Bug 21224

Summary: Security update request for flash-player-plugin, to 26.0.0.137
Product: Mageia Reporter: Anssi Hannula <anssi.hannula>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, davidwhodgins, herman.viaene, sysadmin-bugs, tarazed25
Version: 6Keywords: Security, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: https://helpx.adobe.com/security/products/flash-player/apsb17-21.html
Whiteboard: advisory MGA5TOO MGA5-64-OK MGA5-32-OK MGA6-64-OK
Source RPM: flash-player-plugin CVE: CVE-2017-3080, CVE-2017-3099, CVE-2017-3100
Status comment:

Description Anssi Hannula 2017-07-11 16:48:10 CEST 
Advisory:
============
Adobe Flash Player 26.0.0.137 contains fixes to critical security vulnerabilities found in earlier versions that could potentially allow an attacker to take control of the affected system.

This update resolves security bypass and memory corruption vulnerabilities that could lead to information disclosure or code execution (CVE-2017-3080, CVE-2017-3099, CVE-2017-3100).

References:
https://helpx.adobe.com/security/products/flash-player/apsb17-21.html
============

Updated Flash Player packages have been submitted to mga5 nonfree/updates_testing.

Source packages:
flash-player-plugin-26.0.0.137-1.mga5.nonfree

Binary packages:
flash-player-plugin
flash-player-plugin-kde
Comment 1 Dave Hodgins 2017-07-13 04:12:30 CEST 
Usual flash testing, including http://get.adobe.com/flashplayer/about/
and checking the player settings under the tools menu.

Validating the update.

Whiteboard: (none) => advisory MGA5-64-OK MGA5-32-OK
Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 2 Rémi Verschelde 2017-07-13 09:37:37 CEST 
It needs to be pushed and validated for Mageia 6 too before we can get it in Mageia 5, otherwise it will break the upgrade path.

Keywords: validated_update => (none)
Version: 5 => 6
Whiteboard: advisory MGA5-64-OK MGA5-32-OK => MGA5TOO MGA5-64-OK MGA5-32-OK

Comment 3 Rémi Verschelde 2017-07-13 09:38:13 CEST 
Note that as announced by Thomas on the dev@ ML, we can now use updates_testing for cauldron/mga6 to test and validate normal updates for the stable Mageia 6.
Comment 4 Anssi Hannula 2017-07-13 13:00:22 CEST 
I've submitted updated Flash Player packages now into mga6/cauldron nonfree/updates_testing as well.
Comment 5 Thomas Andrews 2017-07-14 00:52:49 CEST 
FWIW, OK for me on 32-bit install on real Intel motherboard, Core 2 Duo, and graphics.

CC: (none) => andrewsfarm

Comment 6 Len Lawrence 2017-07-16 19:00:44 CEST 
mga6  x86_64  Mate

Installed flash-player-plugin-26.0.0.137-1.mga6.nonfree
Restarted firefox
Visited get.adobe.com and played some of the corporate videos.
Checked bubbleshooter.com but it hung every time, so free play must be disabled now.
The plugin is working anyway.

CC: (none) => tarazed25

Comment 7 Len Lawrence 2017-07-16 23:19:24 CEST 
On a new installation of mageia 6 flash-player-plugin was updated to version 26.0.0.137 (see comment 6) but in firefox -> tools -> plugins this is what is registered:
Shockwave Flash 26.0.0.126 - last updated 2 May 2017

/usr/share/doc/flash-player-plugin/README.mageia says:
This package does not contain the Flash Player itself. The software is
automatically downloaded from Adobe during package installation.

This package requires the freshplayerplugin wrapper in
/usr/lib64/mozilla/plugins/libfreshwrapper-flashplayer.so which allows
the PPAPI plugin to be used on NPAPI browsers (e.g. Firefox) as well.

From `ls -l /usr/lib64/mozilla/plugins`
-rwxr-xr-x 1 root root 1088312 May  2 11:29 libfreshwrapper-flashplayer.so
/var/lib/flash-player-plugin/ contains
flash-player-ppapi-26.0.0.137-release.x86_64.rpm

flash-player-plugin]$ sudo urpmi --test flash-player-ppapi-26.0.0.137-release.x86_64.rpm
The following package has to be removed for others to be upgraded:
flash-player-plugin-26.0.0.137-1.mga6.nonfree.x86_64
 (due to conflicts with flash-player-ppapi)
(test only, removal will not be actually done) (y/N) 

This is all very confusing.  What should we expect to see?

Whiteboard: MGA5TOO MGA5-64-OK MGA5-32-OK => MGA5TOO MGA5-64-OK MGA5-32-OK MGA6-64-OK

Comment 8 Rémi Verschelde 2017-07-16 23:27:42 CEST 
(In reply to Len Lawrence from comment #7)
> On a new installation of mageia 6 flash-player-plugin was updated to version
> 26.0.0.137 (see comment 6) but in firefox -> tools -> plugins this is what
> is registered:
> Shockwave Flash 26.0.0.126 - last updated 2 May 2017

Did you restart Firefox?

---

Testing on Mageia 6 x86_64, works fine.
Comment 9 Anssi Hannula 2017-07-16 23:38:55 CEST 
Hmm, I think a "touch" for libfreshwrapper*so is missing from %post of flash-player-plugin, to make Firefox detect the new version.

This was discussed before and David had already added the prequisite %verify(not mtime) tag in freshplayerplugin.

I'll submit a new flash-player-plugin for mga6 testing within a day.

Assignee: qa-bugs => anssi.hannula

Comment 10 David Walser 2017-07-16 23:41:13 CEST 
Len, you shouldn't be trying to install the adobe package directly.  Sometimes when you upgrade Flash you have to kill the plugin-container process (or restart Firefox) for it to use the new version.

Assignee: anssi.hannula => qa-bugs

Comment 11 Len Lawrence 2017-07-17 01:28:29 CEST 
@Rémi - re comment 8 - yes I remembered to restart the browser.

@David - re comment 10 - I only tried that as a test to see what it would try to do - had no intention of running the command for real.  Just curious about the different version numbers.
Comment 12 Herman Viaene 2017-07-17 14:49:04 CEST 
MGA6-32 on Asus A6000VM MATE
Installation: I did not find flash-player-plugin-kde in the repo
Checked with Adobe website, checked plugin in Firefox and run www.classiccomposers.org (press "Live" to play). OK for me.

Whiteboard: MGA5TOO MGA5-64-OK MGA5-32-OK MGA6-64-OK => MGA5TOO MGA5-64-OK MGA5-32-OK MGA6-64-OK MGA6-32-OK
CC: (none) => herman.viaene

Comment 13 Anssi Hannula 2017-07-17 23:54:00 CEST 
Updated Flash Player packages have been submitted to mga6 nonfree/updates_testing that should fix Len Lawrence's issue in comment #7.

Specifically, Firefox should now see the new version number after upgrading from mga6 version 26.0.0.126.

No change in advisory. Mageia 5 packages were not affected.

Source packages:
flash-player-plugin-26.0.0.137-1.1.mga6.nonfree

Binary packages:
flash-player-plugin

Whiteboard: MGA5TOO MGA5-64-OK MGA5-32-OK MGA6-64-OK MGA6-32-OK => MGA5TOO MGA5-64-OK MGA5-32-OK

Comment 14 Rémi Verschelde 2017-07-18 00:03:51 CEST 
Advisory updated.

Whiteboard: MGA5TOO MGA5-64-OK MGA5-32-OK => advisory MGA5TOO MGA5-64-OK MGA5-32-OK

Comment 15 Len Lawrence 2017-07-18 02:49:43 CEST 
x86_64

Yep, that has fixed it.  And Adobe's own showcase videos run fine.
Len Lawrence 2017-07-18 09:01:17 CEST

Whiteboard: advisory MGA5TOO MGA5-64-OK MGA5-32-OK => advisory MGA5TOO MGA5-64-OK MGA5-32-OK MGA6-64-OK

Comment 16 Rémi Verschelde 2017-07-19 09:00:20 CEST 
Works fine here too, validating.

Keywords: (none) => validated_update

Comment 17 Mageia Robot 2017-07-22 11:00:47 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0211.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED