| Summary: | flash-player-plugin security update 25.0.0.148 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Nicolas Salguero <nicolas.salguero> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | ||
| Priority: | Normal | CC: | andrewsfarm, brtians1, davidwhodgins, marja11, sysadmin-bugs, tarazed25 |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA5-64-OK advisory MGA5-32-OK | ||
| Source RPM: | flash-player-plugin | CVE: | |
| Status comment: | |||
|
Description
Nicolas Salguero
2017-04-18 09:48:59 CEST
Nicolas Salguero
2017-04-18 09:49:17 CEST
Source RPM: (none) => flash-player-plugin

Assigning to the registered maintainer.

CC: (none) => marja11

Be aware, please, that the flash that's currently in the Cauldron repositories no longer installs. It attempts to do so, and the freshplayer plugin is installed, but not the flashplayer, after which the freshplayer plugin is listed as "orphaned." If already installed it will continue to work, but users will soon start to see messages that it should be updated.

I have seen this before. It is caused by Adobe's policy of moving flash versions older than whatever is current and the one immediately previous to the archives, making our script useless. It only happens when we fall too far behind Adobe's schedule. As far as I know, there is little we can do but stay on top of the new releases as they come out.

CC: (none) => andrewsfarm

Updated packages pushed to Cauldron and Mageia 5.
Advisory:
=========
Updated flash-player-plugin package fixes security vulnerabilities
This update fixes the following critical security issues:
* use-after-free vulnerabilities that could lead to code execution
(CVE-2017-3058, CVE-2017-3059, CVE-2017-3062, CVE-2017-3063).
* memory corruption vulnerabilities that could lead to code execution
(CVE-2017-3060, CVE-2017-3061, CVE-2017-3064).
References:
- https://helpx.adobe.com/security/products/flash-player/apsb17-10.html
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3058
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3059
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3060
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3061
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3062
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3063
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3064
RPMs in nonfree/updates_testing:
================================
flash-player-plugin-25.0.0.148-1.mga5.nonfree
SRPMs in nonfree/updates_testing:
=================================
flash-player-plugin-25.0.0.148-1.mga5.nonfree

Assignee: anssi.hannula => qa-bugs

Fails to install, apparently due to the sha256sum and size.

$ sha256sum flash-player-npapi-25.0.0.148-release.x86_64.rpm
3f694d661b49c7c52b4e9c2e71e9a7a312903dc010fd11aad3a01cecaf36a6bc flash-player-npapi-25.0.0.148-release.x86_64.rpm
$ ls -l flash-player-npapi-25.0.0.148-release.x86_64.rpm
-rw-r--r-- 1 root root 8973088 Apr 11 00:43 flash-player-npapi-25.0.0.148-release.x86_64.rpm

The script is looking for
SHA256SUM1="80a19f5b0a5f26c2cc56236acd2a720573d6f53cdd75defb8ab8bdba25a7225f:9413415"

CC: (none) => davidwhodgins

Forgot to add feedback marker. Adding it now.

Whiteboard: (none) => feedback

# urpmi flash-player-plugin
http://mirrors.kernel.org/mageia/distrib/5/x86_64/media/nonfree/updates_testing/flash-player-plugin-25.0.0.148-1.mga5.nonfree.x86_64.rpm
installing flash-player-plugin-25.0.0.148-1.mga5.nonfree.x86_64.rpm from /var/cache/urpmi/rpms
Preparing... #############################################
Note that by downloading the Adobe Flash Player you indicate your acceptance of
the EULA, available at http://www.adobe.com/products/eulas/players/flash/
Downloading from http://fpdownload.adobe.com/get/flashplayer/pdc/25.0.0.148/flash-player-npapi-25.0.0.148-release.x86_64.rpm:
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 8762k 100 8762k 0 0 4209k 0 0:00:02 0:00:02 --:--:-- 4335k
Error: Unable to download Flash Player. This is likely due to this package
being too old. Please file a bug report at https://bugs.mageia.org
so that the package gets updated. Thank you.
In the meantime, you can download Flash Player manually from
http://get.adobe.com/flashplayer/
error: %prein(flash-player-plugin-25.0.0.148-1.mga5.nonfree.x86_64) scriptlet failed, exit status 1
ERROR: 'script' failed for flash-player-plugin-25.0.0.148-1.mga5.nonfree
error: flash-player-plugin-25.0.0.148-1.mga5.nonfree.x86_64: install failed
error: flash-player-plugin-25.0.0.127-1.mga5.nonfree.x86_64: erase skipped
[root@localhost brian]# urpmi flash-player-plugin
http://mirrors.kernel.org/mageia/distrib/5/x86_64/media/nonfree/updates_testing/flash-player-plugin-25.0.0.148-1.mga5.nonfree.x86_64.rpm
installing flash-player-plugin-25.0.0.148-1.mga5.nonfree.x86_64.rpm from /var/cache/urpmi/rpms
Preparing... #############################################
Note that by downloading the Adobe Flash Player you indicate your acceptance of
the EULA, available at http://www.adobe.com/products/eulas/players/flash/
Downloading from http://fpdownload.adobe.com/get/flashplayer/pdc/25.0.0.148/flash-player-npapi-25.0.0.148-release.x86_64.rpm:
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 8762k 100 8762k 0 0 4456k 0 0:00:01 0:00:01 --:--:-- 4556k
Error: Unable to download Flash Player. This is likely due to this package
being too old. Please file a bug report at https://bugs.mageia.org
so that the package gets updated. Thank you.
In the meantime, you can download Flash Player manually from
http://get.adobe.com/flashplayer/
error: %prein(flash-player-plugin-25.0.0.148-1.mga5.nonfree.x86_64) scriptlet failed, exit status 1
ERROR: 'script' failed for flash-player-plugin-25.0.0.148-1.mga5.nonfree
error: flash-player-plugin-25.0.0.148-1.mga5.nonfree.x86_64: install failed

CC: (none) => brtians1

The SHA256 checksums and the sizes were the ones for the PPAPI version, not for the NPAPI version.

RPMs in nonfree/updates_testing:
================================
flash-player-plugin-25.0.0.148-1.1.mga5.nonfree

SRPMs in nonfree/updates_testing:
=================================
flash-player-plugin-25.0.0.148-1.1.mga5.nonfree

Ah thanks for the fix Nicolas, and for editing the download script accordingly.

Whiteboard: feedback => (none)

x86_64 nvidia machine
Working fine at Vevo and Youtube videos.

CC: (none) => tarazed25
Len Lawrence
2017-04-19 11:04:31 CEST
Whiteboard: (none) => MGA5-64-OK

Advisory uploaded.

Whiteboard: MGA5-64-OK => MGA5-64-OK advisory

Tested on i586 under vb ok. Validating the update.

Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2017-0114.html

Status: NEW => RESOLVED |
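
The install failure in this thread came from a pinned `sha256:size` value that described a different file than the one downloaded. The following is an added example, not the package's download script: `check_pinned` is a hypothetical helper that checks a file against such a pin and reports which part disagrees, run here on a constructed 3-byte sample file.

```shell
#!/bin/sh
# Added example (not the package's script). check_pinned is a hypothetical
# helper; the "sha256:size" pin format follows the SHA256SUM1 line quoted above.

# check_pinned FILE PIN
# Prints one status word: ok, size-mismatch, hash-mismatch, both-mismatch,
# missing or bad-pin. Returns 0 only for ok.
check_pinned() {
    file=$1 pin=$2
    case $pin in *:*) ;; *) echo bad-pin; return 2 ;; esac
    want_hash=${pin%%:*}
    want_size=${pin#*:}
    # Validate the pin itself so a malformed value is never compared.
    case $want_hash in ''|*[!0-9a-f]*) echo bad-pin; return 2 ;; esac
    case $want_size in ''|*[!0-9]*) echo bad-pin; return 2 ;; esac
    [ "${#want_hash}" -eq 64 ] || { echo bad-pin; return 2; }
    [ -f "$file" ] || { echo missing; return 2; }

    got_size=$(wc -c < "$file" | tr -d ' ')
    got_hash=$(sha256sum "$file" | cut -d' ' -f1)
    # Expected vs. actual on stderr, for whoever has to correct the pin.
    printf 'expected %s:%s\nactual   %s:%s\n' \
        "$want_hash" "$want_size" "$got_hash" "$got_size" >&2

    size_ok=0; hash_ok=0
    [ "$got_size" = "$want_size" ] && size_ok=1
    [ "$got_hash" = "$want_hash" ] && hash_ok=1
    case $size_ok$hash_ok in
        11) echo ok; return 0 ;;
        01) echo size-mismatch ;;   # hash agrees, size in the pin is wrong
        10) echo hash-mismatch ;;   # same length, different content
        00) echo both-mismatch ;;   # pin describes a different file
    esac
    return 1
}

# Constructed sample: a 3-byte file and the matching pin for it.
demo=$(mktemp)
printf 'abc' > "$demo"
good=ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad:3
# Pin value quoted in the report; it describes a different file.
other=80a19f5b0a5f26c2cc56236acd2a720573d6f53cdd75defb8ab8bdba25a7225f:9413415
check_pinned "$demo" "$good" 2>/dev/null || true
check_pinned "$demo" "$other" 2>/dev/null || true
rm -f "$demo"
```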