Ubuntu
flashplugin-nonfree package

CVE-2009-1862: Security advisory for Adobe Reader, Acrobat and Flash Player

Bug #403825 reported by Micah Gersten
286
This bug affects 2 people
Affects Status Importance Assigned to Milestone
acroread (Ubuntu)
Fix Released
Critical
Unassigned
flashplugin-nonfree (Ubuntu)
Fix Released
Critical
Unassigned

Bug Description

Binary package hint: flashplugin-nonfree

From Adobe site: http://www.adobe.com/support/security/advisories/apsa09-03.html

Security advisory for Adobe Reader, Acrobat and Flash Player

Release date: July 22, 2009

Last Updated: July 23, 2009

Vulnerability identifier: APSA09-03

CVE number: CVE-2009-1862

Platform: All Platforms
Summary

A critical vulnerability exists in the current versions of Flash Player (v9.0.159.0 and v10.0.22.87) for Windows, Macintosh and Linux operating systems, and the authplay.dll component that ships with Adobe Reader and Acrobat v9.x for Windows, Macintosh and UNIX operating systems. This vulnerability (CVE-2009-1862) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild via limited, targeted attacks against Adobe Reader v9 on Windows.

We are in the process of developing a fix for the issue, and expect to provide an update for Flash Player v9 and v10 for Windows, Macintosh, and Linux by July 30, 2009 (the date for Flash Player v9 and v10 for Solaris is still pending). We expect to provide an update for Adobe Reader and Acrobat v9.1.2 for Windows, Macintosh and UNIX by July 31, 2009.

Deleting, renaming, or removing access to the authplay.dll file that ships with Adobe Reader and Acrobat v9.x mitigates the threat for those products, but users will experience a non-exploitable crash or error message when opening a PDF that contains SWF content. Depending on the product, the authplay.dll that ships with Adobe Reader and Acrobat 9.x for Windows is typically located at C:\Program Files\Adobe\Reader 9.0\Reader\authplay.dll or C:\Program Files\Adobe\Acrobat 9.0]\Acrobat\authplay.dll. Windows Vista users should consider enabling UAC (User Access Control) to mitigate the impact of a potential exploit. Flash Player users should exercise caution in browsing untrusted websites. Adobe is in contact with Antivirus and Security vendors regarding the issue and recommend users keep their anti-virus definitions up to date.

Users may monitor the latest information on the Adobe Product Security Incident Response Team blog at the following URL: http://blogs.adobe.com/psirt or by subscribing to the RSS feed here: http://blogs.adobe.com/psirt/atom.xml.
Affected software versions

Adobe Reader and Acrobat 9.1.2 and earlier 9.x versions
Adobe Flash Player 9.0.159.0 and 10.0.22.87 and earlier 9.x and 10.x versions
Severity rating

Adobe categorizes this as a critical update.
Revisions

July 23, 2009 - Advisory updated with date of Adobe Reader for UNIX update
July 22, 2009 - Advisory first created

CVE References

Micah Gersten (micahg)
Changed in acroread (Ubuntu):
importance: Undecided → Critical
Changed in flashplugin-nonfree (Ubuntu):
importance: Undecided → Critical
Changed in acroread (Ubuntu):
status: New → Triaged
Changed in flashplugin-nonfree (Ubuntu):
status: New → Triaged
Changed in acroread (Ubuntu):
status: Triaged → Confirmed
Changed in flashplugin-nonfree (Ubuntu):
status: Triaged → Confirmed
Marc Deslauriers (mdeslaur)
visibility: private → public
Revision history for this message
Micah Gersten (micahg) wrote :

Adobe has released updates:
http://www.adobe.com/support/security/bulletins/apsb09-10.html

Revision history for this message
Adam Spain (adamspain) wrote :

Is there any reason an updated package has not been made available yet? Adobe released an update to Flash last week, and they have rated the security issues as critical - their highest rating.

Revision history for this message
wedgeshot (wedgeshot) wrote :

Is this bug really assigned to "nobody" ????? I'm new around here but assigned to nobody leaves everyone wondering..... I'd really like to see this package updated given it's a critical.

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

acroread and adobe-flashplugin were updated in the partner archive for Hardy, Intrepid and Jaunty.

flashplugin-nonfree still needs to be updated.

Changed in acroread (Ubuntu):
status: Confirmed → Fix Released
Revision history for this message
Odin Hørthe Omdal (velmont) wrote :

Huh? Why is there adobe-flashplugin and flashplugin-nonfree?

When is this going to be updated? Can I tell the users at my office they'll get a security update in Ubuntu soon? Or do they have to download and install it themselves?

