+++ This bug was initially created as a clone of Bug #278813 +++
Adobe writes:
A critical vulnerability exists in the current versions of Flash Player (v9.0.159.0 and v10.0.22.87) for Windows, Macintosh and Linux operating systems... This vulnerability (CVE-2009-1862) could cause a crash and potentially allow an attacker to take control of the affected system. ... We are in the process of developing a fix for the issue, and expect to provide an update for Flash Player v9 and v10 for Windows, Macintosh, and Linux by July 30, 2009...
CVE-2009-1862 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1862): Unspecified vulnerability in Adobe Reader and Acrobat 9.x through 9.1.2, and Adobe Flash Player 9.x through 9.0.159.0 and 10.x through 10.0.22.87, allows remote attackers to execute arbitrary code via (1) a crafted Flash application in a .pdf file or (2) a crafted .swf file, related to authplay.dll, as exploited in the wild in July 2009.
Flash v10.0.32.18 has been released which is supposed to fix this bug.
Copying adobe-flash-10.0.22.87-r2.ebuild worked fine on the x86.
I also wanted to note that the flash-10.0.22.87 has been removed from Adobe's website (as per usual).
CVE-2009-1863 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1863): Unspecified vulnerability in Adobe Flash Player before 9.0.246.0 and 10.x before 10.0.32.18, and Adobe AIR before 1.5.2, allows attackers to cause a denial of service (application crash) or possibly execute arbitrary code via unknown vectors, related to a "privilege escalation vulnerability."
CVE-2009-1864 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1864): Heap-based buffer overflow in Adobe Flash Player before 9.0.246.0 and 10.x before 10.0.32.18, and Adobe AIR before 1.5.2, allows attackers to cause a denial of service (application crash) or possibly execute arbitrary code via unspecified vectors.
CVE-2009-1865 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1865): Adobe Flash Player before 9.0.246.0 and 10.x before 10.0.32.18, and Adobe AIR before 1.5.2, allows attackers to cause a denial of service (application crash) or possibly execute arbitrary code via unspecified vectors, related to a "null pointer vulnerability."
CVE-2009-1866 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1866): Stack-based buffer overflow in Adobe Flash Player before 9.0.246.0 and 10.x before 10.0.32.18, and Adobe AIR before 1.5.2, allows attackers to cause a denial of service (application crash) or possibly execute arbitrary code via unspecified vectors.
CVE-2009-1867 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1867): Adobe Flash Player before 9.0.246.0 and 10.x before 10.0.32.18, and Adobe AIR before 1.5.2, allows attackers to trick a user into (1) selecting a link or (2) completing a dialog, related to a "clickjacking vulnerability."
CVE-2009-1868 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1868): Heap-based buffer overflow in Adobe Flash Player before 9.0.246.0 and 10.x before 10.0.32.18, and Adobe AIR before 1.5.2, allows attackers to cause a denial of service (application crash) or possibly execute arbitrary code via unspecified vectors involving URL parsing.
CVE-2009-1869 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1869): Integer overflow in Adobe Flash Player before 9.0.246.0 and 10.x before 10.0.32.18, and Adobe AIR before 1.5.2, allows attackers to cause a denial of service (application crash) or possibly execute arbitrary code via unspecified vectors.
CVE-2009-1870 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1870): Adobe Flash Player before 9.0.246.0 and 10.x before 10.0.32.18, and Adobe AIR before 1.5.2, allows attackers to obtain sensitive information via vectors involving saving an SWF file to a hard drive, related to a "local sandbox vulnerability."
Bumped! Don't know if the amd64 stuff actually works but we'll soon find out, won't we?
Arches, please test and mark stable:
=www-plugins/adobe-flash-10.0.32.18
Target keywords : "amd64 x86"
amd64 works fine, it's stable now
(In reply to comment #6)
> Bumped! Don't know if the amd64 stuff actually works but we'll soon find out,
> won't we?
Thanks for doing this! Next time feel free to bump 9.0.x.0 as well - They release the 2 in tandem, though I'm not 100% sure why I'm carrying the version 9 software, other than because I can.
x86 stable, all arches done.
GLSA with bug 278813.
GLSA 200908-04