Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 391283 (CVE-2011-4328) - <www-plugins/gnash-0.8.9-r1: Unsafe management of HTTP cookies (CVE-2011-4328)
Summary: <www-plugins/gnash-0.8.9-r1: Unsafe management of HTTP cookies (CVE-2011-4328)
Alias: CVE-2011-4328
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B4 [glsa]
Depends on: 391915 CVE-2012-1175
  Show dependency tree
Reported: 2011-11-21 19:14 UTC by Sean Amoss (RETIRED)
Modified: 2012-07-12 00:43 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Sean Amoss (RETIRED) gentoo-dev Security 2011-11-21 19:14:26 UTC
From the oss-sec mailing list at $URL:

"a security flaw was found in the way Shockwave Flash plug-in of the
gnash, a GNU flash movie player, performed management of HTTP cookies
(they were stored under /tmp directory with predictable name and world-
readable permissions). A local attacker could use this flaw to obtain
sensitive information."

Comment 1 Chí-Thanh Christopher Nguyễn gentoo-dev 2011-11-21 21:43:27 UTC;a=commitdiff;h=fa481c116e65ccf9137c7ddc8abc3cf05dc12f55 applied in 0.8.9-r1.

Arches, please stabilize www-plugins/gnash-0.8.9-r1
Target keywords: amd64 ppc ~ppc64 ~sparc x86

Due to bug 366407, gnash may fail to build if multiple versions of boost are present on the system. This is not a regression from 0.8.8.
Comment 2 Agostino Sarubbo gentoo-dev 2011-11-22 10:19:58 UTC

Can you fix on the fly:

Files matching a file type that is not allowed:
 * ERROR: www-plugins/gnash-0.8.9-r1 failed:
 *   multilib-strict check failed!
Comment 3 Michael Harrison 2011-11-24 08:26:55 UTC
Ditto ago--
* Call stack:
 *, line 992:  Called install_qa_check
 *, line 716:  Called die
 * The specific snippet of code:
 *              [[ ${abort} == yes ]] && die "multilib-strict check failed!"
Comment 4 Chí-Thanh Christopher Nguyễn gentoo-dev 2011-11-25 17:40:09 UTC
The multilib-strict check passes now in 0.8.9-r2
Comment 5 Agostino Sarubbo gentoo-dev 2011-11-26 10:11:30 UTC
amd64 ok
Comment 6 Steve Dibb (RETIRED) gentoo-dev 2011-12-02 19:24:05 UTC
amd64 stable
Comment 7 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-12-08 17:02:28 UTC
x86 stable
Comment 8 Tim Sammut (RETIRED) gentoo-dev 2012-05-16 17:00:25 UTC
GLSA Vote: yes.
Comment 9 Sean Amoss (RETIRED) gentoo-dev Security 2012-06-11 19:39:38 UTC
GLSA vote: yes.

Updated existing GLSA request.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2012-07-09 23:32:42 UTC
This issue was resolved and addressed in
 GLSA 201207-08 at
by GLSA coordinator Sean Amoss (ackle).
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2012-07-12 00:43:59 UTC
CVE-2011-4328 (
  plugin/npapi/plugin.cpp in Gnash before 0.8.10 uses weak permissions (word
  readable) for cookie files with predictable names in /tmp, which allows
  local users to obtain sensitive information.