Shockwave Flash 11,2,202,440 disabled as vulnerable

vlatkoB

Unread post by vlatkoB » 2015-01-30, 11:52

On Ubuntu 12.04, PaleMoon 24.5.0, I have installed Shockwave Flash (with flashplugin-installer)

    Shockwave Flash

        File: libflashplayer.so
        Path: /usr/lib/flashplugin-installer/libflashplayer.so
        Version: 11,2,202,440
        State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
        Shockwave Flash 11.2 r202

and it is marked as vulnerable. 440 is the latest update and this one is not vulnerable.

When I click on Update Now link for Shockwave Flash in Plugins, it opens URL https://addons.mozilla.org/en-US/firefox/blocked/p796 which says

    Flash Player Plugin on Linux 11.2.202.424 and lower (click-to-play) has been blocked for your protection.

In other words, all Flash is blocked. I restarted PM several times, but no changes.
What to do?

br,
vlatko

Moonchild
Pale Moon guru
Posts: 35636
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: Shockwave Flash 11,2,202,440 disabled as vulnerable

Unread post by Moonchild » 2015-01-30, 12:06

OK, I think I know what's going on with these recent issues... the version separator is a comma instead of what it is supposed to be, a period.
This will make it look to Pale Moon as version 11 (no subs). Is this an OS locale issue? What locale are you running?
Unless the version numbering can be changed to use periods in how it is reported to Pale Moon, I can't effectively use the blocklist on Linux.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

vlatkoB

Re: Shockwave Flash 11,2,202,440 disabled as vulnerable

Unread post by vlatkoB » 2015-01-30, 12:10

Language is English, but the formats and dates are Croatian. And we use decimal comma, not decimal point.

EDIT: I had no problems till last update.

Lucio Chiappetti
Astronaut
Posts: 660
Joined: 2014-09-01, 15:11
Location: Milan Italy

Re: Shockwave Flash 11,2,202,440 disabled as vulnerable

Unread post by Lucio Chiappetti » 2015-01-30, 12:20

The problem described by the OP is the same one I reported in another thread http://forum.palemoon.org/viewtopic.php ... =20#p46671. I too see, after the upgrade, in PM 25.0.2 (x64) under Linux SUSE 11.3 about:plugins,
Version: 11,2,202,440 State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)

I am not aware of having done any fiddling with the locale; the "locale" command reports LC_CTYPE=en_US.UTF-8, and all the rest as "POSIX".
Last edited by Lucio Chiappetti on 2015-01-30, 12:23, edited 1 time in total.
The reasonable man adapts himself to the world: the unreasonable one persists in trying to adapt the world to himself. Therefore all progress depends on the unreasonable man. (G.B. Shaw)

vlatkoB

Re: Shockwave Flash 11,2,202,440 disabled as vulnerable

Unread post by vlatkoB » 2015-01-30, 12:22

I do not think it is a locale thing. I just switched to the UK locale and restarted Ubuntu, but the version is still shown with commas. Then I reinstalled flashplugin-installer with the UK locale, and it is still shown with commas.

SvenG

Re: Shockwave Flash 11,2,202,440 disabled as vulnerable

Unread post by SvenG » 2015-01-30, 12:27

Same issue here, German locale. Fun thing is that Firefox shows the version correctly.

vlatkoB

Re: Shockwave Flash 11,2,202,440 disabled as vulnerable

Unread post by vlatkoB » 2015-01-30, 12:29

Uninstalled flashplugin-installer, installed adobe-flashplugin, and it is the same.

Moonchild

Re: Shockwave Flash 11,2,202,440 disabled as vulnerable

Unread post by Moonchild » 2015-01-30, 13:00

I'll make the blocklist more conservative until I figure out what exactly is going on with the version numbers here.
More info would be welcome since it might be distro related, as Pale Moon will just pull the file version from the file. What distros give commas? What distros give periods?

SvenG

Re: Shockwave Flash 11,2,202,440 disabled as vulnerable

Unread post by SvenG » 2015-01-30, 13:14

I am not even sure if the file is distro specific. The package installed by Ubuntu is just a downloader that grabs the file directly from Adobe.

Here it's Ubuntu 14.04 with PM 25.2 and FossaMail 25.1 showing commas and FF 28 and TB 31.4 showing periods all with German localization. :crazy:

vlatkoB

Re: Shockwave Flash 11,2,202,440 disabled as vulnerable

Unread post by vlatkoB » 2015-01-30, 13:21

Why not simply disregard the separator, be it dot or comma?

Moonchild

Re: Shockwave Flash 11,2,202,440 disabled as vulnerable

Unread post by Moonchild » 2015-01-30, 14:23

vlatkoB wrote: Why not simply disregard the separator, be it dot or comma?

You can't just disregard it. The problem seems to be that the comma isn't seen AS a separator.
It may yet be locale specific. Internationalization getting in the way of what is supposed to be a standard format with periods because it's treated "as a number" (even though no number with multiple decimal separators exists).

I may have to do a mozregression and see if I can (1) reproduce it in ff and (2) find out if and if so, when, this was addressed. I can't imagine that this was in FF-release for over a year without a fix though, but maybe it was.

vlatkoB

Re: Shockwave Flash 11,2,202,440 disabled as vulnerable

Unread post by vlatkoB » 2015-01-30, 14:30

FF shows the version correctly, with dots.
Also, as I already mentioned, all worked correctly till a day ago, when I updated the flash plugin.

squarefractal

Re: Shockwave Flash 11,2,202,440 disabled as vulnerable

Unread post by squarefractal » 2015-01-30, 14:43

Moonchild wrote: It may yet be locale specific. internationalization getting in the way of what is supposed to be a standard format with periods because it's treated "as a number" (even though no number with multiple decimal separators exists).

I don't think so, because both strings happen to be present:

    $ strings libflashplayer.so | grep -P '11[^\w]2'
    libgtk-x11-2.0.so.0
    libgdk-x11-2.0.so.0
    LNX 11,2,202,440
    Shockwave Flash 11.2 r202
    11.2.202.440
    drm/%s/%s/%s/11.2.202.440%s

SvenG

Re: Shockwave Flash 11,2,202,440 disabled as vulnerable

Unread post by SvenG » 2015-01-30, 14:48

Moonchild wrote: I may have to do a mozregression and see if I can (1) reproduce it in ff and (2) find out if and if so, when, this was addressed. I can't imagine that this was in FF-release for over a year without a fix though, but maybe it was.

Looking at this bugzilla post
https://bugzilla.mozilla.org/show_bug.c ... 109795#c45
it has been a problem in Firefox too.

Lucio Chiappetti

Re: Shockwave Flash 11,2,202,440 disabled as vulnerable

Unread post by Lucio Chiappetti » 2015-01-30, 15:13

squarefractal wrote: I don't think so, because both strings happen to be present

I confirm the same output in the 440 libflashplayer.so I installed yesterday, but also that commas and dots were present in the same place in the previous version (which I backed up offline)

    11,2,202,346
    11.2.202.346
    drm/%s/%s/%s/11.2.202.346%s

nostril

Re: Shockwave Flash 11,2,202,440 disabled as vulnerable

Unread post by nostril » 2015-01-30, 15:15

Hi

Debian Wheezy
LANG=en_US.UTF-8
LANGUAGE=en_US:en
LC_TIME="en_US.UTF-8"
like every other 'LC'

Palemoon 25.2.1 - with commas
Version: 11,2,202,440
VULNERABLE MESSAGE

Iceweasel ESR 31.4.0
Version: 11.2.202.440
EVERYTHING OK

GNU Icecat 31.4.0
Version: 11.2.202.440
EVERYTHING OK

Tried/copied blocklist file from Iceweasel and Icecat which results in the same VULNERABLE MESSAGE.
COPIED OLD BLOCKLIST file from Palemoon 2015/01/15 over the current one and ERROR DISAPPEARS.

Removed write permission of blocklist file for the time being, and Bob's my Uncle.

Moonchild

Re: Shockwave Flash 11,2,202,440 disabled as vulnerable

Unread post by Moonchild » 2015-01-30, 15:20

I've updated the blocklist to allow any v11 without warning for the moment. It may take a day to propagate unless you remove the blocklist.xml manually from your profile.

nostril

Re: Shockwave Flash 11,2,202,440 disabled as vulnerable

Unread post by nostril » 2015-01-30, 16:22

Pulled the updated blocklist and it does not make a difference on Debian Wheezy.
On Pale Moon it still brings up the 'should be updated' message.

I copied the updated blocklist across to Iceweasel and Icecat which DOES NOT bring the error in both browsers.
I tried that with the old blocklist too and it DID NOT bring up an error either.

Palemoon blocklist from 01/15/2015 works and DOES NOT bring the error.

most bizarre

Moonchild

Re: Shockwave Flash 11,2,202,440 disabled as vulnerable

Unread post by Moonchild » 2015-01-30, 16:36

Please verify that the blocklist you pulled has a lastupdate stamp of 1422619961000. It should work and no longer block libflashplayer.so 11.anything.
If it doesn't have that timestamp then you've pulled the previous version.

It has to be an error in the Pale Moon code somewhere that causes this, but I have to hunt down exactly where and what. It was obviously broken in the base code I used when forking off.

Moonchild

Re: Shockwave Flash 11,2,202,440 disabled as vulnerable

Unread post by Moonchild » 2015-01-30, 17:14

Hunt successful: something that was present since FF 1.0, and fixed in FF28 FF27 (it was uplifted).
Bug #942356. I'll have this fixed in the next version.

Edit: this seems to be a fault of Adobe's plugin trying to be "helpful" by localizing the version string :P
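
The failure discussed in this thread, as an added example that is not part of any post and is not Pale Moon or Firefox code: a simplified numeric version comparator in which only a period separates parts, so a comma-reported version collapses to 11 and lands inside the blocked range. The function names and the lower bound of the range are assumptions; the upper bound comes from the block notice quoted in the first post.

```javascript
"use strict";
// Simplified model of a dotted-version range check (assumption: numeric parts only).

// Parse a version into numeric parts. Only "." separates parts unless
// acceptComma is set; each part is read strtol-style: leading digits only.
function parseVersion(version, acceptComma = false) {
  const text = acceptComma ? version.replace(/,/g, ".") : version;
  return text.split(".").map((part) => {
    const m = /^\d+/.exec(part.trim());
    return m ? Number(m[0]) : 0;
  });
}

// Compare two part arrays; missing trailing parts count as 0.
function compareParts(a, b) {
  const n = Math.max(a.length, b.length);
  for (let i = 0; i < n; i++) {
    const d = (a[i] || 0) - (b[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// True when the reported plugin version falls inside [range.min, range.max].
function isBlocked(reported, range, acceptComma = false) {
  const v = parseVersion(reported, acceptComma);
  return compareParts(v, parseVersion(range.min)) >= 0 &&
         compareParts(v, parseVersion(range.max)) <= 0;
}

// Upper bound from the block notice quoted in the thread
// ("11.2.202.424 and lower"); the lower bound "0" is an assumption.
const FLASH_LINUX_BLOCK = { min: "0", max: "11.2.202.424" };

// Version strings as they appear in the thread's posts.
function demo() {
  return ["11,2,202,440", "11.2.202.440", "11,2,202,346"].map((reported) => ({
    reported,
    dotOnlyParts: parseVersion(reported).join("."),
    blockedDotOnly: isBlocked(reported, FLASH_LINUX_BLOCK),
    blockedNormalized: isBlocked(reported, FLASH_LINUX_BLOCK, true),
  }));
}

console.table(demo());
```

With dot-only parsing the patched 440 build and the older 346 build are indistinguishable, which is why a range-based blocklist entry could not be used safely until the separator handling was fixed.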
