Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 420311 (CVE-2012-2034)

Summary: <www-plugins/adobe-flash-11.2.202.236: Multiple vulnerabilities (CVE-2012-{2034,2035,2036,2037,2038,2039,2040})
Product: Gentoo Security Reporter: Tim Sammut (RETIRED) <underling>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: desktop-misc, lack
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://www.adobe.com/support/security/bulletins/apsb12-14.html
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---

Description Tim Sammut (RETIRED) gentoo-dev 2012-06-08 19:27:30 UTC
From upstream advisory at $URL:

Summary

Adobe released security updates for Adobe Flash Player 11.2.202.235 and earlier versions for Windows, Macintosh and Linux, Adobe Flash Player 11.1.115.8 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.9 and earlier versions for Android 3.x and 2.x. These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.

Adobe recommends users update their product installations to the latest versions:

    Users of Adobe Flash Player 11.2.202.235 and earlier versions for Windows and Macintosh should update to Adobe Flash Player 11.3.300.257.
    Users of Adobe Flash Player 11.2.202.235 and earlier versions for Linux should update to Adobe Flash Player 11.2.202.236.
Comment 1 Tim Harder gentoo-dev 2012-06-10 04:44:32 UTC
11.2.202.236 added to CVS.
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2012-06-10 15:07:06 UTC
Thanks, Tim.

Arches, please test and mark stable:
=www-plugins/adobe-flash-11.2.202.236
Target keywords : "amd64 x86"
Comment 3 Johannes Huber gentoo-dev 2012-06-11 09:48:58 UTC
x86 stable
Comment 4 Agostino Sarubbo gentoo-dev 2012-06-11 10:15:01 UTC
amd64 stable
Comment 5 Tim Sammut (RETIRED) gentoo-dev 2012-06-11 13:12:37 UTC
Thanks, folks. Added to existing GLSA request.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2012-06-15 19:03:15 UTC
CVE-2012-2040 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2040):
  Untrusted search path vulnerability in the installer in Adobe Flash Player
  before 10.3.183.20 and 11.x before 11.3.300.257 on Windows and Mac OS X;
  before 10.3.183.20 and 11.x before 11.2.202.236 on Linux; before 11.1.111.10
  on Android 2.x and 3.x; and before 11.1.115.9 on Android 4.x, and Adobe AIR
  before 3.3.0.3610, allows local users to gain privileges via a Trojan horse
  executable file in an unspecified directory.

CVE-2012-2039 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2039):
  Adobe Flash Player before 10.3.183.20 and 11.x before 11.3.300.257 on
  Windows and Mac OS X; before 10.3.183.20 and 11.x before 11.2.202.236 on
  Linux; before 11.1.111.10 on Android 2.x and 3.x; and before 11.1.115.9 on
  Android 4.x, and Adobe AIR before 3.3.0.3610, allows attackers to execute
  arbitrary code or cause a denial of service (NULL pointer dereference) via
  unspecified vectors.

CVE-2012-2038 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2038):
  Adobe Flash Player before 10.3.183.20 and 11.x before 11.3.300.257 on
  Windows and Mac OS X; before 10.3.183.20 and 11.x before 11.2.202.236 on
  Linux; before 11.1.111.10 on Android 2.x and 3.x; and before 11.1.115.9 on
  Android 4.x, and Adobe AIR before 3.3.0.3610, allows attackers to bypass
  intended access restrictions and obtain sensitive information via
  unspecified vectors.

CVE-2012-2037 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2037):
  Adobe Flash Player before 10.3.183.20 and 11.x before 11.3.300.257 on
  Windows and Mac OS X; before 10.3.183.20 and 11.x before 11.2.202.236 on
  Linux; before 11.1.111.10 on Android 2.x and 3.x; and before 11.1.115.9 on
  Android 4.x, and Adobe AIR before 3.3.0.3610, allows attackers to execute
  arbitrary code or cause a denial of service (memory corruption) via
  unspecified vectors, a different vulnerability than CVE-2012-2034.

CVE-2012-2036 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2036):
  Integer overflow in Adobe Flash Player before 10.3.183.20 and 11.x before
  11.3.300.257 on Windows and Mac OS X; before 10.3.183.20 and 11.x before
  11.2.202.236 on Linux; before 11.1.111.10 on Android 2.x and 3.x; and before
  11.1.115.9 on Android 4.x, and Adobe AIR before 3.3.0.3610, allows attackers
  to execute arbitrary code via unspecified vectors.

CVE-2012-2035 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2035):
  Stack-based buffer overflow in Adobe Flash Player before 10.3.183.20 and
  11.x before 11.3.300.257 on Windows and Mac OS X; before 10.3.183.20 and
  11.x before 11.2.202.236 on Linux; before 11.1.111.10 on Android 2.x and
  3.x; and before 11.1.115.9 on Android 4.x, and Adobe AIR before 3.3.0.3610,
  allows attackers to execute arbitrary code via unspecified vectors.

CVE-2012-2034 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2034):
  Adobe Flash Player before 10.3.183.20 and 11.x before 11.3.300.257 on
  Windows and Mac OS X; before 10.3.183.20 and 11.x before 11.2.202.236 on
  Linux; before 11.1.111.10 on Android 2.x and 3.x; and before 11.1.115.9 on
  Android 4.x, and Adobe AIR before 3.3.0.3610, allows attackers to execute
  arbitrary code or cause a denial of service (memory corruption) via
  unspecified vectors, a different vulnerability than CVE-2012-2037.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2012-06-23 20:37:12 UTC
This issue was resolved and addressed in
 GLSA 201206-21 at http://security.gentoo.org/glsa/glsa-201206-21.xml
by GLSA coordinator Sean Amoss (ackle).