
Bug 563014

Summary: <www-plugins/adobe-flash-11.2.202.535 : Vulnerability in adobe flash player (APSB15-25) (CVE-2015-{5569,7625,7626,7627,7628,7629,7630,7631,7632,7633,7634,7643,7644})
Product: Gentoo Security
Reporter: Daniel Kenzelmann <gentoo>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal
CC: desktop-misc, jer
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://helpx.adobe.com/security/products/flash-player/apsb15-25.html
Whiteboard: A2 [glsa cve]
Package list:
Runtime testing required: ---

Description Daniel Kenzelmann 2015-10-13 18:24:11 UTC
Adobe has released security updates for Adobe Flash Player.  These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system.

Learn more: https://helpx.adobe.com/security/products/flash-player/apsb15-25.html

Affected: Adobe Flash Player for Linux | 11.2.202.521 and earlier | Linux

Solution and priority:
Adobe Flash Player for Linux | 11.2.202.535 | Linux | 3 | Flash Player Download Center

Reproducible: Always
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2015-10-14 07:30:32 UTC
Arch teams, please test and mark stable:
=www-plugins/adobe-flash-11.2.202.535
Targeted stable KEYWORDS : amd64 x86
Comment 2 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-10-14 12:37:58 UTC
done for both amd64 and x86
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2015-10-31 14:54:21 UTC
CVE-2015-5569 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5569):
  Adobe Flash Player before 18.0.0.252 and 19.x before 19.0.0.207 on Windows
  and OS X and before 11.2.202.535 on Linux, Adobe AIR before 19.0.0.213,
  Adobe AIR SDK before 19.0.0.213, and Adobe AIR SDK & Compiler before
  19.0.0.213 improperly implement the Flash broker API, which has unspecified
  impact and attack vectors.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2015-10-31 14:55:29 UTC
CVE-2015-7644 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7644):
  Use-after-free vulnerability in Adobe Flash Player before 18.0.0.252 and
  19.x before 19.0.0.207 on Windows and OS X and before 11.2.202.535 on Linux,
  Adobe AIR before 19.0.0.213, Adobe AIR SDK before 19.0.0.213, and Adobe AIR
  SDK & Compiler before 19.0.0.213 allows attackers to execute arbitrary code
  via unspecified vectors, a different vulnerability than CVE-2015-7629,
  CVE-2015-7631, and CVE-2015-7643.

CVE-2015-7643 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7643):
  Use-after-free vulnerability in Adobe Flash Player before 18.0.0.252 and
  19.x before 19.0.0.207 on Windows and OS X and before 11.2.202.535 on Linux,
  Adobe AIR before 19.0.0.213, Adobe AIR SDK before 19.0.0.213, and Adobe AIR
  SDK & Compiler before 19.0.0.213 allows attackers to execute arbitrary code
  via a Video object with a crafted deblocking property, a different
  vulnerability than CVE-2015-7629, CVE-2015-7631, and CVE-2015-7644.

CVE-2015-7634 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7634):
  Adobe Flash Player before 18.0.0.252 and 19.x before 19.0.0.207 on Windows
  and OS X and before 11.2.202.535 on Linux, Adobe AIR before 19.0.0.213,
  Adobe AIR SDK before 19.0.0.213, and Adobe AIR SDK & Compiler before
  19.0.0.213 allow attackers to execute arbitrary code or cause a denial of
  service (memory corruption) via unspecified vectors, a different
  vulnerability than CVE-2015-7625, CVE-2015-7626, CVE-2015-7627,
  CVE-2015-7630, and CVE-2015-7633.

CVE-2015-7633 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7633):
  Adobe Flash Player before 18.0.0.252 and 19.x before 19.0.0.207 on Windows
  and OS X and before 11.2.202.535 on Linux, Adobe AIR before 19.0.0.213,
  Adobe AIR SDK before 19.0.0.213, and Adobe AIR SDK & Compiler before
  19.0.0.213 allow attackers to execute arbitrary code or cause a denial of
  service (memory corruption) via unspecified vectors, a different
  vulnerability than CVE-2015-7625, CVE-2015-7626, CVE-2015-7627,
  CVE-2015-7630, and CVE-2015-7634.

