flashplugin-nonfree: Version 7,0,61,0 released to fix CVE-2005-2628

Related Vulnerabilities: CVE-2005-2628  

Debian Bug report logs - #339290
flashplugin-nonfree: Version 7,0,61,0 released to fix CVE-2005-2628


Reported by: Håkan Lindqvist <lindqvist@netstar.se>

Date: Tue, 15 Nov 2005 08:18:02 UTC

Severity: grave

Tags: security

Found in version flashplugin-nonfree/7.0.25-5

Done: Bart Martens <bart.martens@advalvas.be>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Takuo KITAME <kitame@debian.org>:
Bug#339290; Package flashplugin-nonfree.


Acknowledgement sent to Håkan Lindqvist <lindqvist@netstar.se>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Takuo KITAME <kitame@debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Håkan Lindqvist <lindqvist@netstar.se>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: flashplugin-nonfree: Version 7,0,61,0 released to fix CVE-2005-2628
Date: Tue, 15 Nov 2005 09:10:32 +0100
Package: flashplugin-nonfree
Version: 7.0.25-5
Severity: grave
Tags: security
Justification: user security hole


Macromedia has released version 7,0,61,0 to fix CVE-2005-2628 (buffer
overflow).


-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-1-686
Locale: LANG=en_US.UTF-8, LC_CTYPE=sv_SE.UTF-8 (charmap=UTF-8)

Versions of packages flashplugin-nonfree depends on:
ii  debconf                       1.4.59     Debian configuration management sy
ii  libruby                       1.8.2-1    Libraries necessary to run Ruby 1.
ii  ruby                          1.8.2-1    An interpreter of object-oriented 

Versions of packages flashplugin-nonfree recommends:
pn  gsfonts-x11                   <none>     (no description available)
pn  libstdc++2.10-glibc2.2        <none>     (no description available)

-- debconf information excluded



Reply sent to Takuo KITAME <kitame@debian.org>:
You have taken responsibility.


Notification sent to Håkan Lindqvist <lindqvist@netstar.se>:
Bug acknowledged by developer.


Message #10 received at 339290-close@bugs.debian.org:

From: Takuo KITAME <kitame@debian.org>
To: Håkan Lindqvist <lindqvist@netstar.se>, 339290-close@bugs.debian.org
Subject: Re: Bug#339290: flashplugin-nonfree: Version 7,0,61,0 released to fix CVE-2005-2628
Date: Thu, 17 Nov 2005 15:42:56 +0900
On 2005-11-15 (Tue) at 09:10 +0100, Håkan Lindqvist wrote:
> Package: flashplugin-nonfree
> Version: 7.0.25-5
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> 
> Macromedia has released version 7,0,61,0 to fix CVE-2005-2628 (buffer
> overflow).

Try update-flashplugin.
And this package is just an installer.

-- 
Takuo KITAME




Information forwarded to debian-bugs-dist@lists.debian.org, Takuo KITAME <kitame@debian.org>:
Bug#339290; Package flashplugin-nonfree.


Acknowledgement sent to Håkan Lindqvist <lindqvist@netstar.se>:
Extra info received and forwarded to list. Copy sent to Takuo KITAME <kitame@debian.org>.


Message #15 received at 339290@bugs.debian.org:

From: Håkan Lindqvist <lindqvist@netstar.se>
To: Takuo KITAME <kitame@debian.org>
Cc: 339290@bugs.debian.org
Subject: Re: Bug#339290: flashplugin-nonfree: Version 7,0,61,0 released to fix CVE-2005-2628
Date: Thu, 17 Nov 2005 10:36:39 +0100
On Thu, 2005-11-17 at 15:42 +0900, Takuo KITAME wrote:
> > Macromedia has released version 7,0,61,0 to fix CVE-2005-2628 (buffer
> > overflow).
> 
> try update-flashplugin.
> And this package is just an installer.


While I realise that the package is just an installer, I would have
found it reasonable to bump the version number (if that's all that is
required) in order to get the security fixed software installed for
those who have used this installer package.


Best regards,
Håkan Lindqvist
[smime.p7s (application/x-pkcs7-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Takuo KITAME <kitame@debian.org>:
Bug#339290; Package flashplugin-nonfree.


Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
Extra info received and forwarded to list. Copy sent to Takuo KITAME <kitame@debian.org>.


Message #20 received at 339290@bugs.debian.org:

From: Stefan Fritsch <sf@sfritsch.de>
To: 339290@bugs.debian.org, control@bugs.debian.org
Subject: update to secure flash-version does not work
Date: Tue, 22 Nov 2005 21:14:00 +0100
package flashplugin-nonfree
reopen 339290
thanks

The configured mirror sites don't work any more, and
the --local-file option does not work.

While it is possible to update by entering

    "fpdownload.macromedia.com" => "/get/flashplayer/current/",

into /etc/update-flashplugin.conf.rb and using 

update-flashplugin -f

this is not a sensible way to do critical security updates.



Bug reopened, originator not changed. Request was from Stefan Fritsch <sf@sfritsch.de> to control@bugs.debian.org.


Information forwarded to debian-bugs-dist@lists.debian.org, Takuo KITAME <kitame@debian.org>:
Bug#339290; Package flashplugin-nonfree.


Acknowledgement sent to Stefan Potyra <sistpoty@ubuntu.com>:
Extra info received and forwarded to list. Copy sent to Takuo KITAME <kitame@debian.org>.


Message #27 received at 339290@bugs.debian.org:

From: Stefan Potyra <sistpoty@ubuntu.com>
To: 339290@bugs.debian.org
Subject: problem with fpdownload.macromedia.com
Date: Wed, 30 Nov 2005 00:49:56 +0100
Hi,

thanks for maintaining this package.

The problem with fpdownload.macromedia.com is that it doesn't provide
gpg-md5sum.txt, so checking for updates is not trivial.

I just uploaded a modified version of your package to Ubuntu (multiverse),
which uses fpdownload.macromedia.com and sets @force to true, however I don't 
think this is a solution to the problem.

Cheers,
	Stefan.
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Takuo KITAME <kitame@debian.org>:
Bug#339290; Package flashplugin-nonfree.


Acknowledgement sent to Vincent McIntyre <Vince.McIntyre@atnf.csiro.au>:
Extra info received and forwarded to list. Copy sent to Takuo KITAME <kitame@debian.org>.


Message #32 received at 339290@bugs.debian.org:

From: Vincent McIntyre <Vince.McIntyre@atnf.csiro.au>
To: 339290@bugs.debian.org
Subject: additional info
Date: Tue, 13 Dec 2005 09:14:05 +1100 (EST)
Package: update-flashplugin


Hi

A little more info, hope this helps.

I have a sarge system in which I tried hacking
  /etc/update-flashplugin.conf.rb
as noted above. This was the result.

# cat /etc/update-flashplugin.conf.rb
# -*- ruby -*-
#

module UpdateFlashPluginConf
  SITES = {
#    "sluglug.ucsc.edu" => "/macromedia/tarball/debian/",
    "ruslug.rutgers.edu " => "/macromedia/tarball/debian/",
    "macromedia.mplug.org" => "/tarball/debian/",
    "macromedia.rediris.es" => "/tarball/debian/",
    "fpdownload.macromedia.com" => "/get/flashplayer/current/",
  }
end


# update-flashplugin -f
Checking new upstream release...
I: checking http://macromedia.rediris.es/tarball/debian/...
No new version is detected. ( = not installed)
Updating flashplugin...
getting install_flash_player_7_linux.tar.gz [322/0 (inf%)]

gzip: stdin: not in gzip format
tar: Child returned status 1
tar: install_flash_player_7_linux/libflashplayer.so: Not found in archive
tar: Error exit delayed from previous errors

gzip: stdin: not in gzip format
tar: Child returned status 1
tar: install_flash_player_7_linux/flashplayer.xpt: Not found in archive
tar: Error exit delayed from previous errors
/usr/sbin/update-flashplugin:208:in `chdir': No such file or directory - 
/tmp/flashupdater5639.0/install_flash_player_7_linux (Errno::ENOENT)
        from /usr/sbin/update-flashplugin:208:in `install'
        from /usr/sbin/update-flashplugin:220:in `update'
        from /usr/sbin/update-flashplugin:428


# file /tmp/flashupdater5639.0/install_flash_player_7_linux.tar.gz
/tmp/flashupdater5639.0/install_flash_player_7_linux.tar.gz: HTML document 
text

# cat /tmp/flashupdater5639.0/install_flash_player_7_linux.tar.gz
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>404 Not Found</TITLE>
</HEAD><BODY>
<H1>Not Found</H1>
The requested URL /tarball/debian/install_flash_player_7_linux.tar.gz was not found on this server.<P>
<HR>
<ADDRESS>Apache/1.3.33 Server at macromedia.rediris.es Port 80</ADDRESS>
</BODY></HTML>



I was able to successfully install the player if I commented out all
other entries, i.e.

# -*- ruby -*-
#

module UpdateFlashPluginConf
  SITES = {
##    "sluglug.ucsc.edu" => "/macromedia/tarball/debian/",
#    "ruslug.rutgers.edu " => "/macromedia/tarball/debian/",
#    "macromedia.mplug.org" => "/tarball/debian/",
#    "macromedia.rediris.es" => "/tarball/debian/",
    "fpdownload.macromedia.com" => "/get/flashplayer/current/",
  }
end

The files installed are not known to the package management system.
  # dpkg -S /usr/lib/flashplugin-nonfree/flashplayer.xpt
  dpkg: /usr/lib/flashplugin-nonfree/flashplayer.xpt not found.

Were they ever? It seems like the /usr/lib/flashplugin-nonfree directory
should be, but this was not created when I apt-get installed the package.
I did not specify a tarball location or proxy during installation.
Please let me know if you want this filed separately.


-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-686
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
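The three messages above (#20, #27 and #32) describe the same weak spot from different angles: the installer fetches a tarball from a mirror; the fpdownload.macromedia.com location used in the workaround offers no gpg-md5sum.txt to check the download against; and when a mirror path goes stale the script saves an HTML 404 page under the tarball's name and hands it straight to tar. The Ruby script below is an added example written for this page, not code from update-flashplugin or the Debian package. It shows the two checks a defender wants before unpacking a downloaded file: a container sanity check (gzip magic bytes) and a digest comparison against a checksum list. The md5sum(1) line layout assumed for gpg-md5sum.txt, the `force` keyword standing in for the "@force = true" workaround, and the in-memory sample tarball are assumptions constructed for the example; the 404 page is the one from the log above.

```ruby
require 'digest/md5'
require 'zlib'
require 'stringio'

# Every gzip member starts with these two bytes (RFC 1952).
GZIP_MAGIC = "\x1f\x8b".b

# The 404 page that a stale mirror served in place of the tarball,
# copied from the log above (constructed sample input for this example).
HTML_404 = <<~HTML.b
  <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
  <HTML><HEAD>
  <TITLE>404 Not Found</TITLE>
  </HEAD><BODY>
  <H1>Not Found</H1>
  The requested URL /tarball/debian/install_flash_player_7_linux.tar.gz was not found on this server.<P>
  </BODY></HTML>
HTML

# Build a genuine gzip stream in memory so the example runs offline.
# It stands in for install_flash_player_7_linux.tar.gz (constructed data).
def constructed_tarball
  io = StringIO.new("".b)
  gz = Zlib::GzipWriter.new(io)
  gz.mtime = Time.utc(2005, 11, 15)   # fixed header mtime, reproducible bytes
  gz.write("not a real tarball, just gzip-framed sample data\n")
  gz.finish                            # flush without closing the StringIO
  io.string
end

# True when the payload is framed as gzip; an HTML error page is not.
def looks_like_gzip?(bytes)
  bytes.b.start_with?(GZIP_MAGIC)
end

# Parse a checksum list in md5sum(1) layout: "<32 hex>  <filename>" per line.
# Assumption: gpg-md5sum.txt uses that layout. The GPG signature over the
# list must be verified before the list is trusted; that step is outside
# this example.
def parse_md5sums(text)
  text.each_line.each_with_object({}) do |line, sums|
    next unless (m = line.match(/\A([0-9a-f]{32})\s+\*?(\S+)\s*\z/i))
    sums[m[2]] = m[1].downcase
  end
end

# Decide whether a downloaded file may be handed to tar.
#   :not_gzip     payload is not a gzip stream (e.g. an HTML 404 page)
#   :no_checksum  no digest known for this file and force is off
#   :mismatch     digest differs from the checksum list
#   :ok           safe to unpack
# `force` is this example's stand-in for the "@force = true" workaround
# (assumption about that flag): it waives the checksum requirement when a
# mirror publishes no list, but it never waives the container check.
def verify_download(filename, bytes, sums, force: false)
  return :not_gzip unless looks_like_gzip?(bytes)
  expected = sums[filename]
  return(force ? :ok : :no_checksum) if expected.nil?
  Digest::MD5.hexdigest(bytes) == expected ? :ok : :mismatch
end

if __FILE__ == $PROGRAM_NAME
  name = "install_flash_player_7_linux.tar.gz"
  tarball = constructed_tarball
  sums = parse_md5sums("#{Digest::MD5.hexdigest(tarball)}  #{name}\n")
  p verify_download(name, tarball, sums)              # :ok
  p verify_download(name, HTML_404, sums)             # :not_gzip
  p verify_download(name, tarball, {})                # :no_checksum
  p verify_download(name, tarball, {}, force: true)   # :ok
end
```

Run it with `ruby verify_download.rb`. The point of the split return values is that the failure seen in message #32 (gzip: not in gzip format, tar: Not found in archive) is caught before anything is written under /usr/lib, and that a forced update still refuses an error page even though it skips the digest comparison. A matching digest only proves the file matches the list; trusting the list itself still rests on the GPG signature over gpg-md5sum.txt.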



Information forwarded to debian-bugs-dist@lists.debian.org, Takuo KITAME <kitame@debian.org>:
Bug#339290; Package flashplugin-nonfree.


Acknowledgement sent to Bart Martens <bart.martens@advalvas.be>:
Extra info received and forwarded to list. Copy sent to Takuo KITAME <kitame@debian.org>.


Message #37 received at 339290@bugs.debian.org:

From: Bart Martens <bart.martens@advalvas.be>
To: 339290@bugs.debian.org
Subject: fixed in unstable
Date: Thu, 22 Dec 2005 19:13:28 +0100
Version 7.0.61-1 works for me.  I suggest releasing that version as a
security fix for sarge, if there are no more reasons to wait.





Tags added: fixed. Request was from Aníbal Monsalve Salazar <anibal@debian.org> to control@bugs.debian.org.


Information stored:
Bug#339290; Package flashplugin-nonfree.


Acknowledgement sent to Bart Martens <bart.martens@advalvas.be>:
Extra info received and filed, but not forwarded.


Message #44 received at 339290-quiet@bugs.debian.org:

From: Bart Martens <bart.martens@advalvas.be>
To: 339290-quiet@bugs.debian.org
Subject: Re: Bug#339290: NMU flashplugin-nonfree 7.0.61-1.1 fixed CVE-2005-2628
Date: Tue, 31 Jan 2006 19:23:51 +0100
On Tue, Jan 31, 2006 at 10:29:22PM +1100, Aníbal Monsalve Salazar wrote:
> CVE-2005-2628 is fixed in NMU flashplugin-nonfree 7.0.61-1.1.

To be exact, Takuo Kitame fixed CVE-2005-2628 in 7.0.61-1 on 29 Nov
2005.  I'm not sure whether Takuo had a reason not to close this bug
yet.



Tags removed: fixed. Request was from Bart Martens <bart.martens@advalvas.be> to control@bugs.debian.org.


Reply sent to Bart Martens <bart.martens@advalvas.be>:
You have taken responsibility.


Notification sent to Håkan Lindqvist <lindqvist@netstar.se>:
Bug acknowledged by developer.


Message #51 received at 339290-done@bugs.debian.org:

From: Bart Martens <bart.martens@advalvas.be>
To: 339290-done@bugs.debian.org
Subject: flashplugin-nonfree: Version 7,0,61,0 released to fix CVE-2005-2628
Date: Fri, 10 Mar 2006 07:51:25 +0100
The previous maintainer fixed CVE-2005-2628 in 7.0.61-1 on 29 Nov
2005.  Closing this bug without further action.  Feel free to reopen and
explain why.



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 19 Jun 2007 00:35:27 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:11:11 2019; Machine Name: beach
