Adobe Flash security hole

berbae · 2010-06-15 10:01:45

The nspluginwrapper-debian/nspluginwrapper-flash-prerelease way requires the installation of 29 lib32 packages.
and zodmaner wrote :

Aside from few issues, like Flash sometime refuse to acknowledge a click and nspluginwrapper crashing on me a few times, everything have been working fine so far.

So I don't like very much that "solution".

I don't understand how Adobe can say :

We are fully committed to bringing native 64-bit Flash Player for the desktop by providing native support for Windows, Macintosh, and Linux 64-bit platforms in an upcoming major release of Flash Player.

and not provide at least a correction of critical bugs of the current release for those using it presently.

They announce "an upcoming major release" when?

We have temporarily closed the Labs program of Flash Player 10 for 64-bit Linux,

How can there be a new release if the Labs program is closed?

Why leaving the 64-bit architecture users alone with a bugged release when almost all recent processors are 64-bit?
It's not very logical.

As I want to keep my Arch64 installation clean, I will have now to choose the chroot way to use a Firefox 32-bit with the updated release of flashplugin 10.1 for i686 architecture, hoping there will not be other configuration problems.

It's not very pleasant and satisfying.

But luckily I have a spared partition on my HD to install the chrooted Arch32 version.
But I regret to be constrained to do that for an illogical choice from Adobe on a closed source software.

zodmaner · 2010-06-15 10:44:09

berbae wrote:

<snip>
and zodmaner wrote :
Aside from few issues, like Flash sometime refuse to acknowledge a click and nspluginwrapper crashing on me a few times, everything have been working fine so far.
So I don't like very much that "solution".
<snip>

Well, after spending some more time playing with it, I figured out two cases that can cause Firefox or nspluginwrapper to crash:

1. Mashing left click button on Flash content (due to problem mentioned earlier that sometime Flash won't register a click).
2. Right click on Flash content. Which have like 6 out of 10 chance of hard lock the browser.

So far, after I avoid doing both, Flash/nspluginwrapper have never crash on me. Heck, some Flash game that are not working with 64bit Flash (it will stuck at loading screen and start eating all my RAM/swap space) are now working just fine.

The worse bug is the Flash not registered a click one, which seems to affect mainly embedded Flash video. A work around is to click on the video once, and then use spacebar to toggle video play/pause. Still not ideal, because you cannot control anything else (volume, seek time, etc.). Of course, if the Flash content that have these problem is not video but something else (say, a Flash menu), then you're out of luck.

All of these test are done on Firefox with Flashblock plugin installed. I haven't try it on other browser (yet). Would love to see someone else try it as well to see if it's only affects my box or is it a generally symptoms.

Last edited by zodmaner (2010-06-15 10:57:04)

hokasch · 2010-06-15 10:57:11

Here I haven't experienced crashes, but embedded youtube video doesn't work, which is quite annoying (right click -> watch on youtube works though).

After nspluginwrapper -v -a -i there where a lot of lib32 errors re gecko mediaplayer - ignored them and haven't tested gecko mediaplayer since but hope it should be ok. All in all, not really a "solution" for me, but dropping flash isn't either, as much as I would wish for it.

P.S.: yep, same here with the embedded video, although I have not seen it crash. Firefox with noscript as well.

Last edited by hokasch (2010-06-15 10:59:27)

madalu · 2010-06-15 22:54:31

zodmaner wrote:

All of these test are done on Firefox with Flashblock plugin installed. I haven't try it on other browser (yet). Would love to see someone else try it as well to see if it's only affects my box or is it a generally symptoms.

So far, after a few hours of use, nspluginwrapper-flash and nspluginwrapper-debian work fine on my 64 bit system. I've tested them with chromium, conkeror, firefox, and midori with no adverse effects. Apart from the extra memory use, I notice no difference.

But I'm sure my browser will crash right after I write this post.

