Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 538982 (CVE-2015-0314)

Summary: <www-plugins/adobe-flash-11.2.202.442: Multiple vulnerabilities (CVE-2015-{0312,0313,0314,0315,0316,0317,0318,0319,0320,0321,0322,0323,0324,0325,0326,0327,0328,0329,0330,0331})
Product: Gentoo Security Reporter: Marius Brehler <marius.brehler+gentoo>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: desktop-misc, jer
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://helpx.adobe.com/security/products/flash-player/apsb15-04.html
Whiteboard: A2 [glsa]
Package list:
Runtime testing required: ---

Description Marius Brehler 2015-02-05 21:45:30 UTC
Also adobe-flash 11.x isn't affected by CVE-2015-0313 [1], adobe ships a new release which includes fixes for several issues (18 CVEs in total). Please bump.

[1] http://helpx.adobe.com/security/products/flash-player/apsa15-02.html

Reproducible: Always
Comment 1 Patrick Lauer gentoo-dev 2015-02-06 03:33:19 UTC
+  06 Feb 2015; Patrick Lauer <patrick@gentoo.org>
+  +adobe-flash-11.2.202.442.ebuild:
+  Bump #538982
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2015-02-06 08:59:21 UTC
Arch teams, please test and mark stable:
=www-plugins/adobe-flash-11.2.202.442
Targeted stable KEYWORDS : amd64 x86
Comment 3 Agostino Sarubbo gentoo-dev 2015-02-06 11:34:24 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2015-02-06 11:36:06 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 5 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-02-06 14:18:35 UTC
Added to existing GLSA draft
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2015-02-06 14:21:14 UTC
CVE-2015-0330 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0330):
  Adobe Flash Player before 13.0.0.269 and 14.x through 16.x before 16.0.0.305
  on Windows and OS X and before 11.2.202.442 on Linux allows attackers to
  execute arbitrary code or cause a denial of service (memory corruption) via
  unspecified vectors, a different vulnerability than CVE-2015-0314,
  CVE-2015-0316, CVE-2015-0318, CVE-2015-0321, and CVE-2015-0329.

CVE-2015-0329 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0329):
  Adobe Flash Player before 13.0.0.269 and 14.x through 16.x before 16.0.0.305
  on Windows and OS X and before 11.2.202.442 on Linux allows attackers to
  execute arbitrary code or cause a denial of service (memory corruption) via
  unspecified vectors, a different vulnerability than CVE-2015-0314,
  CVE-2015-0316, CVE-2015-0318, CVE-2015-0321, and CVE-2015-0330.

CVE-2015-0321 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0321):
  Adobe Flash Player before 13.0.0.269 and 14.x through 16.x before 16.0.0.305
  on Windows and OS X and before 11.2.202.442 on Linux allows attackers to
  execute arbitrary code or cause a denial of service (memory corruption) via
  unspecified vectors, a different vulnerability than CVE-2015-0314,
  CVE-2015-0316, CVE-2015-0318, CVE-2015-0329, and CVE-2015-0330.

CVE-2015-0318 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0318):
  Adobe Flash Player before 13.0.0.269 and 14.x through 16.x before 16.0.0.305
  on Windows and OS X and before 11.2.202.442 on Linux allows attackers to
  execute arbitrary code or cause a denial of service (memory corruption) via
  unspecified vectors, a different vulnerability than CVE-2015-0314,
  CVE-2015-0316, CVE-2015-0321, CVE-2015-0329, and CVE-2015-0330.

CVE-2015-0316 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0316):
  Adobe Flash Player before 13.0.0.269 and 14.x through 16.x before 16.0.0.305
  on Windows and OS X and before 11.2.202.442 on Linux allows attackers to
  execute arbitrary code or cause a denial of service (memory corruption) via
  unspecified vectors, a different vulnerability than CVE-2015-0314,
  CVE-2015-0318, CVE-2015-0321, CVE-2015-0329, and CVE-2015-0330.

CVE-2015-0314 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0314):
  Adobe Flash Player before 13.0.0.269 and 14.x through 16.x before 16.0.0.305
  on Windows and OS X and before 11.2.202.442 on Linux allows attackers to
  execute arbitrary code or cause a denial of service (memory corruption) via
  unspecified vectors, a different vulnerability than CVE-2015-0316,
  CVE-2015-0318, CVE-2015-0321, CVE-2015-0329, and CVE-2015-0330.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2015-02-06 14:21:57 UTC
CVE-2015-0322 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0322):
  Use-after-free vulnerability in Adobe Flash Player before 13.0.0.269 and
  14.x through 16.x before 16.0.0.305 on Windows and OS X and before
  11.2.202.442 on Linux allows attackers to execute arbitrary code via
  unspecified vectors, a different vulnerability than CVE-2015-0313,
  CVE-2015-0315, and CVE-2015-0320.

CVE-2015-0320 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0320):
  Use-after-free vulnerability in Adobe Flash Player before 13.0.0.269 and
  14.x through 16.x before 16.0.0.305 on Windows and OS X and before
  11.2.202.442 on Linux allows attackers to execute arbitrary code via
  unspecified vectors, a different vulnerability than CVE-2015-0313,
  CVE-2015-0315, and CVE-2015-0322.

