538982 – (CVE-2015-0314) <www-plugins/adobe-flash-11.2.202.442: Multiple vulnerabilities (CVE-2015-{0312,0313,0314,0315,0316,0317,0318,0319,0320,0321,0322,0323,0324,0325,0326,0327,0328,0329,0330,0331})

Bug 538982 (CVE-2015-0314) - <www-plugins/adobe-flash-11.2.202.442: Multiple vulnerabilities (CVE-2015-{0312,0313,0314,0315,0316,0317,0318,0319,0320,0321,0322,0323,0324,0325,0326,0327,0328,0329,0330,0331})

Summary: <www-plugins/adobe-flash-11.2.202.442: Multiple vulnerabilities (CVE-2015-{03...

Status:	RESOLVED FIXED

Alias:	CVE-2015-0314

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Security

URL:	https://helpx.adobe.com/security/prod...
Whiteboard:	A2 [glsa]
Keywords:

Depends on:
Blocks:

Reported:	2015-02-05 21:45 UTC by Marius Brehler
Modified:	2015-03-14 13:34 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Marius Brehler 2015-02-05 21:45:30 UTC

Also adobe-flash 11.x isn't affected by CVE-2015-0313 [1], adobe ships a new release which includes fixes for several issues (18 CVEs in total). Please bump.

[1] http://helpx.adobe.com/security/products/flash-player/apsa15-02.html

Reproducible: Always

Comment 1 Patrick Lauer gentoo-dev

2015-02-06 03:33:19 UTC

+  06 Feb 2015; Patrick Lauer <patrick@gentoo.org>
+  +adobe-flash-11.2.202.442.ebuild:
+  Bump #538982

Comment 2 Jeroen Roovers (RETIRED) gentoo-dev

2015-02-06 08:59:21 UTC

Arch teams, please test and mark stable:
=www-plugins/adobe-flash-11.2.202.442
Targeted stable KEYWORDS : amd64 x86

Comment 3 Agostino Sarubbo gentoo-dev

2015-02-06 11:34:24 UTC

amd64 stable

Comment 4 Agostino Sarubbo gentoo-dev

2015-02-06 11:36:06 UTC

x86 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.

Comment 5 Kristian Fiskerstrand (RETIRED) gentoo-dev

2015-02-06 14:18:35 UTC

Added to existing GLSA draft

Comment 6 GLSAMaker/CVETool Bot gentoo-dev

2015-02-06 14:21:14 UTC

CVE-2015-0330 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0330):
  Adobe Flash Player before 13.0.0.269 and 14.x through 16.x before 16.0.0.305
  on Windows and OS X and before 11.2.202.442 on Linux allows attackers to
  execute arbitrary code or cause a denial of service (memory corruption) via
  unspecified vectors, a different vulnerability than CVE-2015-0314,
  CVE-2015-0316, CVE-2015-0318, CVE-2015-0321, and CVE-2015-0329.

CVE-2015-0329 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0329):
  Adobe Flash Player before 13.0.0.269 and 14.x through 16.x before 16.0.0.305
  on Windows and OS X and before 11.2.202.442 on Linux allows attackers to
  execute arbitrary code or cause a denial of service (memory corruption) via
  unspecified vectors, a different vulnerability than CVE-2015-0314,
  CVE-2015-0316, CVE-2015-0318, CVE-2015-0321, and CVE-2015-0330.

CVE-2015-0321 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0321):
  Adobe Flash Player before 13.0.0.269 and 14.x through 16.x before 16.0.0.305
  on Windows and OS X and before 11.2.202.442 on Linux allows attackers to
  execute arbitrary code or cause a denial of service (memory corruption) via
  unspecified vectors, a different vulnerability than CVE-2015-0314,
  CVE-2015-0316, CVE-2015-0318, CVE-2015-0329, and CVE-2015-0330.

CVE-2015-0318 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0318):
  Adobe Flash Player before 13.0.0.269 and 14.x through 16.x before 16.0.0.305
  on Windows and OS X and before 11.2.202.442 on Linux allows attackers to
  execute arbitrary code or cause a denial of service (memory corruption) via
  unspecified vectors, a different vulnerability than CVE-2015-0314,
  CVE-2015-0316, CVE-2015-0321, CVE-2015-0329, and CVE-2015-0330.

CVE-2015-0316 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0316):
  Adobe Flash Player before 13.0.0.269 and 14.x through 16.x before 16.0.0.305
  on Windows and OS X and before 11.2.202.442 on Linux allows attackers to
  execute arbitrary code or cause a denial of service (memory corruption) via
  unspecified vectors, a different vulnerability than CVE-2015-0314,
  CVE-2015-0318, CVE-2015-0321, CVE-2015-0329, and CVE-2015-0330.

CVE-2015-0314 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0314):
  Adobe Flash Player before 13.0.0.269 and 14.x through 16.x before 16.0.0.305
  on Windows and OS X and before 11.2.202.442 on Linux allows attackers to
  execute arbitrary code or cause a denial of service (memory corruption) via
  unspecified vectors, a different vulnerability than CVE-2015-0316,
  CVE-2015-0318, CVE-2015-0321, CVE-2015-0329, and CVE-2015-0330.

Comment 7 GLSAMaker/CVETool Bot gentoo-dev

2015-02-06 14:21:57 UTC

CVE-2015-0322 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0322):
  Use-after-free vulnerability in Adobe Flash Player before 13.0.0.269 and
  14.x through 16.x before 16.0.0.305 on Windows and OS X and before
  11.2.202.442 on Linux allows attackers to execute arbitrary code via
  unspecified vectors, a different vulnerability than CVE-2015-0313,
  CVE-2015-0315, and CVE-2015-0320.

