Bug 459368 (CVE-2013-0504)

Summary: <www-plugins/adobe-flash-11.2.202.273: multiple vulnerabilities (CVE-2013-{0504,0643,0648})
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: desktop-misc, lack
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://www.adobe.com/support/security/bulletins/apsb13-08.html
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2013-02-26 21:40:02 UTC
From ${URL} :

Adobe has released security updates for Adobe Flash Player 11.6.602.168 and earlier versions for 
Windows, Adobe Flash Player 11.6.602.167 and earlier versions for Macintosh, and Adobe Flash Player 
11.2.202.270 and earlier versions for Linux. These updates address vulnerabilities that could cause 
a crash and potentially allow an attacker to take control of the affected system.

Adobe is aware of reports that CVE-2013-0643 and CVE-2013-0648 are being exploited in the wild in 
targeted attacks designed to trick the user into clicking a link which directs to a website serving 
malicious Flash (SWF) content. The exploit for CVE-2013-0643 and CVE-2013-0648 is designed to 
target the Firefox browser.

Users of Adobe Flash Player 11.2.202.270 and earlier versions for Linux should update to Adobe 
Flash Player 11.2.202.273.

Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2013-02-27 05:10:47 UTC
Arch teams, please test and mark stable:
=www-plugins/adobe-flash-11.2.202.273
Stable KEYWORDS : amd64 x86

Comment 2 Sergey Popov gentoo-dev 2013-02-27 13:22:08 UTC
amd64 stable

Comment 3 Agostino Sarubbo gentoo-dev 2013-02-27 13:45:58 UTC
x86 stable

Comment 4 Sean Amoss (RETIRED) gentoo-dev Security 2013-03-04 01:24:51 UTC
Added to existing GLSA draft.

Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2013-03-04 01:25:10 UTC
CVE-2013-0648 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0648):
  Unspecified vulnerability in the ExternalInterface ActionScript
  functionality in Adobe Flash Player before 10.3.183.67 and 11.x before
  11.6.602.171 on Windows and Mac OS X, and before 10.3.183.67 and 11.x before
  11.2.202.273 on Linux, allows remote attackers to execute arbitrary code via
  crafted SWF content, as exploited in the wild in February 2013.

CVE-2013-0643 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0643):
  The Firefox sandbox in Adobe Flash Player before 10.3.183.67 and 11.x before
  11.6.602.171 on Windows and Mac OS X, and before 10.3.183.67 and 11.x before
  11.2.202.273 on Linux, does not properly restrict privileges, which makes it
  easier for remote attackers to execute arbitrary code via crafted SWF
  content, as exploited in the wild in February 2013.

CVE-2013-0504 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0504):
  Buffer overflow in the broker service in Adobe Flash Player before
  10.3.183.67 and 11.x before 11.6.602.171 on Windows and Mac OS X, and before
  10.3.183.67 and 11.x before 11.2.202.273 on Linux, allows attackers to
  execute arbitrary code via unspecified vectors.

Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2013-09-14 02:54:47 UTC
This issue was resolved and addressed in
 GLSA 201309-06 at http://security.gentoo.org/glsa/glsa-201309-06.xml
by GLSA coordinator Sean Amoss (ackle).