Bug 21224 - Security update request for flash-player-plugin, to 26.0.0.137
Summary: Security update request for flash-player-plugin, to 26.0.0.137
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: https://helpx.adobe.com/security/prod...
Whiteboard: advisory MGA5TOO MGA5-64-OK MGA5-32-O...
Keywords: Security, validated_update
Depends on:
Blocks:
 
Reported: 2017-07-11 16:48 CEST by Anssi Hannula
Modified: 2017-07-22 11:00 CEST (History)
5 users

See Also:
Source RPM: flash-player-plugin
CVE: CVE-2017-3080, CVE-2017-3099, CVE-2017-3100
Status comment:


Attachments

Description Anssi Hannula 2017-07-11 16:48:10 CEST
Advisory:
============
Adobe Flash Player 26.0.0.137 contains fixes to critical security vulnerabilities found in earlier versions that could potentially allow an attacker to take control of the affected system.

This update resolves security bypass and memory corruption vulnerabilities that could lead to information disclosure or code execution (CVE-2017-3080, CVE-2017-3099, CVE-2017-3100).

References:
https://helpx.adobe.com/security/products/flash-player/apsb17-21.html
============

Updated Flash Player packages have been submitted to mga5 nonfree/updates_testing.

Source packages:
flash-player-plugin-26.0.0.137-1.mga5.nonfree

Binary packages:
flash-player-plugin
flash-player-plugin-kde
Comment 1 Dave Hodgins 2017-07-13 04:12:30 CEST
Usual flash testing, including http://get.adobe.com/flashplayer/about/
and checking the player settings under the tools menu.

Validating the update.

Whiteboard: (none) => advisory MGA5-64-OK MGA5-32-OK
Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 2 Rémi Verschelde 2017-07-13 09:37:37 CEST
It needs to be pushed and validated for Mageia 6 too before we can get it in Mageia 5, otherwise it will break the upgrade path.

Keywords: validated_update => (none)
Version: 5 => 6
Whiteboard: advisory MGA5-64-OK MGA5-32-OK => MGA5TOO MGA5-64-OK MGA5-32-OK

Comment 3 Rémi Verschelde 2017-07-13 09:38:13 CEST
Note that as announced by Thomas on the dev@ ML, we can now use updates_testing for cauldron/mga6 to test and validate normal updates for the stable Mageia 6.
Comment 4 Anssi Hannula 2017-07-13 13:00:22 CEST
I've submitted updated Flash Player packages now into mga6/cauldron nonfree/updates_testing as well.
Comment 5 Thomas Andrews 2017-07-14 00:52:49 CEST
FWIW, OK for me on 32-bit install on real Intel motherboard, Core 2 Duo, and graphics.

CC: (none) => andrewsfarm

Comment 6 Len Lawrence 2017-07-16 19:00:44 CEST
mga6  x86_64  Mate

Installed flash-player-plugin-26.0.0.137-1.mga6.nonfree
Restarted firefox
Visited get.adobe.com and played some of the corporate videos.
Checked bubbleshooter.com but it hung every time, so free play must be disabled now.
The plugin is working anyway.

CC: (none) => tarazed25

Comment 7 Len Lawrence 2017-07-16 23:19:24 CEST
On a new installation of mageia 6 flash-player-plugin was updated to version 26.0.0.137 (see comment 6) but in firefox -> tools -> plugins this is what is registered:
Shockwave Flash 26.0.0.126 - last updated 2 May 2017

/usr/share/doc/flash-player-plugin/README.mageia says:
This package does not contain the Flash Player itself. The software is
automatically downloaded from Adobe during package installation.

This package requires the freshplayerplugin wrapper in
/usr/lib64/mozilla/plugins/libfreshwrapper-flashplayer.so which allows
the PPAPI plugin to be used on NPAPI browsers (e.g. Firefox) as well.

From `ls -l /usr/lib64/mozilla/plugins`
-rwxr-xr-x 1 root root 1088312 May  2 11:29 libfreshwrapper-flashplayer.so
/var/lib/flash-player-plugin/ contains
flash-player-ppapi-26.0.0.137-release.x86_64.rpm

flash-player-plugin]$ sudo urpmi --test flash-player-ppapi-26.0.0.137-release.x86_64.rpm
The following package has to be removed for others to be upgraded:
flash-player-plugin-26.0.0.137-1.mga6.nonfree.x86_64
 (due to conflicts with flash-player-ppapi)
(test only, removal will not be actually done) (y/N) 

This is all very confusing.  What should we expect to see?

Whiteboard: MGA5TOO MGA5-64-OK MGA5-32-OK => MGA5TOO MGA5-64-OK MGA5-32-OK MGA6-64-OK

Comment 8 Rémi Verschelde 2017-07-16 23:27:42 CEST
(In reply to Len Lawrence from comment #7)
> On a new installation of mageia 6 flash-player-plugin was updated to version
> 26.0.0.137 (see comment 6) but in firefox -> tools -> plugins this is what
> is registered:
> Shockwave Flash 26.0.0.126 - last updated 2 May 2017

Did you restart Firefox?

---

Testing on Mageia 6 x86_64, works fine.
Comment 9 Anssi Hannula 2017-07-16 23:38:55 CEST
Hmm, I think a "touch" for libfreshwrapper*so is missing from %post of flash-player-plugin, to make Firefox detect the new version.

This was discussed before and David had already added the prerequisite %verify(not mtime) tag in freshplayerplugin.

I'll submit a new flash-player-plugin for mga6 testing within a day.

Assignee: qa-bugs => anssi.hannula

Comment 10 David Walser 2017-07-16 23:41:13 CEST
Len, you shouldn't be trying to install the adobe package directly.  Sometimes when you upgrade Flash you have to kill the plugin-container process (or restart Firefox) for it to use the new version.

Assignee: anssi.hannula => qa-bugs

Comment 11 Len Lawrence 2017-07-17 01:28:29 CEST
@Rémi - re comment 8 - yes I remembered to restart the browser.

@David - re comment 10 - I only tried that as a test to see what it would try to do - had no intention of running the command for real.  Just curious about the different version numbers.
Comment 12 Herman Viaene 2017-07-17 14:49:04 CEST
MGA6-32 on Asus A6000VM MATE
Installation: I did not find flash-player-plugin-kde in the repo
Checked with Adobe website, checked plugin in Firefox and ran www.classiccomposers.org (press "Live" to play). OK for me.

Whiteboard: MGA5TOO MGA5-64-OK MGA5-32-OK MGA6-64-OK => MGA5TOO MGA5-64-OK MGA5-32-OK MGA6-64-OK MGA6-32-OK
CC: (none) => herman.viaene

Comment 13 Anssi Hannula 2017-07-17 23:54:00 CEST
Updated Flash Player packages have been submitted to mga6 nonfree/updates_testing that should fix Len Lawrence's issue in comment #7.

Specifically, Firefox should now see the new version number after upgrading from mga6 version 26.0.0.126.

No change in advisory. Mageia 5 packages were not affected.

Source packages:
flash-player-plugin-26.0.0.137-1.1.mga6.nonfree

Binary packages:
flash-player-plugin

Whiteboard: MGA5TOO MGA5-64-OK MGA5-32-OK MGA6-64-OK MGA6-32-OK => MGA5TOO MGA5-64-OK MGA5-32-OK
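The stale-registration problem in comments 7, 9 and 13, as an added shell example that is not part of the original report or of the Mageia package: the package replaces the downloaded PPAPI payload, but Firefox keys its plugin rescan on the mtime of the NPAPI wrapper libfreshwrapper-flashplayer.so, so the old version stays registered until that mtime changes, which is what the missing "touch" in %post fixes. The wrapper and payload paths are the ones quoted in comment 7; the function names, the temporary-directory layout and the demo files are constructed here for illustration.

```shell
#!/bin/sh
# Added example, not code from the Mageia flash-player-plugin package.
# Assumed layout (from comment 7 on the page):
#   wrapper: /usr/lib64/mozilla/plugins/libfreshwrapper-flashplayer.so
#   payload: /var/lib/flash-player-plugin/flash-player-ppapi-<ver>-release.<arch>.rpm

# Extract the Flash version from the downloaded payload file name, e.g.
# flash-player-ppapi-26.0.0.137-release.x86_64.rpm -> 26.0.0.137
payload_version() {
    basename "$1" | sed -n 's/^flash-player-ppapi-\([0-9.]*\)-release.*/\1/p'
}

# Return 0 when the payload is newer than the wrapper (Firefox will keep the old
# registration), 1 when the wrapper is at least as new, 2 when a file is missing.
wrapper_is_stale() {
    wrapper="$1"
    payload="$2"
    [ -e "$wrapper" ] && [ -e "$payload" ] || return 2
    if [ "$payload" -nt "$wrapper" ]; then
        return 0
    fi
    return 1
}

# The step comment 9 says %post lacked: bump the wrapper's mtime so NPAPI
# browsers rescan it on next start (the wrapper itself is unchanged).
refresh_wrapper() {
    touch "$1"
}

# Demo on constructed files in a temp directory, so it runs without the real plugin.
# Returns 0 when the refresh turns a stale wrapper into an up-to-date one.
demo() {
    dir=$(mktemp -d)
    wrapper="$dir/libfreshwrapper-flashplayer.so"
    payload="$dir/flash-player-ppapi-26.0.0.137-release.x86_64.rpm"
    touch -t 201705021129 "$wrapper"   # same mtime as the ls output in comment 7
    touch "$payload"                   # freshly downloaded payload: now
    rc=0
    wrapper_is_stale "$wrapper" "$payload" || rc=$?
    if [ "$rc" -eq 0 ]; then
        echo "wrapper older than payload $(payload_version "$payload"): Firefox keeps the old version"
        refresh_wrapper "$wrapper"
    fi
    rc=0
    wrapper_is_stale "$wrapper" "$payload" || rc=$?
    rm -rf "$dir"
    [ "$rc" -eq 1 ]
}

demo && echo "wrapper refreshed; a restarted Firefox will now register the new version"
```

The check is the one a QA tester could run after installing the update and before restarting Firefox: if the payload rpm in /var/lib/flash-player-plugin/ is newer than the wrapper, the about:plugins version will still be the old one, and a touch on the wrapper (or the fixed package's %post) is what clears it.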

Comment 14 Rémi Verschelde 2017-07-18 00:03:51 CEST
Advisory updated.

Whiteboard: MGA5TOO MGA5-64-OK MGA5-32-OK => advisory MGA5TOO MGA5-64-OK MGA5-32-OK

Comment 15 Len Lawrence 2017-07-18 02:49:43 CEST
x86_64

Yep, that has fixed it.  And Adobe's own showcase videos run fine.
Len Lawrence 2017-07-18 09:01:17 CEST

Whiteboard: advisory MGA5TOO MGA5-64-OK MGA5-32-OK => advisory MGA5TOO MGA5-64-OK MGA5-32-OK MGA6-64-OK

Comment 16 Rémi Verschelde 2017-07-19 09:00:20 CEST
Works fine here too, validating.

Keywords: (none) => validated_update

Comment 17 Mageia Robot 2017-07-22 11:00:47 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0211.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

