Closed Bug 1331489 Opened 5 years ago Closed 5 years ago

flash blocklist doesn't seem to be working under Ubuntu

Categories

(Toolkit :: Blocklist Policy Requests, defect)

x86_64
Linux
defect
Not set
normal

RESOLVED WORKSFORME

People

(Reporter: kjozwiak, Unassigned)

It seems like the flash blocklist is not working under Ubuntu. I suspect it might be due to the version numbers not being displayed/missing under about:addons/about:plugins. Does the server ping pull any information from about:plugins? If it does, it would explain why it's not working as the version numbers seem to be missing.

I'm attempting to go through bug#1330086 to test the latest block against 24.0.0.186, however, it's not setting the plugin as "vulnerable" when I ping the staging server. Here's the workflow that I've been using:

* download/install flash 24.0.0.186 [1] which is currently vulnerable
* check about:plugins and you should see something similar: (notice no version # being displayed)
 
File: libflashplayer.so
Path: /usr/lib/mozilla/plugins/libflashplayer.so
Version: 
State: Enabled
Shockwave Flash 24.0 r0

* point fx to the blocklist staging server [2]
* once you've changed all the about:config prefs, ping the staging server via:

Components.classes["@mozilla.org/extensions/blocklist;1"].getService(Components.interfaces.nsITimerCallback).notify(null);

You'll get the following log from the browser console:

Blocklist::notify: Requesting https://blocklist-dev.allizom.org/blocklist/3/%7Bec8030f7-c20a-464f-9b0e-13a3a9e97384%7D/53.0a1/Firefox/20170116030326/Linux_x86_64-gcc3/en-US/nightly/Linux%204.4.0-45-generic%20(GTK%203.18.9%2Clibpulse%208.0.0)/default/default/invalid/invalid/0/

Blocklist state for shield-recipe-client@mozilla.org changed from 0 to 0
Blocklist state for formautofill@mozilla.org changed from 0 to 0
Blocklist state for webcompat@mozilla.org changed from 0 to 0
Blocklist state for flyweb@mozilla.org changed from 0 to 0
Blocklist state for firefox@getpocket.com changed from 0 to 0
Blocklist state for presentation@mozilla.org changed from 0 to 0
Blocklist state for aushelper@mozilla.org changed from 0 to 0
Blocklist state for e10srollout@mozilla.org changed from 0 to 0
Blocklist state for {972ce4c6-7e08-4474-a285-3208198ce6fd} changed from 0 to 0
Blocklist state for firefox-compact-light@mozilla.org@personas.mozilla.org changed from 0 to 0
Blocklist state for firefox-compact-dark@mozilla.org@personas.mozilla.org changed from 0 to 0
Blocklist state for Shockwave Flash changed from 0 to 0

As you can see from the last entry, the 24.0.0.186 plugin wasn't marked as vulnerable. A successful block would display the following:

Blocklist state for Shockwave Flash changed from 0 to 4

I'm not sure if something changed with flash or fx, but it's definitely not working as expected. It looks like FX isn't pulling and displaying the correct information under about:plugins/about:addons.

[1] https://helpx.adobe.com/flash-player/kb/archived-flash-player-versions.html
[2] https://wiki.mozilla.org/Blocklisting/Testing

(In reply to Kamil Jozwiak [:kjozwiak] from comment #0)
> File: libflashplayer.so
> Path: /usr/lib/mozilla/plugins/libflashplayer.so
> Version: 
> State: Enabled
> Shockwave Flash 24.0 r0

If this is what you're seeing in about:plugins, then we won't be able to effectively block the plugin on Ubuntu (or Linux in general).

The version number should show up next to Version, allowing us to use the version filter to block it. A long time ago we had this same problem with the version number, so we had to rely on the description, which showed the full version number. This doesn't appear to be the case now either, so there's no way to do an effective block.

I suggest looking into old versions of the Flash plugin, to verify that the version was properly reported before, so we can figure out if this was caused by a change in Firefox or the Flash plugin.
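
The failure mode discussed above, as an added example that is not part of any comment in this bug and is not Firefox's blocklist code: a simplified version-range matcher that fails open when the plugin reports an empty version, next to a variant that surfaces the gap. The entry bounds, the plugin records, the `UNKNOWN` value and all function names are assumptions made for illustration.

```javascript
// Simplified model of a version-range plugin block; not Firefox's implementation.
// States 0 and 4 are the values in the console log quoted in this bug.
const NOT_BLOCKED = 0, VULNERABLE = 4, UNKNOWN = "unknown"; // UNKNOWN is hypothetical

// Constructed block entry; the version bounds are sample values.
const entry = { name: /^Shockwave Flash$/, minVersion: "0", maxVersion: "24.0.0.194" };

// Compare dotted numeric versions; returns -1, 0 or 1.
function cmp(a, b) {
  const x = a.split(".").map(Number), y = b.split(".").map(Number);
  for (let i = 0; i < Math.max(x.length, y.length); i++) {
    const d = (x[i] || 0) - (y[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}
const inRange = (v, e) => cmp(v, e.minVersion) >= 0 && cmp(v, e.maxVersion) <= 0;

// Naive matcher: needs a reported version before it tests the range, so an
// empty version comes back as not blocked (the filter fails open).
function naiveState(p, e) {
  if (!e.name.test(p.name)) return NOT_BLOCKED;
  return p.version && inRange(p.version, e) ? VULNERABLE : NOT_BLOCKED;
}

// Audited matcher: a name match with no version is reported as UNKNOWN,
// so a test run shows the gap instead of a clean "0".
function auditedState(p, e) {
  if (!e.name.test(p.name)) return NOT_BLOCKED;
  if (!p.version) return UNKNOWN;
  return inRange(p.version, e) ? VULNERABLE : NOT_BLOCKED;
}

// Description fallback: "24.0 r0" carries no build number, so the
// recovered value cannot tell one 24.0 build from another.
function fromDescription(desc) {
  const m = /(\d+)\.(\d+) r(\d+)/.exec(desc);
  return m ? `${m[1]}.${m[2]}.${m[3]}` : "";
}

// Constructed records shaped like the about:plugins output in this bug.
const plugins = ["", "24.0.0.186", "24.0.0.221"].map(version =>
  ({ name: "Shockwave Flash", version, description: "Shockwave Flash 24.0 r0" }));

const report = () => plugins.map(p =>
  [p.version || "(empty)", naiveState(p, entry), auditedState(p, entry)]);
console.log(report());
```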

It looks like the issue started happening when Adobe switched all the platforms, including Linux, to the fp_24 track sometime in December. I went through fp_24.0.0.186 once again and it's also affected. I must have missed the issue in bug#1323300 as fp_24.0.0.186 wasn't being blocked as it was the latest version at the time so it wasn't as obvious.

I'm not sure if this is an Adobe or Firefox issue but I'm leaning towards an issue with Flash as it's occurring on all of our channels and several different Linux distros as shown below. I downloaded the latest version of Debian/Fedora, set them up on my VM and went through several tests. All three are affected:

Ubuntu 16.04.1 LTS (xenial):
============================

* fp_24.0.0.194 - FAILED (version # not appearing)
* fp_24.0.0.186 - FAILED (version # not appearing)
* fp_11.2.202.664 - PASSED (version # appearing correctly)

Debian GNU/Linux 8.7 x64 (jessie):
==================================

* fp_24.0.0.194 - FAILED (version # not appearing)
* fp_24.0.0.186 - FAILED (version # not appearing)
* fp_11.2.202.664 - PASSED (version # appearing correctly)

Fedora 25 x64 (Linux 4.9.3-200.fc25.x86_64):
============================================

* fp_24.0.0.194 - FAILED (version # not appearing)
* fp_24.0.0.186 - FAILED (version # not appearing)
* fp_11.2.202.664 - PASSED (version # appearing correctly)

Jorge, let me know if there's anything else that I can do here.

I'll escalate this to Adobe, thanks.

Kamil, what does the following JavaScript return when run in Firefox's devtools console on Linux? What is the version number that Flash is actually reporting on Linux?

  navigator.plugins['Shockwave Flash'].version
Flags: needinfo?(muszynski.kamil)

Thanks for the report. I've opened FLASH-4187248 on our side.

(In reply to Chris Peterson [:cpeterson] from comment #4)
> Kamil, what does the following JavaScript return when run in Firefox's
> devtools console on Linux? What is the version number that Flash is actually
> reporting on Linux? 
> 
>   navigator.plugins['Shockwave Flash'].version

With fp_11.2.202.644 which is working correctly and the last 11.x version, I'll get the following output:

> navigator.plugins['Shockwave Flash'].version
> "11.2.202.644"

However, with fp_24.0.0.186 which is the first version that started using the 24.x numbering convention under Linux, I'll get the following:

> navigator.plugins['Shockwave Flash'].version
> ""
Flags: needinfo?(muszynski.kamil)

Adobe must have fixed the issue with 24.0.0.221. It looks like the version is appearing correctly under about:plugins:

File: libflashplayer.so
Path: /usr/lib/mozilla/plugins/libflashplayer.so
Version: 24.0.0.221
State: Enabled
Shockwave Flash 24.0 r0

However, with 24.0.0.186 and 24.0.0.194, the version numbers are still missing under about:plugins. I'll leave this open until there's a new version so we can ensure that 24.0.0.221 will correctly be blocked now that the version field is appearing under about:plugins.

This is now working as expected. I went through the latest flash blocklist using Ubuntu via bug#1347215 without any issues. Both fp24.0.0.221 [1] and fp25.0.0.127 [2] are correctly displaying the version numbers under about:plugins.

File: libflashplayer.so
Path: /usr/lib/mozilla/plugins/libflashplayer.so
[1] Version: 24.0.0.221
State: Enabled
Shockwave Flash 24.0 r0

File: libflashplayer.so
Path: /usr/lib/mozilla/plugins/libflashplayer.so
[2] Version: 25.0.0.127
State: Enabled
Shockwave Flash 25.0 r0
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → WORKSFORME