Critical vulnerabilities have been identified in Adobe Flash Player 10.1.102.64 and earlier versions for Windows, Macintosh, Linux, and Solaris. These vulnerabilities could cause the application to crash and could potentially allow an attacker to take control of the affected system. Adobe recommends users of Adobe Flash Player 10.1.102.64 and earlier versions for Windows, Macintosh, Linux, and Solaris update to Adobe Flash Player 10.2.152.26.
10.2.152.27 was released, please provide an updated ebuild: http://www.adobe.com/software/flash/about/
Working on the ebuild, standby.
Ebuild is in the tree as follows: www-plugins/adobe-flash-10.2.152.27 ----------------------------------- This is a 32-bit only ebuild, a simple upgrade from the affected 10.1.102.64 This one should be stabilized in the near future (depends on app-emulation/emul-linux-x86-xlibs-20110129 going stable for amd64) www-plugins/adobe-flash-10.2.152.27_p201011173 ---------------------------------------------- This is the "beta" version of the 64-bit "square" release (which has not changed as of this date), but it now installs the latest 10.2.152.27 release for the 32-bit plugin. This ebuild should *NOT* be stabilized. www-plugins/adobe-flash-9.0.289.0 --------------------------------- I was keeping the 9.0 series around as long as they were supported, but Adobe has dropped support for this release line. 9.0.289.0 should be p.masked and slated for removal as a result of this security bug.
With this version new config option is needed for GPU accelerated video: EnableLinuxHWVideoDecode=1 See: http://kb2.adobe.com/cps/890/cpsid_89050.html H.264 Hardware decoding on Linux is available as an experimental feature and has been tested on NVidia GT 330 and Broadcom BCM70015 GPUs. Users may choose to enable hardware decoding by adding EnableLinuxHWVideoDecode=1 in an mms.cfg configuration file. Users may experiance instability and crashes while watching hardware accelerated video. Please report any issues to http://bugs.adobe.com/flashplayer. So maybe it should be activated when USE=vdpau or at least elog message should be show. But still, even having "accelerated video rendering" on youtube (amd64 with nspluginwrapper) no VSYNC problems, CPU usage is much higher than with release www-plugins/adobe-flash-10.2.161.23_pre20101117 (I manually compiled 32-bit vdpau cause it wasn't provided with emul x86 then)
(In reply to comment #3) > Ebuild is in the tree as follows: > > www-plugins/adobe-flash-10.2.152.27 > ----------------------------------- > This is a 32-bit only ebuild, a simple upgrade from the affected 10.1.102.64 > > This one should be stabilized in the near future (depends on > app-emulation/emul-linux-x86-xlibs-20110129 going stable for amd64) > Thank you, Jim. Arches, please test and mark stable: =www-plugins/adobe-flash-10.2.152.27 Target keywords : "amd64 x86" @amd64, per Jim's note, you'll also need: =app-emulation/emul-linux-x86-xlibs-20110129 Target keywords : "amd64"
(In reply to comment #5) > @amd64, per Jim's note, you'll also need: > > =app-emulation/emul-linux-x86-xlibs-20110129 > Target keywords : "amd64" > This will also need other emul packages (that I am fine with stabilizing): app-emulation/emul-linux-x86-baselibs-20110129 app-emulation/emul-linux-x86-gtklibs-20110129 app-emulation/emul-linux-x86-medialibs-20110129 app-emulation/emul-linux-x86-opengl-20110129 app-emulation/emul-linux-x86-qtlibs-20110129 app-emulation/emul-linux-x86-sdl-20110129 app-emulation/emul-linux-x86-soundlibs-20110129
amd64 done
x86 stable, last one so update the whiteboard
Thanks, folks. GLSA request filed.
FYI, I have just p.masked <www-plugins/adobe-flash-10.2.153.1 because of this bug and also #360529 and #359019.
CVE-2011-0608 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0608): Adobe Flash Player before 10.2.152.26 allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2011-0559, CVE-2011-0560, CVE-2011-0561, CVE-2011-0571, CVE-2011-0572, CVE-2011-0573, CVE-2011-0574, CVE-2011-0578, and CVE-2011-0607. CVE-2011-0607 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0607): Adobe Flash Player before 10.2.152.26 allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2011-0559, CVE-2011-0560, CVE-2011-0561, CVE-2011-0571, CVE-2011-0572, CVE-2011-0573, CVE-2011-0574, CVE-2011-0578, and CVE-2011-0608. CVE-2011-0578 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0578): Adobe Flash Player before 10.2.152.26 allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors related to a constructor for an unspecified ActionScript3 object and improper type checking, a different vulnerability than CVE-2011-0559, CVE-2011-0560, CVE-2011-0561, CVE-2011-0571, CVE-2011-0572, CVE-2011-0573, CVE-2011-0574, CVE-2011-0607, and CVE-2011-0608. CVE-2011-0577 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0577): Unspecified vulnerability in Adobe Flash Player before 10.2.152.26 allows remote attackers to execute arbitrary code via a crafted font. CVE-2011-0575 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0575): Untrusted search path vulnerability in Adobe Flash Player before 10.2.152.26 allows local users to gain privileges via a Trojan horse DLL in the current working directory. CVE-2011-0574 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0574): Adobe Flash Player before 10.2.152.26 allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2011-0559, CVE-2011-0560, CVE-2011-0561, CVE-2011-0571, CVE-2011-0572, CVE-2011-0573, CVE-2011-0578, CVE-2011-0607, and CVE-2011-0608. CVE-2011-0573 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0573): Adobe Flash Player before 10.2.152.26 allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2011-0559, CVE-2011-0560, CVE-2011-0561, CVE-2011-0571, CVE-2011-0572, CVE-2011-0574, CVE-2011-0578, CVE-2011-0607, and CVE-2011-0608. CVE-2011-0572 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0572): Adobe Flash Player before 10.2.152.26 allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2011-0559, CVE-2011-0560, CVE-2011-0561, CVE-2011-0571, CVE-2011-0573, CVE-2011-0574, CVE-2011-0578, CVE-2011-0607, and CVE-2011-0608. CVE-2011-0571 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0571): Adobe Flash Player before 10.2.152.26 allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2011-0559, CVE-2011-0560, CVE-2011-0561, CVE-2011-0572, CVE-2011-0573, CVE-2011-0574, CVE-2011-0578, CVE-2011-0607, and CVE-2011-0608. CVE-2011-0561 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0561): Adobe Flash Player before 10.2.152.26 allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2011-0559, CVE-2011-0560, CVE-2011-0571, CVE-2011-0572, CVE-2011-0573, CVE-2011-0574, CVE-2011-0578, CVE-2011-0607, and CVE-2011-0608. CVE-2011-0560 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0560): Adobe Flash Player before 10.2.152.26 allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2011-0559, CVE-2011-0561, CVE-2011-0571, CVE-2011-0572, CVE-2011-0573, CVE-2011-0574, CVE-2011-0578, CVE-2011-0607, and CVE-2011-0608. CVE-2011-0559 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0559): Adobe Flash Player before 10.2.152.26 allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted parameters to an unspecified ActionScript method that cause a parameter to be used as an object pointer, a different vulnerability than CVE-2011-0560, CVE-2011-0561, CVE-2011-0571, CVE-2011-0572, CVE-2011-0573, CVE-2011-0574, CVE-2011-0578, CVE-2011-0607, and CVE-2011-0608. CVE-2011-0558 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0558): Integer overflow in Adobe Flash Player before 10.2.152.26 allows attackers to execute arbitrary code via a large array length value in the ActionScript method of the Function class.
This issue was resolved and addressed in GLSA 201110-11 at http://security.gentoo.org/glsa/glsa-201110-11.xml by GLSA coordinator Tim Sammut (underling).