Last edited by madalu (2010-06-15 22:54:49)

Kaeso · 2010-06-16 01:22:53

madalu wrote:

zodmaner wrote:
All of these test are done on Firefox with Flashblock plugin installed. I haven't try it on other browser (yet). Would love to see someone else try it as well to see if it's only affects my box or is it a generally symptoms.
So far, after a few hours of use, nspluginwrapper-flash and nspluginwrapper-debian work fine on my 64 bit system. I've tested them with chromium, conkeror, firefox, and midori with no adverse effects. Apart from the extra memory use, I notice no difference.

They work fine for me too. Is this a difference between nspluginwrapper-flash and nspluginwrapper-flash-prerelease?

idx · 2010-06-16 17:42:13

They work fine for me too. Is this a difference between nspluginwrapper-flash and nspluginwrapper-flash-prerelease?

nspluginwrapper-flash = 10.1.53-1
nspluginwrapper-flash-prerelease = 10.1.53.64-1

And according to the news published on the first page :

The flashplugin has a critical vulnerability[1] in version 10.0.45.2 which is fixed in 10.1.53.64.

So yeah, you should go with the prerelease version if you actually want to fix the vulnerability. I nearly missed that extra ".64" too, though.

Also, shouldn't the nswrapper solution be explicitly mentionned on the news page ? It sounds safer than just using flashblock to me.

Last edited by idx (2010-06-16 20:20:38)

mento · 2010-06-16 18:46:58

Just look in the pkgbuild:
nspluginwrapper-flash-prerelease:
source=('http://download.macromedia.com/pub/labs/flashplayer10/flashplayer10_1_rc7_linux_060210.so.tar.gz'
nspluginwrapper-flash:
source=('http://fpdownload.macromedia.com/get/flashplayer/current/install_flash_player_10_linux.tar.gz'

You see that the nspluginwrapper-flash-prerelease is the release candidate of nspluginwrapper-flash, but I think there should be no difference between both.

Cerebral · 2010-06-16 19:06:38

Just for everybody's info, we had three topics talking about basically the same thing. I've closed these two but all three had fairly extensive conversation:

http://bbs.archlinux.org/viewtopic.php?id=99165
http://bbs.archlinux.org/viewtopic.php?id=99203

idx · 2010-06-16 20:19:04

@mento : I disagree when you say there should be no difference between both. Unless I'm completely missing the point here, the nspluginwrapper-flash (non-prerelease) does not include the fix for the flaw that we are discussing here, whereas nspluginwrapper-flash-prerelease does.

That is, of course, relying on the info that the fix was included only in flash 10.1.53.64 (see my previous post)

Labello · 2010-06-16 20:19:35

and what if i just do not upgrade flashplugin? what is wrong with continuing to use the old one? and why has it got to be removed from the repo when adobe does not release a new version? why not keep the old working one? i mean just on x86_64...

Kaeso · 2010-06-16 20:39:12

idx wrote:

@mento : I disagree when you say there should be no difference between both. Unless I'm completely missing the point here, the nspluginwrapper-flash (non-prerelease) does not include the fix for the flaw that we are discussing here, whereas nspluginwrapper-flash-prerelease does.
That is, of course, relying on the info that the fix was included only in flash 10.1.53.64 (see my previous post)

@idx, I think mento's right. They really do appear to be identical, just download them both and see for yourself. Both archives contain the same libflashplayer.so from 2010-05-26 with the md5sum 6b96f76f89b9f565a01f36b2abacd052. I think the lack of a final .64 in nspluginwrapper-flash is just a matter of the AUR packager's naming preference, not a reflection of its contents.

idx · 2010-06-16 20:39:45

@labello
This :

http://www.adobe.com/support/security/a … 10-01.html

is what adobe has to say about it. I didn't inquire much further, but I for one am not going to leave this vulnerability open when there is a (rather easy) workaround.

Still, I hate it just as much as anybody else that Adobe didn't release a fixed version for 64bit linux systems.

EDIT : @kaeso : Oh, sorry. I probably should have checked that instead of just looking at the names...

Last edited by idx (2010-06-16 20:44:49)

nstoyanov · 2010-06-16 23:19:30

I just installed nspluginwrapper-flash from AUR and wow... What a difference! It runs significantly better for me, not ot mention 0 crashes (well, while watching highlights from the world cup in particular, lol) and perfect hulu.com. I should have used nspluginwrapper a long time ago.

Last edited by nstoyanov (2010-06-16 23:20:25)

hokasch · 2010-06-16 23:36:39

We should update the Wiki page and mention the problem on [[Browser Plugins]]

Please add/correct/take it to the wiki:

32Flash implant for 64 Systems
1. Install nspluginwrapper-flash from AUR
2. run nspluginwrapper -v -a -i (ignore ELF library errors with other plugins)
3. add export GDK_NATIVE_WINDOWS=1 in /usr/lib/nspluginwrapper/i386/linux/npviewer

Downside: crashes Qt's webkit browsers (thread) / instabilities reported by zodmaner (if still there? / I still have some weird rendering issues with embeded youtube, will check again tomorrow

alternatives:
swfdec-mozilla
firefox32 and lib32-flashplugin from aur

Last edited by hokasch (2010-06-17 09:48:07)

berbae · 2010-06-17 08:27:15

There is another alternative for those who want to keep an arch64 installation clean of lib32 libraries, and that have spared hard drive spaces :

a chrooted arch32 installation.

I personally have chosen that way which doesn't need nspluginwrapper and no AUR packages :

firefox 3.6.3-1
flashplugin 10.1.53.64-1

from i686 extra repository.

My arch32 installation is on another partition.

Surely it requires to sync/update the two installations separately, but I can do with it.

I was worried by the nspluginwrapper crashes reported by zodmaner.

The chrooted arch32 installation can also be used for other 32-bit only softwares which we may want to use.

That solution works for me until now, I will report if there are problems appearing.

Othin · 2010-06-17 10:39:12

@ berbae: I think that's too much hassle for just a web plugin. In my opinion, that solution is akin to killing flies with cannons.

Me, I'm going to use flashblock, which has the added bonus of removing advertisements and useless resource hogging crap that appears in so many websites. If I use flash only for YouTube the vulnerability is not a problem, am i right?

In any case, I'm really wishing for a world free of flash. Hopefully, all the pressure by Steve Jobs & Co. will kill it...

Cookie · 2010-06-17 11:31:30

Othin wrote:

@ berbae: I think that's too much hassle for just a web plugin. In my opinion, that solution is akin to killing flies with cannons.
Me, I'm going to use flashblock, which has the added bonus of removing advertisements and useless resource hogging crap that appears in so many websites. If I use flash only for YouTube the vulnerability is not a problem, am i right?
In any case, I'm really wishing for a world free of flash. Hopefully, all the pressure by Steve Jobs & Co. will kill it...

same here, only videos I watch either from youtube or a major newspaper/TV website,so I guess I'm relatively safe

berbae · 2010-06-17 15:12:01

I agree that the chrooted arch32 installation is not practical to implement.
I'd rather not have to do that, it's not a pleasant thing for me. But it seems a secured way.

I think it should be added to the alternatives listed in the hokasch post #39 for a wiki update.

Because the nspluginwrapper is not perfect too ; it requires many lib32 packages and zodmaner reports problems with clicks and some crashes.
Moreover the debian nspluginwrapper 1.3.0 was released on march 2009, and since then their system to find new updates cannot connect to the project site (see http://packages.qa.debian.org/nspluginwrapper )
I could not find recent infos about Gwenolé Beauchesne the developper, so I am not sure the project is still maintained (I can be wrong but if someone can find something recent...).
So nothing's perfect.

Last edited by berbae (2010-06-17 15:28:55)

akurei · 2010-06-17 17:34:43

For everyone that needs Flash only for youtube: yaourt -Sy minitube
30 % CPU load when watchin 1080p video from youtube. Why didn't I uninstall Flash earlier? Minitube is such an improvement!

estevao · 2010-06-17 18:02:47

akurei wrote:

For everyone that needs Flash only for youtube: yaourt -Sy minitube
30 % CPU load when watchin 1080p video from youtube. Why didn't I uninstall Flash earlier? Minitube is such an improvement!

Very good! The only problem I see is that you can't FF or RW the video...

Last edited by estevao (2010-06-17 18:26:01)

fsckd · 2010-06-17 20:32:53

akurei wrote:

For everyone that needs Flash only for youtube: yaourt -Sy minitube
30 % CPU load when watchin 1080p video from youtube. Why didn't I uninstall Flash earlier? Minitube is such an improvement!

Mentioned earlier in either this thread or one of the other threads on this same topic is youtube-dl which downloads flash videos from youtube. There is also the more generic get_flash_video which works for many (but not all) flash video sites. Both programs can be obtained from AUR. Also, youtube has some html5 support.

maxexcloo · 2010-06-18 08:07:15

Flash seems to crash the entire browser every time when I right click a video/game. I'm using nspluginwrapper-flash-prerelease and nspluginwrapper.
Otherwise from that it works fine though

hokasch · 2010-06-18 08:31:42

Could you link an example, or is it every video/game? Not a single crash here, right click works fine, e.g. http://www.fastgames.com/pixellegions.html ("about" does not display anything though).

The only (minor) annoyance I could see so far is a rendering issue with embeded youtube, see here (grey box overlapping text):

It goes away with scrolling up/down or so.

edit: example from http://www.spreeblick.com/2010/06/18/guten-morgen-179/

Last edited by hokasch (2010-06-18 08:32:33)

zodmaner · 2010-06-18 09:38:46

berbae wrote:

Because the nspluginwrapper is not perfect too ; it requires many lib32 packages and zodmaner reports problems with clicks and some crashes.

Just want to add that since then I have not experience any crash. So while nspluginwrapper method is not perfect, it's definitely stable enough for daily use.

Last edited by zodmaner (2010-06-18 09:40:03)

kralyk · 2010-06-18 14:32:18

Hi,
is there any reason to chose nspluginwrapper-flash-prerelease over nspluginwrapper-flash?
Is nspluginwrapper-flash (not the prerelease) sechole-free?
Thank you ;-)

Arch Linux

#26 2010-06-15 10:01:45

Re: Adobe Flash security hole

#27 2010-06-15 10:44:09

Re: Adobe Flash security hole

#28 2010-06-15 10:57:11

Re: Adobe Flash security hole

#29 2010-06-15 22:54:31

Re: Adobe Flash security hole

#30 2010-06-16 01:22:53

Re: Adobe Flash security hole

#31 2010-06-16 17:42:13

Re: Adobe Flash security hole

#32 2010-06-16 18:46:58

Re: Adobe Flash security hole

#33 2010-06-16 19:06:38

Re: Adobe Flash security hole

#34 2010-06-16 20:19:04

Re: Adobe Flash security hole

#35 2010-06-16 20:19:35

Re: Adobe Flash security hole

#36 2010-06-16 20:39:12

Re: Adobe Flash security hole

#37 2010-06-16 20:39:45

Re: Adobe Flash security hole

#38 2010-06-16 23:19:30

Re: Adobe Flash security hole

#39 2010-06-16 23:36:39

Re: Adobe Flash security hole

#40 2010-06-17 08:27:15

Re: Adobe Flash security hole

#41 2010-06-17 10:39:12

Re: Adobe Flash security hole

#42 2010-06-17 11:31:30

Re: Adobe Flash security hole

#43 2010-06-17 15:12:01

Re: Adobe Flash security hole

#44 2010-06-17 17:34:43

Re: Adobe Flash security hole

#45 2010-06-17 18:02:47

Re: Adobe Flash security hole

#46 2010-06-17 20:32:53

Re: Adobe Flash security hole

#47 2010-06-18 08:07:15

Re: Adobe Flash security hole

#48 2010-06-18 08:31:42

Re: Adobe Flash security hole

#49 2010-06-18 09:38:46

Re: Adobe Flash security hole

#50 2010-06-18 14:32:18

Re: Adobe Flash security hole

Board footer