Your message dated Wed, 08 Feb 2012 03:17:59 +0000
with message-id <e1ruy2h-0000ka...@franck.debian.org>
and subject line Bug#649384: fixed in gnash 0.8.10-1
has caused the Debian Bug report #649384,
regarding gnash creates world-readable cookies under /tmp with predictable filenames
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
649384: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=649384
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: gnash
Version: 0.8.10~git20111001-1
Tags: security
Severity: critical
Justification: Introduces a new security hole

Hi,

after watching videos on YouTube I found this in /tmp:

	$ ls -l /tmp/gnash*
	-rw-r--r-- 1 alexander alexander 329 Nov 20 15:22 /tmp/gnash-cookies.31032
	$

Please note that the file is world-readable. This enables things like:

	$ sudo -u nobody cat /tmp/gnash-cookies.31032
	Set-Cookie: use_hitbox=72c46ff6cbcdb7c5585c36411b6b334edAEAAAAw
	Set-Cookie: VISITOR_INFO1_LIVE=WEbeevRfDNo
	Set-Cookie: recently_watched_video_id_list=885d7cf2658d586fc1bef37a995ce29cWwEAAABzCwAAAHV3SFIwM1pHd1k4
	Set-Cookie: GEO=0bf89ff87b12d82d91e10ddf1da36d95cwsAAAAzREVUmagnTskNGQ==
	Set-Cookie: PREF=f1=40000000&fv=10.1.999
	$

Since gnash is installed by default and also starts playing as soon as
flash content is detected, this can be a serious security/privacy issue
on multi-user systems. Gnash should either use $HOME for storing cookies
or create them with sane permissions (0600).

Best regards

Alexander Kurtz
--- End Message ---
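Added example, written here in C against the POSIX file API; it is not gnash's code and not part of this bug thread. It puts the creation pattern the report describes (fixed name under the shared /tmp, default umask) beside a hardened variant that keeps the cookie file 0600 inside a private per-user directory (the directory path and file names are assumptions), and adds the permission check an administrator can run over an existing file.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern reported above: a predictable name under the shared /tmp,
 * created through the process umask (usually 022), so the file comes out
 * 0644 and every local user can read the cookies. Shown only for contrast. */
FILE *open_cookie_file_insecure(void) {
    char path[64];
    snprintf(path, sizeof path, "/tmp/gnash-cookies.%ld", (long)getpid());
    return fopen(path, "w");               /* 0666 & ~umask, typically 0644 */
}

/* Hardened variant (assumed layout, not gnash's own code): a private
 * per-user directory such as $HOME/.gnash, created 0700 and verified to be
 * ours, then the file opened 0600 with O_EXCL|O_NOFOLLOW so a pre-existing
 * file or symlink left there by another user is rejected, not followed.
 * Returns an open fd, or -1 if any check fails. */
int open_cookie_file_secure(const char *dir, const char *name) {
    struct stat st;
    char path[4096];
    if (mkdir(dir, 0700) != 0 && errno != EEXIST) return -1;
    if (lstat(dir, &st) != 0 || !S_ISDIR(st.st_mode) ||
        st.st_uid != getuid() || (st.st_mode & 077) != 0) return -1;
    if (snprintf(path, sizeof path, "%s/%s", dir, name) >= (int)sizeof path) return -1;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0) return -1;
    /* Re-check on the descriptor itself: regular file, no group/other bits. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || (st.st_mode & 077) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Audit helper for an administrator: 1 if group or others can read the
 * path (the condition the reporter observed), 0 if only the owner can,
 * -1 if the path cannot be examined. */
int cookie_file_readable_by_others(const char *path) {
    struct stat st;
    if (lstat(path, &st) != 0) return -1;
    return (st.st_mode & (S_IRGRP | S_IROTH)) != 0;
}
```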
--- Begin Message ---
Source: gnash
Source-Version: 0.8.10-1

We believe that the bug you reported is fixed in the latest version of
gnash, which is due to be installed in the Debian FTP archive:

browser-plugin-gnash_0.8.10-1_amd64.deb
  to main/g/gnash/browser-plugin-gnash_0.8.10-1_amd64.deb
gnash-common-opengl_0.8.10-1_all.deb
  to main/g/gnash/gnash-common-opengl_0.8.10-1_all.deb
gnash-common_0.8.10-1_amd64.deb
  to main/g/gnash/gnash-common_0.8.10-1_amd64.deb
gnash-cygnal_0.8.10-1_amd64.deb
  to main/g/gnash/gnash-cygnal_0.8.10-1_amd64.deb
gnash-dbg_0.8.10-1_amd64.deb
  to main/g/gnash/gnash-dbg_0.8.10-1_amd64.deb
gnash-dev_0.8.10-1_amd64.deb
  to main/g/gnash/gnash-dev_0.8.10-1_amd64.deb
gnash-doc_0.8.10-1_all.deb
  to main/g/gnash/gnash-doc_0.8.10-1_all.deb
gnash-ext-fileio_0.8.10-1_amd64.deb
  to main/g/gnash/gnash-ext-fileio_0.8.10-1_amd64.deb
gnash-ext-lirc_0.8.10-1_amd64.deb
  to main/g/gnash/gnash-ext-lirc_0.8.10-1_amd64.deb
gnash-ext-mysql_0.8.10-1_amd64.deb
  to main/g/gnash/gnash-ext-mysql_0.8.10-1_amd64.deb
gnash-opengl_0.8.10-1_all.deb
  to main/g/gnash/gnash-opengl_0.8.10-1_all.deb
gnash-tools_0.8.10-1_amd64.deb
  to main/g/gnash/gnash-tools_0.8.10-1_amd64.deb
gnash_0.8.10-1.debian.tar.gz
  to main/g/gnash/gnash_0.8.10-1.debian.tar.gz
gnash_0.8.10-1.dsc
  to main/g/gnash/gnash_0.8.10-1.dsc
gnash_0.8.10-1_amd64.deb
  to main/g/gnash/gnash_0.8.10-1_amd64.deb
gnash_0.8.10.orig.tar.gz
  to main/g/gnash/gnash_0.8.10.orig.tar.gz
klash-opengl_0.8.10-1_all.deb
  to main/g/gnash/klash-opengl_0.8.10-1_all.deb
klash_0.8.10-1_amd64.deb
  to main/g/gnash/klash_0.8.10-1_amd64.deb
konqueror-plugin-gnash_0.8.10-1_amd64.deb
  to main/g/gnash/konqueror-plugin-gnash_0.8.10-1_amd64.deb
mozilla-plugin-gnash_0.8.10-1_all.deb
  to main/g/gnash/mozilla-plugin-gnash_0.8.10-1_all.deb
python-gtk-gnash_0.8.10-1_amd64.deb
  to main/g/gnash/python-gtk-gnash_0.8.10-1_amd64.deb
swfdec-gnome_0.8.10-1_all.deb
  to main/g/gnash/swfdec-gnome_0.8.10-1_all.deb
swfdec-mozilla_0.8.10-1_all.deb
  to main/g/gnash/swfdec-mozilla_0.8.10-1_all.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 649...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Gabriele Giacone <1o5g4...@gmail.com> (supplier of updated gnash package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)

Format: 1.8
Date: Wed, 08 Feb 2012 03:48:11 +0100
Source: gnash
Binary: gnash-common gnash klash gnash-tools gnash-cygnal browser-plugin-gnash konqueror-plugin-gnash python-gtk-gnash gnash-ext-fileio gnash-ext-mysql gnash-ext-lirc gnash-dev gnash-dbg gnash-doc gnash-common-opengl gnash-opengl klash-opengl swfdec-mozilla swfdec-gnome mozilla-plugin-gnash
Architecture: source amd64 all
Version: 0.8.10-1
Distribution: unstable
Urgency: low
Maintainer: Debian Flash Team <pkg-flash-de...@lists.alioth.debian.org>
Changed-By: Gabriele Giacone <1o5g4...@gmail.com>
Description:
 browser-plugin-gnash - GNU Shockwave Flash (SWF) player - Plugin for Mozilla and derivat
 gnash      - GNU Shockwave Flash (SWF) player
 gnash-common - GNU Shockwave Flash (SWF) player - Common files/libraries
 gnash-common-opengl - dummy package for gnash-common-opengl removal
 gnash-cygnal - GNU Shockwave Flash (SWF) player - Media server
 gnash-dbg  - GNU Shockwave Flash (SWF) player - Debug symbols
 gnash-dev  - GNU Shockwave Flash (SWF) player - Development files
 gnash-doc  - GNU Shockwave Flash (SWF) player - API documentation
 gnash-ext-fileio - GNU Shockwave Flash (SWF) player - Fileio extension
 gnash-ext-lirc - GNU Shockwave Flash (SWF) player - LIRC extension
 gnash-ext-mysql - GNU Shockwave Flash (SWF) player - MySQL extension
 gnash-opengl - dummy package for gnash-opengl removal
 gnash-tools - GNU Shockwave Flash (SWF) player - Command-line Tools
 klash      - GNU Shockwave Flash (SWF) player - Standalone player for KDE
 klash-opengl - dummy package for klash-opengl removal
 konqueror-plugin-gnash - GNU Shockwave Flash (SWF) player - Plugin for Konqueror
 mozilla-plugin-gnash - dummy package for renaming to browser-plugin-gnash
 python-gtk-gnash - GNU Shockwave Flash (SWF) player - Python bindings
 swfdec-gnome - dummy package for transition to Gnash
 swfdec-mozilla - dummy package for transition to browser-plugin-gnash
Closes: 634867 640107 649384
Changes:
 gnash (0.8.10-1) unstable; urgency=low
 .
   * New upstream release.
     + Fix CVE-2011-4328 (Closes: #649384).
     + Fix parsing of lossless 15bit bitmaps (Closes: #634867).
   * Add Gnome 3 thumbnailer.
   * Add libboost-iostreams-dev and libgconf2-dev build deps.
   * Transition to dh_python2.
   * Fix d/copyright according to DEP-5.
   * Remove dash escaping in manpages (Closes: #640107).
   * Add noapidoc and nocheck build options.
   * Move cygnal-only libs to cygnal package.
   * Add revno.h generation to get-source target.
   * Replace upstream changelog with upstream NEWS.
--- End Message ---