Debian Bug report logs - #402822
flashplugin-nonfree: HTTP header injection vulnerabilities (CVE-2006-5330)
Reported by: Ben Hutchings <ben@decadent.org.uk>
Date: Tue, 12 Dec 2006 22:33:24 UTC
Severity: grave
Tags: help, security, wontfix
Found in version 7.0.25-5
Fixed in versions flashplugin-nonfree/9.0.31.0.1, flashplugin-nonfree/9.0.31.0.4, flashplugin-nonfree/9.0.48.0.1, flashplugin-nonfree/9.0.48.0.2
Done: Bart Martens <bartm@knars.be>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Bart Martens <bartm@knars.be>
:
Bug#402822
; Package flashplugin-nonfree
.
(full text, mbox, link).
Acknowledgement sent to Ben Hutchings <ben@decadent.org.uk>
:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Bart Martens <bartm@knars.be>
.
(full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: flashplugin-nonfree
Version: 9.0.21.78.3
Severity: important
Tags: security
According to the upstream security bulletin
<http://www.adobe.com/support/security/bulletins/apsb06-18.html>:
"Adobe has provided a Flash Player updates to resolve potential
vulnerabilities in Adobe Flash Player. These vulnerabilities could
allow remote attackers to modify HTTP headers of client requests and
conduct HTTP Request Splitting attacks."
Adobe classifies this as "important", meaning that it could be
exploited to "compromise data security, potentially allowing access to
confidential data, or could compromise processing resources in a
user's computer."
-- System Information:
Debian Release: 4.0
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.17-2-686
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Versions of packages flashplugin-nonfree depends on:
ii debconf [debconf-2.0] 1.5.8 Debian configuration management sy
ii gsfonts-x11 0.20 Make Ghostscript fonts available t
ii libxext6 1:1.0.1-2 X11 miscellaneous extension librar
ii libxmu6 1:1.0.2-2 X11 miscellaneous utility library
ii libxt6 1:1.0.2-2 X11 toolkit intrinsics library
ii wget 1.10.2-2 retrieves files from the web
Versions of packages flashplugin-nonfree recommends:
pn xfs <none> (no description available)
-- debconf information excluded
Information forwarded to debian-bugs-dist@lists.debian.org, Bart Martens <bartm@knars.be>: Bug#402822; Package flashplugin-nonfree.
Acknowledgement sent to Ben Hutchings <ben@decadent.org.uk>: Extra info received and forwarded to list. Copy sent to Bart Martens <bartm@knars.be>.
Message #10 received at 402822@bugs.debian.org:
[Message part 1 (text/plain, inline)]
According to Adobe's bulletin, the following versions are vulnerable:
Flash Player 9.0.20.0 and earlier
Flash Professional 8 [prior to 8.0.34.0]
Flash Player 7.0.68.0 and earlier
Therefore, although Adobe recommends upgrading to 9.0.28.0, I believe
only sarge needs to be updated.
The advisory at <http://www.rapid7.com/advisories/R7-0026.jsp> is more
explicit about the vulnerability: a Flash script can specify values for
Content-Type or custom (non-standard) headers in HTTP requests it makes
and these are not restricted from including CR and LF characters. This
means that the 'header values' can include additional header lines and
even (if the server supports pipelining) entire requests.
The advisory includes a script fragment that demonstrates the exploit.
A complete example file would be helpful in verifying that etch and sid
are not vulnerable.
Ben.
--
Ben Hutchings
Computers are not intelligent. They only think they are.
[signature.asc (application/pgp-signature, inline)]
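The mechanism described in the message above (a header value carrying CR/LF, so that what the script hands over as one header value becomes extra header lines or, on a connection the server treats as pipelined, a complete second request) as a short demonstration. This is an added example, not code from the bug report, the Rapid7 advisory, Adobe or the Flash plugin: the host, paths and header values are constructed for illustration, the request builder stands in for the plugin's request serialiser, and the parser stands in for a pipelining server; neither is a real implementation of either.

```python
import re

CRLF = "\r\n"
# RFC 7230: a header name is a token; a field value must not contain CR, LF or NUL.
TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
BAD_VALUE_CHARS = "\r\n\0"


def check_name(name):
    """Reject header names that are not RFC 7230 tokens."""
    if not TOKEN_RE.match(name):
        raise ValueError(f"illegal header name {name!r}")
    return name


def check_value(value):
    """Reject, rather than silently strip, control characters so an injection
    attempt is noticed instead of being quietly neutralised."""
    if any(c in value for c in BAD_VALUE_CHARS):
        raise ValueError(f"control character in header value {value!r}")
    return value


def build_request(method, path, host, headers, validate=False):
    """Serialise an HTTP/1.1 request. With validate=False this mimics the
    behaviour the advisory describes: caller-supplied header names and values
    go on the wire unchanged, CR/LF included. With validate=True the same
    input is checked first (the hardened form)."""
    if validate:
        headers = {check_name(n): check_value(v) for n, v in headers.items()}
    lines = [f"{method} {path} HTTP/1.1", f"Host: {host}"]
    lines += [f"{name}: {value}" for name, value in headers.items()]
    return CRLF.join(lines) + CRLF + CRLF


def parse_stream(raw):
    """Parse a byte stream the way a pipelining server would: every header
    block terminated by an empty line is a separate request. Bodies are
    ignored, which is enough to show the splitting effect."""
    requests = []
    for block in raw.split(CRLF + CRLF):
        if not block:
            continue
        request_line, *header_lines = block.split(CRLF)
        headers = {}
        for line in header_lines:
            name, _, value = line.partition(":")
            headers[name.strip()] = value.strip()
        requests.append((request_line, headers))
    return requests


# Constructed sample (hypothetical host and paths): a Content-Type value under
# the script's control that smuggles an extra header line and, after a blank
# line, an entire second request.
INJECTED_VALUE = (
    "text/plain" + CRLF
    + "X-Injected: yes" + CRLF + CRLF
    + "GET /admin HTTP/1.1" + CRLF
    + "Host: victim.example"
)


def vulnerable_demo():
    """What a server sees when the value is serialised without validation."""
    raw = build_request("POST", "/upload", "victim.example",
                        {"Content-Type": INJECTED_VALUE})
    return parse_stream(raw)


def hardened_demo():
    """The same input through the validating builder: returns the error text."""
    try:
        build_request("POST", "/upload", "victim.example",
                      {"Content-Type": INJECTED_VALUE}, validate=True)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    for request_line, headers in vulnerable_demo():
        print(request_line, headers)
    print("hardened:", hardened_demo())
```

Running it, the first call yields two parsed requests from what the caller passed as a single one, the injected `X-Injected` header attached to the first and a `GET /admin` request following it; with `validate=True` the same input is rejected before anything is written. The check has to live in the component that serialises the request (here, the plugin), because the page embedding the movie cannot see what the script sends.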
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#402822; Package flashplugin-nonfree.
Acknowledgement sent to Bart Martens <bartm@knars.be>: Extra info received and forwarded to list.
Message #15 received at 402822@bugs.debian.org:
[Message part 1 (text/plain, inline)]
notfound 402822 9.0.21.78.3
stop
On Tue, 2006-12-12 at 21:30 +0000, Ben Hutchings wrote:
> According to the upstream security bulletin
> <http://www.adobe.com/support/security/bulletins/apsb06-18.html>:
>
According to this bulletin version 9.0.21.78 is not affected. Also,
version 9.0.28.0 does not seem to be available for Linux (I don't find
it).
[signature.asc (application/pgp-signature, inline)]
Bug marked as not found in version 9.0.21.78.3. Request was from Bart Martens <bartm@knars.be> to control@bugs.debian.org.
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#402822; Package flashplugin-nonfree.
Acknowledgement sent to Bart Martens <bartm@knars.be>: Extra info received and forwarded to list.
Message #22 received at 402822@bugs.debian.org:
[Message part 1 (text/plain, inline)]
found 402822 9.0.21.78.3
stop
On Wed, 2006-12-13 at 07:17 +0100, Bart Martens wrote:
> notfound 402822 9.0.21.78.3
> stop
>
> On Tue, 2006-12-12 at 21:30 +0000, Ben Hutchings wrote:
> > According to the upstream security bulletin
> > <http://www.adobe.com/support/security/bulletins/apsb06-18.html>:
> >
>
> According to this bulletin version 9.0.21.78 is not affected. Also,
> version 9.0.28.0 does not seem to be available for Linux (I don't find
> it).
>
Oops, "earlier" is not "older" but "newer", so version 9.0.21.78 is
affected. I can't find 9.0.28.0 for Linux. Does anyone?
[signature.asc (application/pgp-signature, inline)]
Bug marked as found in version 9.0.21.78.3. Request was from Bart Martens <bartm@knars.be> to control@bugs.debian.org.
Information forwarded to debian-bugs-dist@lists.debian.org, Bart Martens <bartm@knars.be>: Bug#402822; Package flashplugin-nonfree.
Acknowledgement sent to Ben Hutchings <ben@decadent.org.uk>: Extra info received and forwarded to list. Copy sent to Bart Martens <bartm@knars.be>.
Message #29 received at 402822@bugs.debian.org:
[Message part 1 (text/plain, inline)]
On Wed, 2006-12-13 at 07:32 +0100, Bart Martens wrote:
<snip>
> I'm confused now. Maybe "earlier" does mean "older". You seem to be
> from the UK, so probably your English is better than mine.
Yes, earlier means older here.
> Is 9.0.21.78 affected or not according to this bulletin?
It is not. I would prefer to confirm this with a test case though,
since it is between the last-vulnerable and recommended versions. If
version 9.0.21.78 was only ever released as a beta for Linux it's
possible they could have forgotten to include it in the vulnerable
versions.
Ben.
--
Ben Hutchings
Reality is just a crutch for people who can't handle science fiction.
[signature.asc (application/pgp-signature, inline)]
Bug marked as not found in version 9.0.21.78.3. Request was from Bart Martens <bartm@knars.be> to control@bugs.debian.org.
Bug marked as found in version 7.0.25-5. Request was from Bart Martens <bartm@knars.be> to control@bugs.debian.org.
Changed Bug title. Request was from Bart Martens <bartm@knars.be> to control@bugs.debian.org.
Tags added: security. Request was from Bart Martens <bartm@knars.be> to control@bugs.debian.org.
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#402822; Package flashplugin-nonfree.
Acknowledgement sent to Bart Martens <bartm@knars.be>: Extra info received and forwarded to list.
Message #42 received at 402822@bugs.debian.org:
[Message part 1 (text/plain, inline)]
Hi Security-team,
Bug 402822 was tagged "security" on 14 Dec 2006. I'm not sure whether
your team scans the BTS daily for bugs tagged "security". :)
Any suggestions on how to handle this bug?
New sarge users won't install the insecure plugin, because installing
flashplugin-nonfree 7.0.25-5 cannot download the insecure plugin. So
removing flashplugin-nonfree 7.0.25-5 from "stable" won't make anything
more secure.
Existing sarge users might still be using the insecure plugin. I could
create flashplugin-nonfree 7.0.25-6 removing the insecure plugin without
installing a new plugin, with a debconf dialog at level "critical"
explaining the removal and suggesting backports.org.
Your opinion?
Regards,
Bart Martens
[signature.asc (application/pgp-signature, inline)]
Information forwarded to debian-bugs-dist@lists.debian.org, Bart Martens <bartm@knars.be>: Bug#402822; Package flashplugin-nonfree.
Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>: Extra info received and forwarded to list. Copy sent to Bart Martens <bartm@knars.be>.
Message #47 received at 402822@bugs.debian.org:
Bart Martens wrote:
> Bug 402822 was tagged "security" on 14 Dec 2006. I'm not sure whether
> your team scans the BTS daily for bugs tagged "security". :)
>
> Any suggestions on how to handle this bug?
>
> New sarge users won't install the insecure plugin, because installing
> flashplugin-nonfree 7.0.25-5 cannot download the insecure plugin. So
> removing flashplugin-nonfree 7.0.25-5 from "stable" won't make anything
> more secure.
>
> Existing sarge users might still be using the insecure plugin. I could
> create flashplugin-nonfree 7.0.25-6 removing the insecure plugin without
> installing a new plugin, with a debconf dialog at level "critical"
> explaining the removal and suggesting backports.org.
non-free/contrib isn't supported by the Security Team. However, it appears
to me as if upgrading Sarge through a stable point update to the latest fixed
upstream (9.?) would be the best solution. It's a rocky upgrade path, but
that's what you have to bear when running proprietary software.
Cheers,
Moritz
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#402822; Package flashplugin-nonfree.
Acknowledgement sent to Bart Martens <bartm@knars.be>: Extra info received and forwarded to list.
Message #52 received at 402822@bugs.debian.org:
[Message part 1 (text/plain, inline)]
On Sun, 2007-02-04 at 22:20 +0100, Moritz Muehlenhoff wrote:
> Bart Martens wrote:
> > Bug 402822 was tagged "security" on 14 Dec 2006. I'm not sure whether
> > your team scans the BTS daily for bugs tagged "security". :)
> >
> > Any suggestions on how to handle this bug?
> >
> > New sarge users won't install the insecure plugin, because installing
> > flashplugin-nonfree 7.0.25-5 cannot download the insecure plugin. So
> > removing flashplugin-nonfree 7.0.25-5 from "stable" won't make anything
> > more secure.
> >
> > Existing sarge users might still be using the insecure plugin. I could
> > create flashplugin-nonfree 7.0.25-6 removing the insecure plugin without
> > installing a new plugin, with a debconf dialog at level "critical"
> > explaining the removal and suggesting backports.org.
>
> non-free/contrib isn't supported by the Security Team. However, it appears
> to me as if upgrading Sarge through a stable point update to the latest fixed
> upstream (9.?) would be the best solution. It's a rocky upgrade path, but
> that's what you have to bear when running proprietary software.
So your advice is to create a package for Sarge to install Flash 9. Two
questions about that:
1. Must that package be created starting from 7.0.25-5 (ruby), or is it
OK to start from 9.0.31.0.1 (shell scripting) ?
2. Which procedure must be followed, "uploads to the stable
distribution" or "Handling security-related bugs" ?
http://www.debian.org/doc/manuals/developers-reference/ch-pkgs.en.html#s-upload-stable
http://www.debian.org/doc/manuals/developers-reference/ch-pkgs.en.html#s-bug-security
Regards,
Bart Martens
[signature.asc (application/pgp-signature, inline)]
Information forwarded to debian-bugs-dist@lists.debian.org, Bart Martens <bartm@knars.be>: Bug#402822; Package flashplugin-nonfree.
Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>: Extra info received and forwarded to list. Copy sent to Bart Martens <bartm@knars.be>.
Message #57 received at 402822@bugs.debian.org:
On Sun, Feb 04, 2007 at 11:11:56PM +0100, Bart Martens wrote:
> On Sun, 2007-02-04 at 22:20 +0100, Moritz Muehlenhoff wrote:
> > Bart Martens wrote:
> > > Bug 402822 was tagged "security" on 14 Dec 2006. I'm not sure whether
> > > your team scans the BTS daily for bugs tagged "security". :)
> > >
> > > Any suggestions on how to handle this bug?
> > >
> > > New sarge users won't install the insecure plugin, because installing
> > > flashplugin-nonfree 7.0.25-5 cannot download the insecure plugin. So
> > > removing flashplugin-nonfree 7.0.25-5 from "stable" won't make anything
> > > more secure.
> > >
> > > Existing sarge users might still be using the insecure plugin. I could
> > > create flashplugin-nonfree 7.0.25-6 removing the insecure plugin without
> > > installing a new plugin, with a debconf dialog at level "critical"
> > > explaining the removal and suggesting backports.org.
> >
> > non-free/contrib isn't supported by the Security Team. However, it appears
> > to me as if upgrading Sarge through a stable point update to the latest fixed
> > upstream (9.?) would be the best solution. It's a rocky upgrade path, but
> > that's what you have to bear when running proprietary software.
>
> So your advice is to create a package for Sarge to install Flash 9. Two
> questions about that:
>
> 1. Must that package be created starting from 7.0.25-5 (ruby), or is it
> OK to start from 9.0.31.0.1 (shell scripting) ?
>
> 2. Which procedure must be followed, "uploads to the stable
> distribution" or "Handling security-related bugs" ?
> http://www.debian.org/doc/manuals/developers-reference/ch-pkgs.en.html#s-upload-stable
This one, but you should discuss 1.) with the stable release managers first. It's
their call.
Cheers,
Moritz
Information stored: Bug#402822; Package flashplugin-nonfree.
Acknowledgement sent to Bart Martens <bartm@knars.be>: Extra info received and filed, but not forwarded.
Message #62 received at 402822-quiet@bugs.debian.org:
On Sun, 2007-03-11 at 13:13 +0100, Martin Zobel-Helas wrote:
> Hi,
>
> On Sun Mar 11, 2007 at 13:16:24 +0100, Bart Martens wrote:
> > Hi Stable Release Manager(s),
> >
> > Any suggestions on how to handle this bug?
> > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=402822
>
> upload a fixed version to proposed-updates, mentioning the CVE id in the
> changelog.
>
> Greetings
> Martin
>
Hi Martin,
Must that package be created starting from 7.0.25-5 (ruby), or is it OK
to start from 9.0.31.0.x (shell scripting) ?
Regards,
Bart Martens
Information stored: Bug#402822; Package flashplugin-nonfree.
Acknowledgement sent to Martin Zobel-Helas <zobel@ftbfs.de>: Extra info received and filed, but not forwarded.
Message #67 received at 402822-quiet@bugs.debian.org:
Hi,
On Sun Mar 11, 2007 at 13:33:15 +0100, Bart Martens wrote:
> On Sun, 2007-03-11 at 13:13 +0100, Martin Zobel-Helas wrote:
> > Hi,
> >
> > On Sun Mar 11, 2007 at 13:16:24 +0100, Bart Martens wrote:
> > > Hi Stable Release Manager(s),
> > >
> > > Any suggestions on how to handle this bug?
> > > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=402822
> >
> > upload a fixed version to proposed-updates, mentioning the CVE id in the
> > changelog.
> >
> > Greetings
> > Martin
> >
>
> Hi Martin,
>
> Must that package be created starting from 7.0.25-5 (ruby), or is it OK
> to start from 9.0.31.0.x (shell scripting) ?
as always for stable: as few changes as possible.
Greetings
Martin
--
[root@debian /root]# man real-life
No manual entry for real-life
Tags added: help. Request was from Bart Martens <bartm@knars.be> to control@bugs.debian.org.
Information stored: Bug#402822; Package flashplugin-nonfree.
Acknowledgement sent to Bart Martens <bartm@knars.be>: Extra info received and filed, but not forwarded.
Message #74 received at 402822-quiet@bugs.debian.org:
[Message part 1 (text/plain, inline)]
tags 402822 help
stop
On Sun, 2007-03-11 at 16:59 +0100, Martin Zobel-Helas wrote:
> On Sun Mar 11, 2007 at 13:33:15 +0100, Bart Martens wrote:
> > Must that package be created starting from 7.0.25-5 (ruby), or is it OK
> > to start from 9.0.31.0.x (shell scripting) ?
>
> as always for stable: as few changes as possible.
>
I'll take that as "must start from 7.0.25-5 (ruby)".
I'm tagging this bug "help". NMU welcome.
[signature.asc (application/pgp-signature, inline)]
Tags added: wontfix. Request was from Bart Martens <bartm@knars.be> to control@bugs.debian.org. (Wed, 30 May 2007 17:51:03 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, fpiat@bigfoot.com, Bart Martens <bartm@knars.be>: Bug#402822; Package flashplugin-nonfree.
Acknowledgement sent to Franklin Piat <fpiat@bigfoot.com>: Extra info received and forwarded to list. Copy sent to fpiat@bigfoot.com, Bart Martens <bartm@knars.be>.
Message #81 received at 402822@bugs.debian.org:
Package: flashplugin-nonfree
Followup-For: Bug #402822
According to adobe's advisory regarding the vulnerability APSB06-18,
Flash Player 7.0.69.0 and 9.0.28.0 address security vulnerabilities in
previous versions.
Therefore I assume this bug can be closed (stable, testing and
unstable are shipping 9.0.31+ versions).
(Any chance to get a security update for "oldstable"?)
Franklin Piat
-- System Information:
Debian Release: 4.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-4-686
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Versions of packages flashplugin-nonfree depends on:
ii debconf [debconf-2.0] 1.5.11 Debian configuration management sy
ii fontconfig 2.4.2-1.2 generic font configuration library
ii libatk1.0-0 1.12.4-3 The ATK accessibility toolkit
ii libc6 2.3.6.ds1-13 GNU C Library: Shared libraries
ii libcairo2 1.2.4-4 The Cairo 2D vector graphics libra
ii libexpat1 1.95.8-3.4 XML parsing C library - runtime li
ii libfontconfig1 2.4.2-1.2 generic font configuration library
ii libfreetype6 2.2.1-5+etch4 FreeType 2 font engine, shared lib
ii libglib2.0-0 2.12.4-2 The GLib library of C routines
ii libgtk2.0-0 2.8.20-7 The GTK+ graphical user interface
ii libice6 1:1.0.1-2 X11 Inter-Client Exchange library
ii libpango1.0-0 1.14.8-5 Layout and rendering of internatio
ii libpng12-0 1.2.15~beta5-1 PNG library - runtime
ii libsm6 1:1.0.1-3 X11 Session Management library
ii libx11-6 2:1.0.3-7 X11 client-side library
ii libxau6 1:1.0.1-2 X11 authorisation library
ii libxcursor1 1.1.7-4 X cursor management library
ii libxdmcp6 1:1.0.1-2 X11 Display Manager Control Protoc
ii libxext6 1:1.0.1-2 X11 miscellaneous extension librar
ii libxfixes3 1:4.0.1-5 X11 miscellaneous 'fixes' extensio
ii libxi6 1:1.0.1-4 X11 Input extension library
ii libxinerama1 1:1.0.1-4.1 X11 Xinerama extension library
ii libxrandr2 2:1.1.0.2-5 X11 RandR extension library
ii libxrender1 1:0.9.1-3 X Rendering Extension client libra
ii libxt6 1:1.0.2-2 X11 toolkit intrinsics library
ii wget 1.10.2-2 retrieves files from the web
ii zlib1g 1:1.2.3-13 compression library - runtime
Versions of packages flashplugin-nonfree recommends:
ii xfs 1:1.0.1-5 X font server
-- debconf information excluded
Bug marked as fixed in version 9.0.31.0.1. Request was from Bart Martens <bartm@knars.be> to control@bugs.debian.org. (Thu, 19 Jul 2007 08:12:03 GMT)
Bug marked as fixed in version 9.0.31.0.4. Request was from Bart Martens <bartm@knars.be> to control@bugs.debian.org. (Thu, 19 Jul 2007 08:12:04 GMT)
Bug marked as fixed in version 9.0.48.0.1. Request was from Bart Martens <bartm@knars.be> to control@bugs.debian.org. (Thu, 19 Jul 2007 08:12:05 GMT)
Bug marked as fixed in version 9.0.48.0.2. Request was from Bart Martens <bartm@knars.be> to control@bugs.debian.org. (Thu, 19 Jul 2007 08:12:05 GMT)
Severity set to `grave' from `important'. Request was from Bart Martens <bartm@knars.be> to control@bugs.debian.org. (Thu, 19 Jul 2007 08:12:06 GMT)
Reply sent to Bart Martens <bartm@knars.be>: You have taken responsibility.
Notification sent to Ben Hutchings <ben@decadent.org.uk>: Bug acknowledged by developer.
Message #96 received at 402822-done@bugs.debian.org:
http://packages.qa.debian.org/f/flashplugin-nonfree/news/20080331T151403Z.html
http://packages.qa.debian.org/f/flashplugin-nonfree/news/20080216T124605Z.html
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 01 May 2008 07:29:43 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Wed Jun 19 18:54:14 2019
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.