Bug#649384: gnash creates world-readable cookies under /tmp
Francesco Poli
invernomuto at paranoici.org
Sun Nov 20 20:12:10 UTC 2011
On Sun, 20 Nov 2011 15:39:36 +0100 Alexander Kurtz wrote:
[...]
> Hi,
>
> after watching videos on YouTube I found this in /tmp:
>
> $ ls -l /tmp/gnash*
> -rw-r--r-- 1 alexander alexander 329 Nov 20 15:22 /tmp/gnash-cookies.31032
> $

Hi!
I am a user of the gnash package and I am experiencing the same issue.

> Please note that the file is world-readable.
[...]
> Since gnash is installed per default and also starts playing as soon as
> flash content is detected, this can be a serious security/privacy issue
> on multi-user systems. Gnash should either use $HOME for storing cookies
> or create them with sane permissions (0600).

I would add the following consideration: why does gnash create cookies
at all?
I thought I managed to disable flash cookies a long time ago with the
following setting:

  $ grep SOLSafeDir /etc/gnashrc
  set SOLSafeDir /dev/null

but it seems that this option is not (or no longer?) enough to prevent
gnash from creating/storing cookies.

Could someone please tell me where the option to disable cookies is?
I think there should be one, but I seem to be unable to find it...

Thanks for your time!

--
http://www.inventati.org/frx/frx-gpg-key-transition-2010.txt
New GnuPG key, see the transition document!
..................................................... Francesco Poli .
GnuPG key fpr == CA01 1147 9CD2 EFDF FB82 3925 3E1C 27E1 1F69 BFFE
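
The fix requested in the quoted report (cookie files created with mode 0600) shown beside the umask-dependent creation pattern that leaves a file world-readable, as an added C example that is neither gnash's code nor part of the original message. The function names, the scratch path `/tmp/cookie-demo.XXXXXX` and the sample file content are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
static const char SAMPLE[] = "# constructed sample cookie data\n";

/* Weak: fopen() requests 0666 minus the umask, so umask 022 gives 0644. */
static int create_weak(const char *path) {
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fputs(SAMPLE, f);
    return fclose(f);
}

/* Hardened: mkstemp() creates a fresh name exclusively; fchmod() pins 0600. */
static int create_private(char *tmpl) {
    int fd = mkstemp(tmpl);
    if (fd < 0) return -1;
    if (fchmod(fd, S_IRUSR | S_IWUSR) != 0 ||
        write(fd, SAMPLE, sizeof SAMPLE - 1) != (ssize_t)(sizeof SAMPLE - 1)) {
        close(fd); unlink(tmpl);
        return -1;
    }
    return close(fd);
}

static int perm_bits(const char *path) {
    struct stat st;
    return lstat(path, &st) == 0 ? (int)(st.st_mode & 0777) : -1;
}

/* Creates both files in a scratch directory under umask 022, reports modes. */
static int compare_modes(int *weak, int *priv) {
    char dir[] = "/tmp/cookie-demo.XXXXXX", a[64], b[64];
    mode_t old = umask(022);
    int ok = mkdtemp(dir) != NULL;
    snprintf(a, sizeof a, "%s/cookies.weak", dir);
    snprintf(b, sizeof b, "%s/cookies.XXXXXX", dir);
    ok = ok && create_weak(a) == 0 && create_private(b) == 0;
    *weak = perm_bits(a); *priv = perm_bits(b);
    unlink(a); unlink(b); rmdir(dir); umask(old);
    return ok ? 0 : -1;
}

int main(void) {
    int w, p, rc = compare_modes(&w, &p);
    if (rc == 0) printf("weak %04o, private %04o\n", (unsigned)w, (unsigned)p);
    return rc != 0;
}
```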