Bug 755518 (CVE-2011-4328)

Summary: CVE-2011-4328 gnash: Unsafe management of HTTP cookies
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: denis.arnaud_fedora, hicham.haouari, jreznik
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=low,public=20111120,reported=20111120,source=debian,cvss2=2.1/AV:L/AC:L/Au:N/C:P/I:N/A:N,fedora-all/gnash=affected
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-08-22 10:51:07 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 755520    
Bug Blocks:    

Description Jan Lieskovsky 2011-11-21 06:32:43 EST
A security flaw was found in the way Shockwave Flash plug-in of the gnash, a GNU flash movie player, performed management of HTTP cookies (they were stored under /tmp directory with world-readable permissions). A local attacker could use this flaw to obtain sensitive information.

References:
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=649384
Comment 1 Jan Lieskovsky 2011-11-21 06:34:18 EST
This issue affects the versions of the gnash package, as shipped with Fedora release of 14, 15, and 16. Please schedule an update (once final upstream patch known).
Comment 2 Jan Lieskovsky 2011-11-21 06:35:21 EST
Created gnash tracking bugs for this issue

Affects: fedora-all [bug 755520]
Comment 3 Jan Lieskovsky 2011-11-21 06:38:38 EST
CVE request:
[2] http://www.openwall.com/lists/oss-security/2011/11/21/7
Comment 4 Jan Lieskovsky 2011-11-21 12:23:58 EST
The CVE identifier of CVE-2011-4328 has been assigned to this issue:
http://www.openwall.com/lists/oss-security/2011/11/21/12
Comment 5 Fedora Update System 2012-03-06 15:37:26 EST
gnash-0.8.10-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2012-03-08 16:25:23 EST
gnash-0.8.10-1.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2012-03-08 16:26:18 EST
gnash-0.8.10-1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.