Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 561076 - <www-plugins/adobe-flash-11.2.202.521 : Vulnerability in adobe flash player (APSB15-23) (CVE-2015-{5567,5568,5570,5571,5572,5573,5574,5575,5576,5577,5578,5579,5580,5581,5582,5584,5587,5588,6676,6677,6678,6679,6680,6681,6682})
Summary: <www-plugins/adobe-flash-11.2.202.521 : Vulnerability in adobe flash player (...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://helpx.adobe.com/security/prod...
Whiteboard: A3 [glsa cve cleanup]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-09-21 20:22 UTC by Kristian Fiskerstrand (RETIRED)
Modified: 2015-09-26 05:27 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-09-21 20:22:05 UTC 
Adobe has released security updates for Adobe Flash Player for Windows, Macintosh and Linux. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system. Adobe recommends users update their product installations using the instructions provided in the Solution section of the security bulletin.  

Learn more: https://helpx.adobe.com/security/products/flash-player/apsb15-23.html

Affected:
Product 	Affected Versions 	Platform
Adobe Flash Player for Linux 	11.2.202.508 and earlier 	Linux

Solution and priority:
Adobe Flash Player for Linux 	11.2.202.521 	Linux 	3 	Flash Player Download Cente

I haven't gone through the CVE list to determine which is affected for Linux, but we should upgrade anyhow.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2015-09-22 17:45:03 UTC 
CVE-2015-6682 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6682):
  Use-after-free vulnerability in Adobe Flash Player before 18.0.0.241 and
  19.x before 19.0.0.185 on Windows and OS X and before 11.2.202.521 on Linux,
  Adobe AIR before 19.0.0.190, Adobe AIR SDK before 19.0.0.190, and Adobe AIR
  SDK & Compiler before 19.0.0.190 allows attackers to execute arbitrary code
  via unspecified vectors, a different vulnerability than CVE-2015-5570,
  CVE-2015-5574, CVE-2015-5581, and CVE-2015-5584.

CVE-2015-6681 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6681):
  Adobe Shockwave Player before 12.2.0.162 allows attackers to execute
  arbitrary code or cause a denial of service (memory corruption) via
  unspecified vectors, a different vulnerability than CVE-2015-6680.

CVE-2015-6680 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6680):
  Adobe Shockwave Player before 12.2.0.162 allows attackers to execute
  arbitrary code or cause a denial of service (memory corruption) via
  unspecified vectors, a different vulnerability than CVE-2015-6681.

CVE-2015-6679 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6679):
  Adobe Flash Player before 18.0.0.241 and 19.x before 19.0.0.185 on Windows
  and OS X and before 11.2.202.521 on Linux, Adobe AIR before 19.0.0.190,
  Adobe AIR SDK before 19.0.0.190, and Adobe AIR SDK & Compiler before
  19.0.0.190 allow attackers to bypass the Same Origin Policy and obtain
  sensitive information via unspecified vectors.

CVE-2015-6678 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6678):
  Buffer overflow in Adobe Flash Player before 18.0.0.241 and 19.x before
  19.0.0.185 on Windows and OS X and before 11.2.202.521 on Linux, Adobe AIR
  before 19.0.0.190, Adobe AIR SDK before 19.0.0.190, and Adobe AIR SDK &
  Compiler before 19.0.0.190 allows attackers to execute arbitrary code via
  unspecified vectors, a different vulnerability than CVE-2015-6676.

CVE-2015-6677 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6677):
  Adobe Flash Player before 18.0.0.241 and 19.x before 19.0.0.185 on Windows
  and OS X and before 11.2.202.521 on Linux, Adobe AIR before 19.0.0.190,
  Adobe AIR SDK before 19.0.0.190, and Adobe AIR SDK & Compiler before
  19.0.0.190 allow attackers to execute arbitrary code or cause a denial of
  service (memory corruption) via unspecified vectors, a different
  vulnerability than CVE-2015-5575, CVE-2015-5577, CVE-2015-5578,
  CVE-2015-5580, CVE-2015-5582, and CVE-2015-5588.

