[gentoo-amd64] Re: Firefox/Firefox-bin & Flash

[Duncan <1i5t5.duncan@cox.net>]

Claes Gyllenswärd posted on Thu, 09 Dec 2010 17:09:44 +0100 as excerpted:

> I haven't kept strictly up to date, but it's my understanding that since
> then a new 64bit version has been released. And some new security
> problems, it's flash after all, and two more releases I think. So
> there's a "proper" 64-bit version out, if you consider flash/binary
> proper.

Yes.  AFAIK, there's another 64-bit flash beta out.

But meanwhile, there's a problem with beta glibc and flash (both 32-bit 
and 64-bit), where flash is depending on officially "undefined" behavior 
as if it was behind, and the new (still unreleased upstream) glibc changes 
the officially undefined behavior, breaking flash.

But the behavior has been undefined for years and years (tho until now the 
actual glibc behavior had happened to remain the same), valgrind and other 
memory analysis tools have been warning about it for years and years, and 
flash was never fixed.  So now we know that either it had so many warnings 
they couldn't care about this one, or they never ran it thru such checkers 
in the first place, a rather serious problem for something as security 
exposed as flash obviously is, on millions of machines out there.

That would seem to go some way to explaining all the security holes it has 
had recently -- they apparently never ran it thru memory analysis tools 
designed to catch such problems.  <shrug>

Obviously, my take is a bit biased, but yet another reason I'm glad I 
don't do that servantware.  Even when/if the situation is fixed, that 
won't change the fact that flash is now known NOT to use regular security 
analysis tools to help them find and plug such problems before they 
release, so who knows how many more security issues wait to be found?

> On a related note, the alternative flash player lightspark has reached a
> "actually useful for youtube some of the time" status, and the current
> RC is supposed to improve this. Help me flattr the guys lightspark blog
> posts and you can soon ditch another binary package. :D

FWIW, I do have gnash installed, tho I've not tried lightspark, but don't 
use it all /that/ much, as I use the downloader for youtube, and on most 
(but not all) other sites, flash is mostly ads, anyway.  Rather, I tend to 
pick another site if I need to.  Sometimes manufacturers lose my buying 
dollars as a result because I can't see what they're product specs are due 
to flash, but oh, well...

-- 
Duncan - List replies preferred.   No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master."  Richard Stallman