Summary: | <www-plugins/adobe-flash-10.1.53.64: authplay ACE (APSA10-01) (CVE-2009-3793,CVE-2010-{1297,2160,2162,2163,2164,2165,2166,2167,2169,2170,2171,2172,2173,2174,2175,2176,2177,2178,2179,2180,2181,2182,2183,2184,2185,2186,2187,2188,2189}) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Alex Legler (RETIRED) <a3li> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | major | CC: | ainsaar, alex, alx333, blackrabbit, caster, creffett, denilsonsa, erik.dobak, estar, gef.kornflakes, gentoo, jackdachef, jacobgodserv, jan.killian, ken69267, keytoaster, lack, m.debruijne, order+gentoo, paolo.pedroni, pierre42d, psdasilva, pvhe01, razamatan, thomas.kear, Wizzleby, xmw |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://www.adobe.com/support/security/advisories/apsa10-01.html | ||
Whiteboard: | A2 [glsa] | ||
Package list: | Runtime testing required: | --- |
Description
Alex Legler (RETIRED)
2010-06-05 13:56:57 UTC
From http://blogs.adobe.com/asset/2010/06/background_on_apsa10-01_patch.html: The security update for Flash Player will be available by June 10, 2010. The security update for Adobe Reader and Acrobat will be available by June 29, 2010.

Fix released upstream: http://www.adobe.com/support/security/bulletins/apsb10-14.html

The exploit is spreading in the wild and available for download.

I'd appreciate to see this bumped fast, so if it's possible, do it ASAP, stabilization should follow shortly (1 day?!).

It's a bump from 10.0.x to 10.1.x so 1 day between ~arch and stabling is probably not enough time.

There's no 64bit version it seems :(

(In reply to comment #5)
> There's no 64bit version it seems :(

/me tears my hair out *AAAAAUGH* ADOBE!!! :( I suppose this means 64-bit flash is dead again. I'll version-bump shortly but my heart won't be in it.

(In reply to comment #5)
> There's no 64bit version it seems :(

Yes, there's only commitment [1] to release 64bit for Linux with the next release after 10.1. Maybe, if the 10.1 64bit beta3 is stable enough, we could use an ebuild from piczu repository [2]. There's probably a reason for not releasing the 64bit 10.1 to public now, but it still might be a good alternative to a stable 10.0 with vulnerability, that's rated 'highly critical' and reported to be actively exploited [3].

[1] http://kb2.adobe.com/cps/000/6b3af6c9.html Adobe is working on Flash Player support for 64-bit platforms as part of our ongoing commitment to the cross-platform compatibility of Flash Player. We expect to provide native support for 64-bit platforms in an upcoming release of Flash Player following the release of Flash Player 10.1

[2] http://gpo.zugaina.org/www-plugins/adobe-flash

[3] http://secunia.com/advisories/40026/

Problem: Testing 10.1.63.64 in a 64-bit browser with nspluginwrapper: Major issues including hanging the browser. I'd rather take my chances with a remote exploit. I'm honestly not sure how to proceed here.
The cure may be worse than the disease.

I have committed 10.1.53.64 into ~arch for now, but I can't recommend stabilizing it until it somehow becomes more... stable.

Update: I have removed ~amd64 from www-plugins/adobe-flash-10.1.53.64 due to total brokenness with nspluginwrapper, and made explicit note of this security issue in the www-plugins/adobe-flash-10.0.45.2

I suppose I can recommend that www-plugins/adobe-flash-10.1.53.64 can go stable on x86 any time, but amd64 will still be suffering from this exploit until Adobe comes up with something better.

Why isn't that PMASK'ed? As we know __nobody__ reads elog messages, it needs more interaction to umask a package.

(In reply to comment #10)
> Update: I have removed ~amd64 from www-plugins/adobe-flash-10.1.53.64 due to
> total brokenness with nspluginwrapper, and made explicit note of this security
> issue in the www-plugins/adobe-flash-10.0.45.2

Can you please provide a URI where www-plugins/adobe-flash-10.1.53.64 breaks? I use it on amd64 w/ www-plugins/nspluginwrapper-1.2.2-r2 and www-client/mozilla-firefox-3.6.3 w/o any problems.

(In reply to comment #12)
> Can you please provide a URI where www-plugins/adobe-flash-10.1.53.64 breaks? I
> use it on amd64 w/ www-plugins/nspluginwrapper-1.2.2-r2 and
> www-client/mozilla-firefox-3.6.3 w/o any problems.

same here works great. i just installed it ( putting www-plugins/adobe-flash ** in p.keywords) and running nspluginwrapper -i //usr/lib32/nsbrowser/plugins/libflashplayer.so

Right clicking on any flash object causes the browser to stop responding until npviewer.bin is killed. I've been able to cause that at youtube, and the flash based advertisements that are everywhere.

Brian: That's the exact issue I was experiencing. Right-click on any flash object causes a browser hang. I've also had some flash applets (youtube for example) stop accepting any input at all (ie, cannot pause video), but this is more haphazard.
The issue of right-click hanging the browser is much more consistent.

I did not experience any hangs of the ffx browser but found 2 problems: Major: does not work in konqueror. Minor: scrolling the page, for example youtube, causes the image to flick a lot (quick display/no display). Stopping the scrolling backs to normal.

right click on youtube works here, no hang at all. But i have the minor issue described in comment #16 . almost harmless anyway

Right click on YouTube works here as well, on Firefox 64bit. I have both issues in comment #16, though: no flash in konqueror, and flickering when scrolling the page. Has anyone been able to have flash working in konqueror 64bit, and how? Thanks a lot.

As per Alex's request: Arches, please test and mark stable: =www-plugins/adobe-flash-10.1.53.64 Target keywords : "amd64 x86"

x86 stable

(In reply to comment #12)
> (In reply to comment #10)
> > Update: I have removed ~amd64 from www-plugins/adobe-flash-10.1.53.64 due to
> > total brokenness with nspluginwrapper, and made explicit note of this security
> > issue in the www-plugins/adobe-flash-10.0.45.2
>
> Can you please provide a URI where www-plugins/adobe-flash-10.1.53.64 breaks? I
> use it on amd64 w/ www-plugins/nspluginwrapper-1.2.2-r2 and
> www-client/mozilla-firefox-3.6.3 w/o any problems.
>

I did the same things what u did. But firefox always hangs. So I masked the adobe-flash-10.0.53.64 to my package.mask, and now I'm using 10.0.45.2-r1.

~amd64 It also hangs here even with a local nspluginwrapper-1.3.0 version (applying all patches from mandriva and fedora). Simply visiting http://www.publico.es and right clicking on flash objects make it hang

For later reference: I've discussed the amd64 issue with Jim and we're going with the following procedure: The 10.1 package that is being stabilized installs the 32-bit plugin version on amd64, but does not invoke nspluginwrapper as this setup has shown to be overly unstable.
Instead, amd64 users are advised to use a 32-bit browser such as firefox-bin with the 32-bit flash plugin that is not vulnerable to this issue. Additionally, the old vulnerable package will stay in the tree, but hardmasked for users where the 32-bit browser solution is not an option. These users can continue to use the 64-bit 10.0 flash plugin but they need to be willing to take the risk of exploitation. This option is not endorsed by Gentoo. Generally, all Flash users on Gentoo are advised to only run trusted Flash files from trusted sources. Additional measures such as flashblock should be considered.

PLEASE READ BEFORE REPLYING TO THIS BUG: Do NOT post any further support requests or other issues here, as this bug is solely intended to track the vulnerability. Please file new bugs instead. Thanks.

stable on amd64

CVE-2010-1297 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1297): Adobe Flash Player before 9.0.277.0 and 10.x before 10.1.53.64, Adobe AIR before 2.0.2.12610, and authplay.dll in Adobe Reader and Acrobat 9.x through 9.3.2 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted SWF content, related to the ActionScript Virtual Machine 2 (AVM2) newfunction instruction, as exploited in the wild in June 2010.

Why is adobe-flash-10.0.45.2 in tree and not masked?

(In reply to comment #26)
> Why is adobe-flash-10.0.45.2 in tree and not masked?
>

Matt, thanks for the reminder. I just added the mask.

Tobias, this vulnerability has been fixed in 9.0.277.0 too, if I read the descriptions right. (And 9.0 seems to work slightly better for me on amd64 than 10.1, for some reason.) Would it be possible to make the mask more specific so this version is not masked? (I know I can do it in /etc/..., but this might confuse other people too.)

Ewgenij, thanks for the information. I just restricted the mask to =www-plugins/adobe-flash-10.0*.
Note, however, that 9.x is old and only kept around for older operating systems (http://kb2.adobe.com/cps/406/kb406791.html, bug 254011). Sorry for the inconvenience.

please keep a adobe-flash-10.0.x in the tree too for the 64bit flash support. it's useful in dedicated services (like hulu) where the exploits are not an issue. or when you browse with flashblocker and only use flash on specific "trusted" sites. as for adobe-flash-10.1.x bugs, there might not be much that can be done. it's a binary only package, so you have to accept any random bugs adobe has added to it. if you disagree, complain to adobe.

(In reply to comment #30)
> please keep a adobe-flash-10.0.x in the tree too for the 64bit flash support.
> it's useful in dedicated services (like hulu) where the exploits are not an
> issue. or when you browse with flashblocker and only use flash on specific
> "trusted" sites.
>

see comment #23

CVE-2009-3793 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3793): Unspecified vulnerability in Adobe Flash Player before 9.0.277.0 and 10.x before 10.1.53.64, and Adobe AIR before 2.0.2.12610, allows attackers to cause a denial of service (memory consumption) or possibly execute arbitrary code via unknown vectors.

CVE-2010-2160 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2160): Adobe Flash Player before 9.0.277.0 and 10.x before 10.1.53.64, and Adobe AIR before 2.0.2.12610, allows attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via an invalid offset in an unspecified undocumented opcode in ActionScript Virtual Machine 2, related to getouterscope, a different vulnerability than CVE-2010-2165, CVE-2010-2166, CVE-2010-2171, CVE-2010-2175, CVE-2010-2176, CVE-2010-2177, CVE-2010-2178, CVE-2010-2180, CVE-2010-2182, CVE-2010-2184, CVE-2010-2187, and CVE-2010-2188.

CVE-2010-2162 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2162): Adobe Flash Player before 9.0.277.0 and 10.x before 10.1.53.64, and Adobe AIR before 2.0.2.12610, allows attackers to cause a denial of service (heap memory corruption) or possibly execute arbitrary code via vectors related to improper length calculation and the (1) STSC, (2) STSZ, and (3) STCO atoms.

CVE-2010-2163 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2163): Multiple unspecified vulnerabilities in Adobe Flash Player before 9.0.277.0 and 10.x before 10.1.53.64, and Adobe AIR before 2.0.2.12610, might allow attackers to execute arbitrary code via unknown vectors.

CVE-2010-2164 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2164): Use-after-free vulnerability in Adobe Flash Player before 9.0.277.0 and 10.x before 10.1.53.64, and Adobe AIR before 2.0.2.12610, might allow attackers to execute arbitrary code via unspecified vectors related to an unspecified "image type within a certain function."

CVE-2010-2165 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2165): Adobe Flash Player before 9.0.277.0 and 10.x before 10.1.53.64, and Adobe AIR before 2.0.2.12610, allows attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2010-2160, CVE-2010-2166, CVE-2010-2171, CVE-2010-2175, CVE-2010-2176, CVE-2010-2177, CVE-2010-2178, CVE-2010-2180, CVE-2010-2182, CVE-2010-2184, CVE-2010-2187, and CVE-2010-2188.

CVE-2010-2166 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2166): Adobe Flash Player before 9.0.277.0 and 10.x before 10.1.53.64, and Adobe AIR before 2.0.2.12610, allows attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2010-2160, CVE-2010-2165, CVE-2010-2171, CVE-2010-2175, CVE-2010-2176, CVE-2010-2177, CVE-2010-2178, CVE-2010-2180, CVE-2010-2182, CVE-2010-2184, CVE-2010-2187, and CVE-2010-2188.

CVE-2010-2167 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2167): Multiple heap-based buffer overflows in Adobe Flash Player before 9.0.277.0 and 10.x before 10.1.53.64, and Adobe AIR before 2.0.2.12610, might allow attackers to execute arbitrary code via unspecified vectors related to malformed (1) GIF or (2) JPEG data.

CVE-2010-2169 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2169): Adobe Flash Player before 9.0.277.0 and 10.x before 10.1.53.64, and Adobe AIR before 2.0.2.12610, allow attackers to cause a denial of service (pointer memory corruption) or possibly execute arbitrary code via unspecified vectors.

CVE-2010-2170 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2170): Integer overflow in Adobe Flash Player before 9.0.277.0 and 10.x before 10.1.53.64, and Adobe AIR before 2.0.2.12610, might allow attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2010-2181 and CVE-2010-2183.

CVE-2010-2171 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2171): Adobe Flash Player before 9.0.277.0 and 10.x before 10.1.53.64, and Adobe AIR before 2.0.2.12610, allows attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via vectors related to SWF files, decompression of embedded JPEG image data, and the DefineBits and other unspecified tags, a different vulnerability than CVE-2010-2160, CVE-2010-2165, CVE-2010-2166, CVE-2010-2175, CVE-2010-2176, CVE-2010-2177, CVE-2010-2178, CVE-2010-2180, CVE-2010-2182, CVE-2010-2184, CVE-2010-2187, and CVE-2010-2188.

CVE-2010-2172 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2172): Adobe Flash Player 9 before 9.0.277.0 on unspecified UNIX platforms allows attackers to cause a denial of service via unknown vectors.

CVE-2010-2173 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2173): Adobe Flash Player before 9.0.277.0 and 10.x before 10.1.53.64, and Adobe AIR before 2.0.2.12610, might allow attackers to execute arbitrary code via unspecified vectors, related to an "invalid pointer vulnerability" and the newclass (0x58) operator, a different vulnerability than CVE-2010-2174.

CVE-2010-2174 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2174): Adobe Flash Player before 9.0.277.0 and 10.x before 10.1.53.64, and Adobe AIR before 2.0.2.12610, might allow attackers to execute arbitrary code via unspecified vectors, related to an "invalid pointer vulnerability" and the newfunction (0x44) operator, a different vulnerability than CVE-2010-2173.

CVE-2010-2175 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2175): Adobe Flash Player before 9.0.277.0 and 10.x before 10.1.53.64, and Adobe AIR before 2.0.2.12610, allows attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2010-2160, CVE-2010-2165, CVE-2010-2166, CVE-2010-2171, CVE-2010-2176, CVE-2010-2177, CVE-2010-2178, CVE-2010-2180, CVE-2010-2182, CVE-2010-2184, CVE-2010-2187, and CVE-2010-2188.

CVE-2010-2176 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2176): Adobe Flash Player before 9.0.277.0 and 10.x before 10.1.53.64, and Adobe AIR before 2.0.2.12610, allows attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2010-2160, CVE-2010-2165, CVE-2010-2166, CVE-2010-2171, CVE-2010-2175, CVE-2010-2177, CVE-2010-2178, CVE-2010-2180, CVE-2010-2182, CVE-2010-2184, CVE-2010-2187, and CVE-2010-2188.

CVE-2010-2177 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2177): Adobe Flash Player before 9.0.277.0 and 10.x before 10.1.53.64, and Adobe AIR before 2.0.2.12610, allows attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2010-2160, CVE-2010-2165, CVE-2010-2166, CVE-2010-2171, CVE-2010-2175, CVE-2010-2176, CVE-2010-2178, CVE-2010-2180, CVE-2010-2182, CVE-2010-2184, CVE-2010-2187, and CVE-2010-2188.

CVE-2010-2178 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2178): Adobe Flash Player before 9.0.277.0 and 10.x before 10.1.53.64, and Adobe AIR before 2.0.2.12610, allows attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2010-2160, CVE-2010-2165, CVE-2010-2166, CVE-2010-2171, CVE-2010-2175, CVE-2010-2176, CVE-2010-2177, CVE-2010-2180, CVE-2010-2182, CVE-2010-2184, CVE-2010-2187, and CVE-2010-2188.

CVE-2010-2179 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2179): Cross-site scripting (XSS) vulnerability in Adobe Flash Player before 9.0.277.0 and 10.x before 10.1.53.64, and Adobe AIR before 2.0.2.12610, when Firefox or Chrome is used, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to URL parsing.

CVE-2010-2180 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2180): Adobe Flash Player before 9.0.277.0 and 10.x before 10.1.53.64, and Adobe AIR before 2.0.2.12610, allows attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2010-2160, CVE-2010-2165, CVE-2010-2166, CVE-2010-2171, CVE-2010-2175, CVE-2010-2176, CVE-2010-2177, CVE-2010-2178, CVE-2010-2182, CVE-2010-2184, CVE-2010-2187, and CVE-2010-2188.

CVE-2010-2181 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2181): Integer overflow in Adobe Flash Player before 9.0.277.0 and 10.x before 10.1.53.64, and Adobe AIR before 2.0.2.12610, might allow attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2010-2170 and CVE-2010-2183.

CVE-2010-2182 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2182): Adobe Flash Player before 9.0.277.0 and 10.x before 10.1.53.64, and Adobe AIR before 2.0.2.12610, allows attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2010-2160, CVE-2010-2165, CVE-2010-2166, CVE-2010-2171, CVE-2010-2175, CVE-2010-2176, CVE-2010-2177, CVE-2010-2178, CVE-2010-2180, CVE-2010-2184, CVE-2010-2187, and CVE-2010-2188.

CVE-2010-2183 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2183): Integer overflow in Adobe Flash Player before 9.0.277.0 and 10.x before 10.1.53.64, and Adobe AIR before 2.0.2.12610, might allow attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2010-2170 and CVE-2010-2181.

CVE-2010-2184 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2184): Adobe Flash Player before 9.0.277.0 and 10.x before 10.1.53.64, and Adobe AIR before 2.0.2.12610, allows attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2010-2160, CVE-2010-2165, CVE-2010-2166, CVE-2010-2171, CVE-2010-2175, CVE-2010-2176, CVE-2010-2177, CVE-2010-2178, CVE-2010-2180, CVE-2010-2182, CVE-2010-2187, and CVE-2010-2188.

CVE-2010-2185 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2185): Buffer overflow in Adobe Flash Player before 9.0.277.0 and 10.x before 10.1.53.64, and Adobe AIR before 2.0.2.12610, might allow attackers to execute arbitrary code via unspecified vectors.

CVE-2010-2186 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2186): Unspecified vulnerability in Adobe Flash Player before 9.0.277.0 and 10.x before 10.1.53.64, and Adobe AIR before 2.0.2.12610, allows attackers to cause a denial of service (application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2010-2187 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2187): Adobe Flash Player before 9.0.277.0 and 10.x before 10.1.53.64, and Adobe AIR before 2.0.2.12610, allows attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2010-2160, CVE-2010-2165, CVE-2010-2166, CVE-2010-2171, CVE-2010-2175, CVE-2010-2176, CVE-2010-2177, CVE-2010-2178, CVE-2010-2180, CVE-2010-2182, CVE-2010-2184, and CVE-2010-2188.

CVE-2010-2188 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2188): Adobe Flash Player before 9.0.277.0 and 10.x before 10.1.53.64, and Adobe AIR before 2.0.2.12610, allows attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code by calling the ActionScript native object 2200 connect method multiple times with different arguments, a different vulnerability than CVE-2010-2160, CVE-2010-2165, CVE-2010-2166, CVE-2010-2171, CVE-2010-2175, CVE-2010-2176, CVE-2010-2177, CVE-2010-2178, CVE-2010-2180, CVE-2010-2182, CVE-2010-2184, and CVE-2010-2187.

CVE-2010-2189 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2189): Adobe Flash Player before 9.0.277.0 and 10.x before 10.1.53.64, and Adobe AIR before 2.0.2.12610, when used in conjunction with VMWare Tools on a VMWare platform, allows attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via unspecified vectors.

GLSA request filed together with bug 332205.

This is GLSA 201101-09; thank you.
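
The affected range repeated in the CVE entries above ("before 9.0.277.0 and 10.x before 10.1.53.64") has one fixed release per branch, which is why the mask discussed in this bug was narrowed to the 10.0 series. The following is an added example, not part of the original bug report or of Portage; the function names and the sample list are constructed, and the regular expression only handles version strings of the shape seen in this thread.

```python
import re

# Fixed releases per major branch, taken from the CVE text quoted in this bug:
# "before 9.0.277.0 and 10.x before 10.1.53.64".
FIXED = {9: (9, 0, 277, 0), 10: (10, 1, 53, 64)}

# Assumption: a dotted version at the end of the string, optionally preceded by
# "category/name-" and followed by a Gentoo "-rN" ebuild revision.
_VERSION_RE = re.compile(r"(?:^|-)(\d+(?:\.\d+){1,3})(?:-r\d+)?$")


def parse_version(atom):
    """Return the upstream version of e.g. '=www-plugins/adobe-flash-10.0.45.2-r1'."""
    match = _VERSION_RE.search(atom.lstrip("=<>~"))
    if match is None:
        raise ValueError("no version found in %r" % atom)
    parts = tuple(int(p) for p in match.group(1).split("."))
    # Pad short versions so that tuple comparison is well defined.
    return parts + (0,) * (4 - len(parts))


def is_affected(atom):
    """Branch-aware check against the ranges stated in the CVE entries."""
    version = parse_version(atom)
    fixed = FIXED.get(version[0])
    if fixed is None:
        # Majors below 9 fall under "before 9.0.277.0"; majors above 10
        # are outside the ranges quoted in this bug.
        return version[0] < 9
    return version < fixed


def naive_is_affected(atom):
    """Single-threshold check; wrongly flags the fixed 9.x release."""
    return parse_version(atom) < FIXED[10]


def triage(atoms):
    """Map each atom to (branch-aware result, naive result)."""
    return {a: (is_affected(a), naive_is_affected(a)) for a in atoms}


# Constructed sample list; the versions are the ones named in this thread.
SAMPLE = [
    "www-plugins/adobe-flash-10.0.45.2",
    "www-plugins/adobe-flash-10.0.45.2-r1",
    "www-plugins/adobe-flash-10.1.53.64",
    "www-plugins/adobe-flash-9.0.277.0",
]

if __name__ == "__main__":
    for atom, (affected, naive) in triage(SAMPLE).items():
        print("%-40s affected=%-5s naive=%s" % (atom, affected, naive))
```
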