Bug 19960 - flash-player-plugin security update 24.0.0.194
Summary: flash-player-plugin security update 24.0.0.194
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: https://helpx.adobe.com/security/prod...
Whiteboard: MGA5-64-OK MGA5-32-OK advisory
Keywords: Security, validated_update
Depends on:
Blocks: 19969
Reported: 2016-12-16 22:39 CET by Nicolas Salguero
Modified: 2017-01-13 11:32 CET

See Also:
Source RPM: flash-player-plugin-11.2.202.644-1.mga6.nonfree.src.rpm
CVE: Does not fit here, see advisory.
Description Nicolas Salguero 2016-12-16 22:39:34 CET
Hi,

Version 24.0.0.186 fixes:

Use-after-free vulnerabilities that could lead to code execution (CVE-2016-7872, CVE-2016-7877, CVE-2016-7878, CVE-2016-7879, CVE-2016-7880, CVE-2016-7881, CVE-2016-7892).

Buffer overflow vulnerabilities that could lead to code execution (CVE-2016-7867, CVE-2016-7868, CVE-2016-7869, CVE-2016-7870).

Memory corruption vulnerabilities that could lead to code execution (CVE-2016-7871, CVE-2016-7873, CVE-2016-7874, CVE-2016-7875, CVE-2016-7876).

A security bypass vulnerability (CVE-2016-7890).

Reference: https://helpx.adobe.com/security/products/flash-player/apsb16-39.html

Best regards,

Nico.
Nicolas Salguero 2016-12-16 22:42:47 CET

Source RPM: (none) => flash-player-plugin-11.2.202.644-1.mga6.nonfree.src.rpm
Whiteboard: (none) => MGA5TOO

Comment 1 David Walser 2016-12-16 23:14:06 CET
This would be a good time to switch our packaging to the PPAPI implementation as discussed in Bug 18993, as it's supposed to be more functional.

Assignee: bugsquad => anssi.hannula

Comment 2 Anssi Hannula 2016-12-16 23:26:44 CET
(In reply to David Walser from comment #1)
> This would be a good time to switch our packaging to the PPAPI
> implementation as discussed in Bug 18993, as it's supposed to be more
> functional.

I'll take a look.

Status: NEW => ASSIGNED

Comment 3 Anssi Hannula 2016-12-17 11:47:03 CET
I'm setting the bug against Mageia 5, but the update will also be submitted to Cauldron.

Advisory:
============
Adobe Flash Player 24.0.0.186 contains fixes to critical security vulnerabilities found in earlier versions that could potentially allow an attacker to take control of the affected system.

Adobe is aware of a report that an exploit for CVE-2016-7892 exists in the wild, and is being used in limited, targeted attacks against users running Internet Explorer (32-bit) on Windows.

This update resolves use-after-free vulnerabilities that could lead to code execution (CVE-2016-7872, CVE-2016-7877, CVE-2016-7878, CVE-2016-7879, CVE-2016-7880, CVE-2016-7881, CVE-2016-7892). 

This update resolves buffer overflow vulnerabilities that could lead to code execution (CVE-2016-7867, CVE-2016-7868, CVE-2016-7869, CVE-2016-7870).

This update resolves memory corruption vulnerabilities that could lead to code execution (CVE-2016-7871, CVE-2016-7873, CVE-2016-7874, CVE-2016-7875, CVE-2016-7876).

This update resolves a security bypass vulnerability (CVE-2016-7890).

Note that Adobe has dropped Adobe Access DRM support from all their Linux releases since their 11.2 release series (which no longer gets security updates), so any Flash content protected with Adobe Access will no longer work.

This update contains the PPAPI variant of Adobe Flash Player, while including a freshpluginplayer wrapper so that the plugin also works in NPAPI browsers as before. This variant does not contain the separate application for modifying Adobe Flash Player preferences and the flash-player-plugin-kde subpackage no longer exists.

References:
https://helpx.adobe.com/security/products/flash-player/apsb16-39.html
============

Updated Flash Player packages have been submitted to mga5 nonfree/updates_testing.

Source packages:
flash-player-plugin-24.0.0.186-1.mga5.nonfree

Binary packages:
flash-player-plugin


Testing notes:
============
This package contains two major changes:
- jumped from Flash 12.1 to 24.0.
- switched from NPAPI version to PPAPI version.

So testing should maybe be a bit more thorough than usual as the chance of regressions is relatively higher.
============

Keywords: (none) => Security
URL: (none) => https://helpx.adobe.com/security/products/flash-player/apsb16-39.html
CC: (none) => anssi.hannula
CVE: (none) => CVE-2016-7867, CVE-2016-7868, CVE-2016-7869, CVE-2016-7870, CVE-2016-7871, CVE-2016-7872, CVE-2016-7873, CVE-2016-7874, CVE-2016-7875, CVE-2016-7876, CVE-2016-7877, CVE-2016-7878, CVE-2016-7879, CVE-2016-7880, CVE-2016-7881, CVE-2016-7890, CVE-2016-7892
Version: Cauldron => 5
Assignee: anssi.hannula => qa-bugs
Whiteboard: MGA5TOO => (none)

Comment 4 youpburden 2016-12-17 14:59:30 CET
MGA5-64 and MGA5-32 real hardware

Package update :

Version 11.2.202.644 to 24.0.0.186

Installation goes fine.

I played some videos and flash-coded online games to check, it's running fine.
The performance is fine, there is no regression for me.

I OK the update but maybe more tests should be done on different hardware.

Mine is AMD graphics and processor, one pc with 32 arch and another with 64.

CC: (none) => youpburden
Whiteboard: (none) => MGA5-32-OK MGA5-64-OK

Comment 5 claire robinson 2016-12-17 18:03:25 CET
Testing mga5 64

Confirmed correct version installed and flash-player-plugin-kde removed.

Played a few flash videos in firefox and confirmed version info correct at http://www.adobe.com/software/flash/about/
Comment 6 David Walser 2016-12-17 18:09:34 CET
Looking at the source changes to this package:

This package shouldn't include the freshplayerplugin sources itself, we already have that packaged.  flash-player-plugin only need include PPAPI Flash itself and require freshplayerplugin (which is available on mga5 and mga6).

Also, it should install the Flash files in /opt/google/chrome/PepperFlash, so that both freshplayerplugin and chromium-browser-stable will pick it up automatically.

Whiteboard: MGA5-32-OK MGA5-64-OK => feedback

Marja Van Waes 2016-12-17 18:13:06 CET

Blocks: (none) => 19969

Comment 7 Thomas Andrews 2016-12-21 16:15:29 CET
Well, that was an adventure.

Installed the 64-bit version on my Athlon X2 machine, which uses the nvidia 340 driver. I have NOT yet attempted the kernel or driver updates currently under QA test. That version seems to work well, no regressions.

My 32-bit update was a different story. This machine has a Sempron 3100+ processor and uses the nvidia 304 video driver. It has NOT yet been updated for either the kernel or nvidia driver currently under QA test.

After the update, flash videos in Mageia's Firefox would play, but the video was black. Sound was OK. An attempt to revert back to the last 11.2 flashplayer failed, as the scripts on our repositories no longer work, presumably because Adobe has removed the older players from the download site. (We should remove those scripts from the repositories, since they no longer work.)

Downloading and installing the last 11.2 player from Adobe's archives also did not work, as Firefox refuses to even consider using it.

Next I downloaded the rpm directly from Adobe, the recommended version being the APAPI version. That one installed and works perfectly. No regressions, though admittedly I only attempted to play one video that was black before, a local TV weather forecast.

CC: (none) => andrewsfarm

Comment 8 Thomas Andrews 2016-12-21 23:06:42 CET
64-bit version installed on two sets of Intel-based hardware, one i3, the other P4, both with KDE4. Both are looking good, no regressions noted.
Comment 9 Thomas Andrews 2016-12-22 03:09:37 CET
I don't know if it makes a difference, but in case it does I forgot to mention in Comment #7 that the install that failed uses the 32-bit server kernel.
Comment 10 Didier Le Gloanic 2016-12-22 04:47:28 CET
I don't think switching the flash package to ppapi/freshplayer is such a good idea. I tried it several times on several hardware and always had a glitch or another that made me go back to npapi version for firefox.

Right now, on 32bit server, while ppapi works fine on chromium, on firefox with freshplayer, videos have glitches if hardware acceleration is allowed and more importantly xorg has a kind of "memory leak". A massive one, more than 30%. Memory is not freed, even after closing firefox. That doesn't happen with chromium/ppapi or firefox/npapi so the problem seems to be freshplugin.

So imho the Flash package and the freshplayer should remain two different things.
I haven't yet tried the npapi v24 from adobe server because I'm a little afraid of struggling to get back to older version if there is a problem. But it's probably better that the flash package stay linked with the latest npapi version.

And since the older (11.x) is now blocked by default by firefox, i think that the typical update to the latest npapi version is the fastest, more sensible option.

CC: (none) => dag42

Comment 11 Thomas Andrews 2016-12-22 23:12:43 CET
The symptoms I described in Comment 7 are documented as a known issue with freshplayer on https://github.com/i-rinat/freshplayerplugin/blob/master/doc/known-issues.md

Specifically, it says this:

Black screen with sound only

3d is enabled by default at the moment, and requiring working OpenGL ES 2.0. With some video adapters 3d doesn't work as intended for some reason. If you have the issue, disable 3d by adding enable_3d = 0 line to ~/.config/freshwrapper.conf. If 3d generally works, but fails only for some instances, try to disable 3d for transparent movies by adding enable_3d_transparent = 0 to ~/.config/freshwrapper.conf.

The particular card in this machine uses the nvidia 304 driver, and has not yet been updated to the server kernel or driver currently under test. It may be that updating the kernel and driver will help, but then the card is old and may not. I will try it tomorrow and see.

Old cards are to be expected in older 32-bit machines like this one, and I would say that most people who hang onto a machine like this would not be comfortable with implementing the above "fix" themselves. Is there some way of us making the change for them, if an old card like this one is detected?
Comment 12 David Walser 2016-12-22 23:29:30 CET
We can't make a change in their home directory, but we can have a README.urpmi that would give that information, which might help.

While there may be some downsides to the PPAPI version, there are downsides from continuing to use the NPAPI version, so I think we have to take the good with the bad either way, and that it's best to move forward with the PPAPI version.

CC: (none) => qa-bugs
Assignee: qa-bugs => anssi.hannula

Comment 13 Thomas Andrews 2016-12-23 01:21:13 CET
Well that's interesting. A search of the files on this 64-bit machine with the PPAPI update installed reveals NO file named "freshwrapper.conf" ANYWHERE. Even after making sure the new plugin has been used.

Any idea what I'm missing? Am I supposed to just make a file with that one line in it? I thought at first that our freshplayer package might have it, but I see that's just the plugin itself and a couple of doc files.
Comment 14 David Walser 2016-12-23 01:25:40 CET
It doesn't install a default freshwrapper.conf, though my freshplayerplugin package (which this one should be switched to use) does install an example one in /usr/share/doc/freshplayerplugin/.  Note that as you pointed out in Comment 11, it looks for that file in your home directory (though it will also look for it in /etc), so you'll need to create it there if needed.
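
The workaround quoted in Comment 11 and the file location given in Comment 14, as an added shell example that is not part of the original thread or of freshplayerplugin: two hypothetical helpers (`set_freshwrapper_option`, `get_freshwrapper_option`) that write an option to `~/.config/freshwrapper.conf` without duplicating it or touching other lines. It assumes the simple `key = value` line format shown in the quoted known-issues text.

```shell
#!/bin/sh
# Added example (not from the thread or from freshplayerplugin).
# Assumption: freshwrapper.conf holds one "key = value" setting per line,
# as in the known-issues text quoted in Comment 11.

# set_freshwrapper_option KEY VALUE [FILE]
# Sets KEY to VALUE, replacing any earlier assignment of exactly that key.
set_freshwrapper_option() {
    key=$1
    value=$2
    conf=${3:-"$HOME/.config/freshwrapper.conf"}

    # Accept only plain option names and values so nothing odd reaches the file.
    case $key in
        ''|*[!A-Za-z0-9_]*) echo "invalid key: $key" >&2; return 2 ;;
    esac
    case $value in
        ''|*[!A-Za-z0-9_.-]*) echo "invalid value: $value" >&2; return 2 ;;
    esac

    # The file is not shipped by default, so create it (and ~/.config) if missing.
    mkdir -p "$(dirname "$conf")" || return 1
    [ -e "$conf" ] || : > "$conf" || return 1

    # Write to a temporary file in the same directory, then rename into place.
    # The result keeps mktemp's owner-only permissions, which suits a file in $HOME.
    tmp=$(mktemp "$conf.XXXXXX") || return 1
    awk -v k="$key" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        # Drop old assignments of this exact key; "enable_3d" must not
        # match "enable_3d_transparent", hence the check for "=" right after it.
        index(line, k) == 1 && substr(line, length(k) + 1) ~ /^[ \t]*=/ { next }
        { print }
    ' "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    printf '%s = %s\n' "$key" "$value" >> "$tmp" || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$conf"
}

# get_freshwrapper_option KEY [FILE]
# Prints the last value assigned to KEY; returns 1 if the key is not set.
get_freshwrapper_option() {
    key=$1
    conf=${2:-"$HOME/.config/freshwrapper.conf"}
    [ -r "$conf" ] || return 1
    awk -v k="$key" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        index(line, k) == 1 {
            rest = substr(line, length(k) + 1)
            if (rest ~ /^[ \t]*=/) {
                sub(/^[ \t]*=[ \t]*/, "", rest)
                sub(/[ \t]+$/, "", rest)
                val = rest
                found = 1
            }
        }
        END { if (found) print val; else exit 1 }
    ' "$conf"
}

# Typical use for the "black screen with sound only" symptom:
#   set_freshwrapper_option enable_3d 0
```

Running the setter twice leaves a single `enable_3d = 0` line, and comments or other options already in the file are preserved.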
Comment 15 Didier Le Gloanic 2016-12-23 03:39:42 CET
(In reply to David Walser from comment #12)
> We can't make a change in their home directory, but we can have a
> README.urpmi that would give that information, which might help.
> 
> While there may be some downsides to the PPAPI version, there are downsides
> from continuing to use the NPAPI version, so I think we have to take the
> good with the bad either way, and that it's best to move forward with the
> PPAPI version.

But the ppapi version requires the wrapper. That introduces another layer of potential bugs. Like I said in comment 10, freshplugin (in conjunction with latest ppapi directly from adobe) seems responsible for a weird "memory leak" effect in X.

Of course it's maybe also linked to a combination of drivers / firefox addons.
If I'm the only one suffering from this, well... too bad for me, right.
But I've seen too many glitches with freshplugin on different computers to consider it fully functional.

So for the moment the official (npapi) version for firefox & co seems to be a more logical choice for the main flash package.
Forcing, with an update, a switch from an official version to a wrapped one with potential third party bugs, seems counter-productive and quite "aggressive".

A good alternative would be to have both in clearly stated package name!

ps : for the record : my setup is running 32bit server with nvidia current (gt450)
Comment 16 Thomas Andrews 2016-12-23 17:26:13 CET
(In reply to David Walser from comment #14)
> It doesn't install a default freshwrapper.conf, though my freshplayerplugin
> package (which this one should be switched to use) does install an example
> one in /usr/share/doc/freshplayerplugin/.  Note that as you pointed out in
> Comment 11, it looks for that file in your home directory (though it will
> also look for it in /etc), so you'll need to create it there if needed.

I attempted to install our freshplayer plugin to get a look at that conf file, but it wasn't allowed because it conflicted with the freshplayer plugin already installed from this update. Anybody who happens to have the freshplayer already installed before they attempt this update is going to run into the same conflict. 

However, after downloading Adobe's PPAPI version of Flashplayer, removing this update, installing our freshplayer, and then installing Adobe's flash, I was able to look at it and try it out. It works, on this 64-bit machine, anyway. (I'm running out of time to try much more with my brother's computer before Christmas.)

Loading the sample into an editor, changing it according to instructions from the freshplayer site if needed, and saving the result in the .config folder is a basic operation, and shouldn't be beyond the capabilities of any but the very newest of users. BUT, that sample .conf file must be easy to find for that to happen, and it isn't as the flashplayer package is offered now.
Comment 17 David Walser 2016-12-23 17:38:32 CET
That's one of the reasons I've assigned this back to Anssi.  It needs to be changed to use our packaged freshplayerplugin and not bundle its own.
Comment 18 Didier Le Gloanic 2016-12-23 19:03:19 CET
On the freshplayerplugin site there is a thread about a bug quite similar to what I've experienced: https://github.com/i-rinat/freshplayerplugin/issues/284

Seriously ??? Is no one concerned that at least some people will have to give up the repository package? It's not really a big deal for me, I'll take my flash directly from adobe. But it's still an inconvenience.

And some people will end up having a setup that loses much of its memory, having to restart X to get it back and not knowing where it's come from !!!

So those who test that package should have a look at what happens to their memory.

I say it again: please give the choice between npapi and ppapi and don't force the switch. I really doubt my setup is an exception, so a forced switch is a recipe for disaster.
Comment 19 David Walser 2016-12-23 19:18:12 CET
Like I said, there are downsides either way, but I believe it's the best way forward.  The upstream issue you linked clearly indicates that it's a problem with either Flash itself or the particular Flash application the user was running, and would happen even with NPAPI Flash.  Anyway, it is not a general issue with freshplayerplugin or PPAPI Flash.  I have used freshplayerplugin extensively for two years, even for a pretty heavy VMWare vSphere web interface in a production environment at work, and it works fine.  Several other users have made extensive usage of it as well.  Fortunately less and less sites are using Flash every day.
Comment 20 Didier Le Gloanic 2016-12-23 21:11:03 CET
Neither NPAPI v24 on firefox nor PPAPI v24 on chromium have those problems.
The video glitches could be solved with the .conf but the real problem is the massive memory black hole.
Good for you if you are happy with freshplayer, but unless my setup is a weird one of a kind (and there is really nothing special about it), some will suffer.
I fail to see how forcing that third party wrapper, and its own set of bugs in addition to those of flash itself, is "going forward"...
Now that adobe have resumed upgrades of NPAPI, the missing parts over what PPAPI have are what? DRM content? More hardware acceleration? 
Not sure it's worth letting some will not even now what hit them, and those who do know have to regularly manually update from adobe.
Comment 21 Didier Le Gloanic 2016-12-23 21:16:07 CET
Oops.. my last sentence has gone wrong after an edit.
Anyway a separate PPAPI package would be nice for chromium.
Comment 22 Thomas Andrews 2016-12-23 22:04:49 CET
(In reply to DaG42 from comment #18)
> On the freshplayerplugin site there is a thread about a bug quite similar to
> what I've experienced:
> https://github.com/i-rinat/freshplayerplugin/issues/284
> 
I went to the example cited in the above link, and played the videos, watching memory usage in ksysguard. I was using around 1.6-1.7 GB of my 8GB while the videos played, using Adobe's PPAPI Flashplayer 24.x and our freshplayer plugin.

My system, for comparison purposes, is 64-bit Mga5 with an Athlon X2 7750 processor and Geforce 9800GT (nvidia 340) graphics.

Perhaps it's a 32-bit problem, or perhaps the problem has been fixed with this latest Flash or Firefox. Have you tried it in the last few days, and if so and it still happens could you post a link to the offending site? I'd like to take a look.
Comment 23 Thomas Andrews 2016-12-23 22:07:15 CET
Forgot to mention that I'm running the server kernel. (Sometimes I really wish you could edit comments here.)
Comment 24 William Kenney 2016-12-24 01:04:50 CET
fwiw it appears that there is some sort of install problem with the Flash
installer for both M5 & M6. I've encountered this on both installs in the
last weeks or so. Not sure if it's related to this bug.

CC: (none) => wilcal.int

Comment 25 Didier Le Gloanic 2016-12-24 01:11:47 CET
(In reply to Thomas Andrews from comment #22)

> Perhaps it's a 32-bit problem, or perhaps the problem has been fixed with
> this latest Flash or Firefox. Have you tried it in the last few days, and if
> so and it still happens could you post a link to the offending site? I'd
> like to take a look.

I'm on mga5 and update as soon as something comes, so:
firefox 45.6.0
the freshplugin package from repository
ppapi: I have the libpepflashplayer.so 24.0.0.186 from adobe site

I will not be surprised if the 32bit server has the problem and not 64bit since memory is managed differently.

I've read somewhere that some older versions of chrome/chromium (it was solved by 54.something) were having a memory problem with Xorg server, although not as quick and maybe not related to ppapi. Maybe the freshplugin project took some faulty code from that ???

No need for a specific site to test: when freshplugin is in use, any flash content (game, video...) triggers the problem and in a matter of minutes nearly all memory is taken. Only restarting X server frees the memory.
And to be clear, only freshplugin creates such a condition.
Comment 26 claire robinson 2017-01-10 11:12:49 CET
Any thoughts on this Anssi please?

CC: (none) => eeeemail

Comment 27 Didier Le Gloanic 2017-01-10 18:10:55 CET
It's been a month now. For something marked "critical" and that could have been solved by the usual link to new npapi version, that is quite a long time.
I have advised my clients to update manually from adobe. Many had already done that on their own.
The faq strongly recommends not doing so and sticking with the repository, but considering the situation, it's not like there is a choice.
Comment 28 Anssi Hannula 2017-01-10 18:33:51 CET
(In reply to David Walser from comment #6)
> This package shouldn't include the freshplayerplugin sources itself, we
> already have that packaged.  flash-player-plugin only need include PPAPI
> Flash itself and require freshplayerplugin (which is available on mga5 and
> mga6).

Agreed.

> Also, it should install the Flash files in /opt/google/chrome/PepperFlash,
> so that both freshplayerplugin and chromium-browser-stable will pick it up
> automatically.

I'm not really comfortable with adding files under /opt/google/chrome, those would conflict with some previous Chrome versions and possibly (though unlikely) future Chrome versions.

In my opinion it should instead be added in one of the other directories natively handled by freshplayerplugin (outside /opt/google), and the Mageia-specific chromium-browser startup script /usr/bin/chromium-browser should be updated to look for Flash in the new location.


However, regarding the NPAPI => PPAPI switch, I have to agree with Thomas Andrews and DaG42 that it does not seem appropriate to do the switch at all for old distribution versions with the regressions mentioned here, considering that the NPAPI plugin is still being updated and is now even in version sync with the PPAPI variant (though with reduced features).

For a future version, maybe, but not for stable.
Comment 29 David Walser 2017-01-10 18:42:05 CET
Anssi,

Check what I just committed to Cauldron SVN.  It fixes it to require the packaged freshplayerplugin and just installs the flash files like before, and I changed it to use %{_libdir}/chromium-browser/PepperFlash which freshplayerplugin will find (but yes chromium will still need to be modified to look there).
Comment 30 Anssi Hannula 2017-01-10 18:57:18 CET
(In reply to David Walser from comment #29)
> Anssi,
> 
> Check what I just committed to Cauldron SVN.  It fixes it to require the
> packaged freshplayerplugin and just installs the flash files like before,
> and I changed it to use %{_libdir}/chromium-browser/PepperFlash which
> freshplayerplugin will find (but yes chromium will still need to be modified
> to look there).

Looks OK, though I guess we are still missing some fix for Giuseppe's comment here (firefox does not see flash upgrade if pepperflash is not updated): https://bugs.mageia.org/show_bug.cgi?id=18993#c26

What are your thoughts about Flash on MGA5?

I was just preparing today's Flash update and just going back to NPAPI to get the update out...
Comment 31 David Walser 2017-01-10 19:12:38 CET
It's not that Firefox doesn't see it, it just doesn't know the version changed, which I suppose could be a problem if blocking the plugin based on version.  Maybe it just could have a %post to touch libfreshwrapper-flashplayer.so?

As for mga5, yeah you could go with NPAPI for this update since it's so delayed and we could revisit PPAPI afterward.  I really think concerns with it are overblown (and it looks Thomas got it working fine after getting it installed right) as it has been working fine for me and others for a couple of years.
Comment 32 Anssi Hannula 2017-01-10 19:18:28 CET
(In reply to David Walser from comment #31)
> It's not that Firefox doesn't see it, it just doesn't know the version
> changed, which I suppose could be a problem if blocking the plugin based on
> version.  Maybe it just could have a %post to touch
> libfreshwrapper-flashplayer.so?

Possibly, but I believe that would cause RPM verification (rpm -V) warning as the mtime now differs from packaged.
Maybe there is some RPM file attribute we could use in freshplayerplugin.spec to ignore mtime, though.


> As for mga5, yeah you could go with NPAPI for this update since it's so
> delayed and we could revisit PPAPI afterward.  I really think concerns with
> it are overblown (and it looks Thomas got it working fine after getting it
> installed right) as it has been working fine for me and others for a couple
> of years.

OK.
Comment 33 David Walser 2017-01-10 19:24:27 CET
(In reply to Anssi Hannula from comment #32)
> (In reply to David Walser from comment #31)
> > It's not that Firefox doesn't see it, it just doesn't know the version
> > changed, which I suppose could be a problem if blocking the plugin based on
> > version.  Maybe it just could have a %post to touch
> > libfreshwrapper-flashplayer.so?
> 
> Possibly, but I believe that would cause RPM verification (rpm -V) warning
> as the mtime now differs from packaged.
> Maybe there is some RPM file attribute we could use in
> freshplayerplugin.spec to ignore mtime, though.

I was thinking the exact same thing, and I think there is some way we can get it to ignore it.  I don't know exactly how to do it off the top of my head, but feel free to let me know if you (or someone) figures it out and I can implement it in freshplayerplugin.
Comment 34 Anssi Hannula 2017-01-10 19:58:38 CET
Updated advisory:
============
Adobe Flash Player 24.0.0.194 contains fixes to critical security vulnerabilities found in earlier versions that could potentially allow an attacker to take control of the affected system.

Adobe is aware of a report that an exploit for CVE-2016-7892 exists in the wild, and is being used in limited, targeted attacks against users running Internet Explorer (32-bit) on Windows.

This update resolves security bypass vulnerabilities (CVE-2016-7890, CVE-2017-2938).

This update resolves use-after-free vulnerabilities that could lead to code execution (CVE-2016-7872, CVE-2016-7877, CVE-2016-7878, CVE-2016-7879, CVE-2016-7880, CVE-2016-7881, CVE-2016-7892, CVE-2017-2932, CVE-2017-2936, CVE-2017-2937). 

This update resolves buffer overflow vulnerabilities that could lead to code execution (CVE-2016-7867, CVE-2016-7868, CVE-2016-7869, CVE-2016-7870, CVE-2017-2927, CVE-2017-2933, CVE-2017-2934, CVE-2017-2935).

This update resolves memory corruption vulnerabilities that could lead to code execution (CVE-2016-7871, CVE-2016-7873, CVE-2016-7874, CVE-2016-7875, CVE-2016-7876, CVE-2017-2925, CVE-2017-2926, CVE-2017-2928, CVE-2017-2930, CVE-2017-2931).

Note that Adobe has dropped Adobe Access DRM support from all their Linux releases since their 11.2 release series (which no longer gets security updates), so any Flash content protected with Adobe Access will no longer work.

References:
https://helpx.adobe.com/security/products/flash-player/apsb16-39.html
https://helpx.adobe.com/security/products/flash-player/apsb17-02.html
============

CVEs: CVE-2016-7867, CVE-2016-7868, CVE-2016-7869, CVE-2016-7870, CVE-2016-7871, CVE-2016-7872, CVE-2016-7873, CVE-2016-7874, CVE-2016-7875, CVE-2016-7876, CVE-2016-7877, CVE-2016-7878, CVE-2016-7879, CVE-2016-7880, CVE-2016-7881, CVE-2016-7890, CVE-2016-7892, CVE-2017-2925, CVE-2017-2926, CVE-2017-2927, CVE-2017-2928, CVE-2017-2930, CVE-2017-2931, CVE-2017-2932, CVE-2017-2933, CVE-2017-2934, CVE-2017-2935, CVE-2017-2936, CVE-2017-2937, CVE-2017-2938

Updated Flash Player packages have been submitted to mga5 nonfree/updates_testing.

Source packages:
flash-player-plugin-24.0.0.194-1.mga5.nonfree

Binary packages:
flash-player-plugin
flash-player-plugin-kde

CVE: CVE-2016-7867, CVE-2016-7868, CVE-2016-7869, CVE-2016-7870, CVE-2016-7871, CVE-2016-7872, CVE-2016-7873, CVE-2016-7874, CVE-2016-7875, CVE-2016-7876, CVE-2016-7877, CVE-2016-7878, CVE-2016-7879, CVE-2016-7880, CVE-2016-7881, CVE-2016-7890, CVE-2016-7892 => Does not fit here, see advisory.
Assignee: anssi.hannula => qa-bugs
Summary: flash-player-plugin security update 24.0.0.186 => flash-player-plugin security update 24.0.0.194

Comment 35 Anssi Hannula 2017-01-10 20:01:26 CET
(In reply to David Walser from comment #33)
> I was thinking the exact same thing, and I think there is some way we can
> get it to ignore it.  I don't know exactly how to do it off the top of my
> head, but feel free to let me know if you (or someone) figures it out and I
> can implement it in freshplayerplugin.

I think that would be "%verify(not mtime)".
Comment 36 Thomas Andrews 2017-01-10 20:43:46 CET
(In reply to David Walser from comment #31)

> As for mga5, yeah you could go with NPAPI for this update since it's so
> delayed and we could revisit PPAPI afterward.  I really think concerns with
> it are overblown (and it looks Thomas got it working fine after getting it
> installed right) as it has been working fine for me and others for a couple
> of years.

Actually, what I did on the 32-bit machine where I had the problem was to install the NPAPI version from Adobe. That is my brother's computer, and he wouldn't have the patience to wait while I played around with it if I didn't need to. 

My 64-bit installs were all OK with the earlier version.
Comment 37 David Walser 2017-01-10 20:44:53 CET
(In reply to Anssi Hannula from comment #35)
> (In reply to David Walser from comment #33)
> > I was thinking the exact same thing, and I think there is some way we can
> > get it to ignore it.  I don't know exactly how to do it off the top of my
> > head, but feel free to let me know if you (or someone) figures it out and I
> > can implement it in freshplayerplugin.
> 
> I think that would be "%verify(not mtime)".

Thanks, I added that, plus patches to update the reported version to 24 and the accepted paths to include the ones Adobe installs to (that you originally had in your package).
Comment 38 David Walser 2017-01-10 21:25:55 CET
Flash isn't used for much anymore but it is still used for Ticketmaster's seating selection.  The about page works too:
http://www.adobe.com/software/flash/about/

OK for Mageia 5 x86_64.

CC: qa-bugs => (none)
Whiteboard: feedback => MGA5-64-OK

Comment 39 youpburden 2017-01-11 08:36:35 CET
OK on Mageia 5 32 bits.

Some online games still use flash so it can be used to test.
Also at work, we use a weather website which requires flash plugin, I didn't notice any regression for now.

Whiteboard: MGA5-64-OK => MGA5-64-OK MGA5-32-OK

Comment 40 Lewis Smith 2017-01-11 10:12:29 CET
Advisory from Comment 34 uploaded. Update validated.

Keywords: (none) => validated_update
CC: (none) => lewyssmith, sysadmin-bugs

Lewis Smith 2017-01-11 10:12:46 CET

Whiteboard: MGA5-64-OK MGA5-32-OK => MGA5-64-OK MGA5-32-OK advisory

Comment 41 Mageia Robot 2017-01-13 11:32:58 CET
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0014.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

