Bug 432286 (CVE-2012-4163) - <www-plugins/adobe-flash-11.2.202.238: Multiple Vulnerabilities (CVE-2012-{4163,4164,4165,4166,4167,4168,5054})
Summary: <www-plugins/adobe-flash-11.2.202.238: Multiple Vulnerabilities (CVE-2012-{41...
Status: RESOLVED FIXED
Alias: CVE-2012-4163
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://www.adobe.com/support/securit...
Whiteboard: B2 [glsa]
Reported: 2012-08-22 11:04 UTC by Agostino Sarubbo
Modified: 2012-09-25 00:26 UTC

Description Agostino Sarubbo gentoo-dev 2012-08-22 11:04:47 UTC
From the Secunia advisory at $URL:

Description
Multiple vulnerabilities have been reported in Adobe Flash Player, which can be exploited by malicious people to gain knowledge of potentially sensitive information or compromise a user's system.

1) An unspecified error can be exploited to corrupt memory.

2) An unspecified error can be exploited to corrupt memory.

3) An unspecified error can be exploited to corrupt memory.

4) An unspecified error can be exploited to corrupt memory.

5) An integer overflow error can be exploited to corrupt memory.

6) An error can lead to cross-domain information leaks.

The vulnerabilities are reported in the following versions:
* Adobe Flash Player 11.3.300.271 and earlier versions for Windows, Macintosh, and Linux
Comment 1 Tim Sammut (RETIRED) gentoo-dev 2012-08-24 14:24:18 UTC
Do we have confirmation that 11.2.202.238 is impacted by these? The upstream advisory states:

Adobe recommends users update their product installations to the latest versions:
 - Users of Adobe Flash Player 11.2.202.236 and earlier versions for Linux should update to Adobe Flash Player 11.2.202.238.

This, to me, either means 11.2.202.238 is the best available but affected, or the release versioning is not completely ordered numerically and 11.2.202.238 is not affected.
Comment 2 Agostino Sarubbo gentoo-dev 2012-08-24 14:47:44 UTC
(In reply to comment #1)
> Do we have confirmation that 11.2.202.238 is impacted by these? The upstream
> advisory states:
> 
> Adobe recommends users update their product installations to the latest
> versions:
>  - Users of Adobe Flash Player 11.2.202.236 and earlier versions for Linux
> should update to Adobe Flash Player 11.2.202.238.
> 
> This, to me, either means 11.2.202.238 is the best available but affected,
> or the release versioning is not completely ordered numerically and
> 11.2.202.238 is not affected.

Adobe usually, when there isn't a fixed version, does not say to update to version $x, so probably those vulnerabilities are fixed in 11.2.202.238 but were not discovered or announced at the same time as CVE-2012-1535 (we only need a GLSA).

What do you think?
Comment 3 Tobias Heinlein (RETIRED) gentoo-dev 2012-08-24 16:03:53 UTC
(In reply to comment #2)
> > [..]
> > This, to me, either means 11.2.202.238 is the best available but affected,
> > or the release versioning is not completely ordered numerically and
> > 11.2.202.238 is not affected.
> 
> Adobe usually, when there isn't a fixed version does not says to update to
> version $x, so probably those vulnerabilities are fixed in 11.2.202.238 but
> discovered or announced not at same time of CVE-2012-1535(we need only glsa).
> 
> What do you think about?

... what?
Comment 4 Agostino Sarubbo gentoo-dev 2012-08-24 16:15:17 UTC
(In reply to comment #3)
> ... what?

What did you not understand?
Comment 5 Tim Sammut (RETIRED) gentoo-dev 2012-08-24 17:36:11 UTC
I sent a note to the Adobe PSIRT and will loop back here if they respond.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2012-08-24 21:43:50 UTC
CVE-2012-4168 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4168):
  Adobe Flash Player before 11.4.402.265 on Windows and Mac OS X, before
  11.2.202.238 on Linux, before 11.1.111.16 on Android 2.x and 3.x, and before
  11.1.115.17 on Android 4.x; Adobe AIR before 3.4.0.2540; and Adobe AIR SDK
  before 3.4.0.2540 allow remote attackers to read content from a different
  domain via a crafted web site.

CVE-2012-4167 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4167):
  Integer overflow in Adobe Flash Player before 11.4.402.265 on Windows and
  Mac OS X, before 11.2.202.238 on Linux, before 11.1.111.16 on Android 2.x
  and 3.x, and before 11.1.115.17 on Android 4.x; Adobe AIR before 3.4.0.2540;
  and Adobe AIR SDK before 3.4.0.2540 allows attackers to execute arbitrary
  code via unspecified vectors.

CVE-2012-4166 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4166):
  Adobe Flash Player before 11.4.402.265 on Windows and Mac OS X, before
  11.2.202.238 on Linux, before 11.1.111.16 on Android 2.x and 3.x, and before
  11.1.115.17 on Android 4.x; Adobe AIR before 3.4.0.2540; and Adobe AIR SDK
  before 3.4.0.2540 allow attackers to execute arbitrary code or cause a
  denial of service (memory corruption) via unspecified vectors, a different
  vulnerability than CVE-2012-4163, CVE-2012-4164, and CVE-2012-4165.

CVE-2012-4165 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4165):
  Adobe Flash Player before 11.4.402.265 on Windows and Mac OS X, before
  11.2.202.238 on Linux, before 11.1.111.16 on Android 2.x and 3.x, and before
  11.1.115.17 on Android 4.x; Adobe AIR before 3.4.0.2540; and Adobe AIR SDK
  before 3.4.0.2540 allow attackers to execute arbitrary code or cause a
  denial of service (memory corruption) via unspecified vectors, a different
  vulnerability than CVE-2012-4163, CVE-2012-4164, and CVE-2012-4166.

CVE-2012-4164 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4164):
  Adobe Flash Player before 11.4.402.265 on Windows and Mac OS X, before
  11.2.202.238 on Linux, before 11.1.111.16 on Android 2.x and 3.x, and before
  11.1.115.17 on Android 4.x; Adobe AIR before 3.4.0.2540; and Adobe AIR SDK
  before 3.4.0.2540 allow attackers to execute arbitrary code or cause a
  denial of service (memory corruption) via unspecified vectors, a different
  vulnerability than CVE-2012-4163, CVE-2012-4165, and CVE-2012-4166.

CVE-2012-4163 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4163):
  Adobe Flash Player before 11.4.402.265 on Windows and Mac OS X, before
  11.2.202.238 on Linux, before 11.1.111.16 on Android 2.x and 3.x, and before
  11.1.115.17 on Android 4.x; Adobe AIR before 3.4.0.2540; and Adobe AIR SDK
  before 3.4.0.2540 allow attackers to execute arbitrary code or cause a
  denial of service (memory corruption) via unspecified vectors, a different
  vulnerability than CVE-2012-4164, CVE-2012-4165, and CVE-2012-4166.
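
Added example (not part of the bug thread or of any Gentoo tooling): a per-platform version check built from the fixed-in versions in the CVE-2012-4163 to CVE-2012-4168 text above. It shows why reading "11.3.300.271 and earlier" without regard to platform wrongly flags the fixed Linux build 11.2.202.238, the ambiguity raised in comment 1. The platform keys, function names, host names and the Android 4.x sample version are constructed for illustration.

```python
# Fixed-in versions per platform, copied from the CVE text in this bug.
FIXED_IN = {
    "windows": "11.4.402.265",
    "macos": "11.4.402.265",
    "linux": "11.2.202.238",
    "android-2.x/3.x": "11.1.111.16",
    "android-4.x": "11.1.115.17",
}


def parse_version(text):
    """Turn '11.2.202.238' into (11, 2, 202, 238) so fields compare as numbers."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        raise ValueError(f"not a four-part Flash Player version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(platform, installed):
    """True if `installed` predates the fixed release on that platform's branch."""
    if platform not in FIXED_IN:
        raise ValueError(f"no fixed version listed for platform {platform!r}")
    return parse_version(installed) < parse_version(FIXED_IN[platform])


def naive_is_affected(installed, last_affected="11.3.300.271"):
    """Platform-blind reading of '11.3.300.271 and earlier' from the description."""
    return parse_version(installed) <= parse_version(last_affected)


def audit(inventory):
    """Return sorted (host, platform, version) rows that still need the update."""
    return sorted(row for row in inventory if is_affected(row[1], row[2]))


# Constructed inventory: hypothetical hosts, not data from the bug.
INVENTORY = [
    ("ws-01", "linux", "11.2.202.236"),
    ("ws-02", "linux", "11.2.202.238"),
    ("ws-03", "windows", "11.3.300.271"),
    ("ws-04", "windows", "11.4.402.265"),
    ("tab-01", "android-4.x", "11.1.115.11"),
]

if __name__ == "__main__":
    for host, platform, version in audit(INVENTORY):
        print(f"{host}: {platform} {version} is older than {FIXED_IN[platform]}")
    print("naive check flags fixed Linux build:", naive_is_affected("11.2.202.238"))
```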
Comment 7 Tim Sammut (RETIRED) gentoo-dev 2012-08-29 02:31:03 UTC
Adobe has updated their advisory:

https://www.adobe.com/support/security/bulletins/apsb12-19.html

We stabilized a fixed version via bug 431432. Moving to GLSA so that we can capture these CVEs in the GLSA, and added to the existing GLSA request.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2012-09-05 01:38:26 UTC
This issue was resolved and addressed in
 GLSA 201209-01 at http://security.gentoo.org/glsa/glsa-201209-01.xml
by GLSA coordinator Sean Amoss (ackle).
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2012-09-25 00:26:44 UTC
CVE-2012-5054 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5054):
  Integer overflow in the copyRawDataTo method in the Matrix3D class in Adobe
  Flash Player before 11.4.402.265 allows remote attackers to execute
  arbitrary code via malformed arguments.