flashplugin-nonfree: HTTP header injection vulnerabilities (CVE-2006-5330)

Debian Bug report logs - #402822
flashplugin-nonfree: HTTP header injection vulnerabilities (CVE-2006-5330)

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Ben Hutchings <ben@decadent.org.uk>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: CVE-2006-5330: HTTP header injection vulnerabilities

Date: Tue, 12 Dec 2006 21:30:17 +0000

Package: flashplugin-nonfree
Version: 9.0.21.78.3
Severity: important
Tags: security

According to the upstream security bulletin
<http://www.adobe.com/support/security/bulletins/apsb06-18.html>:

"Adobe has provided a Flash Player updates to resolve potential
vulnerabilities in Adobe Flash Player. These vulnerabilities could
allow remote attackers to modify HTTP headers of client requests and
conduct HTTP Request Splitting attacks."

Adobe classifies this as "important", meaning that it could be
exploited to "compromise data security, potentially allowing access to
confidential data, or could compromise processing resources in a
user's computer."

-- System Information:
Debian Release: 4.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.17-2-686
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)

Versions of packages flashplugin-nonfree depends on:
ii  debconf [debconf-2.0]         1.5.8      Debian configuration management sy
ii  gsfonts-x11                   0.20       Make Ghostscript fonts available t
ii  libxext6                      1:1.0.1-2  X11 miscellaneous extension librar
ii  libxmu6                       1:1.0.2-2  X11 miscellaneous utility library
ii  libxt6                        1:1.0.2-2  X11 toolkit intrinsics library
ii  wget                          1.10.2-2   retrieves files from the web

Versions of packages flashplugin-nonfree recommends:
pn  xfs                           <none>     (no description available)

-- debconf information excluded

Message #10 received at 402822@bugs.debian.org (full text, mbox, reply):

From: Ben Hutchings <ben@decadent.org.uk>

To: 402822@bugs.debian.org

Subject: Re: CVE-2006-5330: HTTP header injection vulnerabilities

Date: Tue, 12 Dec 2006 22:50:57 +0000

[Message part 1 (text/plain, inline)]

According to Adobe's bulletin, the following versions are vulnerable:

Flash Player 9.0.20.0 and earlier
Flash Professional 8 [prior to 8.0.34.0]
Flash Player 7.0.68.0 and earlier

Therefore, although Adobe recommends upgrading to 9.0.28.0, I believe
only sarge needs to be updated.

The advisory at <http://www.rapid7.com/advisories/R7-0026.jsp> is more
explicit about the vulnerability: a Flash script can specify values for
Content-Type or custom (non-standard) headers in HTTP requests it makes
and these are not restricted from including CR and LF characters.  This
means that the 'header values' can include additional header lines and
even (if the server supports pipelining) entire requests.

The advisory includes a script fragment that demonstrates the exploit.
A complete example file would be helpful in verifying that etch and sid
are not vulnerable.

Ben.

-- 
Ben Hutchings
Computers are not intelligent.  They only think they are.

[signature.asc (application/pgp-signature, inline)]

Message #15 received at 402822@bugs.debian.org (full text, mbox, reply):

From: Bart Martens <bartm@knars.be>

To: Ben Hutchings <ben@decadent.org.uk>, 402822@bugs.debian.org

Subject: Re: Bug#402822: CVE-2006-5330: HTTP header injection vulnerabilities

Date: Wed, 13 Dec 2006 07:17:30 +0100

[Message part 1 (text/plain, inline)]

notfound 402822 9.0.21.78.3
stop

On Tue, 2006-12-12 at 21:30 +0000, Ben Hutchings wrote:
> According to the upstream security bulletin
> <http://www.adobe.com/support/security/bulletins/apsb06-18.html>:
> 

According to this bulletin version 9.0.21.78 is not affected.  Also,
version 9.0.28.0 does not seem to be available for Linux (I don't find
it).

