gnash creates world-readable cookies under /tmp with predictable filenames

Debian Bug report logs - #649384
gnash creates world-readable cookies under /tmp with predictable filenames

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Alexander Kurtz <kurtz.alex@googlemail.com>

To: submit@bugs.debian.org

Cc: debian-security@lists.debian.org

Subject: gnash creates world-readable cookies under /tmp

Date: Sun, 20 Nov 2011 15:39:36 +0100

[Message part 1 (text/plain, inline)]

Package: gnash
Version: 0.8.10~git20111001-1
Tags: security
Severity: critical
Justification: Introduces a new security hole

Hi,

after watching videos on YouTube I found this in /tmp:

	$ ls -l /tmp/gnash*
	-rw-r--r-- 1 alexander alexander 329 Nov 20 15:22 /tmp/gnash-cookies.31032
	$ 

Please note that the file is world-readable. This enables things like:

	$ sudo -u nobody cat /tmp/gnash-cookies.31032 
	Set-Cookie: use_hitbox=72c46ff6cbcdb7c5585c36411b6b334edAEAAAAw
	Set-Cookie:  VISITOR_INFO1_LIVE=WEbeevRfDNo
	Set-Cookie:  recently_watched_video_id_list=885d7cf2658d586fc1bef37a995ce29cWwEAAABzCwAAAHV3SFIwM1pHd1k4
	Set-Cookie:  GEO=0bf89ff87b12d82d91e10ddf1da36d95cwsAAAAzREVUmagnTskNGQ==
	Set-Cookie:  PREF=f1=40000000&fv=10.1.999
	$

Since gnash is installed per default and also starts playing as soon as
flash content is detected, this can be a serious security/privacy issue
on multi-user systems. Gnash should either use $HOME for storing cookies
or create them with sane permissions (0600).

Best regards

Alexander Kurtz

[signature.asc (application/pgp-signature, inline)]

Message #10 received at 649384@bugs.debian.org (full text, mbox, reply):

From: Gabriele Giacone <1o5g4r8o@gmail.com>

To: Alexander Kurtz <kurtz.alex@googlemail.com>, 649384@bugs.debian.org

Subject: Re: Bug#649384: gnash creates world-readable cookies under /tmp

Date: Sun, 20 Nov 2011 18:01:19 +0100

tags 649384 fixed-upstream
thanks

On Sun, Nov 20, 2011 at 03:39:36PM +0100, Alexander Kurtz wrote:
> or create them with sane permissions (0600).

http://git.savannah.gnu.org/gitweb/?p=gnash.git;a=commitdiff;h=fa481c116e65ccf9137c7ddc8abc3cf05dc12f55

Message #17 received at 649384@bugs.debian.org (full text, mbox, reply):

From: Alexander Kurtz <kurtz.alex@googlemail.com>

To: Gabriele Giacone <1o5g4r8o@gmail.com>

Cc: 649384@bugs.debian.org, debian-security@lists.debian.org

Subject: Re: Bug#649384: gnash creates world-readable cookies under /tmp

Date: Sun, 20 Nov 2011 19:11:10 +0100

[Message part 1 (text/plain, inline)]

retitle 649384 gnash creates world-readable cookies under /tmp with predictable filenames
thanks

On Sun, 2011-11-20 at 18:01 +0100, Gabriele Giacone wrote:
> tags 649384 fixed-upstream
> thanks
> 
> On Sun, Nov 20, 2011 at 03:39:36PM +0100, Alexander Kurtz wrote:
> > or create them with sane permissions (0600).
> 
> http://git.savannah.gnu.org/gitweb/?p=gnash.git;a=commitdiff;h=fa481c116e65ccf9137c7ddc8abc3cf05dc12f55

I don't think this fixes the underlying problem: An attacker would still
be able to read the cookie if he managed to win the race-condition and
opens the file before the chmod(). If you agree, please remove the
"fixed-upstream" tag.

Furthermore, I took a quick look at the code and noticed this:

	1105     gnash::log_debug("The Cookie for %s is %s", url, ncookie);
	1106     std::ofstream cookiefile;
	1107     std::stringstream ss;
	1108     ss << "/tmp/gnash-cookies." << getpid();
	1109 
	1110     cookiefile.open(ss.str().c_str(), std::ios::out | std::ios::trunc);
	1111     chmod (ss.str().c_str(), 0600);

I might be wrong, but I very strongly suspect a possible symlink attack
here which would enable an attacker to overwrite arbitrary files and
(with your patch) change their permissions.

