Debian Bug report logs -
#649384
gnash creates world-readable cookies under /tmp with predictable filenames
Report forwarded
to debian-bugs-dist@lists.debian.org, Debian Flash Team <pkg-flash-devel@lists.alioth.debian.org>
:
Bug#649384
; Package gnash
.
(Sun, 20 Nov 2011 14:42:08 GMT) (full text, mbox, link).
Acknowledgement sent
to Alexander Kurtz <kurtz.alex@googlemail.com>
:
New Bug report received and forwarded. Copy sent to Debian Flash Team <pkg-flash-devel@lists.alioth.debian.org>
.
(Sun, 20 Nov 2011 14:42:08 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Package: gnash
Version: 0.8.10~git20111001-1
Tags: security
Severity: critical
Justification: Introduces a new security hole
Hi,
after watching videos on YouTube I found this in /tmp:
$ ls -l /tmp/gnash*
-rw-r--r-- 1 alexander alexander 329 Nov 20 15:22 /tmp/gnash-cookies.31032
$
Please note that the file is world-readable. This enables things like:
$ sudo -u nobody cat /tmp/gnash-cookies.31032
Set-Cookie: use_hitbox=72c46ff6cbcdb7c5585c36411b6b334edAEAAAAw
Set-Cookie: VISITOR_INFO1_LIVE=WEbeevRfDNo
Set-Cookie: recently_watched_video_id_list=885d7cf2658d586fc1bef37a995ce29cWwEAAABzCwAAAHV3SFIwM1pHd1k4
Set-Cookie: GEO=0bf89ff87b12d82d91e10ddf1da36d95cwsAAAAzREVUmagnTskNGQ==
Set-Cookie: PREF=f1=40000000&fv=10.1.999
$
Since gnash is installed per default and also starts playing as soon as
flash content is detected, this can be a serious security/privacy issue
on multi-user systems. Gnash should either use $HOME for storing cookies
or create them with sane permissions (0600).
Best regards
Alexander Kurtz
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Flash Team <pkg-flash-devel@lists.alioth.debian.org>
:
Bug#649384
; Package gnash
.
(Sun, 20 Nov 2011 17:03:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Gabriele Giacone <1o5g4r8o@gmail.com>
:
Extra info received and forwarded to list. Copy sent to Debian Flash Team <pkg-flash-devel@lists.alioth.debian.org>
.
(Sun, 20 Nov 2011 17:03:03 GMT) (full text, mbox, link).
Message #10 received at 649384@bugs.debian.org (full text, mbox, reply):
tags 649384 fixed-upstream
thanks
On Sun, Nov 20, 2011 at 03:39:36PM +0100, Alexander Kurtz wrote:
> or create them with sane permissions (0600).
http://git.savannah.gnu.org/gitweb/?p=gnash.git;a=commitdiff;h=fa481c116e65ccf9137c7ddc8abc3cf05dc12f55
Added tag(s) fixed-upstream.
Request was from Gabriele Giacone <1o5g4r8o@gmail.com>
to control@bugs.debian.org
.
(Sun, 20 Nov 2011 17:09:05 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Flash Team <pkg-flash-devel@lists.alioth.debian.org>
:
Bug#649384
; Package gnash
.
(Sun, 20 Nov 2011 18:18:36 GMT) (full text, mbox, link).
Acknowledgement sent
to Alexander Kurtz <kurtz.alex@googlemail.com>
:
Extra info received and forwarded to list. Copy sent to Debian Flash Team <pkg-flash-devel@lists.alioth.debian.org>
.
(Sun, 20 Nov 2011 18:18:36 GMT) (full text, mbox, link).
Message #17 received at 649384@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
retitle 649384 gnash creates world-readable cookies under /tmp with predictable filenames
thanks
On Sun, 2011-11-20 at 18:01 +0100, Gabriele Giacone wrote:
> tags 649384 fixed-upstream
> thanks
>
> On Sun, Nov 20, 2011 at 03:39:36PM +0100, Alexander Kurtz wrote:
> > or create them with sane permissions (0600).
>
> http://git.savannah.gnu.org/gitweb/?p=gnash.git;a=commitdiff;h=fa481c116e65ccf9137c7ddc8abc3cf05dc12f55
I don't think this fixes the underlying problem: An attacker would still
be able to read the cookie if he managed to win the race-condition and
opens the file before the chmod(). If you agree, please remove the
"fixed-upstream" tag.
Furthermore, I took a quick look at the code and noticed this:
gnash::log_debug("The Cookie for %s is %s", url, ncookie);
std::ofstream cookiefile;
std::stringstream ss;
ss << "/tmp/gnash-cookies." << getpid();

cookiefile.open(ss.str().c_str(), std::ios::out | std::ios::trunc);
chmod (ss.str().c_str(), 0600);
I might be wrong, but I very strongly suspect a possible symlink attack
here which would enable an attacker to overwrite arbitrary files and
(with your patch) change their permissions.
Best regards
Alexander Kurtz
[signature.asc (application/pgp-signature, inline)]
Changed Bug title to 'gnash creates world-readable cookies under /tmp with predictable filenames' from 'gnash creates world-readable cookies under /tmp'
Request was from Alexander Kurtz <kurtz.alex@googlemail.com>
to control@bugs.debian.org
.
(Sun, 20 Nov 2011 18:18:42 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Flash Team <pkg-flash-devel@lists.alioth.debian.org>
:
Bug#649384
; Package gnash
.
(Sun, 20 Nov 2011 20:15:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Francesco Poli <invernomuto@paranoici.org>
:
Extra info received and forwarded to list. Copy sent to Debian Flash Team <pkg-flash-devel@lists.alioth.debian.org>
.
(Sun, 20 Nov 2011 20:15:05 GMT) (full text, mbox, link).
Message #24 received at 649384@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
On Sun, 20 Nov 2011 15:39:36 +0100 Alexander Kurtz wrote:
[...]
> Hi,
>
> after watching videos on YouTube I found this in /tmp:
>
> $ ls -l /tmp/gnash*
> -rw-r--r-- 1 alexander alexander 329 Nov 20 15:22 /tmp/gnash-cookies.31032
> $
Hi!
I am a user of the gnash package and I am experiencing the same issue.
>
> Please note that the file is world-readable.
[...]
> Since gnash is installed per default and also starts playing as soon as
> flash content is detected, this can be a serious security/privacy issue
> on multi-user systems. Gnash should either use $HOME for storing cookies
> or create them with sane permissions (0600).
I would add the following consideration: why does gnash create cookies
at all?
I thought I managed to disable flash cookies a long time ago with the
following setting:
$ grep SOLSafeDir /etc/gnashrc
set SOLSafeDir /dev/null
but it seems that this option is not (or no longer?) enough to prevent
gnash from creating/storing cookies.
Could someone please tell me where is the option to disable cookies?
I think there should be one, but I seem to be unable to find it...
Thanks for your time!
--
http://www.inventati.org/frx/frx-gpg-key-transition-2010.txt
New GnuPG key, see the transition document!
..................................................... Francesco Poli .
GnuPG key fpr == CA01 1147 9CD2 EFDF FB82 3925 3E1C 27E1 1F69 BFFE
[Message part 2 (application/pgp-signature, inline)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Flash Team <pkg-flash-devel@lists.alioth.debian.org>
:
Bug#649384
; Package gnash
.
(Sun, 20 Nov 2011 20:24:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Alexander Kurtz <kurtz.alex@googlemail.com>
:
Extra info received and forwarded to list. Copy sent to Debian Flash Team <pkg-flash-devel@lists.alioth.debian.org>
.
(Sun, 20 Nov 2011 20:24:03 GMT) (full text, mbox, link).
Message #29 received at 649384@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
On Sun, 2011-11-20 at 21:12 +0100, Francesco Poli wrote:
> I would add the following consideration: why does gnash create cookies
> at all?
Good question.
> Could someone please tell me where is the option to disable cookies?
> I think there should be one, but I seem to be unable to find it...
I configured this via the gnash GUI:
$ grep -i sol ~/.gnashpluginrc
set solReadOnly true
set solLocalDomain false
set SOLSafeDir /home/alexander/.gnash/SharedObjects
$
Hope this helps!
Alexander Kurtz
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Flash Team <pkg-flash-devel@lists.alioth.debian.org>
:
Bug#649384
; Package gnash
.
(Sun, 20 Nov 2011 20:45:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Francesco Poli <invernomuto@paranoici.org>
:
Extra info received and forwarded to list. Copy sent to Debian Flash Team <pkg-flash-devel@lists.alioth.debian.org>
.
(Sun, 20 Nov 2011 20:45:03 GMT) (full text, mbox, link).
Message #34 received at 649384@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
On Sun, 20 Nov 2011 21:21:39 +0100 Alexander Kurtz wrote:
> On Sun, 2011-11-20 at 21:12 +0100, Francesco Poli wrote:
> > I would add the following consideration: why does gnash create cookies
> > at all?
>
> Good question.
Thanks! ;-)
>
> > Could someone please tell me where is the option to disable cookies?
> > I think there should be one, but I seem to be unable to find it...
>
> I configured this via the gnash GUI:
>
> $ grep -i sol ~/.gnashpluginrc
> set solReadOnly true
> set solLocalDomain false
> set SOLSafeDir /home/alexander/.gnash/SharedObjects
> $
And did gnash stop creating cookies in /tmp after that configuration
change?
Also, does it refrain from creating cookies in your
~/.gnash/SharedObjects directory?
>
> Hope this helps!
Maybe, but thanks for your prompt reply anyway! :-)
--
http://www.inventati.org/frx/frx-gpg-key-transition-2010.txt
New GnuPG key, see the transition document!
..................................................... Francesco Poli .
GnuPG key fpr == CA01 1147 9CD2 EFDF FB82 3925 3E1C 27E1 1F69 BFFE
[Message part 2 (application/pgp-signature, inline)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Flash Team <pkg-flash-devel@lists.alioth.debian.org>
:
Bug#649384
; Package gnash
.
(Sun, 20 Nov 2011 20:51:08 GMT) (full text, mbox, link).
Acknowledgement sent
to Alexander Kurtz <kurtz.alex@googlemail.com>
:
Extra info received and forwarded to list. Copy sent to Debian Flash Team <pkg-flash-devel@lists.alioth.debian.org>
.
(Sun, 20 Nov 2011 20:51:08 GMT) (full text, mbox, link).
Message #39 received at 649384@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
On Sun, 2011-11-20 at 21:43 +0100, Francesco Poli wrote:
> And did gnash stop creating cookies in /tmp after that configuration
> change?
Nope.
> Also, does it refrain from creating cookies in your
> ~/.gnash/SharedObjects directory?
Yes. It still created some subdirectories, but no actual cookies.
Best regards
Alexander Kurtz
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Flash Team <pkg-flash-devel@lists.alioth.debian.org>
:
Bug#649384
; Package gnash
.
(Sun, 20 Nov 2011 23:15:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Francesco Poli <invernomuto@paranoici.org>
:
Extra info received and forwarded to list. Copy sent to Debian Flash Team <pkg-flash-devel@lists.alioth.debian.org>
.
(Sun, 20 Nov 2011 23:15:03 GMT) (full text, mbox, link).
Message #44 received at 649384@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
On Sun, 20 Nov 2011 21:49:08 +0100 Alexander Kurtz wrote:
> On Sun, 2011-11-20 at 21:43 +0100, Francesco Poli wrote:
> > And did gnash stop creating cookies in /tmp after that configuration
> > change?
>
> Nope.
>
> > Also, does it refrain from creating cookies in your
> > ~/.gnash/SharedObjects directory?
>
> Yes. It still created some subdirectories, but no actual cookies.
So, it seems that so-called Flash shared objects and gnash-cookies (the
ones created by Gnash in /tmp) are different things.
The former may be disabled via the gnash GUI, as you did, or,
equivalently, by editing (user-specific or system-wide) configuration
files, as I did.
What about the latter?
We still have to figure out whether they can be disabled...
--
http://www.inventati.org/frx/frx-gpg-key-transition-2010.txt
New GnuPG key, see the transition document!
..................................................... Francesco Poli .
GnuPG key fpr == CA01 1147 9CD2 EFDF FB82 3925 3E1C 27E1 1F69 BFFE
[Message part 2 (application/pgp-signature, inline)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Flash Team <pkg-flash-devel@lists.alioth.debian.org>
:
Bug#649384
; Package gnash
.
(Sun, 20 Nov 2011 23:57:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Gabriele Giacone <1o5g4r8o@gmail.com>
:
Extra info received and forwarded to list. Copy sent to Debian Flash Team <pkg-flash-devel@lists.alioth.debian.org>
.
(Sun, 20 Nov 2011 23:57:05 GMT) (full text, mbox, link).
Message #49 received at 649384@bugs.debian.org (full text, mbox, reply):
[CCing gnash-dev ml to be contradicted]
On 11/21/2011 12:12 AM, Francesco Poli wrote:
> On Sun, 20 Nov 2011 21:49:08 +0100 Alexander Kurtz wrote:
>
>> On Sun, 2011-11-20 at 21:43 +0100, Francesco Poli wrote:
>>> And did gnash stop creating cookies in /tmp after that configuration
>>> change?
>>
>> Nope.
>>
>>> Also, does it refrain from creating cookies in your
>>> ~/.gnash/SharedObjects directory?
>>
>> Yes. It still created some subdirectories, but no actual cookies.
>
> So, it seems that so-called Flash shared objects and gnash-cookies (the
> ones created by Gnash in /tmp) are different things.
22:19 < gg0> what's the difference between /tmp/gnash-cookies* and stuff
under ~/.gnash/SharedObjects?
22:20 < strk> SharedObjects are flash-specific "cookies" while
/tmp/gnash-cookies* are common HTTP ones
> The former may be disabled via the gnash GUI, as you did, or,
> equivalently, by editing (user-specific or system-wide) configuration
> files, as I did.
>
> What about the latter?
> We still have to figure out whether they can be disabled...
IIRC they contain essential info to make yt working. So we can't move
them under SOLSafeDir because if you set it to /dev/null or make it
read-only, it'll break yt.
I'd move them under ~/.gnash [0], although I don't know what could
remove them at the end without introducing new rc options.
Any developers alive?
[0] http://paste.debian.net/plain/146441
--
Gabriele
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Flash Team <pkg-flash-devel@lists.alioth.debian.org>
:
Bug#649384
; Package gnash
.
(Mon, 21 Nov 2011 01:21:12 GMT) (full text, mbox, link).
Acknowledgement sent
to Rob Savoye <rob@welcomehome.org>
:
Extra info received and forwarded to list. Copy sent to Debian Flash Team <pkg-flash-devel@lists.alioth.debian.org>
.
(Mon, 21 Nov 2011 01:21:12 GMT) (full text, mbox, link).
Message #54 received at 649384@bugs.debian.org (full text, mbox, reply):
On 11/20/11 16:56, Gabriele Giacone wrote:
> 22:19 < gg0> what's the difference between /tmp/gnash-cookies* and stuff
> under ~/.gnash/SharedObjects?
> 22:20 < strk> SharedObjects are flash-specific "cookies" while
> /tmp/gnash-cookies* are common HTTP ones
Correct. The /tmp/gnash-cookies* are standard HTTP cookies, which are
required to make many sites work, including YouTube. SharedObjects are
often called Flash Cookies, and a potential privacy issue. Gnash has a
utility called soldumper that'll dump all the SharedObject data to the
terminal so you can see what's being stored.
> IIRC they contain essential info to make yt working. So we can't move
> them under SOLSafeDir because if you set it to /dev/null or make it
> read-only, it'll break yt.
YouTube needs the HTTP cookies, so it can get the redirect to a
geographically closer server. It should work without the SharedObjects,
if not, it's a bug. Here's what's in the three SharedObjects used by
YouTube:
Dumping SOL file
The file name is: ./videostats.sol
The size of the file is: 199
The name of the object is: videostats
perf:
Dumping SOL file
The file name is: ./soundData.sol
The size of the file is: 49
The name of the object is: soundData
volume: 1.01501e-319
Dumping SOL file
The file name is: ./hdTooltipClue2.sol
The size of the file is: 53
The name of the object is: hdTooltipClue2
count: 4.33197e-320
There's a little more info on SharedObjects on our web site:
http://www.gnashdev.org/?q=node/62
- rob -
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Flash Team <pkg-flash-devel@lists.alioth.debian.org>
:
Bug#649384
; Package gnash
.
(Mon, 21 Nov 2011 09:09:10 GMT) (full text, mbox, link).
Acknowledgement sent
to Sandro Santilli <strk@keybit.net>
:
Extra info received and forwarded to list. Copy sent to Debian Flash Team <pkg-flash-devel@lists.alioth.debian.org>
.
(Mon, 21 Nov 2011 09:09:12 GMT) (full text, mbox, link).
Message #59 received at 649384@bugs.debian.org (full text, mbox, reply):
On Mon, Nov 21, 2011 at 12:56:29AM +0100, Gabriele Giacone wrote:
> I'd move them under ~/.gnash [0], although I don't know what could
> remove them at the end without introducing new rc options.
>
> Any developers alive?
>
> [0] http://paste.debian.net/plain/146441
We want to keep cookies alive when we requested to create a launcher.
This is because the launcher will reference the cookie file.
I don't think we implement that but libcurl also supports
reading cookies back in, which would allow us to send cookies
obtained by Gnash http requests back to the browser if the plugin
code takes care of doing that part.
In any case, the plugin should know if we want or not a launcher
(only way to it is an env variable, and is the plugin itself creating
the launcher) so you could cleanup the cookies if no launcher was
requested...
A safe way to put them in /tmp/ is still preferable to me.
They are not really meant to survive a single instance of the
standalone player (except for the launcher case).
--strk;
() Free GIS & Flash consultant/developer
/\ http://strk.keybit.net/services.html
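Added example, not part of the bug log and not Gnash's own code: message #17 raises the window between open() and chmod() and the symlink risk of a predictable name, and message #59 asks for a safe way to keep the file in /tmp. The code below shows two standard POSIX ways to do that from C++; the function names, the struct and the scratch directory are hypothetical.

```cpp
// Added example, not Gnash code: race-free creation of a private cookie
// file in a shared, world-writable directory such as /tmp.
#include <cerrno>
#include <cstdio>
#include <cstdlib>
#include <string>
#include <vector>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

struct CookieFile {
    int fd;            // open descriptor, -1 on failure
    std::string path;  // path of the created file, empty on failure
    int err;           // errno-style code on failure, 0 on success
};

// Permission bits of the inode behind fd, independent of what the name
// currently points to.
mode_t mode_of(int fd) {
    struct stat st;
    if (fstat(fd, &st) != 0) return static_cast<mode_t>(-1);
    return st.st_mode & 07777;
}

// True if fd is a regular file we own, with a single link and no
// group/other permission bits.
bool is_private_regular(int fd) {
    struct stat st;
    if (fstat(fd, &st) != 0) return false;
    return S_ISREG(st.st_mode) && st.st_uid == geteuid() &&
           st.st_nlink == 1 && (st.st_mode & 077) == 0;
}

// Option 1: keep a caller-chosen name (e.g. "gnash-cookies.<pid>").
// O_CREAT|O_EXCL fails if anything, including a symlink, already has that
// name, and the 0600 mode is applied at creation, so there is no window
// between open() and chmod(). fchmod() acts on the descriptor, not the path.
CookieFile create_exclusive(const std::string& path) {
    int fd = open(path.c_str(),
                  O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0) return {-1, "", errno};
    int e = 0;
    if (fchmod(fd, 0600) != 0) e = errno;
    else if (!is_private_regular(fd)) e = EPERM;
    if (e != 0) {
        close(fd);
        unlink(path.c_str());
        return {-1, "", e};
    }
    return {fd, path, 0};
}

// Option 2: let mkstemp() pick an unpredictable name. It creates the file
// exclusively with mode 0600 and returns the descriptor.
CookieFile create_unpredictable(const std::string& dir) {
    std::string tmpl = dir + "/gnash-cookies.XXXXXX";
    std::vector<char> buf(tmpl.begin(), tmpl.end());
    buf.push_back('\0');
    int fd = mkstemp(buf.data());
    if (fd < 0) return {-1, "", errno};
    return {fd, std::string(buf.data()), 0};
}

int main() {
    char dir[] = "/tmp/cookie-demo.XXXXXX";  // constructed scratch directory
    if (mkdtemp(dir) == nullptr) return 1;
    CookieFile f = create_unpredictable(dir);
    if (f.fd < 0) return 1;
    std::printf("%s mode %04o\n", f.path.c_str(),
                static_cast<unsigned>(mode_of(f.fd)));
    close(f.fd);
    unlink(f.path.c_str());
    rmdir(dir);
    return 0;
}
```

Either option removes both problems at once: the file never exists with wider permissions, and an existing name (regular file or symlink) makes creation fail instead of being truncated.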
Removed tag(s) fixed-upstream.
Request was from Gabriele Giacone <1o5g4r8o@gmail.com>
to control@bugs.debian.org
.
(Sat, 26 Nov 2011 03:51:10 GMT) (full text, mbox, link).
Added tag(s) fixed-upstream.
Request was from bts-link-upstream@lists.alioth.debian.org
to control@bugs.debian.org
.
(Thu, 15 Dec 2011 16:42:27 GMT) (full text, mbox, link).
Reply sent
to Gabriele Giacone <1o5g4r8o@gmail.com>
:
You have taken responsibility.
(Wed, 08 Feb 2012 03:21:11 GMT) (full text, mbox, link).
Notification sent
to Alexander Kurtz <kurtz.alex@googlemail.com>
:
Bug acknowledged by developer.
(Wed, 08 Feb 2012 03:21:11 GMT) (full text, mbox, link).
Message #70 received at 649384-close@bugs.debian.org (full text, mbox, reply):
Source: gnash
Source-Version: 0.8.10-1
We believe that the bug you reported is fixed in the latest version of
gnash, which is due to be installed in the Debian FTP archive:
browser-plugin-gnash_0.8.10-1_amd64.deb
to main/g/gnash/browser-plugin-gnash_0.8.10-1_amd64.deb
gnash-common-opengl_0.8.10-1_all.deb
to main/g/gnash/gnash-common-opengl_0.8.10-1_all.deb
gnash-common_0.8.10-1_amd64.deb
to main/g/gnash/gnash-common_0.8.10-1_amd64.deb
gnash-cygnal_0.8.10-1_amd64.deb
to main/g/gnash/gnash-cygnal_0.8.10-1_amd64.deb
gnash-dbg_0.8.10-1_amd64.deb
to main/g/gnash/gnash-dbg_0.8.10-1_amd64.deb
gnash-dev_0.8.10-1_amd64.deb
to main/g/gnash/gnash-dev_0.8.10-1_amd64.deb
gnash-doc_0.8.10-1_all.deb
to main/g/gnash/gnash-doc_0.8.10-1_all.deb
gnash-ext-fileio_0.8.10-1_amd64.deb
to main/g/gnash/gnash-ext-fileio_0.8.10-1_amd64.deb
gnash-ext-lirc_0.8.10-1_amd64.deb
to main/g/gnash/gnash-ext-lirc_0.8.10-1_amd64.deb
gnash-ext-mysql_0.8.10-1_amd64.deb
to main/g/gnash/gnash-ext-mysql_0.8.10-1_amd64.deb
gnash-opengl_0.8.10-1_all.deb
to main/g/gnash/gnash-opengl_0.8.10-1_all.deb
gnash-tools_0.8.10-1_amd64.deb
to main/g/gnash/gnash-tools_0.8.10-1_amd64.deb
gnash_0.8.10-1.debian.tar.gz
to main/g/gnash/gnash_0.8.10-1.debian.tar.gz
gnash_0.8.10-1.dsc
to main/g/gnash/gnash_0.8.10-1.dsc
gnash_0.8.10-1_amd64.deb
to main/g/gnash/gnash_0.8.10-1_amd64.deb
gnash_0.8.10.orig.tar.gz
to main/g/gnash/gnash_0.8.10.orig.tar.gz
klash-opengl_0.8.10-1_all.deb
to main/g/gnash/klash-opengl_0.8.10-1_all.deb
klash_0.8.10-1_amd64.deb
to main/g/gnash/klash_0.8.10-1_amd64.deb
konqueror-plugin-gnash_0.8.10-1_amd64.deb
to main/g/gnash/konqueror-plugin-gnash_0.8.10-1_amd64.deb
mozilla-plugin-gnash_0.8.10-1_all.deb
to main/g/gnash/mozilla-plugin-gnash_0.8.10-1_all.deb
python-gtk-gnash_0.8.10-1_amd64.deb
to main/g/gnash/python-gtk-gnash_0.8.10-1_amd64.deb
swfdec-gnome_0.8.10-1_all.deb
to main/g/gnash/swfdec-gnome_0.8.10-1_all.deb
swfdec-mozilla_0.8.10-1_all.deb
to main/g/gnash/swfdec-mozilla_0.8.10-1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 649384@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Gabriele Giacone <1o5g4r8o@gmail.com> (supplier of updated gnash package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Wed, 08 Feb 2012 03:48:11 +0100
Source: gnash
Binary: gnash-common gnash klash gnash-tools gnash-cygnal browser-plugin-gnash konqueror-plugin-gnash python-gtk-gnash gnash-ext-fileio gnash-ext-mysql gnash-ext-lirc gnash-dev gnash-dbg gnash-doc gnash-common-opengl gnash-opengl klash-opengl swfdec-mozilla swfdec-gnome mozilla-plugin-gnash
Architecture: source amd64 all
Version: 0.8.10-1
Distribution: unstable
Urgency: low
Maintainer: Debian Flash Team <pkg-flash-devel@lists.alioth.debian.org>
Changed-By: Gabriele Giacone <1o5g4r8o@gmail.com>
Description:
browser-plugin-gnash - GNU Shockwave Flash (SWF) player - Plugin for Mozilla and derivat
gnash - GNU Shockwave Flash (SWF) player
gnash-common - GNU Shockwave Flash (SWF) player - Common files/libraries
gnash-common-opengl - dummy package for gnash-common-opengl removal
gnash-cygnal - GNU Shockwave Flash (SWF) player - Media server
gnash-dbg - GNU Shockwave Flash (SWF) player - Debug symbols
gnash-dev - GNU Shockwave Flash (SWF) player - Development files
gnash-doc - GNU Shockwave Flash (SWF) player - API documentation
gnash-ext-fileio - GNU Shockwave Flash (SWF) player - Fileio extension
gnash-ext-lirc - GNU Shockwave Flash (SWF) player - LIRC extension
gnash-ext-mysql - GNU Shockwave Flash (SWF) player - MySQL extension
gnash-opengl - dummy package for gnash-opengl removal
gnash-tools - GNU Shockwave Flash (SWF) player - Command-line Tools
klash - GNU Shockwave Flash (SWF) player - Standalone player for KDE
klash-opengl - dummy package for klash-opengl removal
konqueror-plugin-gnash - GNU Shockwave Flash (SWF) player - Plugin for Konqueror
mozilla-plugin-gnash - dummy package for renaming to browser-plugin-gnash
python-gtk-gnash - GNU Shockwave Flash (SWF) player - Python bindings
swfdec-gnome - dummy package for transition to Gnash
swfdec-mozilla - dummy package for transition to browser-plugin-gnash
Closes: 634867 640107 649384
Changes:
gnash (0.8.10-1) unstable; urgency=low
.
* New upstream release.
+ Fix CVE-2011-4328 (Closes: #649384).
+ Fix parsing of lossless 15bit bitmaps (Closes: #634867).
* Add Gnome 3 thumbnailer.
* Add libboost-iostreams-dev and libgconf2-dev build deps.
* Transition to dh_python2.
* Fix d/copyright according to DEP-5.
* Remove dash escaping in manpages (Closes: #640107).
* Add noapidoc and nocheck build options.
* Move cygnal-only libs to cygnal package.
* Add revno.h generation to get-source target.
* Replace upstream changelog with upstream NEWS.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iEYEARECAAYFAk8x42MACgkQp3cdCbVcnCssZwCeLTIxbWGtPr8RNK+cNvtz6CN8
NZoAn0/fotfNR1ly4CjDZcNMOgI76UVi
=QWwv
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org
.
(Thu, 08 Mar 2012 07:41:03 GMT) (full text, mbox, link).
Bug unarchived.
Request was from jmw@debian.org
to control@bugs.debian.org
.
(Sun, 08 Jul 2012 16:22:00 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Flash Team <pkg-flash-devel@lists.alioth.debian.org>
:
Bug#649384
; Package gnash
.
(Sun, 08 Jul 2012 20:33:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Jonathan Wiltshire <jmw@debian.org>
:
Extra info received and forwarded to list. Copy sent to Debian Flash Team <pkg-flash-devel@lists.alioth.debian.org>
.
(Sun, 08 Jul 2012 20:33:03 GMT) (full text, mbox, link).
Message #79 received at 649384@bugs.debian.org (full text, mbox, reply):
Dear maintainer,
Recently you fixed one or more security problems and as a result you closed
this bug. These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:
squeeze (6.0.6) - use target "stable"
Please prepare a minimal-changes upload targeting each of these suites,
and submit a debdiff to the Release Team [0] for consideration. They will
offer additional guidance or instruct you to upload your package.
I will happily assist you at any stage if the patch is straightforward and
you need help. Please keep me in CC at all times so I can
track [1] the progress of this request.
For details of this process and the rationale, please see the original
announcement [2] and my blog post [3].
0: debian-release@lists.debian.org
1: http://prsc.debian.net/tracker/649384/
2: <201101232332.11736.thijs@debian.org>
3: http://deb.li/prsc
Thanks,
with his security hat on:
--
Jonathan Wiltshire jmw@debian.org
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Flash Team <pkg-flash-devel@lists.alioth.debian.org>
:
Bug#649384
; Package gnash
.
(Sun, 08 Jul 2012 23:15:06 GMT) (full text, mbox, link).
Acknowledgement sent
to Gabriele Giacone <1o5g4r8o@gmail.com>
:
Extra info received and forwarded to list. Copy sent to Debian Flash Team <pkg-flash-devel@lists.alioth.debian.org>
.
(Sun, 08 Jul 2012 23:15:06 GMT) (full text, mbox, link).
Message #84 received at 649384@bugs.debian.org (full text, mbox, reply):
On 07/08/2012 09:15 PM, Jonathan Wiltshire wrote:
> Recently you fixed one or more security problems and as a result you closed
> this bug. These problems were not serious enough for a Debian Security
> Advisory, so they are now on my radar for fixing in the following suites
> through point releases:
>
> squeeze (6.0.6) - use target "stable"
False positive, your radar didn't detect DSA-2435 [CVE-2011-4328] has
been created for such issue and fixed through security updates first,
then shipped with 6.0.5.
http://security-tracker.debian.org/tracker/CVE-2011-4328
http://www.debian.org/security/2012/dsa-2435
--
Gabriele
Message #85 received at 649384-done@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
On Sunday, 8 July 2012 17.13:39, Gabriele Giacone wrote:
> On 07/08/2012 09:15 PM, Jonathan Wiltshire wrote:
> > Recently you fixed one or more security problems and as a result you
> > closed this bug. These problems were not serious enough for a Debian
> > Security Advisory, so they are now on my radar for fixing in the
> > following suites through point releases:
> >
> > squeeze (6.0.6) - use target "stable"
>
> False positive, your radar didn't detect DSA-2435 [CVE-2011-4328] has
> been created for such issue and fixed through security updates first,
> then shipped with 6.0.5.
-done then.
OdyX
[signature.asc (application/pgp-signature, inline)]
Reply sent
to Jonathan Wiltshire <jmw@debian.org>
:
You have taken responsibility.
(Mon, 09 Jul 2012 08:39:10 GMT) (full text, mbox, link).
Notification sent
to Alexander Kurtz <kurtz.alex@googlemail.com>
:
Bug acknowledged by developer.
(Mon, 09 Jul 2012 08:39:11 GMT) (full text, mbox, link).
Message #90 received at 649384-done@bugs.debian.org (full text, mbox, reply):
Version: 0.8.8-5+squeeze1
On 2012-07-09 00:45, Didier Raboud wrote:
> On Sunday, 8 July 2012 17.13:39, Gabriele Giacone wrote:
>> On 07/08/2012 09:15 PM, Jonathan Wiltshire wrote:
>> > Recently you fixed one or more security problems and as a result you
>> > closed this bug. These problems were not serious enough for a Debian
>> > Security Advisory, so they are now on my radar for fixing in the
>> > following suites through point releases:
>> >
>> > squeeze (6.0.6) - use target "stable"
>>
>> False positive, your radar didn't detect DSA-2435 [CVE-2011-4328] has
>> been created for such issue and fixed through security updates first,
>> then shipped with 6.0.5.
>
> -done then.
>
> OdyX
Thanks, tracker updated. In fact the bug was already closed (this triggers
the notification) but the BTS doesn't have correct version information.
--
Jonathan Wiltshire jmw@debian.org
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org
.
(Tue, 07 Aug 2012 07:38:22 GMT) (full text, mbox, link).
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 18:08:15 2019;
Machine Name:
beach