[signature.asc (application/pgp-signature, inline)]

Message #22 received at 402822@bugs.debian.org (full text, mbox, reply):

From: Bart Martens <bartm@knars.be>

To: Ben Hutchings <ben@decadent.org.uk>

Cc: 402822@bugs.debian.org

Subject: Re: Bug#402822: CVE-2006-5330: HTTP header injection vulnerabilities

Date: Wed, 13 Dec 2006 07:19:46 +0100

[Message part 1 (text/plain, inline)]

found 402822 9.0.21.78.3
stop

On Wed, 2006-12-13 at 07:17 +0100, Bart Martens wrote:
> notfound 402822 9.0.21.78.3
> stop
> 
> On Tue, 2006-12-12 at 21:30 +0000, Ben Hutchings wrote:
> > According to the upstream security bulletin
> > <http://www.adobe.com/support/security/bulletins/apsb06-18.html>:
> > 
> 
> According to this bulletin version 9.0.21.78 is not affected.  Also,
> version 9.0.28.0 does not seem to be available for Linux (I don't find
> it).
> 

Oops, "earlier" is not "older" but "newer", so version 9.0.21.78 is
affected.  I can't find 9.0.28.0 for Linux.  Does anyone?

[signature.asc (application/pgp-signature, inline)]

Message #29 received at 402822@bugs.debian.org (full text, mbox, reply):

From: Ben Hutchings <ben@decadent.org.uk>

To: Bart Martens <bartm@knars.be>

Cc: 402822@bugs.debian.org

Subject: Re: Bug#402822: CVE-2006-5330: HTTP header injection vulnerabilities

Date: Wed, 13 Dec 2006 10:01:35 +0000

[Message part 1 (text/plain, inline)]

On Wed, 2006-12-13 at 07:32 +0100, Bart Martens wrote:
<snip>
> I'm confused now.  Maybe "earlier" does mean "older".  You seem to be
> from the UK, so probably your English is better than mine.

Yes, earlier means older here.

> Is 9.0.21.78 affected or not according to this bulletin?

It is not.  I would prefer to confirm this with a test case though,
since it is between the last-vulnerable and recommended versions.  If
version 9.0.21.78 was only ever released as a beta for Linux it's
possible they could have forgotten to include it in the vulnerable
versions.

Ben.

-- 
Ben Hutchings
Reality is just a crutch for people who can't handle science fiction.

[signature.asc (application/pgp-signature, inline)]

Message #42 received at 402822@bugs.debian.org (full text, mbox, reply):

From: Bart Martens <bartm@knars.be>

To: team@security.debian.org

Cc: 402822@bugs.debian.org

Subject: flashplugin-nonfree: HTTP header injection vulnerabilities (CVE-2006-5330)

Date: Sat, 03 Feb 2007 10:20:34 +0100

[Message part 1 (text/plain, inline)]

Hi Security-team,

Bug 402822 was tagged "security" on 14 Dec 2006.  I'm not sure whether
your team scans the BTS daily for bugs tagged "security". :)

Any suggestions on how to handle this bug?

New sarge users won't install the insecure plugin, because installing
flashplugin-nonfree 7.0.25-5 cannot download the insecure plugin.  So
removing flashplugin-nonfree 7.0.25-5 from "stable" won't make anything
more secure.

Existing sarge users might still be using the insecure plugin.  I could
create flashplugin-nonfree 7.0.25-6 removing the insecure plugin without
installing a new plugin, with a debconf dialog at level "critical"
explaining the removal and suggesting backports.org.

Your opinion?

Regards,

Bart Martens

[signature.asc (application/pgp-signature, inline)]

Message #47 received at 402822@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>

To: Bart Martens <bartm@knars.be>

Cc: team@security.debian.org, 402822@bugs.debian.org

Subject: Re: flashplugin-nonfree: HTTP header injection vulnerabilities (CVE-2006-5330)

Date: Sun, 4 Feb 2007 22:20:53 +0100

Bart Martens wrote:
> Bug 402822 was tagged "security" on 14 Dec 2006.  I'm not sure whether
> your team scans the BTS daily for bugs tagged "security". :)
> 
> Any suggestions on how to handle this bug?
> 
> New sarge users won't install the insecure plugin, because installing
> flashplugin-nonfree 7.0.25-5 cannot download the insecure plugin.  So
> removing flashplugin-nonfree 7.0.25-5 from "stable" won't make anything
> more secure.
> 
> Existing sarge users might still be using the insecure plugin.  I could
> create flashplugin-nonfree 7.0.25-6 removing the insecure plugin without
> installing a new plugin, with a debconf dialog at level "critical"
> explaining the removal and suggesting backports.org.

non-free/contrib isn't supported by the Security Team. However, it appears
to me as if upgrading Sarge through a stable point update to the latest fixed
upstream (9.?) would be the best solution. It's a rocky upgrade path, but
that's what you have to bear when running proprietary software.