Best regards

Alexander Kurtz

[signature.asc (application/pgp-signature, inline)]

Message #24 received at 649384@bugs.debian.org (full text, mbox, reply):

From: Francesco Poli <invernomuto@paranoici.org>

To: Alexander Kurtz <kurtz.alex@googlemail.com>

Cc: 649384@bugs.debian.org, debian-security@lists.debian.org

Subject: Re: gnash creates world-readable cookies under /tmp

Date: Sun, 20 Nov 2011 21:12:10 +0100

[Message part 1 (text/plain, inline)]

On Sun, 20 Nov 2011 15:39:36 +0100 Alexander Kurtz wrote:

[...]
> Hi,
> 
> after watching videos on YouTube I found this in /tmp:
> 
> 	$ ls -l /tmp/gnash*
> 	-rw-r--r-- 1 alexander alexander 329 Nov 20 15:22 /tmp/gnash-cookies.31032
> 	$

Hi!
I am a user of the gnash package and I am experiencing the same issue.

> 
> Please note that the file is world-readable.
[...]
> Since gnash is installed per default and also starts playing as soon as
> flash content is detected, this can be a serious security/privacy issue
> on multi-user systems. Gnash should either use $HOME for storing cookies
> or create them with sane permissions (0600).

I would add the following consideration: why does gnash create cookies
at all?

I thought I managed to disable flash cookies long time ago with the
following setting:

  $ grep SOLSafeDir /etc/gnashrc
  set SOLSafeDir /dev/null

but it seems that this option is not (or no longer?) enough to prevent
gnash from creating/storing cookies.

Could someone please tell me where is the option to disable cookies?
I think there should be one, but I seem to be unable to find it...

Thanks for your time!


-- 
 http://www.inventati.org/frx/frx-gpg-key-transition-2010.txt
 New GnuPG key, see the transition document!
..................................................... Francesco Poli .
 GnuPG key fpr == CA01 1147 9CD2 EFDF FB82  3925 3E1C 27E1 1F69 BFFE

[Message part 2 (application/pgp-signature, inline)]

Message #29 received at 649384@bugs.debian.org (full text, mbox, reply):

From: Alexander Kurtz <kurtz.alex@googlemail.com>

To: Francesco Poli <invernomuto@paranoici.org>

Cc: 649384@bugs.debian.org

Subject: Re: gnash creates world-readable cookies under /tmp

Date: Sun, 20 Nov 2011 21:21:39 +0100

[Message part 1 (text/plain, inline)]

On Sun, 2011-11-20 at 21:12 +0100, Francesco Poli wrote:
> I would add the following consideration: why does gnash create cookies
> at all?

Good question.

> Could someone please tell me where is the option to disable cookies?
> I think there should be one, but I seem to be unable to find it...

I configured this via the gnash GUI:

	$ grep -i sol ~/.gnashpluginrc 
	set solReadOnly true
	set solLocalDomain false
	set SOLSafeDir /home/alexander/.gnash/SharedObjects
	$

Hope this helps!

Alexander Kurtz

[signature.asc (application/pgp-signature, inline)]

Message #34 received at 649384@bugs.debian.org (full text, mbox, reply):

From: Francesco Poli <invernomuto@paranoici.org>

To: Alexander Kurtz <kurtz.alex@googlemail.com>

Cc: 649384@bugs.debian.org

Subject: Re: gnash creates world-readable cookies under /tmp

Date: Sun, 20 Nov 2011 21:43:36 +0100

[Message part 1 (text/plain, inline)]

On Sun, 20 Nov 2011 21:21:39 +0100 Alexander Kurtz wrote:

> On Sun, 2011-11-20 at 21:12 +0100, Francesco Poli wrote:
> > I would add the following consideration: why does gnash create cookies
> > at all?
> 
> Good question.

Thanks!   ;-)

> 
> > Could someone please tell me where is the option to disable cookies?
> > I think there should be one, but I seem to be unable to find it...
> 
> I configured this via the gnash GUI:
> 
> 	$ grep -i sol ~/.gnashpluginrc 
> 	set solReadOnly true
> 	set solLocalDomain false
> 	set SOLSafeDir /home/alexander/.gnash/SharedObjects
> 	$

And did gnash stop creating cookies in /tmp after that configuration
change?
Also, does it refrain from creating cookies in your
~/.gnash/SharedObjects directory?

> 
> Hope this helps!

Maybe, but thanks for your prompt reply anyway!   :-)

-- 
 http://www.inventati.org/frx/frx-gpg-key-transition-2010.txt
 New GnuPG key, see the transition document!
..................................................... Francesco Poli .
 GnuPG key fpr == CA01 1147 9CD2 EFDF FB82  3925 3E1C 27E1 1F69 BFFE

[Message part 2 (application/pgp-signature, inline)]

Message #39 received at 649384@bugs.debian.org (full text, mbox, reply):

From: Alexander Kurtz <kurtz.alex@googlemail.com>

To: Francesco Poli <invernomuto@paranoici.org>

Cc: 649384@bugs.debian.org

Subject: Re: gnash creates world-readable cookies under /tmp

Date: Sun, 20 Nov 2011 21:49:08 +0100

[Message part 1 (text/plain, inline)]

On Sun, 2011-11-20 at 21:43 +0100, Francesco Poli wrote:
> And did gnash stop creating cookies in /tmp after that configuration
> change?

Nope.

