix it regardless of how important we think it may be.