Bug#649384: gnash creates world-readable cookies under /tmp

Francesco Poli invernomuto at paranoici.org
Sun Nov 20 20:12:10 UTC 2011

On Sun, 20 Nov 2011 15:39:36 +0100 Alexander Kurtz wrote:

> Hi,
> after watching videos on YouTube I found this in /tmp:
> 	$ ls -l /tmp/gnash*
> 	-rw-r--r-- 1 alexander alexander 329 Nov 20 15:22 /tmp/gnash-cookies.31032
> 	$

I am a user of the gnash package and I am experiencing the same issue.

> Please note that the file is world-readable.
> Since gnash is installed per default and also starts playing as soon as
> flash content is detected, this can be a serious security/privacy issue
> on multi-user systems. Gnash should either use $HOME for storing cookies
> or create them with sane permissions (0600).

I would add the following consideration: why does gnash create cookies
at all?

I thought I managed to disable flash cookies long time ago with the
following setting:

  $ grep SOLSafeDir /etc/gnashrc
  set SOLSafeDir /dev/null

but it seems that this option is not (or no longer?) enough to prevent
gnash from creating/storing cookies.

Could someone please tell me where is the option to disable cookies?
I think there should be one, but I seem to be unable to find it...

Thanks for your time!

 New GnuPG key, see the transition document!
..................................................... Francesco Poli .
 GnuPG key fpr == CA01 1147 9CD2 EFDF FB82  3925 3E1C 27E1 1F69 BFFE
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 836 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-flash-devel/attachments/20111120/d0fbff47/attachment.pgp>

More information about the pkg-flash-devel mailing list