
Bug 507176 (CVE-2014-0506)

Summary: <www-plugins/adobe-flash-11.2.202.350: multiple vulnerabilities (CVE-2014-{0506,0507,0508,0509})
Product: Gentoo Security
Reporter: Jeroen Roovers <jer>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: http://helpx.adobe.com/security/products/flash-player/apsb14-09.html
Whiteboard: A3 [glsa]
Package list:
Runtime testing required: ---

Description Jeroen Roovers gentoo-dev 2014-04-08 21:17:32 UTC
"Adobe has released security updates for ... Adobe Flash Player 11.2.202.346 and earlier versions for Linux. These updates address vulnerabilities that could potentially allow an attacker to take control of the affected system."
Comment 1 Jeroen Roovers gentoo-dev 2014-04-08 21:18:55 UTC
Arch teams, please test and mark stable:
=www-plugins/adobe-flash-11.2.202.350
Targeted stable KEYWORDS : amd64 x86
Comment 2 Jeroen Roovers gentoo-dev 2014-04-10 13:35:10 UTC
Stable for AMD64 x86.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2014-04-10 21:39:05 UTC
CVE-2014-0509 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0509):
  Cross-site scripting (XSS) vulnerability in Adobe Flash Player before
  11.7.700.275 and 11.8.x through 13.0.x before 13.0.0.182 on Windows and OS X
  and before 11.2.202.350 on Linux, Adobe AIR before 13.0.0.83 on Android,
  Adobe AIR SDK before 13.0.0.83, and Adobe AIR SDK & Compiler before
  13.0.0.83 allows remote attackers to inject arbitrary web script or HTML via
  unspecified vectors.

CVE-2014-0508 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0508):
  Adobe Flash Player before 11.7.700.275 and 11.8.x through 13.0.x before
  13.0.0.182 on Windows and OS X and before 11.2.202.350 on Linux, Adobe AIR
  before 13.0.0.83 on Android, Adobe AIR SDK before 13.0.0.83, and Adobe AIR
  SDK & Compiler before 13.0.0.83 allow attackers to bypass intended access
  restrictions and obtain sensitive information via unspecified vectors.

CVE-2014-0507 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0507):
  Buffer overflow in Adobe Flash Player before 11.7.700.275 and 11.8.x through
  13.0.x before 13.0.0.182 on Windows and OS X and before 11.2.202.350 on
  Linux, Adobe AIR before 13.0.0.83 on Android, Adobe AIR SDK before
  13.0.0.83, and Adobe AIR SDK & Compiler before 13.0.0.83 allows attackers to
  execute arbitrary code via unspecified vectors.
Comment 4 Drake Donahue 2014-04-17 05:33:15 UTC
This player version, =www-plugins/adobe-flash-11.2.202.350, fails on youtube with undefined, out of date or unrecognized version at ABC.com, facebook, etc.
Comment 5 Drake Donahue 2014-04-17 16:55:57 UTC
(In reply to Drake Donahue from comment #4)
> this player version, =www-plugins/adobe-flash-11.2.202.350, fails on youtube
> with undefined, out of date or unrecognized version at ABC.com, facebook, etc

chromium-35.0.1916.27 displays this behavior; firefox-bin-24.4.0 does not.
Comment 6 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2014-04-17 17:15:52 UTC
(In reply to Drake Donahue from comment #5)
> (In reply to Drake Donahue from comment #4)
> > this player version, =www-plugins/adobe-flash-11.2.202.350, fails on youtube
> > with undefined, out of date or unrecognized version at ABC.com, facebook, etc
> 
> chromium-35.0.1916.27 displays this behavior; firefox-bin-24.4.0 does not

This is a security bug, please do _NOT_ discuss your behaviour problems here. File a separate bug.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2014-05-03 19:14:07 UTC
This issue was resolved and addressed in
GLSA 201405-04 at http://security.gentoo.org/glsa/glsa-201405-04.xml
by GLSA coordinator Sergey Popov (pinkbyte).