CVE-2015-0320 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0320):
  Use-after-free vulnerability in Adobe Flash Player before 13.0.0.269 and
  14.x through 16.x before 16.0.0.305 on Windows and OS X and before
  11.2.202.442 on Linux allows attackers to execute arbitrary code via
  unspecified vectors, a different vulnerability than CVE-2015-0313,
  CVE-2015-0315, and CVE-2015-0322.

CVE-2015-0315 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0315):
  Use-after-free vulnerability in Adobe Flash Player before 13.0.0.269 and
  14.x through 16.x before 16.0.0.305 on Windows and OS X and before
  11.2.202.442 on Linux allows attackers to execute arbitrary code via
  unspecified vectors, a different vulnerability than CVE-2015-0313,
  CVE-2015-0320, and CVE-2015-0322.

Comment 8 GLSAMaker/CVETool Bot gentoo-dev

2015-02-06 14:22:20 UTC

CVE-2015-0319 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0319):
  Adobe Flash Player before 13.0.0.269 and 14.x through 16.x before 16.0.0.305
  on Windows and OS X and before 11.2.202.442 on Linux allows attackers to
  execute arbitrary code by leveraging an unspecified "type confusion," a
  different vulnerability than CVE-2015-0317.

CVE-2015-0317 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0317):
  Adobe Flash Player before 13.0.0.269 and 14.x through 16.x before 16.0.0.305
  on Windows and OS X and before 11.2.202.442 on Linux allows attackers to
  execute arbitrary code by leveraging an unspecified "type confusion," a
  different vulnerability than CVE-2015-0319.

Comment 9 GLSAMaker/CVETool Bot gentoo-dev

2015-02-06 14:22:48 UTC

CVE-2015-0327 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0327):
  Heap-based buffer overflow in Adobe Flash Player before 13.0.0.269 and 14.x
  through 16.x before 16.0.0.305 on Windows and OS X and before 11.2.202.442
  on Linux allows attackers to execute arbitrary code via unspecified vectors,
  a different vulnerability than CVE-2015-0323.

CVE-2015-0323 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0323):
  Heap-based buffer overflow in Adobe Flash Player before 13.0.0.269 and 14.x
  through 16.x before 16.0.0.305 on Windows and OS X and before 11.2.202.442
  on Linux allows attackers to execute arbitrary code via unspecified vectors,
  a different vulnerability than CVE-2015-0327.

Comment 10 GLSAMaker/CVETool Bot gentoo-dev

2015-02-06 14:23:22 UTC

CVE-2015-0324 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0324):
  Buffer overflow in Adobe Flash Player before 13.0.0.269 and 14.x through
  16.x before 16.0.0.305 on Windows and OS X and before 11.2.202.442 on Linux
  allows attackers to execute arbitrary code via unspecified vectors.

Comment 11 GLSAMaker/CVETool Bot gentoo-dev

2015-02-06 14:23:50 UTC

CVE-2015-0328 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0328):
  Adobe Flash Player before 13.0.0.269 and 14.x through 16.x before 16.0.0.305
  on Windows and OS X and before 11.2.202.442 on Linux allows attackers to
  cause a denial of service (NULL pointer dereference) or possibly have
  unspecified other impact via unknown vectors, a different vulnerability than
  CVE-2015-0325 and CVE-2015-0326.

CVE-2015-0326 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0326):
  Adobe Flash Player before 13.0.0.269 and 14.x through 16.x before 16.0.0.305
  on Windows and OS X and before 11.2.202.442 on Linux allows attackers to
  cause a denial of service (NULL pointer dereference) or possibly have
  unspecified other impact via unknown vectors, a different vulnerability than
  CVE-2015-0325 and CVE-2015-0328.

CVE-2015-0325 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0325):
  Adobe Flash Player before 13.0.0.269 and 14.x through 16.x before 16.0.0.305
  on Windows and OS X and before 11.2.202.442 on Linux allows attackers to
  cause a denial of service (NULL pointer dereference) or possibly have
  unspecified other impact via unknown vectors, a different vulnerability than
  CVE-2015-0326 and CVE-2015-0328.

Comment 12 GLSAMaker/CVETool Bot gentoo-dev

2015-02-06 19:28:52 UTC

This issue was resolved and addressed in
 GLSA 201502-02 at http://security.gentoo.org/glsa/glsa-201502-02.xml
by GLSA coordinator Mikle Kolyada (Zlogene).

Comment 13 GLSAMaker/CVETool Bot gentoo-dev

2015-02-13 09:41:27 UTC

CVE-2015-0313 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0313):
  Use-after-free vulnerability in Adobe Flash Player before 13.0.0.269 and
  14.x through 16.x before 16.0.0.305 on Windows and OS X and before
  11.2.202.442 on Linux allows remote attackers to execute arbitrary code via
  unspecified vectors, as exploited in the wild in February 2015, a different
  vulnerability than CVE-2015-0315, CVE-2015-0320, and CVE-2015-0322.

CVE-2015-0312 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0312):
  Double free vulnerability in Adobe Flash Player before 13.0.0.264 and 14.x
  through 16.x before 16.0.0.296 on Windows and OS X and before 11.2.202.440
  on Linux allows attackers to execute arbitrary code via unspecified vectors.

Comment 14 GLSAMaker/CVETool Bot gentoo-dev

2015-03-14 13:12:16 UTC

CVE-2015-0331 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0331):
  Use-after-free vulnerability in Adobe Flash Player before 13.0.0.269 and
  14.x through 16.x before 16.0.0.305 on Windows and OS X and before
  11.2.202.442 on Linux allows attackers to execute arbitrary code via
  unspecified vectors, a different vulnerability than CVE-2015-0313,
  CVE-2015-0315, CVE-2015-0320, and CVE-2015-0322.