Two vulnerabilities have been reported in Adobe Flash Player and Adobe AIR, which can be exploited by malicious people to compromise a user's system.

1) An unspecified error can be exploited to cause memory corruption.
2) Another unspecified error can be exploited to cause memory corruption.

The vulnerabilities are reported in the following versions and products:
* Adobe Flash Player versions 11.9.900.117 and prior for Windows and Macintosh
* Adobe Flash Player versions 11.2.202.310 and prior for Linux
* Adobe AIR versions 3.9.0.1030 and prior for Windows and Macintosh
* Adobe AIR versions 3.9.0.1030 SDK and prior
* Adobe AIR versions 3.9.0.1030 SDK & Compiler and prior
* Adobe AIR versions 3.9.0.1060 and prior for Android

Solution: Update to a fixed version.

Further details available to Secunia VIM customers.

Provided and/or discovered by: The vendor credits:
1) Wen Guanxing, Venustech adlab
2) Anonymously via ZDI

Original Advisory: APSB13-26: http://www.adobe.com/support/security/bulletins/apsb13-26.html

@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
Arch teams, please test and mark stable:
=www-plugins/adobe-flash-11.2.202.327
Targeted stable KEYWORDS : amd64 x86
amd64 stable
x86 stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.
GLSA request filed
+ 14 Nov 2013; Jeroen Roovers <jer@gentoo.org> + -adobe-flash-11.2.202.310-r1.ebuild, -adobe-flash-11.2.202.310.ebuild, + metadata.xml: + Old.
CVE-2013-5330 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5330): Adobe Flash Player before 11.7.700.252 and 11.8.x and 11.9.x before 11.9.900.152 on Windows and Mac OS X and before 11.2.202.327 on Linux, Adobe AIR before 3.9.0.1210, Adobe AIR SDK before 3.9.0.1210, and Adobe AIR SDK & Compiler before 3.9.0.1210 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2013-5329.

CVE-2013-5329 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5329): Adobe Flash Player before 11.7.700.252 and 11.8.x and 11.9.x before 11.9.900.152 on Windows and Mac OS X and before 11.2.202.327 on Linux, Adobe AIR before 3.9.0.1210, Adobe AIR SDK before 3.9.0.1210, and Adobe AIR SDK & Compiler before 3.9.0.1210 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2013-5330.
This issue was resolved and addressed in GLSA 201402-06 at http://security.gentoo.org/glsa/glsa-201402-06.xml by GLSA coordinator Mikle Kolyada (Zlogene).