Package: gnash Version: 0.8.10~git20111001-1 Tags: security Severity: critical Justification: Introduces a new security hole Hi, after watching videos on YouTube I found this in /tmp: $ ls -l /tmp/gnash* -rw-r--r-- 1 alexander alexander 329 Nov 20 15:22 /tmp/gnash-cookies.31032 $ Please note that the file is world-readable. This enables things like: $ sudo -u nobody cat /tmp/gnash-cookies.31032 Set-Cookie: use_hitbox=72c46ff6cbcdb7c5585c36411b6b334edAEAAAAw Set-Cookie: VISITOR_INFO1_LIVE=WEbeevRfDNo Set-Cookie: recently_watched_video_id_list=885d7cf2658d586fc1bef37a995ce29cWwEAAABzCwAAAHV3SFIwM1pHd1k4 Set-Cookie: GEO=0bf89ff87b12d82d91e10ddf1da36d95cwsAAAAzREVUmagnTskNGQ== Set-Cookie: PREF=f1=40000000&fv=10.1.999 $ Since gnash is installed per default and also starts playing as soon as flash content is detected, this can be a serious security/privacy issue on multi-user systems. Gnash should either use $HOME for storing cookies or create them with sane permissions (0600). Best regards Alexander Kurtz
Attachment:
signature.asc
Description: This is a digitally signed message part