> Also, does it refrain from creating cookies in your
> ~/.gnash/SharedObjects directory?

Yes. It still created some subdirectories, but no actual cookies.

Best regards

Alexander Kurtz

[signature.asc (application/pgp-signature, inline)]

Message #44 received at 649384@bugs.debian.org (full text, mbox, reply):

From: Francesco Poli <invernomuto@paranoici.org>

To: Alexander Kurtz <kurtz.alex@googlemail.com>

Cc: 649384@bugs.debian.org

Subject: Re: gnash creates world-readable cookies under /tmp

Date: Mon, 21 Nov 2011 00:12:44 +0100

[Message part 1 (text/plain, inline)]

On Sun, 20 Nov 2011 21:49:08 +0100 Alexander Kurtz wrote:

> On Sun, 2011-11-20 at 21:43 +0100, Francesco Poli wrote:
> > And did gnash stop creating cookies in /tmp after that configuration
> > change?
> 
> Nope.
> 
> > Also, does it refrain from creating cookies in your
> > ~/.gnash/SharedObjects directory?
> 
> Yes. It still created some subdirectories, but no actual cookies.

So, it seems that so-called Flash shared objects and gnash-cookies (the
ones created by Gnash in /tmp) are different things.

The former may be disabled via the gnash GUI, as you did, or,
equivalently, by editing (user-specific or system-wide) configuration
files, as I did.

What about the latter?
We still have to figure out whether they can be disabled...



-- 
 http://www.inventati.org/frx/frx-gpg-key-transition-2010.txt
 New GnuPG key, see the transition document!
..................................................... Francesco Poli .
 GnuPG key fpr == CA01 1147 9CD2 EFDF FB82  3925 3E1C 27E1 1F69 BFFE

[Message part 2 (application/pgp-signature, inline)]

Message #49 received at 649384@bugs.debian.org (full text, mbox, reply):

From: Gabriele Giacone <1o5g4r8o@gmail.com>

To: Francesco Poli <invernomuto@paranoici.org>, 649384@bugs.debian.org

Cc: Alexander Kurtz <kurtz.alex@googlemail.com>, Development mailing list <gnash-dev@gnu.org>

Subject: Re: Bug#649384: gnash creates world-readable cookies under /tmp

Date: Mon, 21 Nov 2011 00:56:29 +0100

[CCing gnash-dev ml to be contradicted]

On 11/21/2011 12:12 AM, Francesco Poli wrote:
> On Sun, 20 Nov 2011 21:49:08 +0100 Alexander Kurtz wrote:
>
>> On Sun, 2011-11-20 at 21:43 +0100, Francesco Poli wrote:
>>> And did gnash stop creating cookies in /tmp after that configuration
>>> change?
>>
>> Nope.
>>
>>> Also, does it refrain from creating cookies in your
>>> ~/.gnash/SharedObjects directory?
>>
>> Yes. It still created some subdirectories, but no actual cookies.
>
> So, it seems that so-called Flash shared objects and gnash-cookies (the
> ones created by Gnash in /tmp) are different things.

22:19 < gg0> what's the difference between /tmp/gnash-cookies* and stuff 
under ~/.gnash/SharedObjects?
22:20 < strk> SharedObjects are flash-specific "cookies" while 
/tmp/gnash-cookies* are common HTTP ones

> The former may be disabled via the gnash GUI, as you did, or,
> equivalently, by editing (user-specific or system-wide) configuration
> files, as I did.
>
> What about the latter?
> We still have to figure out whether they can be disabled...

IIRC they contain essential info to make yt working. So we can't move 
them under SOLSafeDir because if you set it to /dev/null or make it 
read-only, it'll break yt.
I'd move them under ~/.gnash [0], although I don't know what could 
remove them at the end without introducing new rc options.

Any developers alive?

[0] http://paste.debian.net/plain/146441
-- 
Gabriele

Message #54 received at 649384@bugs.debian.org (full text, mbox, reply):

From: Rob Savoye <rob@welcomehome.org>

Cc: Francesco Poli <invernomuto@paranoici.org>, 649384@bugs.debian.org, Development mailing list <gnash-dev@gnu.org>, Alexander Kurtz <kurtz.alex@googlemail.com>

Subject: Re: [Gnash-dev] Bug#649384: gnash creates world-readable cookies under /tmp

Date: Sun, 20 Nov 2011 17:16:22 -0700

On 11/20/11 16:56, Gabriele Giacone wrote:

> 22:19 < gg0> what's the difference between /tmp/gnash-cookies* and stuff
> under ~/.gnash/SharedObjects?
> 22:20 < strk> SharedObjects are flash-specific "cookies" while
> /tmp/gnash-cookies* are common HTTP ones

  Correct. The /tmp/gnash-cookies* are standard HTTP cookies, which are
required to make many sites work, including YouTube. SharedObjects are
often called Flash Cookies, and a potential privacy issue. Gnash has a
utility called soldumper that'll dump all the SharedObject data to the
terminal so you can see what's being stored.

