Bug 537426 (CVE-2015-0311)

Summary: <www-plugins/adobe-flash-11.2.202.440 - remote code execution (CVE-2015-0311)
Product: Gentoo Security
Reporter: Chí-Thanh Christopher Nguyễn <chithanh>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: critical
CC: alex, desktop-misc, jackdachef, jer
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: http://helpx.adobe.com/security/products/flash-player/apsa15-01.html
Whiteboard: A1 [glsa]
Package list:
Runtime testing required: ---

Description Chí-Thanh Christopher Nguyễn gentoo-dev 2015-01-23 09:58:20 UTC
Security Advisory for Adobe Flash Player

Release date: January 22, 2015

Vulnerability identifier: APSA15-01

CVE number: CVE-2015-0311

Platform: All Platforms
Summary

A critical vulnerability (CVE-2015-0311) exists in Adobe Flash Player 16.0.0.287 and earlier versions for Windows, Macintosh and Linux. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system. We are aware of reports that this vulnerability is being actively exploited in the wild via drive-by-download attacks against systems running Internet Explorer and Firefox on Windows 8 and below.

Adobe expects to have a patch available for CVE-2015-0311 during the week of January 26.

Affected software versions

    Adobe Flash Player 16.0.0.287 and earlier versions for Windows and Macintosh
    Adobe Flash Player 13.0.0.262 and earlier 13.x versions
    Adobe Flash Player 11.2.202.438 and earlier versions for Linux

To verify the version of Adobe Flash Player installed on your system, access the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe (or Macromedia) Flash Player" from the menu. If you use multiple browsers, perform the check for each browser you have installed on your system.

Severity ratings

Adobe categorizes this as a critical vulnerability.
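A version check against the affected ranges listed in the advisory and the fixed version named in the bug summary, added here as an example; it is not part of the bug report nor of Adobe's or Gentoo's own tooling. The version bounds and the "<www-plugins/adobe-flash-11.2.202.440" atom come from this page; the function names and the platform labels are assumptions.

```python
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]


def parse_version(v: str) -> Version:
    """Turn a dotted version such as '11.2.202.440' into a comparable tuple."""
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {v!r}")
    return tuple(int(p) for p in parts)


# Inclusive vulnerable ranges per platform, transcribed from the advisory
# and the NVD wording quoted in the bug. (0,) sorts below every real version.
AFFECTED_RANGES: Dict[str, List[Tuple[Version, Version]]] = {
    # "through 11.2.202.438 on Linux"
    "linux": [((0,), (11, 2, 202, 438))],
    # "through 13.0.0.262 and 14.x, 15.x, and 16.x through 16.0.0.287"
    "windows": [((0,), (13, 0, 0, 262)), ((14,), (16, 0, 0, 287))],
    "macos": [((0,), (13, 0, 0, 262)), ((14,), (16, 0, 0, 287))],
}


def is_affected(installed: str, platform: str) -> bool:
    """True if the installed Flash Player version lies in a vulnerable range."""
    v = parse_version(installed)
    return any(low <= v <= high for low, high in AFFECTED_RANGES[platform.lower()])


# Gentoo security bugs name the first fixed version as a "<cat/pkg-ver" atom.
ATOM_RE = re.compile(r"^<([\w+-]+)/([A-Za-z][\w+-]*?)-(\d+(?:\.\d+)*)$")


def parse_lt_atom(atom: str) -> Tuple[str, str, Version]:
    """Split '<www-plugins/adobe-flash-11.2.202.440' into (category, package, version)."""
    m = ATOM_RE.match(atom.strip())
    if not m:
        raise ValueError(f"not a '<cat/pkg-ver' atom: {atom!r}")
    return m.group(1), m.group(2), parse_version(m.group(3))


def is_fixed_on_gentoo(installed: str, summary_atom: str) -> bool:
    """True if the installed package version is at or above the fixed version."""
    _, _, fixed = parse_lt_atom(summary_atom)
    return parse_version(installed) >= fixed


if __name__ == "__main__":
    atom = "<www-plugins/adobe-flash-11.2.202.440"  # taken from the bug summary
    for ver in ("11.2.202.438", "11.2.202.440"):  # constructed sample inputs
        print(ver, "affected:", is_affected(ver, "linux"),
              "fixed on Gentoo:", is_fixed_on_gentoo(ver, atom))
```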
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2015-01-26 08:52:55 UTC
There is a new version out there but versioned tarballs have not yet been made available.

https://www.adobe.com/products/flashplayer/distribution3.html
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2015-01-26 09:20:02 UTC
Meanwhile, the privileged people at Canonical get early access:

http://archive.canonical.com/pool/partner/a/adobe-flashplugin/adobe-flashplugin_11.2.202.440.orig.tar.gz
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2015-01-27 08:51:16 UTC
Arch teams, please test and mark stable:
=www-plugins/adobe-flash-11.2.202.440
Targeted stable KEYWORDS : amd64 x86
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2015-01-27 08:53:32 UTC
CVE-2015-0311 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0311):
  Unspecified vulnerability in Adobe Flash Player through 13.0.0.262 and 14.x,
  15.x, and 16.x through 16.0.0.287 on Windows and OS X and through
  11.2.202.438 on Linux allows remote attackers to execute arbitrary code via
  unknown vectors, as exploited in the wild in January 2015.
Comment 5 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-01-27 10:32:25 UTC
both arches are stable
Comment 6 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-01-27 10:36:31 UTC
Added to existing glsa draft.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2015-02-06 19:28:45 UTC
This issue was resolved and addressed in
 GLSA 201502-02 at http://security.gentoo.org/glsa/glsa-201502-02.xml
by GLSA coordinator Mikle Kolyada (Zlogene).