CVE-2015-6676 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6676):
  Buffer overflow in Adobe Flash Player before 18.0.0.241 and 19.x before
  19.0.0.185 on Windows and OS X and before 11.2.202.521 on Linux, Adobe AIR
  before 19.0.0.190, Adobe AIR SDK before 19.0.0.190, and Adobe AIR SDK &
  Compiler before 19.0.0.190 allows attackers to execute arbitrary code via
  unspecified vectors, a different vulnerability than CVE-2015-6678.

CVE-2015-5588 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5588):
  Adobe Flash Player before 18.0.0.241 and 19.x before 19.0.0.185 on Windows
  and OS X and before 11.2.202.521 on Linux, Adobe AIR before 19.0.0.190,
  Adobe AIR SDK before 19.0.0.190, and Adobe AIR SDK & Compiler before
  19.0.0.190 allow attackers to execute arbitrary code or cause a denial of
  service (memory corruption) via unspecified vectors, a different
  vulnerability than CVE-2015-5575, CVE-2015-5577, CVE-2015-5578,
  CVE-2015-5580, CVE-2015-5582, and CVE-2015-6677.

CVE-2015-5587 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5587):
  Stack-based buffer overflow in Adobe Flash Player before 18.0.0.241 and 19.x
  before 19.0.0.185 on Windows and OS X and before 11.2.202.521 on Linux,
  Adobe AIR before 19.0.0.190, Adobe AIR SDK before 19.0.0.190, and Adobe AIR
  SDK & Compiler before 19.0.0.190 allows attackers to execute arbitrary code
  via unspecified vectors.

CVE-2015-5584 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5584):
  Use-after-free vulnerability in Adobe Flash Player before 18.0.0.241 and
  19.x before 19.0.0.185 on Windows and OS X and before 11.2.202.521 on Linux,
  Adobe AIR before 19.0.0.190, Adobe AIR SDK before 19.0.0.190, and Adobe AIR
  SDK & Compiler before 19.0.0.190 allows attackers to execute arbitrary code
  via unspecified vectors, a different vulnerability than CVE-2015-5570,
  CVE-2015-5574, CVE-2015-5581, and CVE-2015-6682.

CVE-2015-5582 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5582):
  Adobe Flash Player before 18.0.0.241 and 19.x before 19.0.0.185 on Windows
  and OS X and before 11.2.202.521 on Linux, Adobe AIR before 19.0.0.190,
  Adobe AIR SDK before 19.0.0.190, and Adobe AIR SDK & Compiler before
  19.0.0.190 allow attackers to execute arbitrary code or cause a denial of
  service (memory corruption) via unspecified vectors, a different
  vulnerability than CVE-2015-5575, CVE-2015-5577, CVE-2015-5578,
  CVE-2015-5580, CVE-2015-5588, and CVE-2015-6677.

CVE-2015-5581 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5581):
  Use-after-free vulnerability in Adobe Flash Player before 18.0.0.241 and
  19.x before 19.0.0.185 on Windows and OS X and before 11.2.202.521 on Linux,
  Adobe AIR before 19.0.0.190, Adobe AIR SDK before 19.0.0.190, and Adobe AIR
  SDK & Compiler before 19.0.0.190 allows attackers to execute arbitrary code
  via unspecified vectors, a different vulnerability than CVE-2015-5570,
  CVE-2015-5574, CVE-2015-5584, and CVE-2015-6682.

CVE-2015-5580 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5580):
  Adobe Flash Player before 18.0.0.241 and 19.x before 19.0.0.185 on Windows
  and OS X and before 11.2.202.521 on Linux, Adobe AIR before 19.0.0.190,
  Adobe AIR SDK before 19.0.0.190, and Adobe AIR SDK & Compiler before
  19.0.0.190 allow attackers to execute arbitrary code or cause a denial of
  service (memory corruption) via unspecified vectors, a different
  vulnerability than CVE-2015-5575, CVE-2015-5577, CVE-2015-5578,
  CVE-2015-5582, CVE-2015-5588, and CVE-2015-6677.

