Debian has issued this advisory on March 19: http://www.debian.org/security/2012/dsa-2435
The first CVE is fixed in 0.8.10, the second in post-0.8.10 git.
More info:
https://bugzilla.redhat.com/show_bug.cgi?id=755518
https://bugzilla.redhat.com/show_bug.cgi?id=803443
Cauldron is also vulnerable.
CC: (none) => fundawang
CC: (none) => thierry.vignaud
Blocks: (none) => 5046
For Cauldron, gnash has been updated to 0.8.10 in SVN, but it was never pushed to the build system. Either it needs a freeze push or it needs to be reverted. It also needs the patch for CVE-2012-1175.
Created attachment 2054 [details] gnash-0.8.9-CVE-2011-4328.diff
Created attachment 2055 [details] gnash-0.8.10-CVE-2012-1175.diff
Reverted to 0.8.9 and patched in Cauldron.
Blocks: 5046 => (none)
This won't build in Mageia 1 updates_testing because xulrunner 10.0.3 is causing a problem.
CC: (none) => dmorganec
Here is the error:
/bin/sh ../../libtool --silent --tag=CXX --mode=compile g++ -DHAVE_CONFIG_H -I. -I../.. -DPLUGIN_TRACE -DGNASHBINDIR=\"/usr/bin\" -DSYSCONFDIR=\"/etc\" -I../../libcore -I../../libcore/parser -I../../libbase -I../../librender -I./mozilla-sdk -I/usr/include/xulrunner-10.0.3 -DXP_UNIX -I/usr/include/glib-2.0 -I/usr/lib/glib-2.0/include -I/usr/include/glib-2.0 -I/usr/lib/glib-2.0/include -DXP_UNIX -DMOZ_X11 -fvisibility=hidden -O2 -g -pipe -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fstack-protector --param=ssp-buffer-size=4 -fomit-frame-pointer -march=i586 -mtune=generic -fasynchronous-unwind-tables -W -Wall -Wcast-align -Wcast-qual -Wpointer-arith -Wreturn-type -Wnon-virtual-dtor -Wunused -fvisibility-inlines-hidden -c -o libgnashplugin_la-external.lo `test -f 'external.cpp' || echo './'`external.cpp
mozilla-sdk/npp_gate.cpp:59:9: warning: unused parameter 'save'
mozilla-sdk/np_entry.cpp: In function 'char* NP_GetMIMEDescription()':
mozilla-sdk/np_entry.cpp:242:27: error: new declaration 'char* NP_GetMIMEDescription()'
/usr/include/xulrunner-10.0.3/npfunctions.h:307:24: error: ambiguates old declaration 'const char* NP_GetMIMEDescription()'
mozilla-sdk/np_entry.cpp:244:35: error: invalid conversion from 'const char*' to 'char*'
make[4]: *** [libgnashplugin_la-np_entry.lo] Error 1
make[4]: *** Waiting for unfinished jobs....
plugin.cpp: In function 'char* NPP_GetMIMEDescription()':
plugin.cpp:134:28: error: new declaration 'char* NPP_GetMIMEDescription()'
/usr/include/xulrunner-10.0.3/npapi.h:794:13: error: ambiguates old declaration 'const char* NPP_GetMIMEDescription()'
make[4]: *** [libgnashplugin_la-plugin.lo] Error 1
make[4]: Leaving directory `/home/iurt/rpm/BUILD/gnash-0.8.9/plugin/npapi'
Blocks: (none) => 4405
Used a patch from Cauldron to fix the build. Patched package uploaded.

Note to QA: This is built against xulrunner 10 in updates_testing, so please test that it works with our current FF 9.0.1.

Advisory:
========================

Updated gnash packages fix security vulnerabilities:

Tielei Wang from Georgia Tech Information Security Center discovered a vulnerability in GNU Gnash which is caused due to an integer overflow error and can be exploited to cause a heap-based buffer overflow by tricking a user into opening a specially crafted SWF file (CVE-2012-1175).

Alexander Kurtz discovered an unsafe management of HTTP cookies. Cookie files are stored under /tmp and have predictable names, and the vulnerability allows a local attacker to overwrite arbitrary files the user has write permissions for; the files are also world-readable, which may cause an information leak (CVE-2011-4328).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4328
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1175
http://www.debian.org/security/2012/dsa-2435
========================

Updated packages in core/updates_testing:
========================
gnash-0.8.9-2.1.mga1
libgnash0-0.8.9-2.1.mga1
libgnash-devel-0.8.9-2.1.mga1
gnash-firefox-plugin-0.8.9-2.1.mga1
klash-0.8.9-2.1.mga1
gnash-cygnal-0.8.9-2.1.mga1
gnash-tools-0.8.9-2.1.mga1
python-gnash-0.8.9-2.1.mga1
gnash-extension-fileio-0.8.9-2.1.mga1
gnash-extension-lirc-0.8.9-2.1.mga1
gnash-extension-dejagnu-0.8.9-2.1.mga1
gnash-extension-mysql-0.8.9-2.1.mga1

from gnash-0.8.9-2.1.mga1.src.rpm
Assignee: bugsquad => qa-bugs
Blocks: 4405 => (none)
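The cookie-file issue in the advisory above (CVE-2011-4328: predictable names under /tmp, world-readable contents) is the classic insecure-temp-file pattern. The following is an added illustration, not gnash's own code or the Cauldron patch: it creates the cookie file with an unpredictable name and owner-only permissions, and checks an open descriptor the way a hardened reader should before trusting it. The `gnash-cookies.XXXXXX` template name and the helper names are assumptions.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a cookie file with an unpredictable name in the temp dir.
 * mkstemp() opens with O_CREAT|O_EXCL, so a pre-planted file or symlink
 * at the chosen name makes the call fail instead of being followed.
 * Returns the open fd (or -1) and writes the generated path to path_out.
 * The "gnash-cookies.XXXXXX" template is an assumed name for this example. */
int create_private_cookie_file(char *path_out, size_t len)
{
    const char *tmpdir = getenv("TMPDIR");
    char tmpl[4096];
    int fd;

    if (tmpdir == NULL || *tmpdir == '\0')
        tmpdir = "/tmp";
    if (snprintf(tmpl, sizeof tmpl, "%s/gnash-cookies.XXXXXX", tmpdir)
            >= (int)sizeof tmpl)
        return -1;
    fd = mkstemp(tmpl);
    if (fd < 0)
        return -1;
    /* Modern libcs create with 0600; enforce it so the file is never
     * world-readable regardless of umask or libc version. */
    if (fchmod(fd, S_IRUSR | S_IWUSR) != 0 || strlen(tmpl) >= len) {
        close(fd);
        unlink(tmpl);
        return -1;
    }
    strcpy(path_out, tmpl);
    return fd;
}

/* Verify an already-open fd before reading or rewriting cookies through it:
 * a regular file, owned by us, not group/world accessible, with a single
 * hard link. A predictable world-readable /tmp file fails this check. */
int fd_is_private_regular(int fd)
{
    struct stat st;

    if (fstat(fd, &st) != 0)
        return 0;
    if (!S_ISREG(st.st_mode) || st.st_uid != geteuid())
        return 0;
    if ((st.st_mode & (S_IRWXG | S_IRWXO)) != 0 || st.st_nlink != 1)
        return 0;
    return 1;
}
```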
Testing with firefox 10, as it's now been validated. http://www.totallytom.com/MadCow.swf plays with gnash-firefox-plugin, and using gnash to play a locally saved copy. The klash konqueror plugin doesn't seem to be working at the same site. The firefox-plugin is not working with opera. gnash-qt-launcher doesn't have the option to open a file while gnash-gtk-launcher does. gnash only seems to support some swf files. It won't load flv files. I'll have to test with the prior version to see if these are regressions or not.
CC: (none) => davidwhodgins
Testing x86_64, using the same file as Dave. Tested OK with cli, firefox and konqueror. It doesn't work in opera x86_64 either, although it does find the plugin in /usr/lib64/mozilla/plugins. While gnash-gtk-launcher does have an option to open a file, it doesn't seem to do anything when it is used and an swf selected. Checked a couple of the gnash-tools too, OK. I don't think the opera problem should block the update, so I'll validate this one.
Please see comment 7 for advisory and srpm. Could sysadmin please push from core/updates_testing to core/updates? Thanks!
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Hardware: i586 => All
Update pushed. https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0108
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED