Debian Bug report logs - #339290
flashplugin-nonfree: Version 7,0,61,0 released to fix CVE-2005-2628
Reported by: Håkan Lindqvist <lindqvist@netstar.se>
Date: Tue, 15 Nov 2005 08:18:02 UTC
Severity: grave
Tags: security
Found in version flashplugin-nonfree/7.0.25-5
Done: Bart Martens <bart.martens@advalvas.be>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Takuo KITAME <kitame@debian.org>: Bug#339290; Package flashplugin-nonfree.
Acknowledgement sent to Håkan Lindqvist <lindqvist@netstar.se>: New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Takuo KITAME <kitame@debian.org>.
Message #5 received at submit@bugs.debian.org:
Package: flashplugin-nonfree
Version: 7.0.25-5
Severity: grave
Tags: security
Justification: user security hole
Macromedia has released version 7,0,61,0 to fix CVE-2005-2628 (buffer
overflow).
-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-1-686
Locale: LANG=en_US.UTF-8, LC_CTYPE=sv_SE.UTF-8 (charmap=UTF-8)
Versions of packages flashplugin-nonfree depends on:
ii debconf 1.4.59 Debian configuration management sy
ii libruby 1.8.2-1 Libraries necessary to run Ruby 1.
ii ruby 1.8.2-1 An interpreter of object-oriented
Versions of packages flashplugin-nonfree recommends:
pn gsfonts-x11 <none> (no description available)
pn libstdc++2.10-glibc2.2 <none> (no description available)
-- debconf information excluded
Reply sent to Takuo KITAME <kitame@debian.org>: You have taken responsibility.
Notification sent to Håkan Lindqvist <lindqvist@netstar.se>: Bug acknowledged by developer.
Message #10 received at 339290-close@bugs.debian.org:
On Tue, 2005-11-15 at 09:10 +0100, Håkan Lindqvist wrote:
> Package: flashplugin-nonfree
> Version: 7.0.25-5
> Severity: grave
> Tags: security
> Justification: user security hole
>
>
> Macromedia has released version 7,0,61,0 to fix CVE-2005-2628 (buffer
> overflow).
Try update-flashplugin.
And this package is just an installer.
--
Takuo KITAME
Information forwarded to debian-bugs-dist@lists.debian.org, Takuo KITAME <kitame@debian.org>: Bug#339290; Package flashplugin-nonfree.
Acknowledgement sent to Håkan Lindqvist <lindqvist@netstar.se>: Extra info received and forwarded to list. Copy sent to Takuo KITAME <kitame@debian.org>.
Message #15 received at 339290@bugs.debian.org:
On Thu, 2005-11-17 at 15:42 +0900, Takuo KITAME wrote:
> > Macromedia has released version 7,0,61,0 to fix CVE-2005-2628 (buffer
> > overflow).
>
> Try update-flashplugin.
> And this package is just an installer.
While I realise that the package is just an installer, I would have
found it reasonable to bump the version number (if that's all that is
required) in order to get the security fixed software installed for
those who have used this installer package.
Best regards,
Håkan Lindqvist
Information forwarded to debian-bugs-dist@lists.debian.org, Takuo KITAME <kitame@debian.org>: Bug#339290; Package flashplugin-nonfree.
Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>: Extra info received and forwarded to list. Copy sent to Takuo KITAME <kitame@debian.org>.
Message #20 received at 339290@bugs.debian.org:
package flashplugin-nonfree
reopen 339290
thanks
The configured mirror sites don't work any more and
the --local-file option does not work.
While it is possible to update by entering
"fpdownload.macromedia.com" => "/get/flashplayer/current/",
into /etc/update-flashplugin.conf.rb and using
update-flashplugin -f
this is not a sensible way to do critical security updates.
Bug reopened, originator not changed. Request was from Stefan Fritsch <sf@sfritsch.de> to control@bugs.debian.org.
Information forwarded to debian-bugs-dist@lists.debian.org, Takuo KITAME <kitame@debian.org>: Bug#339290; Package flashplugin-nonfree.
Acknowledgement sent to Stefan Potyra <sistpoty@ubuntu.com>: Extra info received and forwarded to list. Copy sent to Takuo KITAME <kitame@debian.org>.
Message #27 received at 339290@bugs.debian.org:
Hi,
Thanks for maintaining this package.
The problem with fpdownload.macromedia.com is that it doesn't provide
gpg-md5sum.txt, so checking for updates is not trivial.
I just uploaded a modified version of your package to Ubuntu (multiverse),
which uses fpdownload.macromedia.com and sets @force to true; however, I don't
think this is a solution to the problem.
Cheers,
Stefan.
Information forwarded to debian-bugs-dist@lists.debian.org, Takuo KITAME <kitame@debian.org>: Bug#339290; Package flashplugin-nonfree.
Acknowledgement sent to Vincent McIntyre <Vince.McIntyre@atnf.csiro.au>: Extra info received and forwarded to list. Copy sent to Takuo KITAME <kitame@debian.org>.
Message #32 received at 339290@bugs.debian.org:
Package: update-flashplugin
Hi,
A little more info, hope this helps.
I have a sarge system in which I tried hacking
/etc/update-flashplugin.conf.rb
as noted above. This was the result.
# cat /etc/update-flashplugin.conf.rb
# -*- ruby -*-
#
module UpdateFlashPluginConf
SITES = {
# "sluglug.ucsc.edu" => "/macromedia/tarball/debian/",
"ruslug.rutgers.edu " => "/macromedia/tarball/debian/",
"macromedia.mplug.org" => "/tarball/debian/",
"macromedia.rediris.es" => "/tarball/debian/",
"fpdownload.macromedia.com" => "/get/flashplayer/current/",
}
end
# update-flashplugin -f
Checking new upstream release...
I: checking http://macromedia.rediris.es/tarball/debian/...
No new version is detected. ( = not installed)
Updating flashplugin...
getting install_flash_player_7_linux.tar.gz [322/0 (inf%)]
gzip: stdin: not in gzip format
tar: Child returned status 1
tar: install_flash_player_7_linux/libflashplayer.so: Not found in archive
tar: Error exit delayed from previous errors
gzip: stdin: not in gzip format
tar: Child returned status 1
tar: install_flash_player_7_linux/flashplayer.xpt: Not found in archive
tar: Error exit delayed from previous errors
/usr/sbin/update-flashplugin:208:in `chdir': No such file or directory -
/tmp/flashupdater5639.0/install_flash_player_7_linux (Errno::ENOENT)
from /usr/sbin/update-flashplugin:208:in `install'
from /usr/sbin/update-flashplugin:220:in `update'
from /usr/sbin/update-flashplugin:428
# file /tmp/flashupdater5639.0/install_flash_player_7_linux.tar.gz
/tmp/flashupdater5639.0/install_flash_player_7_linux.tar.gz: HTML document text
# cat /tmp/flashupdater5639.0/install_flash_player_7_linux.tar.gz
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>404 Not Found</TITLE>
</HEAD><BODY>
<H1>Not Found</H1>
The requested URL /tarball/debian/install_flash_player_7_linux.tar.gz was not found on this server.<P>
<HR>
<ADDRESS>Apache/1.3.33 Server at macromedia.rediris.es Port 80</ADDRESS>
</BODY></HTML>
I was able to successfully install the player if I commented out all
other entries, i.e.
# -*- ruby -*-
#
module UpdateFlashPluginConf
SITES = {
## "sluglug.ucsc.edu" => "/macromedia/tarball/debian/",
# "ruslug.rutgers.edu " => "/macromedia/tarball/debian/",
# "macromedia.mplug.org" => "/tarball/debian/",
# "macromedia.rediris.es" => "/tarball/debian/",
"fpdownload.macromedia.com" => "/get/flashplayer/current/",
}
end
The files installed are not known to the package management system.
# dpkg -S /usr/lib/flashplugin-nonfree/flashplayer.xpt
dpkg: /usr/lib/flashplugin-nonfree/flashplayer.xpt not found.
Were they ever? It seems like the /usr/lib/flashplugin-nonfree directory
should be, but this was not created when I apt-get installed the package.
I did not specify a tarball location or proxy during installation.
Please let me know if you want this filed separately.
-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-686
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
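Added example (not code from update-flashplugin or from anyone in this thread): the session above shows a 404 HTML page being saved as install_flash_player_7_linux.tar.gz and passed to tar, and Message #27 notes that the upstream host publishes no gpg-md5sum.txt. The Ruby below rejects a download that is not a valid gzip stream or does not match a pinned digest before anything is unpacked. The host names, sample bodies and pinned SHA-256 are constructed, and it assumes the expected digest ships inside the signed installer package.

```ruby
require "digest"
require "zlib"

GZIP_MAGIC = "\x1f\x8b".b
# Classify a downloaded body before anything is unpacked.
# Returns :ok, :not_gzip, :corrupt_gzip or :digest_mismatch.
def check_download(body, expected_sha256)
  body = body.b # compare and hash raw bytes, whatever encoding the caller used
  return :not_gzip unless body.byteslice(0, 2) == GZIP_MAGIC
  begin
    Zlib.gunzip(body) # verifies the CRC32/length trailer, raises on damage
  rescue Zlib::Error
    return :corrupt_gzip
  end
  return :digest_mismatch unless Digest::SHA256.hexdigest(body) == expected_sha256
  :ok
end

# Try mirrors in order; accept the first body that passes every check.
# fetch is a callable (host, path) -> String, injected so this runs offline.
def first_valid_mirror(sites, file, expected_sha256, fetch)
  rejected = {}
  sites.each do |host, dir|
    status = check_download(fetch.call(host, dir + file), expected_sha256)
    return [host, rejected] if status == :ok
    rejected[host] = status
  end
  [nil, rejected]
end

# Constructed sample data (not real mirrors or real tarballs).
FILE = "install_flash_player_7_linux.tar.gz"
GOOD = Zlib.gzip("constructed stand-in for the plugin tarball")
PINNED = Digest::SHA256.hexdigest(GOOD) # assumption: shipped inside the signed .deb
NOT_FOUND = "<HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD></HTML>"
SITES = {
  "stale-mirror.example"    => "/tarball/debian/",
  "tampered-mirror.example" => "/tarball/debian/",
  "upstream.example"        => "/get/flashplayer/current/",
}
BODIES = {
  "stale-mirror.example"    => NOT_FOUND,
  "tampered-mirror.example" => Zlib.gzip("different bytes"),
  "upstream.example"        => GOOD,
}
FETCH = ->(host, _path) { BODIES.fetch(host) }
p first_valid_mirror(SITES, FILE, PINNED, FETCH)
```

With a pinned digest, the order and health of the mirrors no longer decide what gets installed: a stale or altered mirror is skipped instead of aborting the update or being trusted.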
Information forwarded to debian-bugs-dist@lists.debian.org, Takuo KITAME <kitame@debian.org>: Bug#339290; Package flashplugin-nonfree.
Acknowledgement sent to Bart Martens <bart.martens@advalvas.be>: Extra info received and forwarded to list. Copy sent to Takuo KITAME <kitame@debian.org>.
Message #37 received at 339290@bugs.debian.org:
Version 7.0.61-1 works for me. I suggest to release that version as a
security fix for sarge, if there are no more reasons to wait.
Tags added: fixed. Request was from Aníbal Monsalve Salazar <anibal@debian.org> to control@bugs.debian.org.
Information stored: Bug#339290; Package flashplugin-nonfree.
Acknowledgement sent to Bart Martens <bart.martens@advalvas.be>: Extra info received and filed, but not forwarded.
Message #44 received at 339290-quiet@bugs.debian.org:
On Tue, Jan 31, 2006 at 10:29:22PM +1100, Aníbal Monsalve Salazar wrote:
> CVE-2005-2628 is fixed in NMU flashplugin-nonfree 7.0.61-1.1.
To be exact, Takuo Kitame fixed CVE-2005-2628 in 7.0.61-1 on 29 Nov
2005. I'm not sure whether Takuo had a reason not to close this bug
yet.
Tags removed: fixed. Request was from Bart Martens <bart.martens@advalvas.be> to control@bugs.debian.org.
Reply sent to Bart Martens <bart.martens@advalvas.be>: You have taken responsibility.
Notification sent to Håkan Lindqvist <lindqvist@netstar.se>: Bug acknowledged by developer.
Message #51 received at 339290-done@bugs.debian.org:
The previous maintainer fixed CVE-2005-2628 in 7.0.61-1 on 29 Nov
2005. Closing this bug without further action. Feel free to reopen and
explain why.
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org (Tue, 19 Jun 2007 00:35:27 GMT).
Last modified: Wed Jun 19 13:11:11 2019