Summary: | <www-plugins/adobe-flash-10.0.32.18 APSA09-03 Execution of arbitrary code (CVE-2009-{1862,1863,1864,1865,1866,1867,1868,1869,1870}) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Robert Buchholz (RETIRED) <rbu> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | major | CC: | desktop-misc, facorread, greg, jer, lack, Martin.vGagern |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://www.adobe.com/support/security/advisories/apsa09-03.html | ||
Whiteboard: | A2 [glsa] | ||
Package list: | Runtime testing required: | --- | |
Bug Depends on: | 278813 | ||
Bug Blocks: | 279202, 279941 |
Description
Robert Buchholz (RETIRED)
2009-07-23 09:59:54 UTC
CVE-2009-1862 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1862): Unspecified vulnerability in Adobe Reader and Acrobat 9.x through 9.1.2, and Adobe Flash Player 9.x through 9.0.159.0 and 10.x through 10.0.22.87, allows remote attackers to execute arbitrary code via (1) a crafted Flash application in a .pdf file or (2) a crafted .swf file, related to authplay.dll, as exploited in the wild in July 2009. Flash v10.0.32.18 has been released which is supposed to fix this bug. Copying adobe-flash-10.0.22.87-r2.ebuild worked fine on the x86. I also wanted to note that the flash-10.0.22.87 has been removed from adobe's website (as per usual). CVE-2009-1863 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1863): Unspecified vulnerability in Adobe Flash Player before 9.0.246.0 and 10.x before 10.0.32.18, and Adobe AIR before 1.5.2, allows attackers to cause a denial of service (application crash) or possibly execute arbitrary code via unknown vectors, related to a "privilege escalation vulnerability." CVE-2009-1864 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1864): Heap-based buffer overflow in Adobe Flash Player before 9.0.246.0 and 10.x before 10.0.32.18, and Adobe AIR before 1.5.2, allows attackers to cause a denial of service (application crash) or possibly execute arbitrary code via unspecified vectors. CVE-2009-1865 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1865): Adobe Flash Player before 9.0.246.0 and 10.x before 10.0.32.18, and Adobe AIR before 1.5.2, allows attackers to cause a denial of service (application crash) or possibly execute arbitrary code via unspecified vectors, related to a "null pointer vulnerability." CVE-2009-1866 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1866): Stack-based buffer overflow in Adobe Flash Player before 9.0.246.0 and 10.x before 10.0.32.18, and Adobe AIR before 1.5.2, allows attackers to cause a denial of service (application crash) or possibly execute arbitrary code via unspecified vectors. CVE-2009-1867 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1867): Adobe Flash Player before 9.0.246.0 and 10.x before 10.0.32.18, and Adobe AIR before 1.5.2, allows attackers to trick a user into (1) selecting a link or (2) completing a dialog, related to a "clickjacking vulnerability." CVE-2009-1868 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1868): Heap-based buffer overflow in Adobe Flash Player before 9.0.246.0 and 10.x before 10.0.32.18, and Adobe AIR before 1.5.2, allows attackers to cause a denial of service (application crash) or possibly execute arbitrary code via unspecified vectors involving URL parsing. CVE-2009-1869 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1869): Integer overflow in Adobe Flash Player before 9.0.246.0 and 10.x before 10.0.32.18, and Adobe AIR before 1.5.2, allows attackers to cause a denial of service (application crash) or possibly execute arbitrary code via unspecified vectors. CVE-2009-1870 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1870): Adobe Flash Player before 9.0.246.0 and 10.x before 10.0.32.18, and Adobe AIR before 1.5.2, allows attackers to obtain sensitive information via vectors involving saving an SWF file to a hard drive, related to a "local sandbox vulnerability." Bumped! Don't know if the amd64 stuff actually works but we'll soon find out, won't we? Arches, please test and mark stable: =www-plugins/adobe-flash-10.0.32.18 Target keywords : "amd64 x86" amd64 works fine, its stable now (In reply to comment #6) > Bumped! Don't know if the amd64 stuff actually works but we'll soon find out, > won't we? Thanks for doing this! Next time feel free to bump 9.0.x.0 as well - They release the 2 in tandem, though I'm not 100% sure why I'm carrying the version 9 software, other than because I can. x86 stable, all arches done. GLSA with bug 278813. GLSA 200908-04 |