| Summary: | <www-plugins/adobe-flash-11.2.202.481: use after free / "hackingteam" vuln (CVE-2015-5119) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Hanno Böck <hanno> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | ahbritto, desktop-misc, jer, phmagic |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://helpx.adobe.com/security/products/flash-player/apsa15-03.html | | |
| Whiteboard: | A2 [glsa cleanup cve] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | | | |
| Bug Blocks: | 554250 | | |

Description
Hanno Böck
2015-07-08 09:48:30 UTC
Thanks for the report, this is also discussed in
- http://www.kb.cert.org/vuls/id/561288
- http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-flash-zero-day-integrated-into-exploit-kits/
- http://www.symantec.com/connect/blogs/leaked-flash-zero-day-likely-be-exploited-attackers

Arch teams, please test and mark stable:
=www-plugins/adobe-flash-11.2.202.481
Targeted stable KEYWORDS : amd64 x86

Stable for AMD64 x86.

CVE-2015-5119 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5119): Use-after-free vulnerability in the ByteArray class in the ActionScript 3 (AS3) implementation in Adobe Flash Player 13.x through 13.0.0.296 and 14.x through 18.0.0.194 on Windows and OS X and 11.x through 11.2.202.468 on Linux allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted Flash content that overrides a ValueOf function, as exploited in the wild in July 2015.

glsa request filed

This issue was resolved and addressed in GLSA 201507-13 at https://security.gentoo.org/glsa/201507-13 by GLSA coordinator Kristian Fiskerstrand (K_F).