
Bug 522448 (CVE-2014-0547)

Summary: <www-plugins/adobe-flash-11.2.202.406: Multiple vulnerabilities (CVE-2014-{0547,0548,0549,0550,0551,0552,0553,0554,0555,0556,0557,0559})
Product: Gentoo Security
Reporter: Jeroen Roovers (RETIRED) <jer>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: http://helpx.adobe.com/security/products/flash-player/apsb14-21.html
Whiteboard: A2 [glsa]
Package list:
Runtime testing required: ---

Description Jeroen Roovers (RETIRED) gentoo-dev 2014-09-09 17:15:25 UTC
Arch teams, please test and mark stable:
=www-plugins/adobe-flash-11.2.202.406
Targeted stable KEYWORDS : amd64 x86
Comment 1 Agostino Sarubbo gentoo-dev 2014-09-10 07:40:29 UTC
amd64 stable
Comment 2 Agostino Sarubbo gentoo-dev 2014-09-10 07:40:43 UTC
x86 stable.

Maintainer(s), please clean up.
Comment 3 Kristian Fiskerstrand gentoo-dev Security 2014-09-10 21:39:48 UTC
New GLSA request filed.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2014-09-10 21:46:04 UTC
CVE-2014-0559 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0559):
  Heap-based buffer overflow in Adobe Flash Player before 13.0.0.244 and 14.x
  and 15.x before 15.0.0.152 on Windows and OS X and before 11.2.202.406 on
  Linux, Adobe AIR before 15.0.0.249 on Windows and OS X and before 15.0.0.252
  on Android, Adobe AIR SDK before 15.0.0.249, and Adobe AIR SDK & Compiler
  before 15.0.0.249 allows attackers to execute arbitrary code via unspecified
  vectors, a different vulnerability than CVE-2014-0556.

CVE-2014-0557 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0557):
  Adobe Flash Player before 13.0.0.244 and 14.x and 15.x before 15.0.0.152 on
  Windows and OS X and before 11.2.202.406 on Linux, Adobe AIR before
  15.0.0.249 on Windows and OS X and before 15.0.0.252 on Android, Adobe AIR
  SDK before 15.0.0.249, and Adobe AIR SDK & Compiler before 15.0.0.249 do not
  properly restrict discovery of memory addresses, which allows attackers to
  bypass the ASLR protection mechanism via unspecified vectors.

CVE-2014-0556 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0556):
  Heap-based buffer overflow in Adobe Flash Player before 13.0.0.244 and 14.x
  and 15.x before 15.0.0.152 on Windows and OS X and before 11.2.202.406 on
  Linux, Adobe AIR before 15.0.0.249 on Windows and OS X and before 15.0.0.252
  on Android, Adobe AIR SDK before 15.0.0.249, and Adobe AIR SDK & Compiler
  before 15.0.0.249 allows attackers to execute arbitrary code via unspecified
  vectors, a different vulnerability than CVE-2014-0559.

CVE-2014-0555 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0555):
  Adobe Flash Player before 13.0.0.244 and 14.x and 15.x before 15.0.0.152 on
  Windows and OS X and before 11.2.202.406 on Linux, Adobe AIR before
  15.0.0.249 on Windows and OS X and before 15.0.0.252 on Android, Adobe AIR
  SDK before 15.0.0.249, and Adobe AIR SDK & Compiler before 15.0.0.249 allow
  attackers to execute arbitrary code or cause a denial of service (memory
  corruption) via unspecified vectors, a different vulnerability than
  CVE-2014-0547, CVE-2014-0549, CVE-2014-0550, CVE-2014-0551, and
  CVE-2014-0552.

CVE-2014-0554 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0554):
  Adobe Flash Player before 13.0.0.244 and 14.x and 15.x before 15.0.0.152 on
  Windows and OS X and before 11.2.202.406 on Linux, Adobe AIR before
  15.0.0.249 on Windows and OS X and before 15.0.0.252 on Android, Adobe AIR
  SDK before 15.0.0.249, and Adobe AIR SDK & Compiler before 15.0.0.249 allow
  attackers to bypass intended access restrictions via unspecified vectors.

CVE-2014-0553 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0553):
  Use-after-free vulnerability in Adobe Flash Player before 13.0.0.244 and
  14.x and 15.x before 15.0.0.152 on Windows and OS X and before 11.2.202.406
  on Linux, Adobe AIR before 15.0.0.249 on Windows and OS X and before
  15.0.0.252 on Android, Adobe AIR SDK before 15.0.0.249, and Adobe AIR SDK &
  Compiler before 15.0.0.249 allows attackers to execute arbitrary code via
  unspecified vectors.