Cheers,
        Moritz

Message #52 received at 402822@bugs.debian.org (full text, mbox, reply):

From: Bart Martens <bartm@knars.be>

To: Moritz Muehlenhoff <jmm@inutil.org>

Cc: team@security.debian.org, 402822@bugs.debian.org

Subject: Re: flashplugin-nonfree: HTTP header injection vulnerabilities (CVE-2006-5330)

Date: Sun, 04 Feb 2007 23:11:56 +0100

[Message part 1 (text/plain, inline)]

On Sun, 2007-02-04 at 22:20 +0100, Moritz Muehlenhoff wrote:
> Bart Martens wrote:
> > Bug 402822 was tagged "security" on 14 Dec 2006.  I'm not sure whether
> > your team scans the BTS daily for bugs tagged "security". :)
> > 
> > Any suggestions on how to handle this bug?
> > 
> > New sarge users won't install the insecure plugin, because installing
> > flashplugin-nonfree 7.0.25-5 cannot download the insecure plugin.  So
> > removing flashplugin-nonfree 7.0.25-5 from "stable" won't make anything
> > more secure.
> > 
> > Existing sarge users might still be using the insecure plugin.  I could
> > create flashplugin-nonfree 7.0.25-6 removing the insecure plugin without
> > installing a new plugin, with a debconf dialog at level "critical"
> > explaining the removal and suggesting backports.org.
> 
> non-free/contrib isn't supported by the Security Team. However, it appears
> to me as if upgrading Sarge through a stable point update to the latest fixed
> upstream (9.?) would be the best solution. It's a rocky upgrade path, but
> that's what you have to bear when running proprietary software.

So your advice is to create a package for Sarge to install Flash 9.  Two
questions about that:

1. Must that package be created starting from 7.0.25-5 (ruby), or is it
OK to start from 9.0.31.0.1 (shell scripting) ?

2. Which procedure must be followed, "uploads to the stable
distribution" or "Handling security-related bugs" ?
http://www.debian.org/doc/manuals/developers-reference/ch-pkgs.en.html#s-upload-stable
http://www.debian.org/doc/manuals/developers-reference/ch-pkgs.en.html#s-bug-security

Regards,

Bart Martens

[signature.asc (application/pgp-signature, inline)]

Message #57 received at 402822@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>

To: Bart Martens <bartm@knars.be>

Cc: team@security.debian.org, 402822@bugs.debian.org

Subject: Re: flashplugin-nonfree: HTTP header injection vulnerabilities (CVE-2006-5330)

Date: Mon, 5 Feb 2007 21:30:59 +0100

On Sun, Feb 04, 2007 at 11:11:56PM +0100, Bart Martens wrote:
> On Sun, 2007-02-04 at 22:20 +0100, Moritz Muehlenhoff wrote:
> > Bart Martens wrote:
> > > Bug 402822 was tagged "security" on 14 Dec 2006.  I'm not sure whether
> > > your team scans the BTS daily for bugs tagged "security". :)
> > > 
> > > Any suggestions on how to handle this bug?
> > > 
> > > New sarge users won't install the insecure plugin, because installing
> > > flashplugin-nonfree 7.0.25-5 cannot download the insecure plugin.  So
> > > removing flashplugin-nonfree 7.0.25-5 from "stable" won't make anything
> > > more secure.
> > > 
> > > Existing sarge users might still be using the insecure plugin.  I could
> > > create flashplugin-nonfree 7.0.25-6 removing the insecure plugin without
> > > installing a new plugin, with a debconf dialog at level "critical"
> > > explaining the removal and suggesting backports.org.
> > 
> > non-free/contrib isn't supported by the Security Team. However, it appears
> > to me as if upgrading Sarge through a stable point update to the latest fixed
> > upstream (9.?) would be the best solution. It's a rocky upgrade path, but
> > that's what you have to bear when running proprietary software.
> 
> So your advice is to create a package for Sarge to install Flash 9.  Two
> questions about that:
> 
> 1. Must that package be created starting from 7.0.25-5 (ruby), or is it
> OK to start from 9.0.31.0.1 (shell scripting) ?
> 
> 2. Which procedure must be followed, "uploads to the stable
> distribution" or "Handling security-related bugs" ?
> http://www.debian.org/doc/manuals/developers-reference/ch-pkgs.en.html#s-upload-stable

