Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 501960 (CVE-2014-0498) - <www-plugins/adobe-flash-11.2.202.341 multiple security vulnerabilities (CVE-2014-{0498,0499,0502})
Summary: <www-plugins/adobe-flash-11.2.202.341 multiple security vulnerabilities (CVE-...
Status: RESOLVED FIXED
Alias: CVE-2014-0498
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: http://helpx.adobe.com/security/produ...
Whiteboard: A2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-02-21 07:41 UTC by Mike Limansky
Modified: 2014-05-03 19:14 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Mike Limansky 2014-02-21 07:41:01 UTC
According to security annonsement current version of flash contains critical security issues. Looks like exploit is already available:

http://www.fireeye.com/blog/technical/targeted-attack/2014/02/operation-greedywonk-multiple-economic-and-foreign-policy-sites-compromised-serving-up-flash-zero-day-exploit.html

Reproducible: Always
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2014-02-21 13:32:25 UTC
Arch teams, please test and mark stable:
=www-plugins/adobe-flash-11.2.202.341
Targeted stable KEYWORDS : amd64 x86
Comment 2 Agostino Sarubbo gentoo-dev 2014-02-22 07:15:19 UTC
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2014-02-22 07:15:28 UTC
x86 stable.

Maintainer(s), please cleanup.
Comment 4 Sergey Popov gentoo-dev 2014-02-26 14:22:54 UTC
Thanks for your work. Assigned A2, cause one of the vulnerabilities is definitely ACE.

GLSA request filed. Cleanup is done by Jeroen Roovers.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2014-02-26 14:26:08 UTC
CVE-2014-0502 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0502):
  Double free vulnerability in Adobe Flash Player before 11.7.700.269 and
  11.8.x through 12.0.x before 12.0.0.70 on Windows and Mac OS X and before
  11.2.202.341 on Linux, Adobe AIR before 4.0.0.1628 on Android, Adobe AIR SDK
  before 4.0.0.1628, and Adobe AIR SDK & Compiler before 4.0.0.1628 allows
  remote attackers to execute arbitrary code via unspecified vectors, as
  exploited in the wild in February 2014.

CVE-2014-0499 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0499):
  Adobe Flash Player before 11.7.700.269 and 11.8.x through 12.0.x before
  12.0.0.70 on Windows and Mac OS X and before 11.2.202.341 on Linux, Adobe
  AIR before 4.0.0.1628 on Android, Adobe AIR SDK before 4.0.0.1628, and Adobe
  AIR SDK & Compiler before 4.0.0.1628 do not prevent access to address
  information, which makes it easier for attackers to bypass the ASLR
  protection mechanism via unspecified vectors.

CVE-2014-0498 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0498):
  Stack-based buffer overflow in Adobe Flash Player before 11.7.700.269 and
  11.8.x through 12.0.x before 12.0.0.70 on Windows and Mac OS X and before
  11.2.202.341 on Linux, Adobe AIR before 4.0.0.1628 on Android, Adobe AIR SDK
  before 4.0.0.1628, and Adobe AIR SDK & Compiler before 4.0.0.1628 allows
  attackers to execute arbitrary code via unspecified vectors.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2014-02-26 14:26:25 UTC
CVE-2014-0498 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0498):
  Stack-based buffer overflow in Adobe Flash Player before 11.7.700.269 and
  11.8.x through 12.0.x before 12.0.0.70 on Windows and Mac OS X and before
  11.2.202.341 on Linux, Adobe AIR before 4.0.0.1628 on Android, Adobe AIR SDK
  before 4.0.0.1628, and Adobe AIR SDK & Compiler before 4.0.0.1628 allows
  attackers to execute arbitrary code via unspecified vectors.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2014-05-03 19:14:03 UTC
This issue was resolved and addressed in
 GLSA 201405-04 at http://security.gentoo.org/glsa/glsa-201405-04.xml
by GLSA coordinator Sergey Popov (pinkbyte).