[Gnash-commit] [bug #34903] CVE-2011-4328: gnash creates world-readable

gnash-commit

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Gnash-commit] [bug #34903] CVE-2011-4328: gnash creates world-readable

From:	Gabriele Giacone
Subject:	[Gnash-commit] [bug #34903] CVE-2011-4328: gnash creates world-readable cookies under /tmp with predictable filenames
Date:	Sat, 26 Nov 2011 03:40:29 +0000
User-agent:	Mozilla/5.0 (X11; Linux x86_64; rv:8.0) Gecko/20100101 Firefox/8.0 Iceweasel/8.0

URL:
  <http://savannah.gnu.org/bugs/?34903>

                 Summary: CVE-2011-4328: gnash creates world-readable cookies
under /tmp with predictable filenames
                 Project: Gnash - The GNU Flash player
            Submitted by: gg0
            Submitted on: Sat 26 Nov 2011 04:40:28 AM CET
                Category: plugin
                Severity: 3 - Normal
                 Release: master
                  Status: None
                 Privacy: Public
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Any

    _______________________________________________________

Details:


Forwarding http://bugs.debian.org/649384

Attached 2 patches. One moves cookies/launchers under $HOME/.gnash, proposed
few days ago [0]. Second one doesn't move them, randomizes file names and
makes them 600 with mkstemp(). I don't really like it cause I had to add boost
libs to the plugin, but it's the best I've managed to do so far.
Please review and feel free to push better ones.


[0] http://bugs.debian.org/649384#49



    _______________________________________________________

File Attachments:


-------------------------------------------------------
Date: Sat 26 Nov 2011 04:40:28 AM CET  Name: movetohomedir.diff  Size: 3kB  
By: gg0

<http://savannah.gnu.org/bugs/download.php?file_id=24459>
-------------------------------------------------------
Date: Sat 26 Nov 2011 04:40:28 AM CET  Name: mkstemp.diff  Size: 4kB   By: gg0

<http://savannah.gnu.org/bugs/download.php?file_id=24460>

    _______________________________________________________

Reply to this item at:

  <http://savannah.gnu.org/bugs/?34903>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.gnu.org/

[Prev in Thread]

Current Thread

[Next in Thread]

[Gnash-commit] [bug #34903] CVE-2011-4328: gnash creates world-readable cookies under /tmp with predictable filenames, Gabriele Giacone <=
- [Gnash-commit] [bug #34903] CVE-2011-4328: gnash creates world-readable cookies under /tmp with predictable filenames, Gabriele Giacone, 2011/11/25
  - [Gnash-commit] [bug #34903] CVE-2011-4328: gnash creates world-readable cookies under /tmp with predictable filenames, Gabriele Giacone, 2011/11/26
    - Message not available
    - [Gnash-commit] [bug #34903] CVE-2011-4328: gnash creates world-readable cookies under /tmp with predictable filenames, Benjamin Wolsey, 2011/11/27
    - [Gnash-commit] [bug #34903] CVE-2011-4328: gnash creates world-readable cookies under /tmp with predictable filenames, Gabriele Giacone, 2011/11/27
    - Message not available
    - Message not available
    - [Gnash-commit] [bug #34903] CVE-2011-4328: gnash creates world-readable cookies under /tmp with predictable filenames, Gabriele Giacone, 2011/11/30

Prev by Date: [Gnash-commit] buildbot success in Gnash on oneiric-linux-i386
Next by Date: [Gnash-commit] [bug #34903] CVE-2011-4328: gnash creates world-readable cookies under /tmp with predictable filenames
Previous by thread: [Gnash-commit] [bug #34902] gnash fails to build with cygnal sshclient
Next by thread: [Gnash-commit] [bug #34903] CVE-2011-4328: gnash creates world-readable cookies under /tmp with predictable filenames
Index(es):
- Date
- Thread