From turutani@scphys.kyoto-u.ac.jp  Thu Mar 29 09:31:15 2012
Return-Path: <turutani@scphys.kyoto-u.ac.jp>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 89B57106566B
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 29 Mar 2012 09:31:15 +0000 (UTC)
	(envelope-from turutani@scphys.kyoto-u.ac.jp)
Received: from smtp-auth.kuins.kyoto-u.ac.jp (smtp-auth.kuins.kyoto-u.ac.jp [133.3.248.237])
	by mx1.freebsd.org (Postfix) with ESMTP id 235778FC0A
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 29 Mar 2012 09:31:14 +0000 (UTC)
Received: from smtp-auth.kuins.kyoto-u.ac.jp (smtp-auth.kuins.kyoto-u.ac.jp [127.0.0.1])
	by postfix.imss70 (Postfix) with ESMTP id 23DD62EC006;
	Thu, 29 Mar 2012 17:59:45 +0900 (JST)
Received: from h120.65.226.10.32118.vlan.kuins.net (wd232.BFL23.vectant.ne.jp [210.131.195.232])
	by smtp-auth.kuins.kyoto-u.ac.jp (Postfix) with ESMTP id E3F032EC001;
	Thu, 29 Mar 2012 17:59:44 +0900 (JST)
Received: from h120.65.226.10.32118.vlan.kuins.net (localhost [127.0.0.1])
	by h120.65.226.10.32118.vlan.kuins.net (8.14.4/8.14.4/20071004-1) with ESMTP id q2T8xcKA006994;
	Thu, 29 Mar 2012 17:59:38 +0900 (JST)
	(envelope-from turutani@h120.65.226.10.32118.vlan.kuins.net)
Received: (from turutani@localhost)
	by h120.65.226.10.32118.vlan.kuins.net (8.14.4/8.14.4/Submit) id q2T8xaHg006993;
	Thu, 29 Mar 2012 17:59:36 +0900 (JST)
	(envelope-from turutani)
Message-Id: <201203290859.q2T8xaHg006993@h120.65.226.10.32118.vlan.kuins.net>
Date: Thu, 29 Mar 2012 17:59:36 +0900 (JST)
From: Tsurutani Naoki <turutani@scphys.kyoto-u.ac.jp>
Reply-To: Tsurutani Naoki <turutani@scphys.kyoto-u.ac.jp>
To: FreeBSD-gnats-submit@freebsd.org
Cc: turutani@scphys.kyoto-u.ac.jp
Subject: www/linux-f10-flashplugin11 is vulnerable
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         166485
>Category:       ports
>Synopsis:       www/linux-f10-flashplugin11 is vulnerable
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    eadler
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Mar 29 09:40:10 UTC 2012
>Closed-Date:    Mon Apr 09 23:17:18 UTC 2012
>Last-Modified:  Mon Jun 25 09:10:07 UTC 2012
>Originator:     Tsurutani Naoki
>Release:        FreeBSD 8.2-PRERELEASE i386
>Organization:
>Environment:
System: FreeBSD h120.65.226.10.32118.vlan.kuins.net 8.2-PRERELEASE FreeBSD 8.2-PRERELEASE #25: Mon Jan 24 10:37:18 JST 2011 turutani@h120.65.226.10.32118.vlan.kuins.net:/usr/local/work/usr/obj/usr/src/sys/POLYMER i386


	
>Description:
	www/linux-f10-flashplugin11 is vulnerable.
	ref: http://www.adobe.com/support/security/bulletins/apsb12-07.html
	
>How-To-Repeat:
	
>Fix:
	here is a patch:

--- Makefile.orig	2012-03-16 06:42:55.000000000 +0900
+++ Makefile	2012-03-29 17:41:19.000000000 +0900
@@ -7,7 +7,7 @@
 #
 