This one, but you should discuss 1.) with the stable release managers first. It's
their call.

Cheers,
        Moritz

Message #62 received at 402822-quiet@bugs.debian.org (full text, mbox, reply):

From: Bart Martens <bartm@knars.be>

To: Martin Zobel-Helas <zobel@ftbfs.de>

Cc: 402822-quiet@bugs.debian.org

Subject: Re: sarge contrib - flashplugin-nonfree: HTTP header injection vulnerabilities (CVE-2006-5330)

Date: Sun, 11 Mar 2007 13:33:15 +0100

On Sun, 2007-03-11 at 13:13 +0100, Martin Zobel-Helas wrote:
> Hi, 
> 
> On Sun Mar 11, 2007 at 13:16:24 +0100, Bart Martens wrote:
> > Hi Stable Release Manager(s),
> > 
> > Any suggestions on how to handle this bug?
> > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=402822
> 
> upload a fixed version to proposed-updates, mentioning the CVE id in the
> changelog.
> 
> Greetings
> Martin
> 

Hi Martin,

Must that package be created starting from 7.0.25-5 (ruby), or is it OK
to start from 9.0.31.0.x (shell scripting) ?

Regards,

Bart Martens

Message #67 received at 402822-quiet@bugs.debian.org (full text, mbox, reply):

From: Martin Zobel-Helas <zobel@ftbfs.de>

To: Bart Martens <bartm@knars.be>

Cc: 402822-quiet@bugs.debian.org

Subject: Re: sarge contrib - flashplugin-nonfree: HTTP header injection vulnerabilities (CVE-2006-5330)

Date: Sun, 11 Mar 2007 16:59:54 +0100

Hi, 

On Sun Mar 11, 2007 at 13:33:15 +0100, Bart Martens wrote:
> On Sun, 2007-03-11 at 13:13 +0100, Martin Zobel-Helas wrote:
> > Hi, 
> > 
> > On Sun Mar 11, 2007 at 13:16:24 +0100, Bart Martens wrote:
> > > Hi Stable Release Manager(s),
> > > 
> > > Any suggestions on how to handle this bug?
> > > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=402822
> > 
> > upload a fixed version to proposed-updates, mentioning the CVE id in the
> > changelog.
> > 
> > Greetings
> > Martin
> > 
> 
> Hi Martin,
> 
> Must that package be created starting from 7.0.25-5 (ruby), or is it OK
> to start from 9.0.31.0.x (shell scripting) ?

as always for stable: as less changes as possible.

Greetings
Martin

-- 
[root@debian /root]# man real-life
No manual entry for real-life

Message #74 received at 402822-quiet@bugs.debian.org (full text, mbox, reply):

From: Bart Martens <bartm@knars.be>

To: 402822-quiet@bugs.debian.org

Subject: Re: Bug#402822: sarge contrib - flashplugin-nonfree: HTTP header injection vulnerabilities (CVE-2006-5330)

Date: Sun, 11 Mar 2007 18:37:05 +0100

[Message part 1 (text/plain, inline)]

tags 402822 help
stop


On Sun, 2007-03-11 at 16:59 +0100, Martin Zobel-Helas wrote:
> On Sun Mar 11, 2007 at 13:33:15 +0100, Bart Martens wrote:
> > Must that package be created starting from 7.0.25-5 (ruby), or is it OK
> > to start from 9.0.31.0.x (shell scripting) ?
> 
> as always for stable: as less changes as possible.
> 

I'll take that as "must start from 7.0.25-5 (ruby)".

