Bug 8071 - nspluginwrapper new security issue CVE-2011-2486
: nspluginwrapper new security issue CVE-2011-2486
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 1
: i586 Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
:
: http://lwn.net/Vulnerabilities/524705/
: MGA1-64-OK MGA1-32-OK
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2012-11-14 00:32 CET by David Walser
Modified: 2012-11-21 21:03 CET (History)
4 users (show)

See Also:
Source RPM: nspluginwrapper-1.3.0-7.mga1.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2012-11-14 00:32:52 CET
RedHat has issued an advisory today (November 13):
https://rhn.redhat.com/errata/RHSA-2012-1459.html

Mageia 2 and Cauldron should be affected, as they contain the same version as RHEL6.  It is not clear if Mageia 1 is affected.

The upstream commit to fix this is linked in the RedHat bug:
https://bugzilla.redhat.com/show_bug.cgi?id=715384
Comment 1 David Walser 2012-11-14 13:52:46 CET
The fixed code is already present in 1.4.4, which RedHat upgraded to from 1.3.0.

Mageia 2 and Cauldron are therefore unaffected.

1.3.0 fails to build with the upstream patch applied, so I guess we should just upgrade Mageia 1 to 1.4.4 as well.
Comment 2 David Walser 2012-11-16 19:52:20 CET
Updated package uploaded for Mageia 1.

Advisory:
========================

Updated nspluginwrapper package fixes security vulnerability:

It was not possible for plug-ins wrapped by nspluginwrapper to discover
whether the browser was running in Private Browsing mode. This flaw could
lead to plug-ins wrapped by nspluginwrapper using normal mode while they
were expected to run in Private Browsing mode (CVE-2011-2486).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2486
https://rhn.redhat.com/errata/RHSA-2012-1459.html
========================

Updated packages in core/updates_testing:
========================
nspluginwrapper-1.4.4-1.mga1

from nspluginwrapper-1.4.4-1.mga1.src.rpm
Comment 3 Dave Hodgins 2012-11-20 01:28:03 CET
Testing complete on Mageia 1.

For testing, on x86-64, I installed the old version, created the directory
/usr/lib/mozilla/plugins, installed adobe reader, ran
/opt/Adobe/Reader9/Browser/install_browser_plugin -global 
and then ran
# nspluginwrapper -i /usr/lib/mozilla/plugins/nppdf.so

Confirmed firefox could view a pdf file using the plugin, installed the
update, and confirmed it still works.

For i586, just confirmed the package installed cleanly, since it's of
no real use on a 32 bit system.

Could someone from the sysadmin team push the srpm
nspluginwrapper-1.4.4-1.mga1.src.rpm
from Mageia 1 Core Updates Testing to Core Updates.

Advisory: Updated nspluginwrapper package fixes security vulnerability:

It was not possible for plug-ins wrapped by nspluginwrapper to discover
whether the browser was running in Private Browsing mode. This flaw could
lead to plug-ins wrapped by nspluginwrapper using normal mode while they
were expected to run in Private Browsing mode (CVE-2011-2486).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2486
https://rhn.redhat.com/errata/RHSA-2012-1459.html

https://bugs.mageia.org/show_bug.cgi?id=8071
Comment 4 Thomas Backlund 2012-11-21 21:03:23 CET
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0336

Note You need to log in before you can comment on or make changes to this bug.