| Summary: | flash-player-plugin security update 26.0.0.151 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Zombie Ryushu <zombie_ryushu> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | anssi.hannula, davidwhodgins, lewyssmith, mageia, mageia, qa-bugs, sysadmin-bugs, tarazed25, westel, wilcal.int |
| Version: | 6 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://lwn.net/Alerts/730473/ | ||
| Whiteboard: | MGA5TOO advisory MGA5-32-OK MGA5-64-OK MGA6-32-OK MGA6-64-OK | ||
| Source RPM: | flash-player-plugin | CVE: | CVE-2017-3085, CVE-2017-3106 |
| Status comment: | |||
| Attachments: | gpg key for adobe | ||
|
Description
Zombie Ryushu
2017-08-12 03:59:36 CEST
Zombie Ryushu
2017-08-12 04:00:02 CEST
CVE:
(none) =>
CVE-2017-3085, CVE-2017-3106
David Walser
2017-08-12 04:20:55 CEST
Whiteboard:
(none) =>
MGA5TOO
pushed in updates_testing
src.rpm:
flash-player-plugin-26.0.0.151-1.mga6
flash-player-plugin-26.0.0.151-1.mga5
Assignee:
anssi.hannula =>
qa-bugs
We still need an advisory for this one. Anssi always does these.
CC:
(none) =>
anssi.hannula
The package FAILED to install. The urpmi output is below. The downloads were successful, so this is probably a pre-install script issue.
Note that by downloading the Adobe Flash Player you indicate your acceptance of
the EULA, available at http://www.adobe.com/products/eulas/players/flash/
Downloading from http://fpdownload.adobe.com/get/flashplayer/pdc/26.0.0.151/flash-player-npapi-26.0.0.151-release.x86_64.rpm:
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 8773k 100 8773k 0 0 2796k 0 0:00:03 0:00:03 --:--:-- 2816k
Downloading from http://linuxdownload.adobe.com/linux/x86_64/flash-player-npapi-26.0.0.151-release.x86_64.rpm:
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 8773k 100 8773k 0 0 2982k 0 0:00:02 0:00:02 --:--:-- 3110k
Error: Unable to download Flash Player. This is likely due to this package
being too old. Please file a bug report at https://bugs.mageia.org
so that the package gets updated. Thank you.
In the meantime, you can download Flash Player manually from
http://get.adobe.com/flashplayer/
error: %prein(flash-player-plugin-26.0.0.151-1.mga5.nonfree.x86_64) scriptlet failed, exit status 1
ERROR: 'script' failed for flash-player-plugin-26.0.0.151-1.mga5.nonfree
error: flash-player-plugin-26.0.0.151-1.mga5.nonfree.x86_64: install failed
CC:
(none) =>
mageia
The sha256sum values are wrong.
For http://fpdownload.adobe.com/get/flashplayer/pdc/26.0.0.151/flash-player-npapi-26.0.0.151-release.x86_64.rpm it should be
sha256sum ./flash-player-npapi-26.0.0.151-release.x86_64.rpm
0d29d22f596e11140bb0d924f24d05fce8aa33b0941e7de9c0421b3534ddf0ed ./flash-player-npapi-26.0.0.151-release.x86_64.rpm
with a file size of 8983724 bytes.
For http://linuxdownload.adobe.com/linux/x86_64/flash-player-npapi-26.0.0.151-release.x86_64.rpm it should be
2374a07d66f6e13e9d436aca85fd78d0894de0f54dcae7c91c09cd6bce5b7a59
with a file size of 8983900 bytes.
I don't know where Adobe publishes the values. The way I obtain them is to download the rpm files in a snapshotted vb guest, test that they work to ensure the download was ok, and then see what the values are.
CC:
(none) =>
davidwhodgins
Instead of using the sha256sum values and the file size, it would make more sense to me to have a separate package that imports the Adobe key used to sign the rpm package, and have that package required by the flash-player-plugin package.
The gpg key to import can be obtained from http://pgp.mit.edu/pks/lookup?op=get&search=0x3A69BD24F6777C67 or any of the other working gpg key servers.
The package for the Adobe key should be similar to the gpg-pubkey-80420f66-4d4fe123 package that imports the key used to sign Mageia packages.

Created attachment 9615
gpg key for adobe
Attached is the gpg key for Adobe which can be imported using rpm --import
Dave Hodgins
2017-08-20 05:29:22 CEST
Attachment 9615 filename:
adobe.gpg =>
adobe.gpg.asc
Dave Hodgins
2017-08-20 05:31:05 CEST
Attachment 9615 mime type:
text/plain =>
application/octet-stream
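
The install failure reported above came from pinned size and SHA-256 values that did not match the files Adobe served, while the error text blamed the download. The following is an added example, not the package's %prein script (which this page does not show): `verify_pinned` reports which check failed and `verify_signed` applies the key-based check proposed in the thread; the function names, return codes and the matched `rpm -K` output words are assumptions.

```shell
#!/bin/sh
# Added example. Return codes are an assumed convention:
# 0 ok, 2 file missing or empty, 3 size mismatch, 4 sha256 mismatch.
verify_pinned() {
    file=$1; want_size=$2; want_sha=$3
    if [ ! -s "$file" ]; then
        echo "download missing or empty: $file" >&2
        return 2
    fi
    got_size=$(wc -c < "$file" | tr -d '[:space:]')
    if [ "$got_size" != "$want_size" ]; then
        echo "size mismatch: got $got_size, pinned $want_size" >&2
        return 3
    fi
    got_sha=$(sha256sum "$file" | cut -d' ' -f1)
    if [ "$got_sha" != "$want_sha" ]; then
        echo "sha256 mismatch: got $got_sha, pinned $want_sha" >&2
        return 4
    fi
    return 0
}

# Signature route proposed in the thread: import the vendor key once, then
# let rpm check each download, so no per-release pins need maintaining.
# Requires rpm. "rpm -K" also exits 0 for an unsigned package whose digests
# match, so the result text is checked for a verified signature as well; the
# matched words are an assumption and differ between rpm versions.
verify_signed() {
    keyfile=$1; rpmfile=$2
    rpm --import "$keyfile" || return 1
    out=$(rpm -K "$rpmfile") || return 1
    case ${out##*: } in
        *signatures*|*pgp*|*gpg*) return 0 ;;
        *) echo "no verified signature: $out" >&2; return 5 ;;
    esac
}
```

A pin mismatch (3 or 4) on a file that downloaded completely points at stale values in the package rather than at the network.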
David Walser
2017-08-22 18:47:32 CEST
CC:
(none) =>
qa-bugs
Please test new rpms:
src.rpm:
flash-player-plugin-26.0.0.151-1.1.mga5
flash-player-plugin-26.0.0.151-1.1.mga6
Assignee:
anssi.hannula =>
qa-bugs
# urpmi flash-player-plugin
http://mirror.internode.on.net/pub/mageia/distrib/5/i586/media/nonfree/updates_testing/flash-player-plugin-26.0.0.151-1.mga5.nonfree.i586.rpm
installing flash-player-plugin-26.0.0.151-1.mga5.nonfree.i586.rpm from /var/cache/urpmi/rpms
Preparing... ###########################################################
Note that by downloading the Adobe Flash Player you indicate your acceptance of
the EULA, available at http://www.adobe.com/products/eulas/players/flash/
Downloading from http://fpdownload.adobe.com/get/flashplayer/pdc/26.0.0.151/flash-player-npapi-26.0.0.151-release.i386.rpm:
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 8269k 100 8269k 0 0 887k 0 0:00:09 0:00:09 --:--:-- 915k
Downloading from http://linuxdownload.adobe.com/linux/i386/flash-player-npapi-26.0.0.151-release.i386.rpm:
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 8269k 100 8269k 0 0 292k 0 0:00:28 0:00:28 --:--:-- 444k
Error: Unable to download Flash Player. This is likely due to this package
being too old. Please file a bug report at https://bugs.mageia.org
so that the package gets updated. Thank you.
In the meantime, you can download Flash Player manually from
http://get.adobe.com/flashplayer/
error: %prein(flash-player-plugin-26.0.0.151-1.mga5.nonfree.i586) scriptlet failed, exit status 1
ERROR: 'script' failed for flash-player-plugin-26.0.0.151-1.mga5.nonfree
error: flash-player-plugin-26.0.0.151-1.mga5.nonfree.i586: install failed
CC:
(none) =>
westel
It installed fine on mga6 (64-bits) after the import of the key provided by David in the attachment.
# urpmi flash-player-plugin
Unknown option: X
To satisfy dependencies, the following packages are going to be installed:
Package Version Release Arch
(medium "Core Release (distrib1)")
freshplayerplugin 0.3.6 8.mga6 x86_64
(medium "Nonfree Updates (distrib13)")
flash-player-plugin 26.0.0.137 1.1.mga6.non> x86_64
1MB of additional disk space will be used.
374KB of packages will be retrieved.
Proceed with the installation of the 2 packages? (Y/n)
$MIRRORLIST: media/core/release/freshplayerplugin-0.3.6-8.mga6.x86_64.rpm
$MIRRORLIST: media/nonfree/updates/flash-player-plugin-26.0.0.137-1.1.mga6.nonfree.x86_64.rpm
installing flash-player-plugin-26.0.0.137-1.1.mga6.nonfree.x86_64.rpm freshplayerplugin-0.3.6-8.mga6.x86_64.rpm from /var/cache/urpmi/rpms
Preparing... #############################################
1/2: freshplayerplugin #############################################
Note that by downloading the Adobe Flash Player you indicate your acceptance of
the EULA, available at http://www.adobe.com/products/eulas/players/flash/
Downloading from http://fpdownload.adobe.com/get/flashplayer/pdc/26.0.0.137/flash-player-ppapi-26.0.0.137-release.x86_64.rpm:
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 277 100 277 0 0 2097 0 --:--:-- --:--:-- --:--:-- 2387
Downloading from http://linuxdownload.adobe.com/linux/x86_64/flash-player-ppapi-26.0.0.137-release.x86_64.rpm:
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 9196k 100 9196k 0 0 3468k 0 0:00:02 0:00:02 --:--:-- 3545k
2/2: flash-player-plugin #############################################
Adobe Flash Player installation successful.
Not tested in the wild yet.
CC:
(none) =>
tarazed25
Following on from comment 9. Played showcase videos on Adobe home site. Sound and vision OK, fullscreen no problem.
Scrap all that. Just noticed that it was version 137 that installed. 151 did not appear in updates testing so tried again with search-media.
# urpmi --search-media "Core Updates Testing" flash-player-plugin
No package named flash-player-plugin
Holding off until the mirrors catch up.

Installed and tested without issue. Tested several flash games, video and audio on Firefox 56.0b6 (64-bit, upstream) and Konqueror 4.14.3.
System: Mageia 5, x86_64, Plasma, Intel CPU, nVidia GPU with proprietary driver nvidia340.
$ uname -a
Linux marte 4.4.82-desktop-1.mga5 #1 SMP Sun Aug 13 18:03:58 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -q flash-player-plugin
flash-player-plugin-26.0.0.151-1.1.mga5
Whiteboard:
MGA5TOO =>
MGA5TOO MGA5-64-OK
Installed on mga6, played some showcase videos on the Adobe home site UK, tried a couple of browser games. Sound and video OK.
$ rpm -qa | grep flash-player-plugin
flash-player-plugin-26.0.0.151-1.1.mga6
Correct this time. Good for 64-bits.
Len Lawrence
2017-08-26 19:36:49 CEST
Whiteboard:
MGA5TOO MGA5-64-OK =>
MGA5TOO MGA5-64-OK MGA6-64-OK
Thanks to all testers for the tricky testing. Advisory uploaded from Comments 0 & 7.
Whiteboard:
MGA5TOO MGA5-64-OK MGA6-64-OK =>
MGA5TOO MGA5-64-OK MGA6-64-OK advisory
Update ID assignment failed
Checking for QA validation keyword…
Checking dependent bugs… (None found)
Checking SRPMs…
(5/nonfree/flash-player-plugin-26.0.0.151-1.1.mga5.nonfree)
(6/nonfree/flash-player-plugin-26.0.0.151-1.1.mga6.nonfree)
'validated_update' keyword reset.
Keywords:
validated_update =>
(none)
(In reply to Nicolas Lécureuil from comment #15)
> Update ID assignment failed
>
> Checking SRPMs…
> (5/nonfree/flash-player-plugin-26.0.0.151-1.1.mga5.nonfree)
> (6/nonfree/flash-player-plugin-26.0.0.151-1.1.mga6.nonfree)
Please tell me what is wrong. I thought that the SRPM names should end in nonfree|tainted if that applies.

It should. This is a mistake in the srpm name ...
$ urpmq -i flash-player-plugin|grep ^Source|sort -uV|tail -n 5
Source RPM : flash-player-plugin-25.0.0.171-1.mga5.nonfree.src.rpm
Source RPM : flash-player-plugin-26.0.0.126-1.mga5.nonfree.src.rpm
Source RPM : flash-player-plugin-26.0.0.137-1.mga5.nonfree.src.rpm
Source RPM : flash-player-plugin-26.0.0.151-1.mga5.nonfree.src.rpm
Source RPM : flash-player-plugin-26.0.0.151-1.1.mga5.src.rpm
With the incorrect srpm name, it's also in the core updates testing repo instead of the nonfree updates testing repo.

In VirtualBox, M5.1, KDE, 32-bit
Package(s) under test:
flash-player-plugin
default install of flash-player-plugin
[root@localhost wilcal]# urpmi flash-player-plugin
Package flash-player-plugin-26.0.0.137-1.mga5.nonfree.i586 is already installed
https://www.adobe.com/software/flash/about/ works, reloads and works again.
Shows I am using flash: 26,0,0,137 ( out of date )
Various sites indicate that flash is out of date.
http://www.y8.com/tags/Flash games play
install flash-player-plugin from updates_testing
[root@localhost wilcal]# urpmi flash-player-plugin
Package flash-player-plugin-26.0.0.151-1.1.mga5.i586 is already installed
https://www.adobe.com/software/flash/about/ works, reloads and works again.
Shows I am using flash: 26.0.0.151 ( up to date )
No indication of out of date flash player.
http://www.y8.com/tags/Flash games play
CC:
(none) =>
wilcal.int
In VirtualBox, M5.1, KDE, 32-bit
Package(s) under test:
flash-player-plugin
default install of flash-player-plugin
[root@localhost wilcal]# urpmi flash-player-plugin
Package flash-player-plugin-26.0.0.137-1.mga5.nonfree.i586 is already installed
https://www.adobe.com/software/flash/about/ works, reloads and works again.
Shows I am using flash: 26,0,0,137 ( out of date )
Various sites indicate that flash is out of date.
http://www.y8.com/tags/Flash games play
install flash-player-plugin from updates_testing
[root@localhost wilcal]# urpmi flash-player-plugin
Package flash-player-plugin-26.0.0.151-1.1.mga5.i586 is already installed
https://www.adobe.com/software/flash/about/ works, reloads and works again.
Shows I am using flash: 26.0.0.151 ( up to date )
No indication of out of date flash player.
http://www.y8.com/tags/Flash games play

Disregard Comment #20 Redundant

(In reply to Dave Hodgins from comment #18)
> With the incorrect srpm name, it's also in the core updates testing repo
> instead
> of the nonfree updates testing repo.
my bad. I fix this

In VirtualBox, M6, KDE, 32-bit
Package(s) under test:
flash-player-plugin
default install of flash-player-plugin
[root@localhost wilcal]# urpmi flash-player-plugin
Package flash-player-plugin-26.0.0.137-1.1.mga6.nonfree.i586 is already installed
https://www.adobe.com/software/flash/about/ works, reloads and works again.
Shows I am using flash: 26,0,0,137 ( out of date )
Various sites indicate that flash is out of date.
http://www.y8.com/tags/Flash games play
install flash-player-plugin from updates_testing
[root@localhost wilcal]# urpmi flash-player-plugin
Package flash-player-plugin-26.0.0.151-1.1.mga6.i586 is already installed
https://www.adobe.com/software/flash/about/ works, reloads and works again.
Shows I am using flash: 26.0.0.151 ( up to date )
No indication of out of date flash player.
http://www.y8.com/tags/Flash games play
William Kenney
2017-08-26 23:01:42 CEST
Whiteboard:
MGA5TOO MGA5-32-OK MGA5-64-OK MGA6-64-OK advisory =>
MGA5TOO MGA5-32-OK MGA5-64-OK MGA6-32-OK MGA6-64-OK advisory
This update works fine.
Testing complete for MGA5, 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push to updates.
Thanks
Keywords:
(none) =>
validated_update
Removing the OKs and validation till the srpm name is corrected and the update put in the nonfree updates testing repo instead of the core update testing repo.
Whiteboard:
MGA5TOO MGA5-32-OK MGA5-64-OK MGA6-32-OK MGA6-64-OK advisory =>
MGA5TOO advisory
Adding the feedback whiteboard entry to make it clear there is a problem.
Whiteboard:
MGA5TOO advisory =>
MGA5TOO advisory feedback
An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2017-0314.html
Resolution:
(none) =>
FIXED
Putting back the oks and validation. Sorry for the noise.
Keywords:
(none) =>
validated_update |