Your message dated Mon, 09 Jul 2012 09:38:44 +0100
with message-id <086a602cb2a76f9d054c9bb315787...@hogwarts.powdarrmonkey.net>
and subject line Re: Bug#649384: gnash creates world-readable cookies under /tmp with predictable filenames
has caused the Debian Bug report #649384,
regarding gnash creates world-readable cookies under /tmp with predictable filenames
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
649384: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=649384
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: gnash
Version: 0.8.10~git20111001-1
Tags: security
Severity: critical
Justification: Introduces a new security hole

Hi,

after watching videos on YouTube I found this in /tmp:

        $ ls -l /tmp/gnash*
        -rw-r--r-- 1 alexander alexander 329 Nov 20 15:22 /tmp/gnash-cookies.31032
        $ 

Please note that the file is world-readable. This enables things like:

        $ sudo -u nobody cat /tmp/gnash-cookies.31032 
        Set-Cookie: use_hitbox=72c46ff6cbcdb7c5585c36411b6b334edAEAAAAw
        Set-Cookie:  VISITOR_INFO1_LIVE=WEbeevRfDNo
        Set-Cookie:  recently_watched_video_id_list=885d7cf2658d586fc1bef37a995ce29cWwEAAABzCwAAAHV3SFIwM1pHd1k4
        Set-Cookie:  GEO=0bf89ff87b12d82d91e10ddf1da36d95cwsAAAAzREVUmagnTskNGQ==
        Set-Cookie:  PREF=f1=40000000&fv=10.1.999
        $

Since gnash is installed per default and also starts playing as soon as
flash content is detected, this can be a serious security/privacy issue
on multi-user systems. Gnash should either use $HOME for storing cookies
or create them with sane permissions (0600).

Best regards

Alexander Kurtz



--- End Message ---
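
The two creation patterns the report contrasts, as an added example (not gnash's code and not part of the original thread): a cookie file with a predictable name and umask-dependent mode, next to one created with an unpredictable name and mode 0600. The function names, the scratch directory and the reading of the numeric suffix as the process ID are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern from the report: guessable name (suffix assumed to be the PID),
 * mode left to the umask. Under the common umask 022 this gives 0644. */
int create_weak(const char *dir, char *path, size_t len)
{
    snprintf(path, len, "%s/gnash-cookies.%d", dir, (int)getpid());
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
}

/* Hardened: mkstemp() picks an unpredictable suffix and creates the file
 * with O_EXCL; fchmod() pins 0600 whatever the libc default is. */
int create_private(const char *dir, char *path, size_t len)
{
    int n = snprintf(path, len, "%s/gnash-cookies.XXXXXX", dir);
    if (n < 0 || (size_t)n >= len) return -1;
    int fd = mkstemp(path);
    if (fd >= 0 && fchmod(fd, S_IRUSR | S_IWUSR) != 0) {
        close(fd); unlink(path); return -1;
    }
    return fd;
}

/* Runs one variant in a fresh scratch directory under umask 022 and
 * returns the file's permission bits, or -1 on error. */
int demo_mode(int hardened)
{
    char dir[] = "/tmp/cookie-demo.XXXXXX", path[128];
    struct stat st;
    int mode = -1;
    if (!mkdtemp(dir)) return -1;
    mode_t old = umask(022);
    int fd = hardened ? create_private(dir, path, sizeof path)
                      : create_weak(dir, path, sizeof path);
    umask(old);
    if (fd >= 0 && fstat(fd, &st) == 0) mode = (int)(st.st_mode & 0777);
    if (fd >= 0) { close(fd); unlink(path); }
    rmdir(dir);
    return mode;
}

int main(void)
{
    printf("weak: %04o\nhardened: %04o\n", (unsigned)demo_mode(0), (unsigned)demo_mode(1));
    return 0;
}
```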
--- Begin Message ---
Version: 0.8.8-5+squeeze1

On 2012-07-09 00:45, Didier Raboud wrote:
On Sunday, 8 July 2012 17.13:39, Gabriele Giacone wrote:
On 07/08/2012 09:15 PM, Jonathan Wiltshire wrote:
> Recently you fixed one or more security problems and as a result you
> closed this bug. These problems were not serious enough for a Debian
> Security Advisory, so they are now on my radar for fixing in the
> following suites through point releases:
>
> squeeze (6.0.6) - use target "stable"

False positive, your radar didn't detect DSA-2435 [CVE-2011-4328] has been created for such issue and fixed through security updates first,
then shipped with 6.0.5.

-done then.

OdyX

Thanks, tracker updated. In fact the bug was already closed (this triggers
the notification) but the BTS doesn't have correct version information.

--
Jonathan Wiltshire                                      j...@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51


--- End Message ---