CVE-2015-0315 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0315):
  Use-after-free vulnerability in Adobe Flash Player before 13.0.0.269 and
  14.x through 16.x before 16.0.0.305 on Windows and OS X and before
  11.2.202.442 on Linux allows attackers to execute arbitrary code via
  unspecified vectors, a different vulnerability than CVE-2015-0313,
  CVE-2015-0320, and CVE-2015-0322.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2015-02-06 14:22:20 UTC
CVE-2015-0319 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0319):
  Adobe Flash Player before 13.0.0.269 and 14.x through 16.x before 16.0.0.305
  on Windows and OS X and before 11.2.202.442 on Linux allows attackers to
  execute arbitrary code by leveraging an unspecified "type confusion," a
  different vulnerability than CVE-2015-0317.

CVE-2015-0317 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0317):
  Adobe Flash Player before 13.0.0.269 and 14.x through 16.x before 16.0.0.305
  on Windows and OS X and before 11.2.202.442 on Linux allows attackers to
  execute arbitrary code by leveraging an unspecified "type confusion," a
  different vulnerability than CVE-2015-0319.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2015-02-06 14:22:48 UTC
CVE-2015-0327 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0327):
  Heap-based buffer overflow in Adobe Flash Player before 13.0.0.269 and 14.x
  through 16.x before 16.0.0.305 on Windows and OS X and before 11.2.202.442
  on Linux allows attackers to execute arbitrary code via unspecified vectors,
  a different vulnerability than CVE-2015-0323.

CVE-2015-0323 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0323):
  Heap-based buffer overflow in Adobe Flash Player before 13.0.0.269 and 14.x
  through 16.x before 16.0.0.305 on Windows and OS X and before 11.2.202.442
  on Linux allows attackers to execute arbitrary code via unspecified vectors,
  a different vulnerability than CVE-2015-0327.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2015-02-06 14:23:22 UTC
CVE-2015-0324 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0324):
  Buffer overflow in Adobe Flash Player before 13.0.0.269 and 14.x through
  16.x before 16.0.0.305 on Windows and OS X and before 11.2.202.442 on Linux
  allows attackers to execute arbitrary code via unspecified vectors.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2015-02-06 14:23:50 UTC
CVE-2015-0328 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0328):
  Adobe Flash Player before 13.0.0.269 and 14.x through 16.x before 16.0.0.305
  on Windows and OS X and before 11.2.202.442 on Linux allows attackers to
  cause a denial of service (NULL pointer dereference) or possibly have
  unspecified other impact via unknown vectors, a different vulnerability than
  CVE-2015-0325 and CVE-2015-0326.

CVE-2015-0326 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0326):
  Adobe Flash Player before 13.0.0.269 and 14.x through 16.x before 16.0.0.305
  on Windows and OS X and before 11.2.202.442 on Linux allows attackers to
  cause a denial of service (NULL pointer dereference) or possibly have
  unspecified other impact via unknown vectors, a different vulnerability than
  CVE-2015-0325 and CVE-2015-0328.

CVE-2015-0325 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0325):
  Adobe Flash Player before 13.0.0.269 and 14.x through 16.x before 16.0.0.305
  on Windows and OS X and before 11.2.202.442 on Linux allows attackers to
  cause a denial of service (NULL pointer dereference) or possibly have
  unspecified other impact via unknown vectors, a different vulnerability than
  CVE-2015-0326 and CVE-2015-0328.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2015-02-06 19:28:52 UTC
This issue was resolved and addressed in
 GLSA 201502-02 at http://security.gentoo.org/glsa/glsa-201502-02.xml
by GLSA coordinator Mikle Kolyada (Zlogene).
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2015-02-13 09:41:27 UTC
CVE-2015-0313 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0313):
  Use-after-free vulnerability in Adobe Flash Player before 13.0.0.269 and
  14.x through 16.x before 16.0.0.305 on Windows and OS X and before
  11.2.202.442 on Linux allows remote attackers to execute arbitrary code via
  unspecified vectors, as exploited in the wild in February 2015, a different
  vulnerability than CVE-2015-0315, CVE-2015-0320, and CVE-2015-0322.

CVE-2015-0312 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0312):
  Double free vulnerability in Adobe Flash Player before 13.0.0.264 and 14.x
  through 16.x before 16.0.0.296 on Windows and OS X and before 11.2.202.440
  on Linux allows attackers to execute arbitrary code via unspecified vectors.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2015-03-14 13:12:16 UTC
CVE-2015-0331 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0331):
  Use-after-free vulnerability in Adobe Flash Player before 13.0.0.269 and
  14.x through 16.x before 16.0.0.305 on Windows and OS X and before
  11.2.202.442 on Linux allows attackers to execute arbitrary code via
  unspecified vectors, a different vulnerability than CVE-2015-0313,
  CVE-2015-0315, CVE-2015-0320, and CVE-2015-0322.