
Bug 414603 (CVE-2012-0779)

Summary: <www-plugins/adobe-flash-11.2.202.235: object confusion remote code execution vulnerability (CVE-2012-0779)
Product: Gentoo Security
Reporter: Tim Sammut (RETIRED) <underling>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: desktop-misc, lack
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://www.adobe.com/support/security/bulletins/apsb12-09.html
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---

Description Tim Sammut (RETIRED) gentoo-dev 2012-05-04 14:41:03 UTC
From the upstream advisory at $URL:

Adobe released security updates for Adobe Flash Player 11.2.202.233 and earlier versions for Windows, Macintosh and Linux, Adobe Flash Player 11.1.115.7 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.8 and earlier versions for Android 3.x and 2.x. These updates address an object confusion vulnerability (CVE-2012-0779) that could cause the application to crash and potentially allow an attacker to take control of the affected system.
There are reports that the vulnerability is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious file delivered in an email message. The exploit targets Flash Player on Internet Explorer for Windows only.

Adobe recommends users of Adobe Flash Player 11.2.202.233 and earlier versions for Windows, Macintosh and Linux update to Adobe Flash Player 11.2.202.235. Flash Player installed with Google Chrome was updated automatically, so no user action is required.
Comment 1 Jim Ramsay (lack) (RETIRED) gentoo-dev 2012-05-05 02:43:44 UTC
Just bumped flash to 11.2.202.235.

As usual, stabilize any time.
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2012-05-05 02:57:40 UTC
Thanks, Jim.

Arches, please test and mark stable:
=www-plugins/adobe-flash-11.2.202.235
Target keywords : "amd64 x86"
Comment 3 Elijah "Armageddon" El Lazkani (amd64 AT) 2012-05-05 05:16:42 UTC
amd64: pass
Comment 4 Markos Chandras (RETIRED) gentoo-dev 2012-05-05 11:28:31 UTC
amd64 done. Thanks, Elijah.
Comment 5 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2012-05-05 12:51:03 UTC
I can't see problems for x86, tried running under firefox and chromium: all well.
Please mark stable.
Comment 6 Andreas Schürch gentoo-dev 2012-05-06 17:33:11 UTC
x86 stable, thanks Mikle.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2012-05-06 22:25:43 UTC
CVE-2012-0779 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0779):
  Adobe Flash Player before 10.3.183.19 and 11.x before 11.2.202.235 on
  Windows, Mac OS X, and Linux; before 11.1.111.9 on Android 2.x and 3.x; and
  before 11.1.115.8 on Android 4.x allows remote attackers to execute
  arbitrary code via a crafted file, related to an "object confusion
  vulnerability," as exploited in the wild in May 2012.
Comment 8 Tim Sammut (RETIRED) gentoo-dev 2012-05-07 02:51:50 UTC
Thanks, folks. Already in GLSA request.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2012-06-23 20:37:09 UTC
This issue was resolved and addressed in
 GLSA 201206-21 at http://security.gentoo.org/glsa/glsa-201206-21.xml
by GLSA coordinator Sean Amoss (ackle).