I'm tagging this bug "help".  NMU welcome.

[signature.asc (application/pgp-signature, inline)]

Message #81 received at 402822@bugs.debian.org (full text, mbox, reply):

From: Franklin Piat <fpiat@bigfoot.com>

To: Debian Bug Tracking System <402822@bugs.debian.org>

Subject: flashplugin-nonfree: [SECURITY] CVE-2006-5330 HTTP header injection vulnerabilities [Fixed]

Date: Wed, 18 Jul 2007 00:19:10 +0200

Package: flashplugin-nonfree
Followup-For: Bug #402822


According to adobe's advisory regarding the vulnerability APSB06-18,
Flash Player 7.0.69.0 and 9.0.28.0 address security vulnerabilities in 
previous versions.

Therefore i assume this bug can be closed ( stable,testing and 
unstable are shipping 9.0.31+ versions).
(any chance to get a security update for "oldstable" ?).

Franklin Piat

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-4-686
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages flashplugin-nonfree depends on:
ii  debconf [debconf-2.0]     1.5.11         Debian configuration management sy
ii  fontconfig                2.4.2-1.2      generic font configuration library
ii  libatk1.0-0               1.12.4-3       The ATK accessibility toolkit
ii  libc6                     2.3.6.ds1-13   GNU C Library: Shared libraries
ii  libcairo2                 1.2.4-4        The Cairo 2D vector graphics libra
ii  libexpat1                 1.95.8-3.4     XML parsing C library - runtime li
ii  libfontconfig1            2.4.2-1.2      generic font configuration library
ii  libfreetype6              2.2.1-5+etch4  FreeType 2 font engine, shared lib
ii  libglib2.0-0              2.12.4-2       The GLib library of C routines
ii  libgtk2.0-0               2.8.20-7       The GTK+ graphical user interface 
ii  libice6                   1:1.0.1-2      X11 Inter-Client Exchange library
ii  libpango1.0-0             1.14.8-5       Layout and rendering of internatio
ii  libpng12-0                1.2.15~beta5-1 PNG library - runtime
ii  libsm6                    1:1.0.1-3      X11 Session Management library
ii  libx11-6                  2:1.0.3-7      X11 client-side library
ii  libxau6                   1:1.0.1-2      X11 authorisation library
ii  libxcursor1               1.1.7-4        X cursor management library
ii  libxdmcp6                 1:1.0.1-2      X11 Display Manager Control Protoc
ii  libxext6                  1:1.0.1-2      X11 miscellaneous extension librar
ii  libxfixes3                1:4.0.1-5      X11 miscellaneous 'fixes' extensio
ii  libxi6                    1:1.0.1-4      X11 Input extension library
ii  libxinerama1              1:1.0.1-4.1    X11 Xinerama extension library
ii  libxrandr2                2:1.1.0.2-5    X11 RandR extension library
ii  libxrender1               1:0.9.1-3      X Rendering Extension client libra
ii  libxt6                    1:1.0.2-2      X11 toolkit intrinsics library
ii  wget                      1.10.2-2       retrieves files from the web
ii  zlib1g                    1:1.2.3-13     compression library - runtime

Versions of packages flashplugin-nonfree recommends:
ii  xfs                           1:1.0.1-5  X font server

-- debconf information excluded

Message #96 received at 402822-done@bugs.debian.org (full text, mbox, reply):

From: Bart Martens <bartm@knars.be>

To: 402822-done@bugs.debian.org, 433687-done@bugs.debian.org, 458522-done@bugs.debian.org

Subject: flashplugin-nonfree: removed from stable and from oldstable

Date: Wed, 02 Apr 2008 19:56:36 +0200

http://packages.qa.debian.org/f/flashplugin-nonfree/news/20080331T151403Z.html
http://packages.qa.debian.org/f/flashplugin-nonfree/news/20080216T124605Z.html

Send a report that this bug log contains spam.