 PORTNAME=	flashplugin
-PORTVERSION=	11.1r102.63
+PORTVERSION=	11.2r202.228
 CATEGORIES=	www multimedia linux
 MASTER_SITES=	http://fpdownload.macromedia.com/get/flashplayer/pdc/${PORTVERSION:C/r/\./}/:plugin \
 		LOCAL/nox:suplib
--- distinfo.orig	2012-03-16 06:42:55.000000000 +0900
+++ distinfo	2012-03-29 17:43:04.000000000 +0900
@@ -1,4 +1,4 @@
-SHA256 (flashplugin/11.1r102.63/install_flash_player_11_linux.i386.tar.gz) = dff9d475b3e8900e5c9a5d1d69ba766d0cdf9471217ef35c931ccefdf7b68246
-SIZE (flashplugin/11.1r102.63/install_flash_player_11_linux.i386.tar.gz) = 6746733
-SHA256 (flashplugin/11.1r102.63/linux-f10-flashsupport-9.0.1.i386.tar.gz) = 4a309b1a326bd2212cc72480628659e5a7fd61d9e0572cb7350c206f030955bf
-SIZE (flashplugin/11.1r102.63/linux-f10-flashsupport-9.0.1.i386.tar.gz) = 3455
+SHA256 (flashplugin/11.2r202.228/install_flash_player_11_linux.i386.tar.gz) = 20a806eaf508aa8bf22d9803e94b9f942a548da87cd0a59712c7bcd1df0d44e6
+SIZE (flashplugin/11.2r202.228/install_flash_player_11_linux.i386.tar.gz) = 6917230
+SHA256 (flashplugin/11.2r202.228/linux-f10-flashsupport-9.0.1.i386.tar.gz) = 4a309b1a326bd2212cc72480628659e5a7fd61d9e0572cb7350c206f030955bf
+SIZE (flashplugin/11.2r202.228/linux-f10-flashsupport-9.0.1.i386.tar.gz) = 3455
	


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-ports-bugs->emulation 
Responsible-Changed-By: edwin 
Responsible-Changed-When: Thu Mar 29 09:40:20 UTC 2012 
Responsible-Changed-Why:  
Over to maintainer (via the GNATS Auto Assign Tool) 

http://www.freebsd.org/cgi/query-pr.cgi?pr=166485 

From: poyopoyo@puripuri.plala.or.jp
To: FreeBSD-gnats-submit@FreeBSD.org,
	FreeBSD-ports-bugs@FreeBSD.org
Cc:  
Subject: Re: ports/166485: www/linux-f10-flashplugin11 is vulnerable
Date: Fri, 06 Apr 2012 06:01:44 +0900

 Does anyone have time to handle this security update?
 
 (to submitter: I suppose the Synopsis might better be like: 
 [security] update port: www/linux-f10-flashplugin11 to 11.2
 to catch comitters' eyes nicely.)

From: Volodymyr Kostyrko <c.kworr@gmail.com>
To: bug-followup@FreeBSD.org, turutani@scphys.kyoto-u.ac.jp
Cc:  
Subject: Re: ports/166485: www/linux-f10-flashplugin11 is vulnerable
Date: Sun, 08 Apr 2012 23:20:57 +0300

 Hi all.
 
 This patch results in unusable plugin on my machine. When running flash 
 it quickly drops with:
 
 *** NSPlugin Wrapper *** ERROR: NPP_New() wait for reply: Connection closed
 *** NSPlugin Wrapper *** 
 WARNING:(/tmp/ports/usr/ports/www/nspluginwrapper/work/nspluginwrapper-1.4.4/src/npw-wrapper.c:2150):invoke_NPP_Destroy: 
 assertion failed: (rpc_method_invoke_possible(plugin->connection))
 
 FreeBSD limbo.lan 9.0-STABLE FreeBSD 9.0-STABLE #0 r233753: Sun Apr  1 
 19:06:58 EEST 2012     arcade@limbo.lan:/usr/obj/usr/src/sys/MINIMALx32 
   i386
 
 World was built with clang. Previous version worked like a charm with 
 chromium and seamonkey, this one fails for both.
 
 -- 
 Sphinx of black quartz judge my vow.

From: Tsurutani Naoki <turutani@scphys.kyoto-u.ac.jp>
To: Volodymyr Kostyrko <c.kworr@gmail.com>
Cc: bug-followup@FreeBSD.org
Subject: Re: ports/166485: www/linux-f10-flashplugin11 is vulnerable
Date: Mon, 09 Apr 2012 10:31:50 +0900

 Volodymyr Kostyrko <c.kworr@gmail.com> wrote:
 
  I cannot reproduce this trouble on my host with chromium and firefox.
 
 h120 % uname -a
 FreeBSD h120.65.226.10.32118.vlan.kuins.net 8.2-PRERELEASE FreeBSD 8.2-PRERELEASE #25: Mon 
 Jan 24 10:37:18 JST 2011     turutani@h120.65.226.10.32118.vlan.kuins.net:usr/obj/usr/src/sys/POLYMER  i386
 
  Does running "nspluginwrapper -a -v -i" help it ?
 
