Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 404101 (CVE-2012-0752) - <www-plugins/adobe-flash-11.1.102.62 : Multiple vulnerabilities (CVE-2012-{0752,0753,0754,0755,0756,0767})
Summary: <www-plugins/adobe-flash-11.1.102.62 : Multiple vulnerabilities (CVE-2012-{07...
Status: RESOLVED FIXED
Alias: CVE-2012-0752
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://www.adobe.com/support/securit...
Whiteboard: B2 [glsa]
Keywords:
: 404181 (view as bug list)
Depends on:
Blocks:
 
Reported: 2012-02-16 12:31 UTC by Nico Baggus
Modified: 2012-04-17 23:47 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Nico Baggus 2012-02-16 12:31:43 UTC
This update addresses critical vulnerabilities in Adobe Flash Player 11.1.102.55 and earlier versions for Windows, Macintosh, Linux and Solaris, Adobe Flash Player 11.1.112.61 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.5 and earlier versions for Android 3.x and 2.x. These vulnerabilities could cause a crash and potentially allow an attacker to take control of the affected system. This update also resolves a universal cross-site scripting vulnerability that could be used to take actions on a user's behalf on any website or webmail provider, if the user visits a malicious website. There are reports that this vulnerability (CVE-2012-0767) is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious link delivered in an email message (Internet Explorer on Windows only).

Adobe recommends users of Adobe Flash Player 11.1.102.55 and earlier versions for Windows, Macintosh, Linux and Solaris update to Adobe Flash Player 11.1.102.62. Users of Adobe Flash Player 11.1.112.61 and earlier versions on Android 4.x devices should update to Adobe Flash Player 11.1.115.6. Users of Adobe Flash Player 11.1.111.5 and earlier versions for Android 3.x and earlier versions should update to Flash Player 11.1.111.6.

Reproducible: Always
Comment 1 Agostino Sarubbo gentoo-dev 2012-02-16 13:29:57 UTC
Please bump: 11.1.102.62
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2012-02-16 20:18:32 UTC
*** Bug 404181 has been marked as a duplicate of this bug. ***
Comment 3 Tim Sammut (RETIRED) gentoo-dev 2012-02-20 00:09:15 UTC
FWIW, renaming the existing ebuild (and computing its digest) appears to work perfectly.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2012-02-20 05:11:19 UTC
CVE-2012-0767 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0767):
  Cross-site scripting (XSS) vulnerability in Adobe Flash Player before
  10.3.183.15 and 11.x before 11.1.102.62 on Windows, Mac OS X, Linux, and
  Solaris; before 11.1.111.6 on Android 2.x and 3.x; and before 11.1.115.6 on
  Android 4.x allows remote attackers to inject arbitrary web script or HTML
  via unspecified vectors, aka "Universal XSS (UXSS)," as exploited in the
  wild in February 2012.

CVE-2012-0756 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0756):
  Adobe Flash Player before 10.3.183.15 and 11.x before 11.1.102.62 on
  Windows, Mac OS X, Linux, and Solaris; before 11.1.111.6 on Android 2.x and
  3.x; and before 11.1.115.6 on Android 4.x allows attackers to bypass
  intended access restrictions via unspecified vectors, a different
  vulnerability than CVE-2012-0755.

CVE-2012-0755 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0755):
  Adobe Flash Player before 10.3.183.15 and 11.x before 11.1.102.62 on
  Windows, Mac OS X, Linux, and Solaris; before 11.1.111.6 on Android 2.x and
  3.x; and before 11.1.115.6 on Android 4.x allows attackers to bypass
  intended access restrictions via unspecified vectors, a different
  vulnerability than CVE-2012-0756.

CVE-2012-0754 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0754):
  Adobe Flash Player before 10.3.183.15 and 11.x before 11.1.102.62 on
  Windows, Mac OS X, Linux, and Solaris; before 11.1.111.6 on Android 2.x and
  3.x; and before 11.1.115.6 on Android 4.x allows attackers to execute
  arbitrary code or cause a denial of service (memory corruption) via
  unspecified vectors.

CVE-2012-0753 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0753):
  Adobe Flash Player before 10.3.183.15 and 11.x before 11.1.102.62 on
  Windows, Mac OS X, Linux, and Solaris; before 11.1.111.6 on Android 2.x and
  3.x; and before 11.1.115.6 on Android 4.x allows attackers to execute
  arbitrary code or cause a denial of service (memory corruption) via crafted
  MP4 data.

CVE-2012-0752 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0752):
  Adobe Flash Player before 10.3.183.15 and 11.x before 11.1.102.62 on
  Windows, Mac OS X, Linux, and Solaris; before 11.1.111.6 on Android 2.x and
  3.x; and before 11.1.115.6 on Android 4.x allows attackers to execute
  arbitrary code or cause a denial of service (memory corruption) via
  leveraging an unspecified "type confusion."
Comment 5 Tim Harder gentoo-dev 2012-02-20 05:34:50 UTC
11.1.102.62 added to CVS, feel free to start the stabilization process.
Comment 6 Tim Sammut (RETIRED) gentoo-dev 2012-02-20 05:38:24 UTC
(In reply to comment #5)
> 11.1.102.62 added to CVS, feel free to start the stabilization process.

Great, thank you.

Arches, please test and mark stable:
=www-plugins/adobe-flash-11.1.102.62
Target keywords : "amd64 x86"
Comment 7 Jeff (JD) Horelick (RETIRED) gentoo-dev 2012-02-20 09:26:59 UTC
x86 stable
Comment 8 Agostino Sarubbo gentoo-dev 2012-02-20 10:10:21 UTC
amd64 stable
Comment 9 Tim Sammut (RETIRED) gentoo-dev 2012-02-20 14:19:58 UTC
Thanks, folks. Added to existing GLSA request.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2012-04-17 23:47:07 UTC
This issue was resolved and addressed in
 GLSA 201204-07 at http://security.gentoo.org/glsa/glsa-201204-07.xml
by GLSA coordinator Sean Amoss (ackle).