CVE-2014-0552 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0552):
  Adobe Flash Player before 13.0.0.244 and 14.x and 15.x before 15.0.0.152 on
  Windows and OS X and before 11.2.202.406 on Linux, Adobe AIR before
  15.0.0.249 on Windows and OS X and before 15.0.0.252 on Android, Adobe AIR
  SDK before 15.0.0.249, and Adobe AIR SDK & Compiler before 15.0.0.249 allow
  attackers to execute arbitrary code or cause a denial of service (memory
  corruption) via unspecified vectors, a different vulnerability than
  CVE-2014-0547, CVE-2014-0549, CVE-2014-0550, CVE-2014-0551, and
  CVE-2014-0555.

CVE-2014-0551 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0551):
  Adobe Flash Player before 13.0.0.244 and 14.x and 15.x before 15.0.0.152 on
  Windows and OS X and before 11.2.202.406 on Linux, Adobe AIR before
  15.0.0.249 on Windows and OS X and before 15.0.0.252 on Android, Adobe AIR
  SDK before 15.0.0.249, and Adobe AIR SDK & Compiler before 15.0.0.249 allow
  attackers to execute arbitrary code or cause a denial of service (memory
  corruption) via unspecified vectors, a different vulnerability than
  CVE-2014-0547, CVE-2014-0549, CVE-2014-0550, CVE-2014-0552, and
  CVE-2014-0555.

CVE-2014-0550 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0550):
  Adobe Flash Player before 13.0.0.244 and 14.x and 15.x before 15.0.0.152 on
  Windows and OS X and before 11.2.202.406 on Linux, Adobe AIR before
  15.0.0.249 on Windows and OS X and before 15.0.0.252 on Android, Adobe AIR
  SDK before 15.0.0.249, and Adobe AIR SDK & Compiler before 15.0.0.249 allow
  attackers to execute arbitrary code or cause a denial of service (memory
  corruption) via unspecified vectors, a different vulnerability than
  CVE-2014-0547, CVE-2014-0549, CVE-2014-0551, CVE-2014-0552, and
  CVE-2014-0555.

CVE-2014-0549 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0549):
  Adobe Flash Player before 13.0.0.244 and 14.x and 15.x before 15.0.0.152 on
  Windows and OS X and before 11.2.202.406 on Linux, Adobe AIR before
  15.0.0.249 on Windows and OS X and before 15.0.0.252 on Android, Adobe AIR
  SDK before 15.0.0.249, and Adobe AIR SDK & Compiler before 15.0.0.249 allow
  attackers to execute arbitrary code or cause a denial of service (memory
  corruption) via unspecified vectors, a different vulnerability than
  CVE-2014-0547, CVE-2014-0550, CVE-2014-0551, CVE-2014-0552, and
  CVE-2014-0555.

CVE-2014-0548 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0548):
  Adobe Flash Player before 13.0.0.244 and 14.x and 15.x before 15.0.0.152 on
  Windows and OS X and before 11.2.202.406 on Linux, Adobe AIR before
  15.0.0.249 on Windows and OS X and before 15.0.0.252 on Android, Adobe AIR
  SDK before 15.0.0.249, and Adobe AIR SDK & Compiler before 15.0.0.249 allow
  remote attackers to bypass the Same Origin Policy via unspecified vectors.

CVE-2014-0547 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0547):
  Adobe Flash Player before 13.0.0.244 and 14.x and 15.x before 15.0.0.152 on
  Windows and OS X and before 11.2.202.406 on Linux, Adobe AIR before
  15.0.0.249 on Windows and OS X and before 15.0.0.252 on Android, Adobe AIR
  SDK before 15.0.0.249, and Adobe AIR SDK & Compiler before 15.0.0.249 allow
  attackers to execute arbitrary code or cause a denial of service (memory
  corruption) via unspecified vectors, a different vulnerability than
  CVE-2014-0549, CVE-2014-0550, CVE-2014-0551, CVE-2014-0552, and
  CVE-2014-0555.
Comment 5 Kristian Fiskerstrand gentoo-dev Security 2014-09-14 20:39:59 UTC
  10 Sep 2014; Jeroen Roovers <jer@gentoo.org>
  -adobe-flash-11.2.202.400.ebuild:
  Old.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2014-09-19 18:49:16 UTC
This issue was resolved and addressed in
 GLSA 201409-05 at http://security.gentoo.org/glsa/glsa-201409-05.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).