> IIRC they contain essential info to make yt working. So we can't move
> them under SOLSafeDir because if you set it to /dev/null or make it
> read-only, it'll break yt.

  YouTube needs the HTTP cookies, so it can get the redirect to a
geographically closer server. It should work without the SharedObjects,
if not, it's a bug. Here's what's in the three SharedObjects used by
YouTube:

Dumping SOL file
The file name is: ./videostats.sol
The size of the file is: 199
The name of the object is: videostats
perf:

Dumping SOL file
The file name is: ./soundData.sol
The size of the file is: 49
The name of the object is: soundData
volume: 1.01501e-319

Dumping SOL file
The file name is: ./hdTooltipClue2.sol
The size of the file is: 53
The name of the object is: hdTooltipClue2
count: 4.33197e-320

There's a little more info on SharedObjects on our web site:
http://www.gnashdev.org/?q=node/62

	- rob -

Message #59 received at 649384@bugs.debian.org (full text, mbox, reply):

From: Sandro Santilli <strk@keybit.net>

To: Gabriele Giacone <1o5g4r8o@gmail.com>

Cc: Francesco Poli <invernomuto@paranoici.org>, 649384@bugs.debian.org, Development mailing list <gnash-dev@gnu.org>, Alexander Kurtz <kurtz.alex@googlemail.com>

Subject: Re: [Gnash-dev] Bug#649384: gnash creates world-readable cookies under /tmp

Date: Mon, 21 Nov 2011 10:05:16 +0100

On Mon, Nov 21, 2011 at 12:56:29AM +0100, Gabriele Giacone wrote:

> I'd move them under ~/.gnash [0], although I don't know what could
> remove them at the end without introducing new rc options.
> 
> Any developers alive?
> 
> [0] http://paste.debian.net/plain/146441

We want to keep cookies alive when we requested to create a launcher.
This is because the launcher will reference the cookie file.

I don't think we implement that but libcurl also supports
reading cookies back in, which would allow us to send cookies
obtained by Gnash http requests back to the browser if the plugin
code takes care of doing that part.

In any case, the plugin should know if we want or not a launcher
(only way to it is an env variable, and is the plugin itself creating
the launcher) so you could cleanup the cookies if no launcher was
requested...

A safe way to put them in /tmp/ is still preferrable to me.
They are not really meant to survive a single instance of the
standalone player (except for the launcher case).

--strk; 

  ()   Free GIS & Flash consultant/developer
  /\   http://strk.keybit.net/services.html

Message #70 received at 649384-close@bugs.debian.org (full text, mbox, reply):

From: Gabriele Giacone <1o5g4r8o@gmail.com>

To: 649384-close@bugs.debian.org

Subject: Bug#649384: fixed in gnash 0.8.10-1

Date: Wed, 08 Feb 2012 03:17:59 +0000

Source: gnash
Source-Version: 0.8.10-1

We believe that the bug you reported is fixed in the latest version of
gnash, which is due to be installed in the Debian FTP archive:

browser-plugin-gnash_0.8.10-1_amd64.deb
  to main/g/gnash/browser-plugin-gnash_0.8.10-1_amd64.deb
gnash-common-opengl_0.8.10-1_all.deb
  to main/g/gnash/gnash-common-opengl_0.8.10-1_all.deb
gnash-common_0.8.10-1_amd64.deb
  to main/g/gnash/gnash-common_0.8.10-1_amd64.deb
gnash-cygnal_0.8.10-1_amd64.deb
  to main/g/gnash/gnash-cygnal_0.8.10-1_amd64.deb
gnash-dbg_0.8.10-1_amd64.deb
  to main/g/gnash/gnash-dbg_0.8.10-1_amd64.deb
gnash-dev_0.8.10-1_amd64.deb
  to main/g/gnash/gnash-dev_0.8.10-1_amd64.deb
gnash-doc_0.8.10-1_all.deb
  to main/g/gnash/gnash-doc_0.8.10-1_all.deb
gnash-ext-fileio_0.8.10-1_amd64.deb
  to main/g/gnash/gnash-ext-fileio_0.8.10-1_amd64.deb
gnash-ext-lirc_0.8.10-1_amd64.deb
  to main/g/gnash/gnash-ext-lirc_0.8.10-1_amd64.deb
gnash-ext-mysql_0.8.10-1_amd64.deb
  to main/g/gnash/gnash-ext-mysql_0.8.10-1_amd64.deb
gnash-opengl_0.8.10-1_all.deb
  to main/g/gnash/gnash-opengl_0.8.10-1_all.deb
gnash-tools_0.8.10-1_amd64.deb
  to main/g/gnash/gnash-tools_0.8.10-1_amd64.deb
gnash_0.8.10-1.debian.tar.gz
  to main/g/gnash/gnash_0.8.10-1.debian.tar.gz
gnash_0.8.10-1.dsc
  to main/g/gnash/gnash_0.8.10-1.dsc
gnash_0.8.10-1_amd64.deb
  to main/g/gnash/gnash_0.8.10-1_amd64.deb
gnash_0.8.10.orig.tar.gz
  to main/g/gnash/gnash_0.8.10.orig.tar.gz
klash-opengl_0.8.10-1_all.deb
  to main/g/gnash/klash-opengl_0.8.10-1_all.deb
klash_0.8.10-1_amd64.deb
  to main/g/gnash/klash_0.8.10-1_amd64.deb
konqueror-plugin-gnash_0.8.10-1_amd64.deb
  to main/g/gnash/konqueror-plugin-gnash_0.8.10-1_amd64.deb
mozilla-plugin-gnash_0.8.10-1_all.deb
  to main/g/gnash/mozilla-plugin-gnash_0.8.10-1_all.deb
python-gtk-gnash_0.8.10-1_amd64.deb
  to main/g/gnash/python-gtk-gnash_0.8.10-1_amd64.deb
swfdec-gnome_0.8.10-1_all.deb
  to main/g/gnash/swfdec-gnome_0.8.10-1_all.deb
swfdec-mozilla_0.8.10-1_all.deb
  to main/g/gnash/swfdec-mozilla_0.8.10-1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 649384@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Gabriele Giacone <1o5g4r8o@gmail.com> (supplier of updated gnash package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 08 Feb 2012 03:48:11 +0100
Source: gnash
Binary: gnash-common gnash klash gnash-tools gnash-cygnal browser-plugin-gnash konqueror-plugin-gnash python-gtk-gnash gnash-ext-fileio gnash-ext-mysql gnash-ext-lirc gnash-dev gnash-dbg gnash-doc gnash-common-opengl gnash-opengl klash-opengl swfdec-mozilla swfdec-gnome mozilla-plugin-gnash
Architecture: source amd64 all
Version: 0.8.10-1
Distribution: unstable
Urgency: low
Maintainer: Debian Flash Team <pkg-flash-devel@lists.alioth.debian.org>
Changed-By: Gabriele Giacone <1o5g4r8o@gmail.com>
Description: 
 browser-plugin-gnash - GNU Shockwave Flash (SWF) player - Plugin for Mozilla and derivat
 gnash      - GNU Shockwave Flash (SWF) player
 gnash-common - GNU Shockwave Flash (SWF) player - Common files/libraries
 gnash-common-opengl - dummy package for gnash-common-opengl removal
 gnash-cygnal - GNU Shockwave Flash (SWF) player - Media server
 gnash-dbg  - GNU Shockwave Flash (SWF) player - Debug symbols
 gnash-dev  - GNU Shockwave Flash (SWF) player - Development files
 gnash-doc  - GNU Shockwave Flash (SWF) player - API documentation
 gnash-ext-fileio - GNU Shockwave Flash (SWF) player - Fileio extension
 gnash-ext-lirc - GNU Shockwave Flash (SWF) player - LIRC extension
 gnash-ext-mysql - GNU Shockwave Flash (SWF) player - MySQL extension
 gnash-opengl - dummy package for gnash-opengl removal
 gnash-tools - GNU Shockwave Flash (SWF) player - Command-line Tools
 klash      - GNU Shockwave Flash (SWF) player - Standalone player for KDE
 klash-opengl - dummy package for klash-opengl removal
 konqueror-plugin-gnash - GNU Shockwave Flash (SWF) player - Plugin for Konqueror
