Bug 510278 (CVE-2014-0510)

Summary:	<www-plugins/adobe-flash-11.2.202.359 - multiple vulnerabilities (CVE-2014-{0510,0516,0517,0518,0519,0520})
Product:	Gentoo Security	Reporter:	Jeroen Roovers (RETIRED) <jer>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	normal	CC:	desktop-misc
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	http://helpx.adobe.com/security/products/flash-player/apsb14-14.html
Whiteboard:	A2 [glsa]
Package list:		Runtime testing required:	---

Description Jeroen Roovers (RETIRED) gentoo-dev

2014-05-14 04:56:36 UTC

"Users of Adobe Flash Player 11.2.202.356 and earlier versions for Linux should update to Adobe Flash Player 11.2.202.359."

Comment 1 Jeroen Roovers (RETIRED) gentoo-dev

2014-05-14 05:02:08 UTC

Arch teams, please test and mark stable:
=www-plugins/adobe-flash-11.2.202.359
Targeted stable KEYWORDS : amd64 x86

Comment 2 GLSAMaker/CVETool Bot gentoo-dev

2014-05-14 09:27:23 UTC

CVE-2014-0510 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0510):
  Heap-based buffer overflow in Adobe Flash Player 12.0.0.77 allows remote
  attackers to execute arbitrary code and bypass a sandbox protection
  mechanism via unspecified vectors, as demonstrated by Zeguang Zhao and Liang
  Chen during a Pwn2Own competition at CanSecWest 2014.

Comment 3 Mikle Kolyada (RETIRED) archtester

2014-05-14 09:35:51 UTC

amd64/x86 stable.

@jer, cleanup, please

Comment 4 Mikle Kolyada (RETIRED) archtester

2014-05-14 09:40:12 UTC

glsa request filed.

Comment 5 Agostino Sarubbo gentoo-dev

2014-05-14 15:57:30 UTC

> Whiteboard: ?? [cleanup/glsa?] → B2 [cleanup/glsa]

adobe-flash is valuated as A

Comment 6 GLSAMaker/CVETool Bot gentoo-dev

2014-05-16 12:23:59 UTC

CVE-2014-0520 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0520):
  Adobe Flash Player before 13.0.0.214 on Windows and OS X and before
  11.2.202.359 on Linux, Adobe AIR SDK before 13.0.0.111, and Adobe AIR SDK &
  Compiler before 13.0.0.111 allow attackers to bypass intended access
  restrictions via unspecified vectors, a different vulnerability than
  CVE-2014-0517, CVE-2014-0518, and CVE-2014-0519.

CVE-2014-0519 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0519):
  Adobe Flash Player before 13.0.0.214 on Windows and OS X and before
  11.2.202.359 on Linux, Adobe AIR SDK before 13.0.0.111, and Adobe AIR SDK &
  Compiler before 13.0.0.111 allow attackers to bypass intended access
  restrictions via unspecified vectors, a different vulnerability than
  CVE-2014-0517, CVE-2014-0518, and CVE-2014-0520.

CVE-2014-0518 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0518):
  Adobe Flash Player before 13.0.0.214 on Windows and OS X and before
  11.2.202.359 on Linux, Adobe AIR SDK before 13.0.0.111, and Adobe AIR SDK &
  Compiler before 13.0.0.111 allow attackers to bypass intended access
  restrictions via unspecified vectors, a different vulnerability than
  CVE-2014-0517, CVE-2014-0519, and CVE-2014-0520.

CVE-2014-0517 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0517):
  Adobe Flash Player before 13.0.0.214 on Windows and OS X and before
  11.2.202.359 on Linux, Adobe AIR SDK before 13.0.0.111, and Adobe AIR SDK &
  Compiler before 13.0.0.111 allow attackers to bypass intended access
  restrictions via unspecified vectors, a different vulnerability than
  CVE-2014-0518, CVE-2014-0519, and CVE-2014-0520.

CVE-2014-0516 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0516):
  Adobe Flash Player before 13.0.0.214 on Windows and OS X and before
  11.2.202.359 on Linux, Adobe AIR SDK before 13.0.0.111, and Adobe AIR SDK &
  Compiler before 13.0.0.111 allow remote attackers to bypass the Same Origin
  Policy via unspecified vectors.

Comment 7 GLSAMaker/CVETool Bot gentoo-dev

2014-06-10 10:00:41 UTC

This issue was resolved and addressed in
 GLSA 201406-08 at http://security.gentoo.org/glsa/glsa-201406-08.xml
by GLSA coordinator Mikle Kolyada (Zlogene).