Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 484512 (CVE-2013-3361)

Summary: <www-plugins/adobe-flash-11.2.202.310 : Multiple Vulnerabilities (CVE-2013-{3361,3362,3363,5324})
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: desktop-misc, jer
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://secunia.com/advisories/54697/
Whiteboard: A2 [glsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2013-09-10 19:15:10 UTC 
From ${URL} :

Description

Multiple vulnerabilities have been reported in Adobe Flash Player and Adobe AIR, which can be exploited by malicious people to compromise a user's system.

1) An unspecified error can be exploited to cause memory corruption.

2) Another unspecified error can be exploited to cause memory corruption.

3) Another unspecified error can be exploited to cause memory corruption.

4) Another unspecified error can be exploited to cause memory corruption.

Successful exploitation of the vulnerabilities may allow execution of arbitrary code.

The vulnerabilities are reported in following versions and products:
* Adobe Flash Player versions 11.8.800.94 and prior for Windows and Macintosh
* Adobe Flash Player versions 11.2.202.297 and prior for Linux
* Adobe Flash Player versions 11.1.115.69 and prior for Android 4.x
* Adobe Flash Player versions 11.1.111.64 and prior for Android 3.x and 2.x
* Adobe AIR versions 3.8.0.870 and earlier for Windows and Android
* Adobe AIR versions 3.8.0.910 and earlier for Macintosh
* Adobe AIR SDK & Compiler versions 3.8.0.870 and earlier for Windows
* Adobe AIR SDK & Compiler versions 3.8.0.910 and earlier for Macintosh


Solution:
Update to a fixed version.

Further details available to Secunia VIM customers

Provided and/or discovered by:
The vendor credits Mateusz Jurczyk and Ben Hawkes, Google Security Team

Original Advisory:
http://www.adobe.com/support/security/bulletins/apsb13-21.html




@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2013-09-11 01:44:11 UTC 
http://www.adobe.com/support/security/bulletins/apsb13-21.html
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2013-09-11 01:49:32 UTC 
Arch teams, please test and mark stable:
=www-plugins/adobe-flash-11.2.202.310
Targeted stable KEYWORDS : -* amd64 x86
Comment 3 Sergey Popov (RETIRED) gentoo-dev 2013-09-11 09:05:00 UTC 
amd64/x86 stable

Added to existing GLSA draft
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2013-09-12 22:45:46 UTC 
CVE-2013-5324 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5324):
  Adobe Flash Player before 11.7.700.242 and 11.8.x before 11.8.800.168 on
  Windows and Mac OS X, before 11.2.202.310 on Linux, before 11.1.111.73 on
  Android 2.x and 3.x, and before 11.1.115.81 on Android 4.x; Adobe AIR before
  3.8.0.1430; and Adobe AIR SDK & Compiler before 3.8.0.1430 allow attackers
  to execute arbitrary code or cause a denial of service (memory corruption)
  via unspecified vectors, a different vulnerability than CVE-2013-3361,
  CVE-2013-3362, and CVE-2013-3363.

CVE-2013-3363 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-3363):
  Adobe Flash Player before 11.7.700.242 and 11.8.x before 11.8.800.168 on
  Windows and Mac OS X, before 11.2.202.310 on Linux, before 11.1.111.73 on
  Android 2.x and 3.x, and before 11.1.115.81 on Android 4.x; Adobe AIR before
  3.8.0.1430; and Adobe AIR SDK & Compiler before 3.8.0.1430 allow attackers
  to execute arbitrary code or cause a denial of service (memory corruption)
  via unspecified vectors, a different vulnerability than CVE-2013-3361,
  CVE-2013-3362, and CVE-2013-5324.

CVE-2013-3362 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-3362):
  Adobe Flash Player before 11.7.700.242 and 11.8.x before 11.8.800.168 on
  Windows and Mac OS X, before 11.2.202.310 on Linux, before 11.1.111.73 on
  Android 2.x and 3.x, and before 11.1.115.81 on Android 4.x; Adobe AIR before
  3.8.0.1430; and Adobe AIR SDK & Compiler before 3.8.0.1430 allow attackers
  to execute arbitrary code or cause a denial of service (memory corruption)
  via unspecified vectors, a different vulnerability than CVE-2013-3361,
  CVE-2013-3363, and CVE-2013-5324.

CVE-2013-3361 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-3361):
  Adobe Flash Player before 11.7.700.242 and 11.8.x before 11.8.800.168 on
  Windows and Mac OS X, before 11.2.202.310 on Linux, before 11.1.111.73 on
  Android 2.x and 3.x, and before 11.1.115.81 on Android 4.x; Adobe AIR before
  3.8.0.1430; and Adobe AIR SDK & Compiler before 3.8.0.1430 allow attackers
  to execute arbitrary code or cause a denial of service (memory corruption)
  via unspecified vectors, a different vulnerability than CVE-2013-3362,
  CVE-2013-3363, and CVE-2013-5324.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2013-09-14 02:54:59 UTC 
This issue was resolved and addressed in
 GLSA 201309-06 at http://security.gentoo.org/glsa/glsa-201309-06.xml
by GLSA coordinator Sean Amoss (ackle).