 mozilla-plugin-gnash - dummy package for renaming to browser-plugin-gnash
 python-gtk-gnash - GNU Shockwave Flash (SWF) player - Python bindings
 swfdec-gnome - dummy package for transition to Gnash
 swfdec-mozilla - dummy package for transition to browser-plugin-gnash
Closes: 634867 640107 649384
Changes: 
 gnash (0.8.10-1) unstable; urgency=low
 .
   * New upstream release.
     + Fix CVE-2011-4328 (Closes: #649384).
     + Fix parsing of lossless 15bit bitmaps (Closes: #634867).
   * Add Gnome 3 thumbnailer.
   * Add libboost-iostreams-dev and libgconf2-dev build deps.
   * Transition to dh_python2.
   * Fix d/copyright according to DEP-5.
   * Remove dash escaping in manpages (Closes: #640107).
   * Add noapidoc and nocheck build options.
   * Move cygnal-only libs to cygnal package.
   * Add revno.h generation to get-source target.
   * Replace upstream changelog with upstream NEWS.
Checksums-Sha1: 
 a6717bd24ae184013875656e1320b979d92809f9 3225 gnash_0.8.10-1.dsc
 6e7e046c029134fd1294c6a68b423f1f02de9d7b 6177166 gnash_0.8.10.orig.tar.gz
 bb4ecd115ecf41fb884e320eec47532931cc61fc 34582 gnash_0.8.10-1.debian.tar.gz
 0b4ae41b8165cf10337afff900627a5a444c3090 3710814 gnash-common_0.8.10-1_amd64.deb
 1ff483e31db1183d0fd8dd1cb395e6a609996ce2 333644 gnash_0.8.10-1_amd64.deb
 6cb8464ff0959063c91bb9485d3ae461c5732c9e 338322 klash_0.8.10-1_amd64.deb
 b1f1a44b7b44fea3bb64aeb934999dcf62c041ef 243750 gnash-tools_0.8.10-1_amd64.deb
 2ea052998ff65af297a456809e95d1c8134ae39a 988052 gnash-cygnal_0.8.10-1_amd64.deb
 984bbc471533ce295cedce88ebd370fcda74e756 185596 browser-plugin-gnash_0.8.10-1_amd64.deb
 6efb65176ccb4303a1b7835a25cfc4060f56b393 55294 konqueror-plugin-gnash_0.8.10-1_amd64.deb
 3979bb0eebf54da9ec5769a22d49fec299e0283d 133416 python-gtk-gnash_0.8.10-1_amd64.deb
 7c516212ac42e37bfafb98f6dbbc6a333643b2ae 87186 gnash-ext-fileio_0.8.10-1_amd64.deb
 dd5ed2bac52f046b16c0e15e3e51cd6c7fe507bd 104380 gnash-ext-mysql_0.8.10-1_amd64.deb
 7a6f6c665c3a48b9dff87289061a7c78034f4768 81940 gnash-ext-lirc_0.8.10-1_amd64.deb
 47ee5881bd728da1e41f707ce2279fcd9fc70b06 261266 gnash-dev_0.8.10-1_amd64.deb
 525f25c3382835caf77de960438467eba50fe5e2 1844314 gnash-dbg_0.8.10-1_amd64.deb
 c808d20c1b5d6e6e650672f6f30553f03900823a 5130370 gnash-doc_0.8.10-1_all.deb
 50c036b4a578e7bd1c8d11394ba2009afd5dc0f5 26774 gnash-common-opengl_0.8.10-1_all.deb
 dc0575ccc2316f8e46935ad5315277d1d7efa6ed 26768 gnash-opengl_0.8.10-1_all.deb
 b152fae2f2c4740126bf491a03b4367f52d0c38d 26770 klash-opengl_0.8.10-1_all.deb
 f790b02b09d0acf736e5cc84fb76c63b59adf24d 26790 swfdec-mozilla_0.8.10-1_all.deb
 a6241624240f6d57850f6942b859855bb1737ed0 26770 mozilla-plugin-gnash_0.8.10-1_all.deb
 04be7085f40b037384acdc918ccc3ad93cc4f18b 26780 swfdec-gnome_0.8.10-1_all.deb
Checksums-Sha256: 
 64483a22e08e76dddcde03c1bbf10cabadb567f39de57ce0366d15cb0b7da90a 3225 gnash_0.8.10-1.dsc
 0758c8ce41a8361fac11d16f3afef2465c7f9722077313f5e531c9e6200f6218 6177166 gnash_0.8.10.orig.tar.gz
 f225e2f82197689d29290f8bdb7c960f7bf9848054d4be75ee8e5ff9cb033acd 34582 gnash_0.8.10-1.debian.tar.gz
 7cce37e250d1992c7a96258bec20db3d17022ffc6f7df31825e0c2992cc953a8 3710814 gnash-common_0.8.10-1_amd64.deb
 5a9fa83c5dd4737b98c84caf2b0cf6ba7979ebb33f4d474c240a6dedbf8950af 333644 gnash_0.8.10-1_amd64.deb
 629f322ffa30143d1f911beb08cb9e4fcbfb661f72cbb9b09fc604c0bbdfea32 338322 klash_0.8.10-1_amd64.deb
 2deafb15b360192ff5f61b4ead628d75e4502a90acc8cdcdc0562f106b596cc0 243750 gnash-tools_0.8.10-1_amd64.deb
 4dacd3c76a19cfa40b2826e5309e1f5f33e6ad90a6f8bcd7b8796cc1ea0c7be9 988052 gnash-cygnal_0.8.10-1_amd64.deb
 ab95b42f09bea44d5c3dd69dd73ef92ab95f0ad77041cf4fd1b20cd1a9dc7e6c 185596 browser-plugin-gnash_0.8.10-1_amd64.deb
 202835b1e7eb8abfa61caacc249b0da0a1d792ce8c52babe3d968316ec0ae112 55294 konqueror-plugin-gnash_0.8.10-1_amd64.deb
 0b1b86199e0ee0c8406da2ef5d89e3e3afc1de666094a7333bc9f5aa567d91e7 133416 python-gtk-gnash_0.8.10-1_amd64.deb
 60e6a7ac4774e7dfb8777fc72a5ade6f2c777c3bc19b99d8f819ff8f61b534ed 87186 gnash-ext-fileio_0.8.10-1_amd64.deb
 6d2263694eb91eae244bd28151d81c0716113d4dc271a1d0aef7362c6906d2c9 104380 gnash-ext-mysql_0.8.10-1_amd64.deb
 4c07686fc4e6768ca010bb4c9ca5fdbfb4bb1f068ba5ff99f77e0fe61188ff11 81940 gnash-ext-lirc_0.8.10-1_amd64.deb
 5ec85c6f916388617934aa3332135848d10c7f3d3ed41cc4d58dbdd73c789b7a 261266 gnash-dev_0.8.10-1_amd64.deb
 333e7daad8334330f120c5f5fe6597644bc62cf779004979e07d04f7c33961eb 1844314 gnash-dbg_0.8.10-1_amd64.deb
 8a0d84edf63c0d506248fc925f4e4aa8e59f3187fc6e86883153ad9e501f821e 5130370 gnash-doc_0.8.10-1_all.deb
 a6e1bf4d4bfc8760ab823f35e71857178d31d6ca11cf58822ba60762b92c258b 26774 gnash-common-opengl_0.8.10-1_all.deb
 284e1fc62a2efb023b2f2ee5d13f5bd38b8c15e1fcf75f48deab680f45343ff2 26768 gnash-opengl_0.8.10-1_all.deb
 bb33bbbbcaf04bf75d07002f9f448bed6ee789c18f09c7ded6ccd0c39e187a87 26770 klash-opengl_0.8.10-1_all.deb
 9f011df25c47fbaf0f11d2942743f95309becaeabab197774abb0088ff28a66a 26790 swfdec-mozilla_0.8.10-1_all.deb
 8e0bb59dfdbf6c7b86e70bfd3d1d5d2c550e3bd6e3f825a9849a8dd33486e805 26770 mozilla-plugin-gnash_0.8.10-1_all.deb
 536d2ef06ccd25b653a2750aa04ebd2a058daa9eb461b5286e2b7e60c219abd7 26780 swfdec-gnome_0.8.10-1_all.deb
Files: 
 68a78096399cf98f1ca1747910faa2ba 3225 video optional gnash_0.8.10-1.dsc
 be2f0608cfe2e37ceb892742e66c894e 6177166 video optional gnash_0.8.10.orig.tar.gz
 44f214ad2bf87fe5d913ec4bab4bf30f 34582 video optional gnash_0.8.10-1.debian.tar.gz
 023c368a78bee74f2358a72e64fe8a80 3710814 video optional gnash-common_0.8.10-1_amd64.deb
 cd9f2e76e15130512fc6d356b8b2f7ae 333644 video optional gnash_0.8.10-1_amd64.deb
 00e756b4cc1bf58343eba0298e0d9050 338322 video optional klash_0.8.10-1_amd64.deb
 e7cf890978332f02fea3369e260d3289 243750 video optional gnash-tools_0.8.10-1_amd64.deb
 c82d252c4770d3ee65ea6b3d2d290e77 988052 video optional gnash-cygnal_0.8.10-1_amd64.deb
 25374a896297482047006e5d6de0d985 185596 video optional browser-plugin-gnash_0.8.10-1_amd64.deb
 0a3d37a0570581e17c1643d7b752d5b9 55294 video optional konqueror-plugin-gnash_0.8.10-1_amd64.deb
 1690bca75e981323971bf9f7e1fc85b5 133416 python optional python-gtk-gnash_0.8.10-1_amd64.deb
 53e4934dda4b2cc0cb452716b261f58f 87186 video optional gnash-ext-fileio_0.8.10-1_amd64.deb
 69fc659ca90bf45512ded4d3dad751a3 104380 video optional gnash-ext-mysql_0.8.10-1_amd64.deb
 bb5cb43f18b1b720381d2ca5b3d319b3 81940 video optional gnash-ext-lirc_0.8.10-1_amd64.deb
 283570e5b3a54cb4f2e9457cac094237 261266 libdevel optional gnash-dev_0.8.10-1_amd64.deb
 08fc09bebe2a4f0136afaaef49d26f56 1844314 debug extra gnash-dbg_0.8.10-1_amd64.deb
 5198d62dd6e5cb8b0734f7c40cf9491e 5130370 doc optional gnash-doc_0.8.10-1_all.deb
 153562f907289517d8a2447ce82ae1fb 26774 oldlibs extra gnash-common-opengl_0.8.10-1_all.deb
 b33612841d44460635e5c8c526772dc3 26768 oldlibs extra gnash-opengl_0.8.10-1_all.deb
 aace547295544fef72784a9424f81671 26770 oldlibs extra klash-opengl_0.8.10-1_all.deb
 7c2abcbf0e0432ae5a3e15126a7c4cc0 26790 oldlibs extra swfdec-mozilla_0.8.10-1_all.deb
 c9f97fc9eeff389ce6d4084bc661e52d 26770 oldlibs extra mozilla-plugin-gnash_0.8.10-1_all.deb
 4e715680d969140b245acb542a5bd58f 26780 oldlibs extra swfdec-gnome_0.8.10-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAk8x42MACgkQp3cdCbVcnCssZwCeLTIxbWGtPr8RNK+cNvtz6CN8
NZoAn0/fotfNR1ly4CjDZcNMOgI76UVi
=QWwv
-----END PGP SIGNATURE-----

Message #79 received at 649384@bugs.debian.org (full text, mbox, reply):

From: Jonathan Wiltshire <jmw@debian.org>

To: 649384@bugs.debian.org

Subject: Re: gnash creates world-readable cookies under /tmp with predictable filenames

Date: Sun, 08 Jul 2012 19:15:06 -0000

Dear maintainer,

Recently you fixed one or more security problems and as a result you closed
this bug. These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:

squeeze (6.0.6) - use target "stable"

Please prepare a minimal-changes upload targetting each of these suites,
and submit a debdiff to the Release Team [0] for consideration. They will
offer additional guidance or instruct you to upload your package.

I will happily assist you at any stage if the patch is straightforward and
you need help. Please keep me in CC at all times so I can
track [1] the progress of this request.

For details of this process and the rationale, please see the original
announcement [2] and my blog post [3].

0: debian-release@lists.debian.org
1: http://prsc.debian.net/tracker/649384/
2: <201101232332.11736.thijs@debian.org>
3: http://deb.li/prsc

Thanks,

with his security hat on:
--
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

Message #84 received at 649384@bugs.debian.org (full text, mbox, reply):

From: Gabriele Giacone <1o5g4r8o@gmail.com>

To: Jonathan Wiltshire <jmw@debian.org>, 649384@bugs.debian.org

Subject: Re: Bug#649384: gnash creates world-readable cookies under /tmp with predictable filenames

Date: Mon, 09 Jul 2012 01:13:39 +0200

On 07/08/2012 09:15 PM, Jonathan Wiltshire wrote:
> Recently you fixed one or more security problems and as a result you closed
> this bug. These problems were not serious enough for a Debian Security
> Advisory, so they are now on my radar for fixing in the following suites
> through point releases:
> 
> squeeze (6.0.6) - use target "stable"

False positive, your radar didn't detect DSA-2435 [CVE-2011-4328] has
been created for such issue and fixed through security updates first,
then shipped with 6.0.5.

http://security-tracker.debian.org/tracker/CVE-2011-4328
http://www.debian.org/security/2012/dsa-2435


-- 
Gabriele

Message #85 received at 649384-done@bugs.debian.org (full text, mbox, reply):

From: Didier Raboud <odyx@debian.org>

To: Gabriele Giacone <1o5g4r8o@gmail.com>, 649384-done@bugs.debian.org

Cc: Jonathan Wiltshire <jmw@debian.org>

Subject: Re: Bug#649384: gnash creates world-readable cookies under /tmp with predictable filenames

Date: Sun, 8 Jul 2012 17:45:06 -0600

[Message part 1 (text/plain, inline)]

Le dimanche, 8 juillet 2012 17.13:39, Gabriele Giacone a écrit :
> On 07/08/2012 09:15 PM, Jonathan Wiltshire wrote:
> > Recently you fixed one or more security problems and as a result you
> > closed this bug. These problems were not serious enough for a Debian
> > Security Advisory, so they are now on my radar for fixing in the
> > following suites through point releases:
> > 
> > squeeze (6.0.6) - use target "stable"
> 
> False positive, your radar didn't detect DSA-2435 [CVE-2011-4328] has
> been created for such issue and fixed through security updates first,
> then shipped with 6.0.5.

-done then.

OdyX

[signature.asc (application/pgp-signature, inline)]

Message #90 received at 649384-done@bugs.debian.org (full text, mbox, reply):

From: Jonathan Wiltshire <jmw@debian.org>

To: Didier Raboud <odyx@debian.org>, Gabriele Giacone <1o5g4r8o@gmail.com>

Cc: <649384-done@bugs.debian.org>

Subject: Re: Bug#649384: gnash creates world-readable cookies under /tmp with predictable filenames

Date: Mon, 09 Jul 2012 09:38:44 +0100

Version: 0.8.8-5+squeeze1

On 2012-07-09 00:45, Didier Raboud wrote:
> Le dimanche, 8 juillet 2012 17.13:39, Gabriele Giacone a écrit :
>> On 07/08/2012 09:15 PM, Jonathan Wiltshire wrote:
>> > Recently you fixed one or more security problems and as a result 
>> you
>> > closed this bug. These problems were not serious enough for a 
>> Debian
>> > Security Advisory, so they are now on my radar for fixing in the
>> > following suites through point releases:
>> >
>> > squeeze (6.0.6) - use target "stable"
>>
>> False positive, your radar didn't detect DSA-2435 [CVE-2011-4328] 
>> has
>> been created for such issue and fixed through security updates 
>> first,
>> then shipped with 6.0.5.
>
> -done then.
>
> OdyX

Thanks, tracker updated. In fact the bug was already closed (this 
triggers
the notification) but the BTS doesn't have correct version information.

-- 
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

Send a report that this bug log contains spam.