Bug#649384: gnash creates world-readable cookies under /tmp

Alexander Kurtz kurtz.alex at googlemail.com
Sun Nov 20 14:39:36 UTC 2011

Package: gnash
Version: 0.8.10~git20111001-1
Tags: security
Severity: critical
Justification: Introduces a new security hole


after watching videos on YouTube I found this in /tmp:

	$ ls -l /tmp/gnash*
	-rw-r--r-- 1 alexander alexander 329 Nov 20 15:22 /tmp/gnash-cookies.31032

Please note that the file is world-readable. This enables things like:

	$ sudo -u nobody cat /tmp/gnash-cookies.31032 
	Set-Cookie: use_hitbox=72c46ff6cbcdb7c5585c36411b6b334edAEAAAAw
	Set-Cookie:  VISITOR_INFO1_LIVE=WEbeevRfDNo
	Set-Cookie:  recently_watched_video_id_list=885d7cf2658d586fc1bef37a995ce29cWwEAAABzCwAAAHV3SFIwM1pHd1k4
	Set-Cookie:  GEO=0bf89ff87b12d82d91e10ddf1da36d95cwsAAAAzREVUmagnTskNGQ==
	Set-Cookie:  PREF=f1=40000000&fv=10.1.999

Since gnash is installed per default and also starts playing as soon as
flash content is detected, this can be a serious security/privacy issue
on multi-user systems. Gnash should either use $HOME for storing cookies
or create them with sane permissions (0600).

Best regards

Alexander Kurtz
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part
URL: <http://lists.alioth.debian.org/pipermail/pkg-flash-devel/attachments/20111120/0eaffdfb/attachment.pgp>

More information about the pkg-flash-devel mailing list