CVE-2015-5579 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5579):
  Adobe Flash Player before 18.0.0.241 and 19.x before 19.0.0.185 on Windows
  and OS X and before 11.2.202.521 on Linux, Adobe AIR before 19.0.0.190,
  Adobe AIR SDK before 19.0.0.190, and Adobe AIR SDK & Compiler before
  19.0.0.190 allow attackers to execute arbitrary code or cause a denial of
  service (stack memory corruption) via unspecified vectors, a different
  vulnerability than CVE-2015-5567.

CVE-2015-5578 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5578):
  Adobe Flash Player before 18.0.0.241 and 19.x before 19.0.0.185 on Windows
  and OS X and before 11.2.202.521 on Linux, Adobe AIR before 19.0.0.190,
  Adobe AIR SDK before 19.0.0.190, and Adobe AIR SDK & Compiler before
  19.0.0.190 allow attackers to execute arbitrary code or cause a denial of
  service (memory corruption) via unspecified vectors, a different
  vulnerability than CVE-2015-5575, CVE-2015-5577, CVE-2015-5580,
  CVE-2015-5582, CVE-2015-5588, and CVE-2015-6677.

CVE-2015-5577 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5577):
  Adobe Flash Player before 18.0.0.241 and 19.x before 19.0.0.185 on Windows
  and OS X and before 11.2.202.521 on Linux, Adobe AIR before 19.0.0.190,
  Adobe AIR SDK before 19.0.0.190, and Adobe AIR SDK & Compiler before
  19.0.0.190 allow attackers to execute arbitrary code or cause a denial of
  service (memory corruption) via unspecified vectors, a different
  vulnerability than CVE-2015-5575, CVE-2015-5578, CVE-2015-5580,
  CVE-2015-5582, CVE-2015-5588, and CVE-2015-6677.

CVE-2015-5576 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5576):
  Adobe Flash Player before 18.0.0.241 and 19.x before 19.0.0.185 on Windows
  and OS X and before 11.2.202.521 on Linux, Adobe AIR before 19.0.0.190,
  Adobe AIR SDK before 19.0.0.190, and Adobe AIR SDK & Compiler before
  19.0.0.190 do not properly restrict discovery of memory addresses, which
  allows attackers to bypass the ASLR protection mechanism via unspecified
  vectors.

CVE-2015-5575 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5575):
  Adobe Flash Player before 18.0.0.241 and 19.x before 19.0.0.185 on Windows
  and OS X and before 11.2.202.521 on Linux, Adobe AIR before 19.0.0.190,
  Adobe AIR SDK before 19.0.0.190, and Adobe AIR SDK & Compiler before
  19.0.0.190 allow attackers to execute arbitrary code or cause a denial of
  service (memory corruption) via unspecified vectors, a different
  vulnerability than CVE-2015-5577, CVE-2015-5578, CVE-2015-5580,
  CVE-2015-5582, CVE-2015-5588, and CVE-2015-6677.

CVE-2015-5574 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5574):
  Use-after-free vulnerability in Adobe Flash Player before 18.0.0.241 and
  19.x before 19.0.0.185 on Windows and OS X and before 11.2.202.521 on Linux,
  Adobe AIR before 19.0.0.190, Adobe AIR SDK before 19.0.0.190, and Adobe AIR
  SDK & Compiler before 19.0.0.190 allows attackers to execute arbitrary code
  via unspecified vectors, a different vulnerability than CVE-2015-5570,
  CVE-2015-5581, CVE-2015-5584, and CVE-2015-6682.

CVE-2015-5573 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5573):
  Adobe Flash Player before 18.0.0.241 and 19.x before 19.0.0.185 on Windows
  and OS X and before 11.2.202.521 on Linux, Adobe AIR before 19.0.0.190,
  Adobe AIR SDK before 19.0.0.190, and Adobe AIR SDK & Compiler before
  19.0.0.190 allow attackers to execute arbitrary code by leveraging an
  unspecified "type confusion."

CVE-2015-5572 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5572):
  Adobe Flash Player before 18.0.0.241 and 19.x before 19.0.0.185 on Windows
  and OS X and before 11.2.202.521 on Linux, Adobe AIR before 19.0.0.190,
  Adobe AIR SDK before 19.0.0.190, and Adobe AIR SDK & Compiler before
  19.0.0.190 allow attackers to bypass intended access restrictions and obtain
  sensitive information via unspecified vectors.

CVE-2015-5571 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5571):
  Adobe Flash Player before 18.0.0.241 and 19.x before 19.0.0.185 on Windows
  and OS X and before 11.2.202.521 on Linux, Adobe AIR before 19.0.0.190,
  Adobe AIR SDK before 19.0.0.190, and Adobe AIR SDK & Compiler before
  19.0.0.190 do not properly restrict the SWF file format, which allows remote
  attackers to conduct cross-site request forgery (CSRF) attacks against JSONP
  endpoints, and obtain sensitive information, via a crafted OBJECT element
  with SWF content satisfying the character-set requirements of a callback
  API.  NOTE: this issue exists because of an incomplete fix for CVE-2014-4671
  and CVE-2014-5333.

CVE-2015-5570 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5570):
  Use-after-free vulnerability in Adobe Flash Player before 18.0.0.241 and
  19.x before 19.0.0.185 on Windows and OS X and before 11.2.202.521 on Linux,
  Adobe AIR before 19.0.0.190, Adobe AIR SDK before 19.0.0.190, and Adobe AIR
  SDK & Compiler before 19.0.0.190 allows attackers to execute arbitrary code
  via unspecified vectors, a different vulnerability than CVE-2015-5574,
  CVE-2015-5581, CVE-2015-5584, and CVE-2015-6682.

CVE-2015-5568 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5568):
  Adobe Flash Player before 18.0.0.241 and 19.x before 19.0.0.185 on Windows
  and OS X and before 11.2.202.521 on Linux, Adobe AIR before 19.0.0.190,
  Adobe AIR SDK before 19.0.0.190, and Adobe AIR SDK & Compiler before
  19.0.0.190 allow attackers to cause a denial of service (vector-length
  corruption) or possibly have unspecified other impact via unknown vectors.

CVE-2015-5567 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5567):
  Adobe Flash Player before 18.0.0.241 and 19.x before 19.0.0.185 on Windows
  and OS X and before 11.2.202.521 on Linux, Adobe AIR before 19.0.0.190,
  Adobe AIR SDK before 19.0.0.190, and Adobe AIR SDK & Compiler before
  19.0.0.190 allow attackers to execute arbitrary code or cause a denial of
  service (stack memory corruption) via unspecified vectors, a different
  vulnerability than CVE-2015-5579.
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2015-09-23 04:29:40 UTC 
Arch teams, please test and mark stable:
=www-plugins/adobe-flash-11.2.202.521
Targeted stable KEYWORDS : amd64 x86
Comment 3 Agostino Sarubbo gentoo-dev 2015-09-23 10:02:54 UTC 
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2015-09-23 10:04:06 UTC 
x86 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 5 Yury German Gentoo Infrastructure gentoo-dev 2015-09-23 23:33:37 UTC 
New GLSA Request filed.

Maintainer(s), please drop the vulnerable version(s).
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2015-09-25 07:31:44 UTC 
This issue was resolved and addressed in
 GLSA 201509-07 at https://security.gentoo.org/glsa/201509-07
by GLSA coordinator Kristian Fiskerstrand (K_F).
Comment 7 Matt 2015-09-26 00:49:55 UTC 
Is there a problem with Infrastructure ?

https://packages.gentoo.org/package/www-plugins/adobe-flash

shows 11.2.202.508
Comment 8 Yury German Gentoo Infrastructure gentoo-dev 2015-09-26 05:27:53 UTC 
Packages is currently not migrated to GIT. If you want to sue a web version you can use this one:

https://packagestest.gentoo.org/packages/www-plugins/adobe-flash

See http://a3li.li/2015/09/repackaging-packages-gentoo-org/