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

I'm working on them as we speak. They should come out soon.

Revision history for this message
kapetr (kapetr) wrote :

I thing there is also another problem in Ubuntu 9.04. [sorry please my English!]

I have installed "adobe-flashplugin" (Synaptic) - it is in new/safe version 10.0.32.18 -and I was think, it is all right.

But ! - at "http://www.adobe.com/software/flash/about/" is still reported, that I have "10,0,22,87" version ! (after firefox restart of course). Also users may thing, that after update they are safe, but they did not.

The problem is, that:
/usr/lib/firefox/plugins/flashplugin-alternative.so points to
/etc/alternatives/firefox-flashplugin which points to
/usr/lib/flashplugin-installer/libflashplayer.so AND THIS IS STILL THE OLD "10,0,22,87"

So I did manualy:
mv /usr/lib/flashplugin-installer/libflashplayer.so /usr/lib/flashplugin-installer/libflashplayer.so.old
ln -s /usr/lib/adobe-flashplugin/ libflashplayer.so /usr/lib/flashplugin-installer/libflashplayer.so

BTW - Manage Conten Pluginst allways reports: "Adobe Flash Player (installer)"

I thing, that is bug in "postinst ?" procedure of "adobe-flashplugin" package ?

Thanks for replay.

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

kapetr: you must have installed flash from the adobe site, and not from the Ubuntu repositories. An updated flash package for jaunty is now in the repositories.

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Updated flashplugin-nonfree packages have been released for hardy, intrepid, jaunty and karmic.

Marking this bug as closed.

Changed in flashplugin-nonfree (Ubuntu):
status: Confirmed → Fix Released
Revision history for this message
kapetr (kapetr) wrote :

No !

As I have write - I have installed this package with Synaptic - from standard repository ! Not manually from Adobe package!

BTW - even if this new package was in repository, no automatic update was presented by Ubuntu.

Also - You schould not close this bug.

Changed in acroread (Ubuntu):
status: Fix Released → Confirmed
Revision history for this message
kapetr (kapetr) wrote :

P.S.:

See this my synaptic status:

http://jpnk.wz.cz/Synaptic.png

Maybe it helps.

Revision history for this message
Felix Geyer (debfx) wrote :

You shouldn't install flashplugin-installer (formerly flashplugin-nonfree) and adobe-flashplugin at the same time because they both provide similar functionality.
I recommend removing flashplugin-installer as adobe-flashplugin is the more reliable package.

You still have the old version because it takes some time until the package has been built and all mirrors have synced from the main server.

Changed in acroread (Ubuntu):
status: Confirmed → Fix Released
Revision history for this message
kapetr (kapetr) wrote :

Sorry,

I don't understand You:

1. flashplugin-installer is NOT the same as flashplugin-nonfree
2. it did NOT take some time: the package was in real time downloaded and installed - just the links were NOT updated properly - this is the reason, why the old plugin was still active and this is the reason, why I'm really not sure, that this bug

should not by closed, until this problem is clear !

BTW - I don't thing, that adobe-flashplugin is the better choice then flashplugin-installer:
- adobe-flashplugin didn't update my links, so old version stayed active, but I just have remove this (and my manual links) and Ubuntu-update then has update flashplugin-installer - and in /usr/lib/flashplugin-installer is now the new & working plugin.

Revision history for this message
Felix Geyer (debfx) wrote :

flashplugin-nonfree has been renamed to flashplugin-installer in jaunty (flashplugin-nonfree is a transitional package which only forces the package manager to install flashplugin-installer).

Your screenshot shows that have installed flashplugin-installer 10.0.22.87ubuntu2 which is *not* the most recent version (it's 10.0.32.18ubuntu0.9.04.1).

Installing flashplugin-installer AND adobe-flashplugin is definitely a bad idea and probably caused this problem.

Revision history for this message
chocolateboy (chocolateboy) wrote :

> Installing flashplugin-installer AND adobe-flashplugin
> is definitely a bad idea and probably caused this problem.

Can they be flagged as conflicting/mutually exclusive then? That's the Debian/Ubuntu way, surely, rather than advising people on a bug report that few people will read.

Revision history for this message
kapetr (kapetr) wrote :

Maybe are #14 and #15 right, and the problem is in conflict.

In this case, should be both of this packages: flashplugin-installer and adobe-flashplugin updated.

I still don't known, why adobe-flashplugin by installation did not updated older links from older flashplugin-installer, ... ?!?!

But this problem can occur by many users - and if they do not come across this discussion, they may stay in risk. Also this packages should be updated again, to automatic solve this dangerous possible conflict by others.

To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.