Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 461598 (CVE-2013-0646)

Summary: <www-plugins/adobe-flash-11.2.202.275: multiple vulnerabilities (CVE-2013-{0646,0650,1371,1375})
Product: Gentoo Security Reporter: shimi <gentoo-bugzilla>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: desktop-misc, lack
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.adobe.com/support/security/bulletins/apsb13-09.html
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---

Description shimi 2013-03-13 05:00:07 UTC 
Please version bump adobe-flash to 11.2.202.275:

Adobe has released security updates for Adobe Flash Player 11.6.602.171 and earlier versions for Windows and Macintosh, Adobe Flash Player 11.2.202.273 and earlier versions for Linux, Adobe Flash Player 11.1.115.47 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.43 and earlier versions for Android 3.x and 2.x. These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.

These updates resolve an integer overflow vulnerability that could lead to code execution (CVE-2013-0646).

These updates resolve a use-after-free vulnerability that could be exploited to execute arbitrary code (CVE-2013-0650).

These updates resolve a memory corruption vulnerability that could lead to code execution (CVE-2013-1371).

These updates resolve a heap buffer overflow vulnerability that could lead to code execution (CVE-2013-1375).

Source: http://www.adobe.com/support/security/bulletins/apsb13-09.html
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2013-03-14 15:38:25 UTC 
Arch teams, please test and mark stable:
=www-plugins/adobe-flash-11.2.202.275
Stable KEYWORDS : amd64 x86
Comment 2 Agostino Sarubbo gentoo-dev 2013-03-15 11:53:38 UTC 
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2013-03-15 11:57:06 UTC 
x86 stable
Comment 4 Sean Amoss (RETIRED) gentoo-dev Security 2013-03-17 22:23:02 UTC 
Adding to existing GLSA draft.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2013-03-21 18:45:06 UTC 
CVE-2013-1375 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1375):
  Heap-based buffer overflow in Adobe Flash Player before 10.3.183.68 and 11.x
  before 11.6.602.180 on Windows and Mac OS X, before 10.3.183.68 and 11.x
  before 11.2.202.275 on Linux, before 11.1.111.44 on Android 2.x and 3.x, and
  before 11.1.115.48 on Android 4.x; Adobe AIR before 3.6.0.6090; Adobe AIR
  SDK before 3.6.0.6090; and Adobe AIR SDK & Compiler before 3.6.0.6090 allows
  attackers to execute arbitrary code via unspecified vectors.

CVE-2013-1371 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1371):
  Adobe Flash Player before 10.3.183.68 and 11.x before 11.6.602.180 on
  Windows and Mac OS X, before 10.3.183.68 and 11.x before 11.2.202.275 on
  Linux, before 11.1.111.44 on Android 2.x and 3.x, and before 11.1.115.48 on
  Android 4.x; Adobe AIR before 3.6.0.6090; Adobe AIR SDK before 3.6.0.6090;
  and Adobe AIR SDK & Compiler before 3.6.0.6090 allow attackers to execute
  arbitrary code or cause a denial of service (memory corruption) via
  unspecified vectors.

CVE-2013-0650 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0650):
  Use-after-free vulnerability in Adobe Flash Player before 10.3.183.68 and
  11.x before 11.6.602.180 on Windows and Mac OS X, before 10.3.183.68 and
  11.x before 11.2.202.275 on Linux, before 11.1.111.44 on Android 2.x and
  3.x, and before 11.1.115.48 on Android 4.x; Adobe AIR before 3.6.0.6090;
  Adobe AIR SDK before 3.6.0.6090; and Adobe AIR SDK & Compiler before
  3.6.0.6090 allows attackers to execute arbitrary code via unspecified
  vectors.

CVE-2013-0646 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0646):
  Integer overflow in Adobe Flash Player before 10.3.183.68 and 11.x before
  11.6.602.180 on Windows and Mac OS X, before 10.3.183.68 and 11.x before
  11.2.202.275 on Linux, before 11.1.111.44 on Android 2.x and 3.x, and before
  11.1.115.48 on Android 4.x; Adobe AIR before 3.6.0.6090; Adobe AIR SDK
  before 3.6.0.6090; and Adobe AIR SDK & Compiler before 3.6.0.6090 allows
  attackers to execute arbitrary code via unspecified vectors.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2013-09-14 02:54:49 UTC 
This issue was resolved and addressed in
 GLSA 201309-06 at http://security.gentoo.org/glsa/glsa-201309-06.xml
by GLSA coordinator Sean Amoss (ackle).