| Summary: | gnash new security issues CVE-2011-4328 and CVE-2012-1175 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | normal | ||
| Priority: | Normal | CC: | davidwhodgins, dmorganec, fundawang, sysadmin-bugs, thierry.vignaud, tmb |
| Version: | 1 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Source RPM: | gnash-0.8.9-2.mga1.src.rpm | CVE: | |
| Status comment: | |||
| Attachments: | gnash-0.8.9-CVE-2011-4328.diff, gnash-0.8.10-CVE-2012-1175.diff | ||
Description
David Walser
2012-04-18 12:22:00 CEST
David Walser
2012-04-18 12:22:21 CEST
CC: (none) => fundawang
David Walser
2012-04-18 12:22:58 CEST
CC: (none) => thierry.vignaud
David Walser
2012-04-18 12:23:19 CEST
Blocks: (none) => 5046

For Cauldron, gnash has been updated to 0.8.10 in SVN, but it was never pushed to the build system. Either it needs a freeze push or it needs to be reverted. It also needs the patch for CVE-2012-1175.

Created attachment 2054: gnash-0.8.9-CVE-2011-4328.diff

Created attachment 2055: gnash-0.8.10-CVE-2012-1175.diff

Reverted to 0.8.9 and patched in Cauldron.
David Walser
2012-04-21 19:59:39 CEST
Blocks: 5046 => (none)

This won't build in Mageia 1 updates_testing because xulrunner 10.0.3 is causing a problem.
David Walser
2012-04-21 20:00:38 CEST
CC: (none) => dmorganec

Here is the error:

```
/bin/sh ../../libtool --silent --tag=CXX --mode=compile g++ -DHAVE_CONFIG_H -I. -I../.. -DPLUGIN_TRACE -DGNASHBINDIR=\"/usr/bin\" -DSYSCONFDIR=\"/etc\" -I../../libcore -I../../libcore/parser -I../../libbase -I../../librender -I./mozilla-sdk -I/usr/include/xulrunner-10.0.3 -DXP_UNIX -I/usr/include/glib-2.0 -I/usr/lib/glib-2.0/include -I/usr/include/glib-2.0 -I/usr/lib/glib-2.0/include -DXP_UNIX -DMOZ_X11 -fvisibility=hidden -O2 -g -pipe -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fstack-protector --param=ssp-buffer-size=4 -fomit-frame-pointer -march=i586 -mtune=generic -fasynchronous-unwind-tables -W -Wall -Wcast-align -Wcast-qual -Wpointer-arith -Wreturn-type -Wnon-virtual-dtor -Wunused -fvisibility-inlines-hidden -c -o libgnashplugin_la-external.lo `test -f 'external.cpp' || echo './'`external.cpp
mozilla-sdk/npp_gate.cpp:59:9: warning: unused parameter 'save'
mozilla-sdk/np_entry.cpp: In function 'char* NP_GetMIMEDescription()':
mozilla-sdk/np_entry.cpp:242:27: error: new declaration 'char* NP_GetMIMEDescription()'
/usr/include/xulrunner-10.0.3/npfunctions.h:307:24: error: ambiguates old declaration 'const char* NP_GetMIMEDescription()'
mozilla-sdk/np_entry.cpp:244:35: error: invalid conversion from 'const char*' to 'char*'
make[4]: *** [libgnashplugin_la-np_entry.lo] Error 1
make[4]: *** Waiting for unfinished jobs....
plugin.cpp: In function 'char* NPP_GetMIMEDescription()':
plugin.cpp:134:28: error: new declaration 'char* NPP_GetMIMEDescription()'
/usr/include/xulrunner-10.0.3/npapi.h:794:13: error: ambiguates old declaration 'const char* NPP_GetMIMEDescription()'
make[4]: *** [libgnashplugin_la-plugin.lo] Error 1
make[4]: Leaving directory `/home/iurt/rpm/BUILD/gnash-0.8.9/plugin/npapi'
```
David Walser
2012-04-21 20:03:07 CEST
Blocks: (none) => 4405

Used a patch from Cauldron to fix the build.

Patched package uploaded.

Note to QA: This is built against xulrunner 10 in updates_testing, so please test that it works with our current FF 9.0.1.

Advisory:
========================

Updated gnash packages fix security vulnerabilities:

Tielei Wang from Georgia Tech Information Security Center discovered a vulnerability in GNU Gnash which is caused due to an integer overflow error and can be exploited to cause a heap-based buffer overflow by tricking a user into opening a specially crafted SWF file (CVE-2012-1175).

Alexander Kurtz discovered an unsafe management of HTTP cookies. Cookie files are stored under /tmp and have predictable names, and the vulnerability allows a local attacker to overwrite arbitrary files the user has write permissions for, and are also world-readable which may cause information leak (CVE-2011-4328).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4328
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1175
http://www.debian.org/security/2012/dsa-2435
========================

Updated packages in core/updates_testing:
========================
gnash-0.8.9-2.1.mga1
libgnash0-0.8.9-2.1.mga1
libgnash-devel-0.8.9-2.1.mga1
gnash-firefox-plugin-0.8.9-2.1.mga1
klash-0.8.9-2.1.mga1
gnash-cygnal-0.8.9-2.1.mga1
gnash-tools-0.8.9-2.1.mga1
python-gnash-0.8.9-2.1.mga1
gnash-extension-fileio-0.8.9-2.1.mga1
gnash-extension-lirc-0.8.9-2.1.mga1
gnash-extension-dejagnu-0.8.9-2.1.mga1
gnash-extension-mysql-0.8.9-2.1.mga1

from gnash-0.8.9-2.1.mga1.src.rpm

Assignee: bugsquad => qa-bugs
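
The advisory above attributes CVE-2011-4328 to cookie files under /tmp that have predictable names and are world-readable. The following C code is an added example, not gnash's code and not the patch attached to this bug, showing the usual hardening for that class of problem: an unpredictable owner-only file via mkstemp(), exclusive creation when the path must stay fixed, and an lstat()-based audit check. The function names and the "gnash-cookies." prefix are assumptions made for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create an unpredictable, owner-only file in dir. Returns an open fd and
 * leaves the chosen path in path_out; returns -1 with errno set on error. */
int create_private_cookie_file(const char *dir, char *path_out, size_t n)
{
    /* The "gnash-cookies." prefix is a made-up name for this example. */
    int len = snprintf(path_out, n, "%s/gnash-cookies.XXXXXX", dir);
    if (len < 0 || (size_t)len >= n) {
        errno = ENAMETOOLONG;
        return -1;
    }
    mode_t old = umask(077);     /* do not depend on the caller's umask */
    int fd = mkstemp(path_out);  /* random suffix, opened O_CREAT|O_EXCL */
    umask(old);
    return fd;
}

/* For a path that must stay fixed: succeed only if this call creates the
 * file. O_EXCL fails with EEXIST on any existing entry, symlinks included. */
int open_fixed_path_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Audit check: 1 if path is a regular file owned by the caller with no
 * group/other permission bits. lstat() reports a symlink, never follows it. */
int is_private_regular_file(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return 0;
    return S_ISREG(st.st_mode) && st.st_uid == geteuid()
        && (st.st_mode & (S_IRWXG | S_IRWXO)) == 0;
}
```

Keeping such files in a per-user directory rather than directly in /tmp removes the shared-directory exposure altogether; the checks above still apply there.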
David Walser
2012-04-22 21:29:56 CEST
Blocks: 4405 => (none)

Testing with firefox 10, as it's now been validated.

http://www.totallytom.com/MadCow.swf plays with gnash-firefox-plugin, and using gnash to play a locally saved copy.

The klash konqueror plugin doesn't seem to be working at the same site.

The firefox-plugin is not working with opera.

gnash-qt-launcher doesn't have the option to open a file while gnash-gtk-launcher does.

gnash only seems to support some swf files. It won't load flv files.

I'll have to test with the prior version to see if these are regressions or not.

CC: (none) => davidwhodgins

Testing x86_64

Using the same file as Dave.

Tested OK with cli, firefox and konqueror.

It doesn't work in opera x86_64 either although it does find the plugin in /usr/lib64/mozilla/plugins

While gnash-gtk-launcher does have an option to open a file it doesn't seem to do anything when it is used and an swf selected.

Checked a couple of the gnash-tools too OK.

I don't think the opera problem should block the update so I'll validate this one

Please see comment 7 for advisory and srpm

Could sysadmin please push from core/updates_testing to core/updates

Thanks!

Keywords: (none) => validated_update

Update pushed.
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0108

Status: NEW => RESOLVED