[Bug 908597] New: freshplayerplugin is unsecure, also the newest version!
http://bugzilla.novell.com/show_bug.cgi?id=908597

Bug ID: 908597
Summary: freshplayerplugin is unsecure, also the newest version!
Classification: openSUSE
Product: openSUSE Factory
Version: 201411*
Hardware: x86-64
OS: SUSE Other
Status: NEW
Keywords: security_vulnerability
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: security-team@suse.de
Reporter: w.pelser@web.de
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

I installed freshplayerplugin from obs://build.opensuse.org/home:scalpel4 and chromium-pepper-flash from obs://build.opensuse.org/home:mik34020.

Then I tested with Firefox 34.0.5 in "extras" my plugin, whether it is actual or not. The result was that the detected version of shockwaveflash was old and unsecure! "version": "11.9.900.152", in /usr/share/chromium/PepperFlash/manifest.json.

So I extracted from google-chrome-stable-39.0.2171.71-1.x86_64.rpm to /opt/google/chrome/Pepperflash the newest version and copied it into /usr/lib64/chromium.

Then I tested again with Firefox 34.0.5 in "extras" my plugin, whether it is actual or not. The result was again that the detected version of shockwaveflash was old and unsecure! "version": "11.9.900.152". But in /usr/share/chromium/PepperFlash/manifest.json was now version "version": "15.0.0.239". The test site run by Adobe showed that the newest version of shockwave-flash was installed.

So I tried to compile a new libfreshwrapper-pepperflash.so with

    git clone https://github.com/i-rinat/freshplayerplugin.git

The compilation was easy and brought a new plugin and I copied it into /usr/lib64/browser-plugins.

Then I tested again with Firefox 34.0.5 in "extras" my plugin, whether they are actual or not. The result now was "15.0.0.239"!

If there should be an alternative to Adobe's old linux-flashplayer it should be a secure one! I'm interested in your reaction.

--
You are receiving this mail because:
You are on the CC list for the bug.

Marcus Meissner <meissner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |inscriptions1982@gmail.com,
                   |                            |scalpel4k@gmail.com

--- Comment #1 from Marcus Meissner <meissner@suse.com> ---
this only seems to be in home:user directories currently... security is not looking at those.

I am ccing the two users.

(FWIW, if it's a good idea to have freshplayerplugin in factory it should get submitted.)

Marcus Meissner <meissner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |meissner@suse.com

--- Comment #2 from Walther Pelser <w.pelser@web.de> ---
Thanks. I did not know how to come in contact with scalpel4. So I tried this way. The "official" version comes from packman, so I will try to send an e-mail to this team.

--- Comment #3 from Walther Pelser <w.pelser@web.de> ---
The packman-point is obsolete.

--- Comment #4 from Walther Pelser <w.pelser@web.de> ---
There are two different systematics for the version numbers of chromium-pepper-flash, one made by packman and one made by scalpel4. So I became the victim of the Yast-software-update-window. The packman-version seemed to be a very old one, but it wasn't. Sorry for that. But it should be made better, to avoid such misunderstandings.

--- Comment #5 from Michael Woski <scalpel4k@gmail.com> ---
(In reply to Walther Pelser from comment #4)
> There are two different systematics for the version numbers of
> chromium-pepper-flash, one made by packman and one made by scalpel4. So I
> became the victim of the Yast-software-update-window. The packman-version
> seemed to be a very old one, but it wasn't. Sorry for that. But it should
> be made better, to avoid such misunderstandings.

Hi Walther,

I don't quite understand your problem. freshplayer plugin is being installed into %{_libdir}/browser-plugins and works as a small shim to %{_libdir}/chromium/PepperFlash/libpepflashplayer.so. The latter comes from an extra package, e.g. available from packman. The version I build is not being published. My freshplayerplugin package together with packman's chromium-pepper-flash package is definitely working nicely together.

--- Comment #6 from Walther Pelser <w.pelser@web.de> ---
Hallo Michael!

Thanks for the answer! I often use the search-function " /software.opensuse.org/search" to find newer software. There I found a link to home::mik3 4020, when I searched for available packages with "chromium-pepper-flash". This package caused the problems for me, this I had in mind, when I wrote Comment#4.

I found your package "freshplayerplugin" in the same way, but there are no problems. It works fine in my Firefox with the packman-package and even with my self-compiled one. (Because the YaST-installation-utility printed that there was a dependency between these two packages, I mentioned them together.)

So my comment is for mik3 4020 and I hope he could read it too. And as I wrote before, I didn’t know how to contact him.

Your freshplayerplugin should become part of an official repository very soon. It is working better for me than the old npapi-version.