[Secure-testing-team] Bug#623005: Current flashplugin-nonfree situation is FFS
root
pmatthaei at debian.org
Sat Apr 16 15:14:58 UTC 2011
Package: flashplugin-nonfree
Version: 1:2.8.3
Severity: grave
Tags: security
Justification: user security hole
Hello,
The prop. flash-player has been out of date in Debian for quite some time, speaking of:
http://people.debian.org/~bartm/flashplugin-nonfree/
The plugin is "outdated" with many serious security holes, it is not binNMU- and
update-able.
Currently only update-flashplugin-nonfree updates the packaging (if you have
updated the binaries on people.d.o), because you want to verify the signatures
of the downloaded files, which is useless IMHO, because you have to download
it without any verification from adobe.com, so if your download is compromised
every other user will get the evil binaries.
-- Package-specific info:
Debian version: wheezy/sid
Architecture: amd64
Package version: 1:2.8.3
Adobe Flash Player version: LNX 10,3,162,29
MD5 checksums:
Alternatives:
flash-mozilla.so - auto mode
link currently points to /usr/lib/flashplugin-nonfree/libflashplayer.so
/usr/lib/flashplugin-nonfree/libflashplayer.so - priority 50
Current 'best' version is '/usr/lib/flashplugin-nonfree/libflashplayer.so'.
lrwxrwxrwx 1 root root 34 Dec 30 20:16 /usr/lib/mozilla/plugins/flash-mozilla.so -> /etc/alternatives/flash-mozilla.so
/usr/lib/mozilla/plugins/flash-mozilla.so: symbolic link to `/etc/alternatives/flash-mozilla.so'
-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable'), (200, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.38-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages flashplugin-nonfree depends on:
ii debconf [debconf 1.5.38 Debian configuration management sy
ii gnupg 1.4.11-3 GNU privacy guard - a free PGP rep
ii libatk1.0-0 2.0.0-1 The ATK accessibility toolkit
ii libcairo2 1.10.2-6 The Cairo 2D vector graphics libra
ii libcurl3-gnutls 7.21.4-2 Multi-protocol file transfer libra
ii libfontconfig1 2.8.0-2.1 generic font configuration library
ii libfreetype6 2.4.4-1 FreeType 2 font engine, shared lib
ii libgcc1 1:4.6.0-2 GCC support library
ii libglib2.0-0 2.28.6-1 The GLib library of C routines
ii libgtk2.0-0 2.24.4-3 The GTK+ graphical user interface
ii libnspr4-0d 4.8.7-2 NetScape Portable Runtime Library
ii libnss3-1d 3.12.9.with.ckbi.1.82-1 Network Security Service libraries
ii libpango1.0-0 1.28.3-6 Layout and rendering of internatio
ii libstdc++6 4.6.0-2 The GNU Standard C++ Library v3
ii libx11-6 2:1.4.3-1 X11 client-side library
ii libxext6 2:1.2.0-2 X11 miscellaneous extension librar
ii libxt6 1:1.1.1-1 X11 toolkit intrinsics library
ii wget 1.12-3 retrieves files from the web
flashplugin-nonfree recommends no packages.
Versions of packages flashplugin-nonfree suggests:
pn flashplugin-nonfree-extrasoun <none> (no description available)
ii iceweasel 4.0-3 Web browser based on Firefox
pn konqueror-nsplugins <none> (no description available)
ii msttcorefonts 2.7 transitional dummy package
ii ttf-dejavu 2.33-1 Metapackage to pull in ttf-dejavu-
ii ttf-mscorefonts-installer [ms 3.3 Installer for Microsoft TrueType c
pn ttf-xfree86-nonfree <none> (no description available)
pn x-ttcidfont-conf <none> (no description available)
-- no debconf information
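
The trust problem raised in the report, modelled as an added example (not part of the original message and not code from flashplugin-nonfree): a signature made by the packager over an unverified download only proves the user received what the packager signed. The HMAC stand-in for the GPG signature, the byte strings, and the optional vendor digest obtained over an authenticated channel are all assumptions made for the demonstration.

```python
import hashlib
import hmac

# Constructed stand-in for the packager's signing key (the real updater uses GPG).
PACKAGER_KEY = b"constructed-demo-key"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign(data: bytes) -> str:
    """Stand-in for a detached signature over the tarball."""
    return hmac.new(PACKAGER_KEY, data, hashlib.sha256).hexdigest()


def packager_publish(downloaded: bytes, vendor_digest=None) -> str:
    """Sign the downloaded tarball. If a vendor digest obtained over an
    authenticated channel is supplied (assumption), refuse on mismatch."""
    if vendor_digest is not None and not hmac.compare_digest(
        sha256(downloaded), vendor_digest
    ):
        raise ValueError("download does not match vendor digest; not signing")
    return sign(downloaded)


def user_verify(downloaded: bytes, signature: str) -> bool:
    """All the updater on a user's machine can check: the packager's signature."""
    return hmac.compare_digest(sign(downloaded), signature)


def scenario():
    genuine = b"constructed: tarball as published by the vendor"
    altered = b"constructed: tarball altered before the packager received it"

    # Case 1: the packager has nothing to compare against and signs the altered file.
    sig = packager_publish(altered)
    user_accepts_altered = user_verify(altered, sig)
    user_rejects_genuine = not user_verify(genuine, sig)

    # Case 2: the packager checks an independently obtained vendor digest first.
    try:
        packager_publish(altered, vendor_digest=sha256(genuine))
        blocked_before_signing = False
    except ValueError:
        blocked_before_signing = True
    return user_accepts_altered, user_rejects_genuine, blocked_before_signing


if __name__ == "__main__":
    print(scenario())
```
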