Your message dated Wed, 08 Feb 2012 03:17:59 +0000
with message-id <e1ruy2h-0000ka...@franck.debian.org>
and subject line Bug#649384: fixed in gnash 0.8.10-1
has caused the Debian Bug report #649384,
regarding gnash creates world-readable cookies under /tmp with predictable
filenames
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
649384: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=649384
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: gnash
Version: 0.8.10~git20111001-1
Tags: security
Severity: critical
Justification: Introduces a new security hole
Hi,
after watching videos on YouTube I found this in /tmp:
$ ls -l /tmp/gnash*
-rw-r--r-- 1 alexander alexander 329 Nov 20 15:22 /tmp/gnash-cookies.31032
$
Please note that the file is world-readable. This enables things like:
$ sudo -u nobody cat /tmp/gnash-cookies.31032
Set-Cookie: use_hitbox=72c46ff6cbcdb7c5585c36411b6b334edAEAAAAw
Set-Cookie: VISITOR_INFO1_LIVE=WEbeevRfDNo
Set-Cookie: recently_watched_video_id_list=885d7cf2658d586fc1bef37a995ce29cWwEAAABzCwAAAHV3SFIwM1pHd1k4
Set-Cookie: GEO=0bf89ff87b12d82d91e10ddf1da36d95cwsAAAAzREVUmagnTskNGQ==
Set-Cookie: PREF=f1=40000000&fv=10.1.999
$
Since gnash is installed per default and also starts playing as soon as
flash content is detected, this can be a serious security/privacy issue
on multi-user systems. Gnash should either use $HOME for storing cookies
or create them with sane permissions (0600).
Best regards
Alexander Kurtz
--- End Message ---
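The report above names two properties of the cookie file: it is world-readable and its name is predictable. The following C sketch is an added example, not part of the original message and not gnash's own code; it places a creation pattern that produces the observed 0644 file beside one that yields an owner-only file with an unguessable name. The function names and the demo directory are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern matching the report: name derived from the PID, mode left to the
 * umask. With the common umask 022 the file ends up 0644 (world-readable). */
int create_predictable(const char *dir, char *path, size_t n)
{
    snprintf(path, n, "%s/gnash-cookies.%ld", dir, (long)getpid());
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
}

/* Hardened form: mkstemp() chooses a random suffix and creates the file
 * exclusively, so an existing file or symlink is never reused. */
int create_private(const char *dir, char *path, size_t n)
{
    int fd;
    snprintf(path, n, "%s/gnash-cookies.XXXXXX", dir);
    fd = mkstemp(path);
    /* Set 0600 explicitly instead of relying on the libc default. */
    if (fd >= 0 && fchmod(fd, S_IRUSR | S_IWUSR) != 0) {
        close(fd); unlink(path); return -1;
    }
    return fd;
}

/* Permission bits of path, or (mode_t)-1 if it cannot be stat'ed. */
mode_t file_mode(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (st.st_mode & 07777) : (mode_t)-1;
}

int main(void)
{
    char dir[] = "/tmp/cookie-demo-XXXXXX", a[256], b[256]; /* constructed demo dir */
    umask(022);
    if (!mkdtemp(dir)) return 1;
    int fa = create_predictable(dir, a, sizeof a);
    int fb = create_private(dir, b, sizeof b);
    printf("%s %04o\n%s %04o\n", a, (unsigned)file_mode(a), b, (unsigned)file_mode(b));
    if (fa >= 0) { close(fa); unlink(a); }
    if (fb >= 0) { close(fb); unlink(b); }
    rmdir(dir);
    return 0;
}
```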
--- Begin Message ---
Source: gnash
Source-Version: 0.8.10-1
We believe that the bug you reported is fixed in the latest version of
gnash, which is due to be installed in the Debian FTP archive:
browser-plugin-gnash_0.8.10-1_amd64.deb
to main/g/gnash/browser-plugin-gnash_0.8.10-1_amd64.deb
gnash-common-opengl_0.8.10-1_all.deb
to main/g/gnash/gnash-common-opengl_0.8.10-1_all.deb
gnash-common_0.8.10-1_amd64.deb
to main/g/gnash/gnash-common_0.8.10-1_amd64.deb
gnash-cygnal_0.8.10-1_amd64.deb
to main/g/gnash/gnash-cygnal_0.8.10-1_amd64.deb
gnash-dbg_0.8.10-1_amd64.deb
to main/g/gnash/gnash-dbg_0.8.10-1_amd64.deb
gnash-dev_0.8.10-1_amd64.deb
to main/g/gnash/gnash-dev_0.8.10-1_amd64.deb
gnash-doc_0.8.10-1_all.deb
to main/g/gnash/gnash-doc_0.8.10-1_all.deb
gnash-ext-fileio_0.8.10-1_amd64.deb
to main/g/gnash/gnash-ext-fileio_0.8.10-1_amd64.deb
gnash-ext-lirc_0.8.10-1_amd64.deb
to main/g/gnash/gnash-ext-lirc_0.8.10-1_amd64.deb
gnash-ext-mysql_0.8.10-1_amd64.deb
to main/g/gnash/gnash-ext-mysql_0.8.10-1_amd64.deb
gnash-opengl_0.8.10-1_all.deb
to main/g/gnash/gnash-opengl_0.8.10-1_all.deb
gnash-tools_0.8.10-1_amd64.deb
to main/g/gnash/gnash-tools_0.8.10-1_amd64.deb
gnash_0.8.10-1.debian.tar.gz
to main/g/gnash/gnash_0.8.10-1.debian.tar.gz
gnash_0.8.10-1.dsc
to main/g/gnash/gnash_0.8.10-1.dsc
gnash_0.8.10-1_amd64.deb
to main/g/gnash/gnash_0.8.10-1_amd64.deb
gnash_0.8.10.orig.tar.gz
to main/g/gnash/gnash_0.8.10.orig.tar.gz
klash-opengl_0.8.10-1_all.deb
to main/g/gnash/klash-opengl_0.8.10-1_all.deb
klash_0.8.10-1_amd64.deb
to main/g/gnash/klash_0.8.10-1_amd64.deb
konqueror-plugin-gnash_0.8.10-1_amd64.deb
to main/g/gnash/konqueror-plugin-gnash_0.8.10-1_amd64.deb
mozilla-plugin-gnash_0.8.10-1_all.deb
to main/g/gnash/mozilla-plugin-gnash_0.8.10-1_all.deb
python-gtk-gnash_0.8.10-1_amd64.deb
to main/g/gnash/python-gtk-gnash_0.8.10-1_amd64.deb
swfdec-gnome_0.8.10-1_all.deb
to main/g/gnash/swfdec-gnome_0.8.10-1_all.deb
swfdec-mozilla_0.8.10-1_all.deb
to main/g/gnash/swfdec-mozilla_0.8.10-1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 649...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Gabriele Giacone <1o5g4...@gmail.com> (supplier of updated gnash package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Wed, 08 Feb 2012 03:48:11 +0100
Source: gnash
Binary: gnash-common gnash klash gnash-tools gnash-cygnal browser-plugin-gnash
konqueror-plugin-gnash python-gtk-gnash gnash-ext-fileio gnash-ext-mysql
gnash-ext-lirc gnash-dev gnash-dbg gnash-doc gnash-common-opengl gnash-opengl
klash-opengl swfdec-mozilla swfdec-gnome mozilla-plugin-gnash
Architecture: source amd64 all
Version: 0.8.10-1
Distribution: unstable
Urgency: low
Maintainer: Debian Flash Team <pkg-flash-de...@lists.alioth.debian.org>
Changed-By: Gabriele Giacone <1o5g4...@gmail.com>
Description:
browser-plugin-gnash - GNU Shockwave Flash (SWF) player - Plugin for Mozilla
and derivat
gnash - GNU Shockwave Flash (SWF) player
gnash-common - GNU Shockwave Flash (SWF) player - Common files/libraries
gnash-common-opengl - dummy package for gnash-common-opengl removal
gnash-cygnal - GNU Shockwave Flash (SWF) player - Media server
gnash-dbg - GNU Shockwave Flash (SWF) player - Debug symbols
gnash-dev - GNU Shockwave Flash (SWF) player - Development files
gnash-doc - GNU Shockwave Flash (SWF) player - API documentation
gnash-ext-fileio - GNU Shockwave Flash (SWF) player - Fileio extension
gnash-ext-lirc - GNU Shockwave Flash (SWF) player - LIRC extension
gnash-ext-mysql - GNU Shockwave Flash (SWF) player - MySQL extension
gnash-opengl - dummy package for gnash-opengl removal
gnash-tools - GNU Shockwave Flash (SWF) player - Command-line Tools
klash - GNU Shockwave Flash (SWF) player - Standalone player for KDE
klash-opengl - dummy package for klash-opengl removal
konqueror-plugin-gnash - GNU Shockwave Flash (SWF) player - Plugin for
Konqueror
mozilla-plugin-gnash - dummy package for renaming to browser-plugin-gnash
python-gtk-gnash - GNU Shockwave Flash (SWF) player - Python bindings
swfdec-gnome - dummy package for transition to Gnash
swfdec-mozilla - dummy package for transition to browser-plugin-gnash
Closes: 634867 640107 649384
Changes:
gnash (0.8.10-1) unstable; urgency=low
.
* New upstream release.
+ Fix CVE-2011-4328 (Closes: #649384).
+ Fix parsing of lossless 15bit bitmaps (Closes: #634867).
* Add Gnome 3 thumbnailer.
* Add libboost-iostreams-dev and libgconf2-dev build deps.
* Transition to dh_python2.
* Fix d/copyright according to DEP-5.
* Remove dash escaping in manpages (Closes: #640107).
* Add noapidoc and nocheck build options.
* Move cygnal-only libs to cygnal package.
* Add revno.h generation to get-source target.
* Replace upstream changelog with upstream NEWS.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iEYEARECAAYFAk8x42MACgkQp3cdCbVcnCssZwCeLTIxbWGtPr8RNK+cNvtz6CN8
NZoAn0/fotfNR1ly4CjDZcNMOgI76UVi
=QWwv
-----END PGP SIGNATURE-----
--- End Message ---