Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 410005 (CVE-2012-0772)

Summary: <www-plugins/adobe-flash-11.2.202.228: multiple vulnerabilities (CVE-2012-{0772,0773})
Product: Gentoo Security Reporter: Tim Sammut (RETIRED) <underling>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: desktop-misc, krinpaus, lack
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://www.adobe.com/support/security/bulletins/apsb12-07.html
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---

Description Tim Sammut (RETIRED) gentoo-dev 2012-03-28 14:26:38 UTC
From $URL:

These priority 2 updates address critical vulnerabilities in Adobe Flash Player 11.1.102.63 and earlier versions for Windows, Macintosh, Linux and Solaris, and Adobe Flash Player 11.1.111.7 and earlier versions for Android 3.x and 2.x. These vulnerabilities could cause a crash and potentially allow an attacker to take control of the affected system.

Adobe recommends users of Adobe Flash Player 11.1.102.63 and earlier versions for Windows, Macintosh and Linux update to Adobe Flash Player 11.2.202.228. Users of Adobe Flash Player 11.1.102.63 and earlier versions for Solaris should update to Adobe Flash Player 11.2.202.223. Users of Adobe Flash Player 11.1.111.7 and earlier versions for Android 3.x and earlier versions should update to Flash Player 11.1.111.8.
Comment 1 Jim Ramsay (lack) (RETIRED) gentoo-dev 2012-03-28 18:28:33 UTC
Just checked in the new ebuild.  As usual, feel free to stabilize as soon as you like.

  www-plugins/adobe-flash-11.2.202.223
Comment 2 Jim Ramsay (lack) (RETIRED) gentoo-dev 2012-03-28 18:34:58 UTC
Update: Turns out the latest version is actually 11.2.102.228.  Please stabilize  that one instead:

  =www-plugins/adobe-flash-11.2.202.228
Comment 3 Tim Sammut (RETIRED) gentoo-dev 2012-03-28 18:47:53 UTC
Great, thank you.

Arches, please test and mark stable:
=www-plugins/adobe-flash-11.2.202.228
Target keywords : "amd64 x86"
Comment 4 Agostino Sarubbo gentoo-dev 2012-03-29 08:36:28 UTC
amd64 stable
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2012-03-29 11:31:02 UTC
CVE-2012-0773 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0773):
  The NetStream class in Adobe Flash Player before 10.3.183.18 and 11.x before
  11.2.202.228 on Windows, Mac OS X, and Linux; Flash Player before
  10.3.183.18 and 11.x before 11.2.202.223 on Solaris; Flash Player before
  11.1.111.8 on Android 2.x and 3.x; and AIR before 3.2.0.2070 allows
  attackers to execute arbitrary code or cause a denial of service (memory
  corruption) via unspecified vectors.

CVE-2012-0772 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0772):
  An unspecified ActiveX control in Adobe Flash Player before 10.3.183.18 and
  11.x before 11.2.202.228, and AIR before 3.2.0.2070, on Windows does not
  properly perform URL security domain checking, which allow attackers to
  execute arbitrary code or cause a denial of service (memory corruption) via
  unknown vectors.
Comment 6 Jeff (JD) Horelick (RETIRED) gentoo-dev 2012-03-29 20:01:18 UTC
I'm seeing major graphical corruption issues and all YouTube videos have a blue tint under this version of flash with nvidia GTX570 with x11-drivers/nvidia-drivers-290.10. No x86 signoff.
Comment 7 Sergio Perez 2012-03-30 13:23:46 UTC
(In reply to comment #6)
> I'm seeing major graphical corruption issues and all YouTube videos have a
> blue tint under this version of flash with nvidia GTX570 with
> x11-drivers/nvidia-drivers-290.10. No x86 signoff.

Adobe know this issue and will not fix it. You have to manually disable harware acceleration. Also it happens on amd64 too.

See: https://bugbase.adobe.com/index.cfm?event=bug&id=3109467
Comment 8 Sergio Perez 2012-03-31 17:00:13 UTC
(In reply to comment #7)
> (In reply to comment #6)
> > I'm seeing major graphical corruption issues and all YouTube videos have a
> > blue tint under this version of flash with nvidia GTX570 with
> > x11-drivers/nvidia-drivers-290.10. No x86 signoff.
> 
> Adobe know this issue and will not fix it. You have to manually disable
> harware acceleration. Also it happens on amd64 too.
> 
> See: https://bugbase.adobe.com/index.cfm?event=bug&id=3109467

Somebody wrote a patch for libvdpau_trace which supresses this issue:
http://plagman.net/stuff/0001-vdpau_trace-WAR-Flash-quirks.patch

also see the first post here:
http://www.nvnews.net/vbulletin/showthread.php?t=177380
Comment 9 PaweĊ‚ Hajdan, Jr. (RETIRED) gentoo-dev 2012-04-05 21:15:09 UTC
x86 stable
Comment 10 Tim Sammut (RETIRED) gentoo-dev 2012-04-05 21:16:42 UTC
Thanks, everyone. Already in GLSA request.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2012-04-17 23:47:18 UTC
This issue was resolved and addressed in
 GLSA 201204-07 at http://security.gentoo.org/glsa/glsa-201204-07.xml
by GLSA coordinator Sean Amoss (ackle).