Bug#649384: gnash creates world-readable cookies under /tmp
Alexander Kurtz
kurtz.alex at googlemail.com
Sun Nov 20 14:39:36 UTC 2011
Package: gnash
Version: 0.8.10~git20111001-1
Tags: security
Severity: critical
Justification: Introduces a new security hole
Hi,
after watching videos on YouTube I found this in /tmp:
$ ls -l /tmp/gnash*
-rw-r--r-- 1 alexander alexander 329 Nov 20 15:22 /tmp/gnash-cookies.31032
$
Please note that the file is world-readable. This enables things like:
$ sudo -u nobody cat /tmp/gnash-cookies.31032
Set-Cookie: use_hitbox=72c46ff6cbcdb7c5585c36411b6b334edAEAAAAw
Set-Cookie: VISITOR_INFO1_LIVE=WEbeevRfDNo
Set-Cookie: recently_watched_video_id_list=885d7cf2658d586fc1bef37a995ce29cWwEAAABzCwAAAHV3SFIwM1pHd1k4
Set-Cookie: GEO=0bf89ff87b12d82d91e10ddf1da36d95cwsAAAAzREVUmagnTskNGQ==
Set-Cookie: PREF=f1=40000000&fv=10.1.999
$
Since gnash is installed by default and also starts playing as soon as
flash content is detected, this can be a serious security/privacy issue
on multi-user systems. Gnash should either use $HOME for storing cookies
or create them with sane permissions (0600).
Best regards
Alexander Kurtz
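A defender-side illustration, added here and not part of the report or of gnash's own code: how a cookie file should be created (explicit 0600 mode, a per-user directory rather than the shared /tmp, no reuse of a pre-existing path) together with a check for the world-readable condition shown above. The function names and the directory policy are my own assumptions.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE 1   /* O_NOFOLLOW, O_CLOEXEC, mkdtemp on glibc */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pick a per-user directory for the cookie jar instead of the shared /tmp:
 * $XDG_RUNTIME_DIR (0700 per user by spec), else $HOME. NULL if neither is set.
 * (Assumed policy, not gnash's.) */
const char *private_cookie_dir(void)
{
    const char *d = getenv("XDG_RUNTIME_DIR");
    if (d && *d) return d;
    d = getenv("HOME");
    return (d && *d) ? d : NULL;
}

/* Create "<dir>/gnash-cookies.<pid>" asking for 0600 explicitly (a 0644 file
 * is what you get from requesting 0666 and trusting a typical 022 umask).
 * O_EXCL|O_NOFOLLOW refuses to reuse a file or symlink already at that path.
 * Returns an open fd, or -1 with errno set. */
int create_private_cookie_file(const char *dir, pid_t pid,
                               char *path, size_t path_len)
{
    int n = snprintf(path, path_len, "%s/gnash-cookies.%ld", dir, (long)pid);
    if (n < 0 || (size_t)n >= path_len) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC,
                S_IRUSR | S_IWUSR);
}

/* The check an admin or a test can run on an existing cookie file: regular
 * file, owned by the caller, no group/other bits set.
 * 1 = private, 0 = exposed (the reported case), -1 = cannot be examined. */
int cookie_file_is_private(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0) return -1;
    if (!S_ISREG(st.st_mode) || st.st_uid != getuid()) return 0;
    return (st.st_mode & (S_IRWXG | S_IRWXO)) == 0;
}
```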