Bug 359019 (CVE-2011-0609) - <www-plugins/adobe-flash-10.2.153.1: Critical vulnerability in Adobe Flash Player (CVE-2011-0609)
Status: RESOLVED FIXED
Alias: CVE-2011-0609
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL: http://www.adobe.com/support/security...
Whiteboard: A2 [glsa]
Reported: 2011-03-15 13:55 UTC by Tim Sammut (RETIRED)
Modified: 2011-10-13 23:53 UTC

Description Tim Sammut (RETIRED) gentoo-dev 2011-03-15 13:55:08 UTC
From $URL:

A critical vulnerability exists in Adobe Flash Player 10.2.152.33 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems (Adobe Flash Player 10.2.154.18 and earlier for Chrome users), Adobe Flash Player 10.1.106.16 and earlier versions for Android, and the authplay.dll component that ships with Adobe Reader and Acrobat X (10.0.1) and earlier 10.x and 9.x versions for Windows and Macintosh operating systems.

This vulnerability (CVE-2011-0609) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being exploited in the wild in targeted attacks via a Flash (.swf) file embedded in a Microsoft Excel (.xls) file delivered as an email attachment. Adobe is not currently aware of attacks targeting Adobe Reader and Acrobat. Adobe Reader X Protected Mode mitigations would prevent an exploit of this kind from executing.

We are in the process of finalizing a fix for the issue and expect to make available an update for Flash Player 10.x and earlier versions for Windows, Macintosh, Linux, Solaris and Android, and an update for Adobe Acrobat X (10.0.1) and earlier 10.x and 9.x versions for Windows and Macintosh, Adobe Reader X (10.0.1) for Macintosh, and Adobe Reader 9.4.2 and earlier 9.x versions during the week of March 21, 2011.
Comment 1 Tim Sammut (RETIRED) gentoo-dev 2011-03-22 02:11:27 UTC
Adobe has released Flash 10.2.153.1. Please bump; thanks!
Comment 2 Jim Ramsay (lack) (RETIRED) gentoo-dev 2011-03-22 16:38:10 UTC
Bumped:

www-plugins/adobe-flash-10.2.153.1 is in the tree and as usual can probably be marked stable any time since it's closed source and not really going to change.

www-plugins/adobe-flash-10.2.153.1_p201011173.ebuild is also in the tree with this same fix, but should *not* go stable.
Comment 3 Tim Sammut (RETIRED) gentoo-dev 2011-03-22 17:08:36 UTC
(In reply to comment #2)
> Bumped:
> 

Awesome, thanks!

Arches, please test and mark stable:
=www-plugins/adobe-flash-10.2.153.1
Target keywords : "amd64 x86"
Comment 4 Agostino Sarubbo gentoo-dev 2011-03-22 18:09:34 UTC
works for me only with +nspluginwrapper
Comment 5 Andreas Schürch gentoo-dev 2011-03-23 07:47:50 UTC
Looks ok on x86.
Comment 6 Thomas Kahle (RETIRED) gentoo-dev 2011-03-23 15:24:23 UTC
Oh yeah the good old it's not a regression train. Great. It's still bad, you know... x86 stable.
Comment 7 Thomas Kahle (RETIRED) gentoo-dev 2011-03-23 15:24:52 UTC
x86 stable. Thanks Andreas.
Comment 8 Thomas Kahle (RETIRED) gentoo-dev 2011-03-23 15:26:17 UTC
(In reply to comment #6)
> Oh yeah the good old it's not a regression train. Great. It's still bad, you
> know... x86 stable.

That one is for another bug, sorry.
Comment 9 Jim Ramsay (lack) (RETIRED) gentoo-dev 2011-03-23 19:18:21 UTC
(In reply to comment #4)
> works for me only with +nspluginwrapper

You make a good point (here and on IRC).

I've adjusted the ebuilds so that IUSE="+nspluginwrapper" since I believe most amd64 users with the 32-bit plugin will want it.
Comment 10 Jim Ramsay (lack) (RETIRED) gentoo-dev 2011-03-23 19:19:59 UTC
(In reply to comment #8)
> (In reply to comment #6)
> > It's still bad, you
> > know... x86 stable.

I believe that may still be a valid complaint in this case ;)
Comment 11 Christoph Mende (RETIRED) gentoo-dev 2011-03-24 14:20:16 UTC
amd64 done, thanks Agostino
Comment 12 Tim Sammut (RETIRED) gentoo-dev 2011-03-24 15:28:16 UTC
Thanks, folks. Added to existing GLSA request. See you next time! ;)
Comment 13 Jim Ramsay (lack) (RETIRED) gentoo-dev 2011-04-14 18:46:38 UTC
FYI, I have just p.masked <www-plugins/adobe-flash-10.2.153.1 because of this bug and also #360529 and #354207.
Comment 14 Arnaud Launay 2011-04-16 11:00:18 UTC
As long as #355191 isn't resolved, I don't think this is a good idea (from a usability point of view, at least; from a security one, no word from me).
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2011-10-13 23:53:55 UTC
This issue was resolved and addressed in GLSA 201110-11 at http://security.gentoo.org/glsa/glsa-201110-11.xml by GLSA coordinator Tim Sammut (underling).