Plugin needs to update automatically

Bug #1312219 reported by Marc Deslauriers
This bug affects 30 people
Affects Status Importance Assigned to Milestone
Pepperflashplugin Nonfree
Fix Released
pepperflashplugin-nonfree (Ubuntu)

Bug Description

The pepperflashplugin-nonfree package downloads a chrome package and rips out the pepper flash plugin binary from it upon installation.

After installation, the plugin must be manually updated by root using the update-pepperflashplugin-nonfree script.

Since the flash plugin routinely gets security updates, and is directly exposed to untrusted content, there needs to be a way for this plugin to get updated automatically, else we are exposing our users to risk.

Perhaps the best solution would be to fork the package and routinely publish security updates for it.

Changed in pepperflashplugin-nonfree (Ubuntu):
status: New → Confirmed
Obsidian (grandobsidian)
Changed in pepperflashplugin-nonfree (Ubuntu):
status: Confirmed → New
Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in pepperflashplugin-nonfree (Ubuntu):
status: New → Confirmed
murad (muradmf)
Changed in pepperflashplugin-nonfree (Ubuntu):
assignee: nobody → murad (muradmf)
assignee: murad (muradmf) → nobody
Revision history for this message
houstonbofh (leesharp) wrote :

I think the only reason this bug does not have more people is no one knows it is not being updated.

Revision history for this message
psl (slansky) wrote :

Thank you! I have no idea I have to run updates manually. That is not good...

$ update-pepperflashplugin-nonfree --status
Flash Player version installed on this system :
Flash Player version available on upstream site:

$ update-pepperflashplugin-nonfree --install --quiet

Revision history for this message
Tar Ni (taruny9) wrote :

Wow I thought that I would get automatic update through the Update Manager... I stumbled upon an article on a website that said the plugin didn't update itself and refered to this page. Hopefully this will be fixed soon.

Changed in pepperflashplugin-nonfree:
status: Unknown → Fix Released
Revision history for this message
Florian W. (florian-will) wrote :

Debian status is inaccurate, it is actually something like "Invalid" / "Wontfix", not "Fix Released".

I do think this is a valid bug. The "proper" solution probably is: Release an updated pepperflashplugin-nonfree package every time Google updates the flash plugin. The package should contain a checksum of the current .so file and download&extract&check&install the library on installation. (This will only work if old chrome download files are available even after a new version is released… otherwise, the package installation will fail as soon as a new chrome version is released. In that case, the checksum verification should be skipped, but still: a new debian package should released every time flash gets updated.)

The Debian wiki says that this is not suitable for Debian because it's apparently difficult to get security updates into stable if they are not 100% security related. So I wonder why there's no special exception for closed-source software in Debian where patching ONLY security issues is simply not possible… It really sounds stupid.

> But that would reopen the debate on how to get the updated Debian package
> in stable in a user friendly way and sufficiently fast. Note that the Debian
> package would pull in a combination of feature updates and security fixes in a
> new upstream release of closed-source software, which is somewhat difficult
> for Debian procedures to install quickly in stable.

So Debian apparently prefers having really dangerous outdated versions of flash installed on their users' systems (because ~~nobody knows about update-pepperflashplugin-nonfree) instead of pushing one isolated closed-source software package (that might do a little more than fixing security issues) into stable.

The debian process is not very well suited for closed-source software. I wonder if Ubuntu would be willing to improve this. It probably depends on the number of Chromium users, most of which probably use pepperflash-plugin-nonfree without knowing about the risk for their system when installing & forgetting about that package.

So … please: Either drop the pepperflash package and recommend upstream chrome for users that need flash, or fix the package.

Revision history for this message
houstonbofh (leesharp) wrote :

I had forgotten about this. So my flash was way out of date...

Revision history for this message
Mateusz Stachowski (stachowski-mateusz) wrote :

It should be noted that this package is irrelevant in Ubuntu for at least 9 months.

Instaling adobe-flashplugin from Canonical Partners repo will give you both NPAPI and PPAPI at it's latest versions in all currently supported Ubuntu releases. And that starts with 12.04 LTS.

The PPAPI is even newer than in pepperflasplugin-nonfree.

Revision history for this message
Hans Hellén (hans-hellen) wrote :

Unfortunately this package and bug is still relevant for the users of Yandex.Browser.

Revision history for this message
Janghou (janghou) wrote :

If it's deprecated, shouldn't it be removed, or changed to show that it is deprecated?

For people unaware of the new package, I did not have `Canonical Partners source` active, it should notice people, or it should uninstall flash.

Leaving people with old (broken vulnerable) flash plugins seems to me a very bad idea. Better no flash then.

To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Duplicates of this bug

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.