My thoughts on Slackware, life and everything

Month: March 2016 (Page 2 of 2)

March ’16 security fixes for Adobe Flash

adobe_flash_8s600x600_2Adobe’s Flash player  security update for March showed an updated Flash player which addresses several vulnerabilities. I packaged the Linux Flash Player plugin for you as usual – on friday. However, Google did not release an updated binary for Linux Chrome until this moment, instead having people rely on Chrome’s internal auto-update feature which takes care of downloading the latest PepperFlash library. That would leave Chromium users in the cold, so I took a different approach: I installed the latest Google Chrome in a virtual machine and started the program, then went away to do other stuff. After a while, Chrome had indeed downloaded a new version of the Flash library and put that in the ~/.config/google-chrome/PepperFlash/ directory. I have used a copy of this downloaded library to create the new chromium-pepperflash-plugin package.

The new plugin for the Chromium browser (chromium-pepperflash-plugin) has the version number 21.0.0.182. The plugin for Mozilla browsers (flashplayer-plugin) has version 11.2.202.577.

My download locations for the Flash plugin packages are as always:

If you are using the slackpkg+ extension for slackpkg, then you just run “slackpkg update && slackpkg upgrade flash”. Alternatively, you can subscribe to my repository RSS feed to stay informed of any updates.

Eric

Chromium 49 packages address security issues; no more 32-bit binary plugins

chromium_iconChromium 49 was announced on the Google Chrome Releases blog. I needed some time to compile package for my ‘ktown’ repository containing the KDE Plasma 5 environment. In fact it took more time than anticipated because I had upgraded my QEMU from 1.2.0 to 2.5.0 and that had unepected side effects: it severely affected the performance of the host server (running Slackware64 13.37 and a 2.6.37.6 kernel) and decreased the Virtual Machine speed to almost half. And when the VM froze while I was compiling chromium in it, I had enough. I reverted to QEMU 1.2.0 and all is well again.

Anyway, the new chromium 49.0.2623.75 release addresses a couple of security issues – some of these have a CVE number:

  • [$8000][560011] High CVE-2016-1630: Same-origin bypass in Blink. Credit to Mariusz Mlynski.
  • [$7500][569496] High CVE-2016-1631: Same-origin bypass in Pepper Plugin. Credit to Mariusz Mlynski.
  • [$5000][549986] High CVE-2016-1632: Bad cast in Extensions. Credit to anonymous.
  • [$3000][572537] High CVE-2016-1633: Use-after-free in Blink. Credit to cloudfuzzer.
  • [$3000][559292] High CVE-2016-1634: Use-after-free in Blink. Credit to cloudfuzzer.
  • [$2000][585268] High CVE-2016-1635: Use-after-free in Blink. Credit to Rob Wu.
  • [$2000][584155] High CVE-2016-1636: SRI Validation Bypass. Credit to Ryan Lester and Bryant Zadegan.
  • [$500][560291] High CVE-2015-8126: Out-of-bounds access in libpng. Credit to joerg.bornemann.
  • [$2000][555544] Medium CVE-2016-1637: Information Leak in Skia. Credit to Keve Nagy.
  • [$1000][585282] Medium CVE-2016-1638: WebAPI Bypass. Credit to Rob Wu.
  • [$1000][572224] Medium CVE-2016-1639: Use-after-free in WebRTC. Credit to Khalil Zhani.
  • [$1000][550047] Medium CVE-2016-1640: Origin confusion in Extensions UI. Credit to Luan Herrera.
  • [$500][583718] Medium CVE-2016-1641: Use-after-free in Favicon. Credit to Atte Kettunen of OUSPG.
  • [591402] CVE-2016-1642: Various fixes from internal audits, fuzzing and other initiatives.

It is advised to upgrade to this version of Chromium.

Please note that Google has stopped providing 32-bit versions of Chrome for Linux. This means that I will no longer be able to supply 32-bit plugins for Pepper Flash and for Widevine CDM support. The 32-bit plugins currently in my repository are taken from the Chrome 48 RPM and they will probably just keep functioning for a while. However I have no idea when they break, and particularly the Pepper Flash plugin will age pretty fast, considering the fact that Adobe releases security updates for Flash almost every month. YMMV.

Get my chromium packages in one of the usual locations:

The widevine and pepperflash plugin packagess for chromium can be found in the same repository.

Have fun! Eric

Package recompilation effort underway

alienHey folks! Two things recently happened to Slackware-current that you need to be aware of if you are using my Plasma5 packages from the ‘ktown‘ repository.

  1. libical was upgraded. The new shared library has a different version number, breaking several applications in my Plasma 5 package set. Mostly these are KDEPIM related.
  2. the openssl upgrade  dropped support for the obsolete OpenSSL SSLv2 protocol (by eliminating the ‘SSLv2_client_method’ symbol) in order to address the “DROWN” vulnerability. This broke applications that are linking against openssl using this symbol.

This means I have to recompile several packages; the PIM related ones are kcalcore, kcalutils, kblog, ktnef, kalarmcal, akonadi-calendar, kdepim-runtime, kdepim and kdepimlibs4 (I did kdepimlibs earlier this week). Packages linking to the removed SSLv2 symbol are qt5 and qca-qt5.

This will take some time on my trusty old build-box. The 64-bit PIM packages are done, Qt5 is compiling, qca-qt5 is next. Then I need to repeat for 32-bit and be aware that compiling Qt5 is quite a lengthy process… I won’t have new packages to upload until friday evening probably.

Then I intend to compile new Plasma 5.5.5 (just released, it’s the last in the 5.5 series) and generate new Slackware Live ISO images. Don’t stay up for those… will probably be on the other side of the weekend before you see those, because I need to test some updates to the liveslak scripts first.

Somewhere inbetween I should also take care of the new Chromium sources which were just released, addressing several vulnerabilities. By the way, this new 49.0.2623.75 release is the first where Google is only releasing 64-bit binaries for Linux, so I am afraid that at some point the 32-bit plugins I used to extract from the Chrome binaries (pepperflash and widevine plugins) will stop working for the 32-bit chromium packages which I will of course keep compiling for you. The most recent versions of these binary-only plugins remain in my repository until they break.

Newer posts »

© 2024 Alien Pastures

Theme by Anders NorenUp ↑