 > Hi all.
 > 
 > This patch results in unusable plugin on my machine. When running flash 
 > it quickly drops with:
 > 
 > *** NSPlugin Wrapper *** ERROR: NPP_New() wait for reply: Connection closed
 > *** NSPlugin Wrapper *** 
 > WARNING:(/tmp/ports/usr/ports/www/nspluginwrapper/work/nspluginwrapper-1.4.4/src/npw-
 wrapper.c:2150):invoke_NPP_Destroy: 
 > assertion failed: (rpc_method_invoke_possible(plugin->connection))
 > 
 > FreeBSD limbo.lan 9.0-STABLE FreeBSD 9.0-STABLE #0 r233753: Sun Apr  1 
 > 19:06:58 EEST 2012     arcade@limbo.lan:/usr/obj/usr/src/sys/MINIMALx32 
 >   i386
 > 
 > World was built with clang. Previous version worked like a charm with 
 > chromium and seamonkey, this one fails for both.
 
 
 --- 
 Tsurutani Naoki
 turutani@scphys.kyoto-u.ac.jp

From: Volodymyr Kostyrko <c.kworr@gmail.com>
To: Tsurutani Naoki <turutani@scphys.kyoto-u.ac.jp>
Cc: bug-followup@FreeBSD.org
Subject: Re: ports/166485: www/linux-f10-flashplugin11 is vulnerable
Date: Mon, 09 Apr 2012 07:30:29 +0300

 Tsurutani Naoki wrote:
 >   I cannot reproduce this trouble on my host with chromium and firefox.
 >
 > h120 % uname -a
 > FreeBSD h120.65.226.10.32118.vlan.kuins.net 8.2-PRERELEASE FreeBSD 8.2-PRERELEASE #25: Mon
 > Jan 24 10:37:18 JST 2011     turutani@h120.65.226.10.32118.vlan.kuins.net:usr/obj/usr/src/sys/POLYMER  i386
 >
 >   Does running "nspluginwrapper -a -v -i" help it ?
 
 No, nothing changes. Installing previous version fixes things.
 
 I'll try to recheck and rebuild everything close to nspluginwrapper. 
 However I have already checked that there are no unresolved symbols in 
 libraries under /usr/local.
 
 -- 
 Sphinx of black quartz judge my vow.

From: Volodymyr Kostyrko <c.kworr@gmail.com>
To: bug-followup@FreeBSD.org, turutani@scphys.kyoto-u.ac.jp
Cc:  
Subject: Re: ports/166485: www/linux-f10-flashplugin11 is vulnerable
Date: Mon, 09 Apr 2012 13:37:39 +0300

 On my other desktop everything works fine.
 
 FreeBSD green.tandem.local 9.0-STABLE FreeBSD 9.0-STABLE #1 r234052: Mon 
 Apr  9 11:22:31 EEST 2012 
 arcade@green.tandem.local:/usr/obj/usr/src/sys/MINIMAL  amd64
 
 -- 
 Sphinx of black quartz judge my vow.

From: Volodymyr Kostyrko <c.kworr@gmail.com>
To: bug-followup@FreeBSD.org, turutani@scphys.kyoto-u.ac.jp
Cc:  
Subject: Re: ports/166485: www/linux-f10-flashplugin11 is vulnerable
Date: Mon, 09 Apr 2012 22:19:53 +0300

 Geez, I missed one thing that possibly explains this situation:
 
 Apr  8 21:43:24 limbo kernel: pid 6571 (npviewer.bin), uid 1001: exited 
 on signal 4 (core dumped)
 
 My machine is not SSE2 capable.
 
 CPU: AMD Athlon(tm)  (1750.59-MHz 686-class CPU)
 Origin = "AuthenticAMD"  Id = 0x6a0  Family = 6  Model = a  Stepping = 0
 Features=0x383fbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE>
 AMD Features=0xc0400800<SYSCALL,MMX+,3DNow!+,3DNow!>
 
 Windows version on the same machine works. It seems I should bug Adobe 
 about that...
 
 -- 
 Sphinx of black quartz judge my vow.
Responsible-Changed-From-To: emulation->eadler 
Responsible-Changed-By: eadler 
Responsible-Changed-When: Mon Apr 9 22:10:50 UTC 2012 
Responsible-Changed-Why:  
take as flash maintainer 

http://www.freebsd.org/cgi/query-pr.cgi?pr=166485 
State-Changed-From-To: open->closed 
State-Changed-By: eadler 
State-Changed-When: Mon Apr 9 23:17:16 UTC 2012 
State-Changed-Why:  
Committed. Thanks! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=166485 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: ports/166485: commit references a PR
Date: Mon,  9 Apr 2012 23:15:49 +0000 (UTC)

 eadler      2012-04-09 23:15:31 UTC
 
   FreeBSD ports repository
 
   Modified files:
     www/linux-f10-flashplugin11 Makefile distinfo 
   Log:
   - Update flash to current 11,2,202,228
   
   PR:             ports/166485
   Submitted by:   Tsurutani Naoki <turutani@scphys.kyoto-u.ac.jp>
   Reviewed by:    nox
   Security:       20923a0d-82ba-11e1-8d7b-003067b2972c
   
   Revision  Changes    Path
   1.33      +1 -1      ports/www/linux-f10-flashplugin11/Makefile
   1.26      +4 -4      ports/www/linux-f10-flashplugin11/distinfo
 _______________________________________________
 cvs-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/cvs-all
 To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
 

From: Tsurutani Naoki <turutani@scphys.kyoto-u.ac.jp>
To: Volodymyr Kostyrko <c.kworr@gmail.com>
Cc: bug-followup@FreeBSD.org
Subject: Re: ports/166485: www/linux-f10-flashplugin11 is vulnerable
Date: Tue, 01 May 2012 15:00:34 +0900

 Hi,
 
 Would you try 11.2.202.233 ?
 
 ref: http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/167469
 
 Volodymyr Kostyrko <c.kworr@gmail.com> wrote:
 
 > Geez, I missed one thing that possibly explains this situation:
 > 
 > Apr  8 21:43:24 limbo kernel: pid 6571 (npviewer.bin), uid 1001: exited 
 > on signal 4 (core dumped)
 > 
 > My machine is not SSE2 capable.
 > 
 > CPU: AMD Athlon(tm)  (1750.59-MHz 686-class CPU)
 > Origin = "AuthenticAMD"  Id = 0x6a0  Family = 6  Model = a  Stepping = 0
 > Features=0x383fbff
 <FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE>
 > AMD Features=0xc0400800<SYSCALL,MMX+,3DNow!+,3DNow!>
 > 
 > Windows version on the same machine works. It seems I should bug Adobe 
 > about that...
 > 
 > -- 
 > Sphinx of black quartz judge my vow.
 > 
 

From: Volodymyr Kostyrko <c.kworr@gmail.com>
To: Tsurutani Naoki <turutani@scphys.kyoto-u.ac.jp>
Cc: bug-followup@FreeBSD.org
Subject: Re: ports/166485: www/linux-f10-flashplugin11 is vulnerable
Date: Wed, 02 May 2012 12:42:50 +0300

 Tsurutani Naoki wrote:
 > Hi,
 >
 > Would you try 11.2.202.233 ?
 >
 > ref: http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/167469
 >
 
 Already filed that as 
 http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/167390
 
 Right now I managed to fully ruin my filesystem on that machine. I'm at 
 decyphering DVA's in ZFS and writing some code to recover my data. I'm 
 far off testing flash there... I'll test this when I can. Meanwhile 
 there's no point in stopping updating the port - 233 seems to be "final" 
 flash 11.2 revision and works for me on AMD64.
 
 -- 
 Sphinx of black quartz judge my vow.

From: Volodymyr Kostyrko <c.kworr@gmail.com>
To: Tsurutani Naoki <turutani@scphys.kyoto-u.ac.jp>
Cc: bug-followup@FreeBSD.org
Subject: Re: ports/166485: www/linux-f10-flashplugin11 is vulnerable
Date: Mon, 25 Jun 2012 12:02:24 +0300

 Volodymyr Kostyrko wrote:
 > Tsurutani Naoki wrote:
 >> Hi,
 >>
 >> Would you try 11.2.202.233 ?
 >>
 >> ref: http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/167469
 >>
 >
 > Already filed that as
 > http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/167390
 >
 > Right now I managed to fully ruin my filesystem on that machine. I'm at
 > decyphering DVA's in ZFS and writing some code to recover my data. I'm
 > far off testing flash there... I'll test this when I can. Meanwhile
 > there's no point in stopping updating the port - 233 seems to be "final"
 > flash 11.2 revision and works for me on AMD64.
 
 No, latest version doesn't work for me on old i386 hardware while 
 11.1r102.63 works fine.
 
 I'm sure this is something about SSE2 as each failure results in "exited 
 on signal 4" which means 'illegal instruction'.
 
 -- 
 Sphinx of black quartz judge my vow.
>Unformatted:
