[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [SECURITY] [DSA 2435-1] gnash security update

G'day there Gabriele,

I'm hoping that this finds you fit and well.

Just to let you know, the update for "Squeeze", listed below, does not appear to have been uploaded into the security repository at the time of writing this email.

You may already be aware of this, so please accept my apologies if I'm stating the obvious.

Many thanks to you and your colleagues for maintaining such a great operating system.

Cheerio for now,
Brian.

On 20 March 2012 07:05, Gabriele Giacone <1o5g4r8o@gmail.com> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-2435-1                   security@debian.org
http://www.debian.org/security/                          Gabriele Giacone
March 19, 2012                         http://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : gnash
Vulnerability  : several
Problem type   : local / local (remote)
Debian-specific: no
CVE ID         : CVE-2010-4337 CVE-2011-4328 CVE-2012-1175
Debian Bug     : 605419 649384 664023

Several vulnerabilities have been identified in Gnash, the GNU Flash
player.

CVE-2012-1175

 Tielei Wang from Georgia Tech Information Security Center discovered a
 vulnerability in GNU Gnash which is caused due to an integer overflow
 error and can be exploited to cause a heap-based buffer overflow by
 tricking a user into opening a specially crafted SWF file.

CVE-2011-4328

 Alexander Kurtz discovered an unsafe management of HTTP cookies. Cookie
 files are stored under /tmp and have predictable names, vulnerability
 that allows a local attacker to overwrite arbitrary files the users has
 write permissions for, and are also world-readable which may cause
 information leak.

CVE-2010-4337

 Jakub Wilk discovered an unsafe management of temporary files during the
 build process. Files are stored under /tmp and have predictable names,
 vulnerability that allows a local attacker to overwrite arbitrary files
 the users has write permissions for.

For the stable distribution (squeeze), this problem has been fixed in
version 0.8.8-5+squeeze1.

For the unstable distribution (sid), this problem has been fixed in
version 0.8.10-5.

We recommend that you upgrade your gnash packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAk9nusMACgkQQWTRs4lLtHkgpwCgl9BiBCIslY0CitvMaYj0hIxx
+4UAoL9xJ0yinmxXn/rRrRgu11dzimgD
=cfiS
-----END PGP SIGNATURE-----


--
To UNSUBSCRIBE, email to debian-security-announce-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/201203200005.34411.1o5g4r8o@gmail.com




--
Brian Booth,
Mobile:  0409 233 995
Mobile:  0469 012 389
Telephone:  08 9443 9691
Telephone:  08 6262 5652
email:  brianbth@gmail.com
P.O. Box 264,
MOUNT HAWTHORN. W.A. 6915
Reply to: