Bug 8071

Summary: nspluginwrapper new security issue CVE-2011-2486
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: davidwhodgins, sysadmin-bugs, thierry.vignaud, tmb
Version: 1Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/524705/
Whiteboard: MGA1-64-OK MGA1-32-OK
Source RPM: nspluginwrapper-1.3.0-7.mga1.src.rpm CVE:
Status comment:

Description David Walser 2012-11-14 00:32:52 CET 
RedHat has issued an advisory today (November 13):
https://rhn.redhat.com/errata/RHSA-2012-1459.html

Mageia 2 and Cauldron should be affected, as they contain the same version as RHEL6.  It is not clear if Mageia 1 is affected.

The upstream commit to fix this is linked in the RedHat bug:
https://bugzilla.redhat.com/show_bug.cgi?id=715384
David Walser 2012-11-14 00:33:02 CET

Whiteboard: (none) => MGA2TOO, MGA1TOO

Thierry Vignaud 2012-11-14 10:41:02 CET

Keywords: (none) => Junior_job

Comment 1 David Walser 2012-11-14 13:52:46 CET 
The fixed code is already present in 1.4.4, which RedHat upgraded to from 1.3.0.

Mageia 2 and Cauldron are therefore unaffected.

1.3.0 fails to build with the upstream patch applied, so I guess we should just upgrade Mageia 1 to 1.4.4 as well.

Keywords: Junior_job => (none)
Version: Cauldron => 1
Whiteboard: MGA2TOO, MGA1TOO => (none)

Comment 2 David Walser 2012-11-16 19:52:20 CET 
Updated package uploaded for Mageia 1.

Advisory:
========================

Updated nspluginwrapper package fixes security vulnerability:

It was not possible for plug-ins wrapped by nspluginwrapper to discover
whether the browser was running in Private Browsing mode. This flaw could
lead to plug-ins wrapped by nspluginwrapper using normal mode while they
were expected to run in Private Browsing mode (CVE-2011-2486).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2486
https://rhn.redhat.com/errata/RHSA-2012-1459.html
========================

Updated packages in core/updates_testing:
========================
nspluginwrapper-1.4.4-1.mga1

from nspluginwrapper-1.4.4-1.mga1.src.rpm

CC: (none) => thierry.vignaud
Assignee: thierry.vignaud => qa-bugs
Source RPM: nspluginwrapper-1.4.4-4.mga3.src.rpm => nspluginwrapper-1.3.0-7.mga1.src.rpm

Comment 3 Dave Hodgins 2012-11-20 01:28:03 CET 
Testing complete on Mageia 1.

For testing, on x86-64, I installed the old version, created the directory
/usr/lib/mozilla/plugins, installed adobe reader, ran
/opt/Adobe/Reader9/Browser/install_browser_plugin -global 
and then ran
# nspluginwrapper -i /usr/lib/mozilla/plugins/nppdf.so

Confirmed firefox could view a pdf file using the plugin, installed the
update, and confirmed it still works.

For i586, just confirmed the package installed cleanly, since it's of
no real use on a 32 bit system.

Could someone from the sysadmin team push the srpm
nspluginwrapper-1.4.4-1.mga1.src.rpm
from Mageia 1 Core Updates Testing to Core Updates.

Advisory: Updated nspluginwrapper package fixes security vulnerability:

It was not possible for plug-ins wrapped by nspluginwrapper to discover
whether the browser was running in Private Browsing mode. This flaw could
lead to plug-ins wrapped by nspluginwrapper using normal mode while they
were expected to run in Private Browsing mode (CVE-2011-2486).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2486
https://rhn.redhat.com/errata/RHSA-2012-1459.html

https://bugs.mageia.org/show_bug.cgi?id=8071

Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
Whiteboard: (none) => MGA1-64-OK MGA1-32-OK

Comment 4 Thomas Backlund 2012-11-21 21:03:23 CET 
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0336

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED