Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 414603 (CVE-2012-0779) - <www-plugins/adobe-flash-11.2.202.235: object confusion remote code execution vulnerability (CVE-2012-0779)
Summary: <www-plugins/adobe-flash-11.2.202.235: object confusion remote code execution...
Status: RESOLVED FIXED
Alias: CVE-2012-0779
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://www.adobe.com/support/securit...
Whiteboard: B2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2012-05-04 14:41 UTC by Tim Sammut (RETIRED)
Modified: 2012-06-23 20:37 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Tim Sammut (RETIRED) gentoo-dev 2012-05-04 14:41:03 UTC
From the upstream advisory at $URL:

Adobe released security updates for Adobe Flash Player 11.2.202.233 and earlier versions for Windows, Macintosh and Linux, Adobe Flash Player 11.1.115.7 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.8 and earlier versions for Android 3.x and 2.x. These updates address an object confusion vulnerability (CVE-2012-0779) that could cause the application to crash and potentially allow an attacker to take control of the affected system.
There are reports that the vulnerability is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious file delivered in an email message. The exploit targets Flash Player on Internet Explorer for Windows only.

Adobe recommends users of Adobe Flash Player 11.2.202.233 and earlier versions for Windows, Macintosh and Linux update to Adobe Flash Player 11.2.202.235. Flash Player installed with Google Chrome was updated automatically, so no user action is required.
Comment 1 Jim Ramsay (lack) (RETIRED) gentoo-dev 2012-05-05 02:43:44 UTC
Just bumped flash to 11.2.202.235.

As usual, stabilize any time.
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2012-05-05 02:57:40 UTC
Thanks, Jim.

Arches, please test and mark stable:
=www-plugins/adobe-flash-11.2.202.235
Target keywords : "amd64 x86"
Comment 3 Elijah "Armageddon" El Lazkani (amd64 AT) 2012-05-05 05:16:42 UTC
amd64: pass
Comment 4 Markos Chandras (RETIRED) gentoo-dev 2012-05-05 11:28:31 UTC
amd64 done. Thanks  Elijah
Comment 5 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2012-05-05 12:51:03 UTC
I'm can't see problems for x86, tried run under firefox and chromium: all well.
Please mark stable.
Comment 6 Andreas Schürch gentoo-dev 2012-05-06 17:33:11 UTC
x86 stable, thanks Mikle.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2012-05-06 22:25:43 UTC
CVE-2012-0779 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0779):
  Adobe Flash Player before 10.3.183.19 and 11.x before 11.2.202.235 on
  Windows, Mac OS X, and Linux; before 11.1.111.9 on Android 2.x and 3.x; and
  before 11.1.115.8 on Android 4.x allows remote attackers to execute
  arbitrary code via a crafted file, related to an "object confusion
  vulnerability," as exploited in the wild in May 2012.
Comment 8 Tim Sammut (RETIRED) gentoo-dev 2012-05-07 02:51:50 UTC
Thanks, folks. Already in GLSA request.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2012-06-23 20:37:09 UTC
This issue was resolved and addressed in
 GLSA 201206-21 at http://security.gentoo.org/glsa/glsa-201206-21.xml
by GLSA coordinator Sean Amoss (ackle).