Package: gnash
Version: 0.8.10~git20111001-1
Tags: security
Severity: critical
Justification: Introduces a new security hole

Hi,

after watching videos on YouTube I found this in /tmp:

    $ ls -l /tmp/gnash*
    -rw-r--r-- 1 alexander alexander 329 Nov 20 15:22 /tmp/gnash-cookies.31032
    $

Please note that the file is world-readable. This enables things like:

    $ sudo -u nobody cat /tmp/gnash-cookies.31032
    Set-Cookie: use_hitbox=72c46ff6cbcdb7c5585c36411b6b334edAEAAAAw
    Set-Cookie: VISITOR_INFO1_LIVE=WEbeevRfDNo
    Set-Cookie: recently_watched_video_id_list=885d7cf2658d586fc1bef37a995ce29cWwEAAABzCwAAAHV3SFIwM1pHd1k4
    Set-Cookie: GEO=0bf89ff87b12d82d91e10ddf1da36d95cwsAAAAzREVUmagnTskNGQ==
    Set-Cookie: PREF=f1=40000000&fv=10.1.999
    $

Since gnash is installed per default and also starts playing as soon as flash content is detected, this can be a serious security/privacy issue on multi-user systems. Gnash should either use $HOME for storing cookies or create them with sane permissions (0600).

Best regards

Alexander Kurtz
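
The difference between the permissions in the listing above and the 0600 the report asks for, as an added example that is not part of the original report and not gnash's code. The function names and the scratch paths under /tmp are hypothetical; the first function is a generic creation call whose mode is left to the umask, the second uses mkstemp() and pins the mode explicitly.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Permission bits of an open descriptor, or -1 on error. */
static int fd_mode(int fd) {
    struct stat st;
    return fstat(fd, &st) == 0 ? (int)(st.st_mode & 0777) : -1;
}

/* Before: the mode is left to the umask; with the common 022 the file
 * ends up 0644 (-rw-r--r--), readable by every local user. */
int weak_cookie_mode(void) {
    char dir[] = "/tmp/cookie-demo.XXXXXX";   /* constructed scratch dir */
    char path[64];
    mode_t old = umask(022);
    int mode = -1;
    if (mkdtemp(dir)) {
        snprintf(path, sizeof path, "%s/cookies", dir);
        int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0666);
        if (fd >= 0) { mode = fd_mode(fd); close(fd); unlink(path); }
        rmdir(dir);
    }
    umask(old);
    return mode;
}

/* After: mkstemp() picks an unpredictable name and creates the file
 * exclusively; fchmod() pins 0600 on the descriptor, independent of umask. */
int private_cookie_mode(void) {
    char path[] = "/tmp/cookies-demo.XXXXXX"; /* constructed template */
    mode_t old = umask(022);
    int mode = -1;
    int fd = mkstemp(path);
    if (fd >= 0) {
        if (fchmod(fd, S_IRUSR | S_IWUSR) == 0) mode = fd_mode(fd);
        close(fd);
        unlink(path);
    }
    umask(old);
    return mode;
}

int main(void) {
    printf("umask-dependent create: %04o\n", (unsigned)weak_cookie_mode());
    printf("mkstemp + fchmod:       %04o\n", (unsigned)private_cookie_mode());
    return 0;
}
```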