Bug 537426 (CVE-2015-0311) - <www-plugins/adobe-flash-11.2.202.440 - remote code execution (CVE-2015-0311)
Summary: <www-plugins/adobe-flash-11.2.202.440 - remote code execution (CVE-2015-0311)
Status: RESOLVED FIXED
Alias: CVE-2015-0311
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal critical
Assignee: Gentoo Security
URL: http://helpx.adobe.com/security/produ...
Whiteboard: A1 [glsa]
Keywords:
Depends on:
Blocks:
Reported: 2015-01-23 09:58 UTC by Chí-Thanh Christopher Nguyễn
Modified: 2015-02-06 19:28 UTC
CC: 4 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Chí-Thanh Christopher Nguyễn gentoo-dev 2015-01-23 09:58:20 UTC
Security Advisory for Adobe Flash Player

Release date: January 22, 2015

Vulnerability identifier: APSA15-01

CVE number: CVE-2015-0311

Platform: All Platforms
Summary

A critical vulnerability (CVE-2015-0311) exists in Adobe Flash Player 16.0.0.287 and earlier versions for Windows, Macintosh and Linux. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system. We are aware of reports that this vulnerability is being actively exploited in the wild via drive-by-download attacks against systems running Internet Explorer and Firefox on Windows 8 and below.

Adobe expects to have a patch available for CVE-2015-0311 during the week of January 26.

Affected software versions

    Adobe Flash Player 16.0.0.287 and earlier versions for Windows and Macintosh
    Adobe Flash Player 13.0.0.262 and earlier 13.x versions
    Adobe Flash Player 11.2.202.438 and earlier versions for Linux

To verify the version of Adobe Flash Player installed on your system, access the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe (or Macromedia) Flash Player" from the menu. If you use multiple browsers, perform the check for each browser you have installed on your system.
Severity ratings

Adobe categorizes this as a critical vulnerability.
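The advisory above gives three version boundaries (one per platform, plus the separate 13.x branch), and the bug's own fix atom is `<www-plugins/adobe-flash-11.2.202.440`. The following is an added example, not code from the bug, from Gentoo, or from Adobe: a small checker that turns those boundaries into a function a defender can run against inventory data. The platform names, the `parse_version` helper and the sample inventory entries are my own assumptions and constructed values; the boundary versions themselves are copied from the advisory and from comment 3.

```python
"""Check Flash Player versions against the CVE-2015-0311 affected ranges (APSA15-01).

Added example; the version boundaries are the ones quoted in the bug, the
helper names and sample inventory are constructed for this example.
"""
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Boundaries quoted verbatim from the advisory / NVD text in the bug.
LAST_AFFECTED_WIN_MAC = "16.0.0.287"   # Windows and Macintosh, 14.x/15.x/16.x branches
LAST_AFFECTED_13X = "13.0.0.262"       # extended-support 13.x branch
LAST_AFFECTED_LINUX = "11.2.202.438"   # Linux
# First fixed Linux version, from the Gentoo fix atom <www-plugins/adobe-flash-11.2.202.440
FIXED_LINUX = "11.2.202.440"


def parse_version(text: str) -> Version:
    """Turn a dotted version like '11.2.202.438' into a comparable tuple of ints.

    Tuple comparison gives correct numeric ordering per component, so
    (11, 2, 202, 440) > (11, 2, 202, 438) even though '438' < '440' only
    happens to hold lexically as well.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(platform: str, version: str) -> bool:
    """Return True if this platform/version pair falls inside the advisory's affected ranges.

    platform is one of 'linux', 'windows', 'macintosh' (assumed labels).
    The 13.x branch is checked against its own ceiling because a hypothetical
    13.0.0.263 would be below 16.0.0.287 yet is not listed as affected.
    """
    v = parse_version(version)
    plat = platform.lower()
    if plat == "linux":
        return v <= parse_version(LAST_AFFECTED_LINUX)
    if plat in ("windows", "macintosh"):
        if v[0] == 13:
            return v <= parse_version(LAST_AFFECTED_13X)
        return v <= parse_version(LAST_AFFECTED_WIN_MAC)
    raise ValueError(f"unknown platform: {platform!r}")


def gentoo_atom_matches(installed: str) -> bool:
    """Return True if an installed Gentoo adobe-flash version satisfies
    the vulnerable atom from comment 3, i.e. is strictly below 11.2.202.440."""
    return parse_version(installed) < parse_version(FIXED_LINUX)


def triage(inventory: List[Dict[str, str]]) -> List[str]:
    """Return the names of inventory hosts that still run an affected Flash build.

    Each entry is {'host': ..., 'platform': ..., 'flash': ...}; all constructed.
    """
    return [e["host"] for e in inventory if is_affected(e["platform"], e["flash"])]


# Constructed sample inventory (hostnames and versions are made up for the example).
SAMPLE_INVENTORY = [
    {"host": "ws-linux-01", "platform": "linux", "flash": "11.2.202.438"},
    {"host": "ws-linux-02", "platform": "linux", "flash": "11.2.202.440"},
    {"host": "ws-win-07", "platform": "windows", "flash": "16.0.0.287"},
    {"host": "ws-mac-03", "platform": "macintosh", "flash": "13.0.0.262"},
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: affected by CVE-2015-0311, update required")
```

Run against the constructed inventory, `triage` reports the three hosts still on or below a boundary version and skips the Linux host already on 11.2.202.440. The separate 13.x branch check is the one detail worth copying into any real inventory query: a naive "version <= 16.0.0.287" comparison would misclassify a patched 13.x build.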
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2015-01-26 08:52:55 UTC
There is a new version out there but versioned tarballs have not yet been made available.

https://www.adobe.com/products/flashplayer/distribution3.html
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2015-01-26 09:20:02 UTC
Meanwhile, the privileged people at Canonical get early access:

http://archive.canonical.com/pool/partner/a/adobe-flashplugin/adobe-flashplugin_11.2.202.440.orig.tar.gz
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2015-01-27 08:51:16 UTC
Arch teams, please test and mark stable:
=www-plugins/adobe-flash-11.2.202.440
Targeted stable KEYWORDS : amd64 x86
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2015-01-27 08:53:32 UTC
CVE-2015-0311 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0311):
  Unspecified vulnerability in Adobe Flash Player through 13.0.0.262 and 14.x,
  15.x, and 16.x through 16.0.0.287 on Windows and OS X and through
  11.2.202.438 on Linux allows remote attackers to execute arbitrary code via
  unknown vectors, as exploited in the wild in January 2015.
Comment 5 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-01-27 10:32:25 UTC
both arches are stable
Comment 6 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-01-27 10:36:31 UTC
Added to existing glsa draft.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2015-02-06 19:28:45 UTC
This issue was resolved and addressed in
 GLSA 201502-02 at http://security.gentoo.org/glsa/glsa-201502-02.xml
by GLSA coordinator Mikle Kolyada (Zlogene).