browser-plugin-freshplayer-pepperflash broken

Attached please find some terminal output from the crash case ("Always Activate") when starting Firefox from command line.

It works with Firefox 56.0; there are reasons to assume that browser-plugin-freshplayer-pepperflash lacks support for Firefox's improved sandboxing feature.

@Naël and @Niklas: Would appreciate to know if you see the same issue as I do, an whether you think that the proposed upgrade to version 0.3.9 is a decent way to fix it.

The Cosmic build failed for s390x, which prevents migrating to cosmic-release. OTOH, the browser-plugin-freshplayer-pepperflash package is a wrapper to be used together with the PPAPI plugin in adobe-flashplugin, which is only built for amd64 and i386. So let's only build the package for amd64 and i386.

Attached please find a debdiff with that change to be applied to the version in cosmic-proposed. For bionic and xenial I have changed the proposed uploads in the PPA in the same way.

Rebuild with upgraded ffmpeg failed:

https://launchpad.net/ubuntu/+source/freshplayerplugin/0.3.9-0ubuntu2

Attached new debdiff with a cherry picked upstream commit to handle that.

Successfully built on cosmic. Still in -proposed, though, awaiting the migration of the latest ffmpeg.

Hello Gunnar, or anyone else affected,

Accepted freshplayerplugin into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/freshplayerplugin/0.3.9-0ubuntu0.18.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

If you don't mind I have modified the version number to follow the security team's versioning scheme. There was nothing wrong with the previous versioning - I prefer if that kind of versioning is used for direct backports to series where other versioning schemes wouldn't quite cut it.

No problem with the version number, of course.

Verified the test case using browser-plugin-freshplayer-pepperflash 0.3.9-0ubuntu0.18.04.1 from bionic-proposed.

+ * debian/rules:
+ - libpdf and NaCl wrappers dropped upstream, so dropping the
+ browser-plugin-freshplayer-libpdf and
+ browser-plugin-freshplayer-nacl binaries.

This will leave these binary packages installed on users' systems. What if there's a future security update that address vulnerabilities in them? Should these be removed on users' systems instead, with a Breaks/Replaces for example?

AFAICT, this question applies to both the version in bionic-proposed and the version in the queue for xenial-proposed.

Hi Robie,

Addressing that makes sense, I suppose. Not sure, though, which kind of d/control entries you have in mind, considering that they are not replaced by anything.

Please note that browser-plugin-freshplayer-pepperflash is not built on all architectures, so in that case we may want to handle those in a similar way.

> which kind of d/control entries you have in mind

https://wiki.debian.org/PackageTransition case 6 or 11 perhaps?

I'm not sure either. It occurs to me now that perhaps if the plugins are completely broken and won't be restored, then there will never be any need to be able to update them anyway.

Another option might be to turn them into empty packages.

Or perhaps nothing needs to be done.

I'll ask others for opinions on this.

> This will leave these binary packages installed on users' systems. What if there's a future security update that address vulnerabilities in them?

They were not functional in the first place. Both were just an experiment hidden behind a switch, which was off by default. Also there is no much sense in developing them to a working state, since Firefox dropped any plugins other than Flash. They'll just be ignored by the browser.

So, most probably, there won't be any updates for -libpdf and -nacl.

> Another option might be to turn them into empty packages.

That would be nice. It's better to have them removed, since some other browsers could still load other plugins. And if for some reason some future update reintroduces those plugins again, updates would be easier. I guess with Break/Replace it will be trickier.

When I reviewed the bionic package my assumption is what Rinat mentioned: the removed packages were broken and unusable in the current state, so no security uploads would be happening anyway. That being said, maybe adding a breaks would be indeed a good idea since otherwise users will be left with some unneeded packages on their systems.

Posting the address to an IRC discussion with Robie last Wednesday:

https://irclogs.ubuntu.com/2018/08/15/%23ubuntu-devel.html#t16:55

This bug was fixed in the package freshplayerplugin - 0.3.9-0ubuntu3

---------------
freshplayerplugin (0.3.9-0ubuntu3) cosmic; urgency=medium

  * debian/control:
    - Only build amd64 and i386.
  * debian/patches/use-AV_-prefixed-macros.patch:
    - Prevent build failure with ffmpeg 7:4.0.2.

 -- Gunnar Hjalmarsson <email address hidden> Tue, 31 Jul 2018 00:05:00 +0200

After some discussion we decided to just let the package in as is. Releasing.

This bug was fixed in the package freshplayerplugin - 0.3.9-0ubuntu0.18.04.1

---------------
freshplayerplugin (0.3.9-0ubuntu0.18.04.1) bionic; urgency=medium

  * New upstream release (LP: #1778041)
  * debian/patches/typo-from-lintian.patch:
    - Dropped; applied upstream.
  * debian/browser-plugin-freshplayer-libpdf.install:
  * debian/browser-plugin-freshplayer-nacl.install:
  * debian/browser-plugin-freshplayer-pepperflash.install:
  * debian/control:
  * debian/rules:
    - libpdf and NaCl wrappers dropped upstream, so dropping the
      browser-plugin-freshplayer-libpdf and
      browser-plugin-freshplayer-nacl binaries.
    - Avoid duplication of libfreshwrapper-flashplayer.so.
  * debian/control:
    - Add libicu-dev to Build-Depends.
    - Only build amd64 and i386.

 -- Gunnar Hjalmarsson <email address hidden> Mon, 16 Jul 2018 18:04:00 +0200

The verification of the Stable Release Update for freshplayerplugin has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Hello Gunnar, or anyone else affected,

Accepted freshplayerplugin into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/freshplayerplugin/0.3.9-0ubuntu0.16.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Verified the test case using browser-plugin-freshplayer-pepperflash 0.3.9-0ubuntu0.16.04.1 from xenial-proposed.

This bug was fixed in the package freshplayerplugin - 0.3.9-0ubuntu0.16.04.1

---------------
freshplayerplugin (0.3.9-0ubuntu0.16.04.1) xenial; urgency=medium

  * New upstream release (LP: #1778041)
  * debian/browser-plugin-freshplayer-libpdf.install:
  * debian/browser-plugin-freshplayer-nacl.install:
  * debian/browser-plugin-freshplayer-pepperflash.install:
  * debian/control:
  * debian/rules:
    - libpdf and NaCl wrappers dropped upstream, so dropping the
      browser-plugin-freshplayer-libpdf and
      browser-plugin-freshplayer-nacl binaries.
    - Avoid duplication of libfreshwrapper-flashplayer.so.
  * debian/control:
    - Add libicu-dev to Build-Depends.
    - Only build amd64 and i386.

 -- Gunnar Hjalmarsson <email address hidden> Mon, 16 Jul 2018 18:06:00 +0200