Bug 456132 (CVE-2013-0633) - <www-plugins/adobe-flash-11.2.202.262: two vulnerabilities (CVE-2013-{0633,0634})
Summary: <www-plugins/adobe-flash-11.2.202.262: two vulnerabilities (CVE-2013-{0633,06...
Status: RESOLVED FIXED
Alias: CVE-2013-0633
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://secunia.com/advisories/52116/
Whiteboard: B2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-02-08 10:12 UTC by Agostino Sarubbo
Modified: 2013-09-14 02:54 UTC
Description Agostino Sarubbo gentoo-dev 2013-02-08 10:12:32 UTC
From $URL :

Description
Two vulnerabilities have been reported in Adobe Flash Player, which can be exploited by malicious 
people to compromise a user's system.

1) An unspecified error can be exploited to cause a buffer overflow.

NOTE: This vulnerability is currently being actively exploited in targeted attacks against the 
Windows version.

2) An unspecified error can be exploited to corrupt memory.

NOTE: This vulnerability is currently being actively exploited in targeted attacks against the 
Macintosh and Windows versions.

Successful exploitation of the vulnerabilities allows execution of arbitrary code.

The vulnerabilities are reported in the following versions:
* Adobe Flash Player versions 11.5.502.146 and earlier for Windows and Macintosh
* Adobe Flash Player versions 11.2.202.261 and earlier for Linux
* Adobe Flash Player versions 11.1.115.36 and earlier for Android 4.x
* Adobe Flash Player versions 11.1.111.31 and earlier for Android 3.x
* Adobe Flash Player versions 11.5.31.137 and earlier for Chrome users
* Adobe Flash Player versions 11.3.378.5 and earlier for Internet Explorer 10 users on Windows 8


Solution
Update to a fixed version.
Further details available to Secunia VIM customers

Provided and/or discovered by
1, 2) Reported as 0-day.

Original Advisory
http://www.adobe.com/support/security/bulletins/apsb13-04.html
http://blogs.adobe.com/psirt/2013/02/security-updates-available-for-adobe-flash-player-apsb13-04.html
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2013-02-09 16:46:06 UTC
Arch teams, please test and mark stable:
=www-plugins/adobe-flash-11.2.202.262
Stable KEYWORDS : amd64 x86
Comment 2 Sergey Popov gentoo-dev 2013-02-09 18:05:05 UTC
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2013-02-13 11:16:14 UTC
x86 stable

security please file the glsa request.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2013-02-24 00:27:46 UTC
CVE-2013-0634 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0634):
  Adobe Flash Player before 10.3.183.51 and 11.x before 11.5.502.149 on
  Windows and Mac OS X, before 10.3.183.51 and 11.x before 11.2.202.262 on
  Linux, before 11.1.111.32 on Android 2.x and 3.x, and before 11.1.115.37 on
  Android 4.x allows remote attackers to execute arbitrary code or cause a
  denial of service (memory corruption) via crafted SWF content, as exploited
  in the wild in February 2013.

CVE-2013-0633 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0633):
  Buffer overflow in Adobe Flash Player before 10.3.183.51 and 11.x before
  11.5.502.149 on Windows and Mac OS X, before 10.3.183.51 and 11.x before
  11.2.202.262 on Linux, before 11.1.111.32 on Android 2.x and 3.x, and before
  11.1.115.37 on Android 4.x allows remote attackers to execute arbitrary code
  via crafted SWF content, as exploited in the wild in February 2013.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2013-09-14 02:54:43 UTC
This issue was resolved and addressed in
 GLSA 201309-06 at http://security.gentoo.org/glsa/glsa-201309-06.xml
by GLSA coordinator Sean Amoss (ackle).