CVE-2015-7632 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7632):
  Buffer overflow in Adobe Flash Player before 18.0.0.252 and 19.x before
  19.0.0.207 on Windows and OS X and before 11.2.202.535 on Linux, Adobe AIR
  before 19.0.0.213, Adobe AIR SDK before 19.0.0.213, and Adobe AIR SDK &
  Compiler before 19.0.0.213 allows attackers to execute arbitrary code via a
  Loader object with a crafted loaderBytes property.

CVE-2015-7631 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7631):
  Use-after-free vulnerability in Adobe Flash Player before 18.0.0.252 and
  19.x before 19.0.0.207 on Windows and OS X and before 11.2.202.535 on Linux,
  Adobe AIR before 19.0.0.213, Adobe AIR SDK before 19.0.0.213, and Adobe AIR
  SDK & Compiler before 19.0.0.213 allows attackers to execute arbitrary code
  via a TextLine object with a crafted validity property, a different
  vulnerability than CVE-2015-7629, CVE-2015-7643, and CVE-2015-7644.

CVE-2015-7630 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7630):
  Adobe Flash Player before 18.0.0.252 and 19.x before 19.0.0.207 on Windows
  and OS X and before 11.2.202.535 on Linux, Adobe AIR before 19.0.0.213,
  Adobe AIR SDK before 19.0.0.213, and Adobe AIR SDK & Compiler before
  19.0.0.213 allow attackers to execute arbitrary code or cause a denial of
  service (memory corruption) via unspecified vectors, a different
  vulnerability than CVE-2015-7625, CVE-2015-7626, CVE-2015-7627,
  CVE-2015-7633, and CVE-2015-7634.

CVE-2015-7629 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7629):
  Use-after-free vulnerability in Adobe Flash Player before 18.0.0.252 and
  19.x before 19.0.0.207 on Windows and OS X and before 11.2.202.535 on Linux,
  Adobe AIR before 19.0.0.213, Adobe AIR SDK before 19.0.0.213, and Adobe AIR
  SDK & Compiler before 19.0.0.213 allows attackers to execute arbitrary code
  via a TextFormat object with a crafted tabStops property, a different
  vulnerability than CVE-2015-7631, CVE-2015-7643, and CVE-2015-7644.

CVE-2015-7628 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7628):
  Adobe Flash Player before 18.0.0.252 and 19.x before 19.0.0.207 on Windows
  and OS X and before 11.2.202.535 on Linux, Adobe AIR before 19.0.0.213,
  Adobe AIR SDK before 19.0.0.213, and Adobe AIR SDK & Compiler before
  19.0.0.213 allow remote attackers to bypass the Same Origin Policy and
  obtain sensitive information via unspecified vectors.

CVE-2015-7627 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7627):
  Adobe Flash Player before 18.0.0.252 and 19.x before 19.0.0.207 on Windows
  and OS X and before 11.2.202.535 on Linux, Adobe AIR before 19.0.0.213,
  Adobe AIR SDK before 19.0.0.213, and Adobe AIR SDK & Compiler before
  19.0.0.213 allow attackers to execute arbitrary code or cause a denial of
  service (memory corruption) via unspecified vectors, a different
  vulnerability than CVE-2015-7625, CVE-2015-7626, CVE-2015-7630,
  CVE-2015-7633, and CVE-2015-7634.

CVE-2015-7626 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7626):
  Adobe Flash Player before 18.0.0.252 and 19.x before 19.0.0.207 on Windows
  and OS X and before 11.2.202.535 on Linux, Adobe AIR before 19.0.0.213,
  Adobe AIR SDK before 19.0.0.213, and Adobe AIR SDK & Compiler before
  19.0.0.213 allow attackers to execute arbitrary code or cause a denial of
  service (memory corruption) via unspecified vectors, a different
  vulnerability than CVE-2015-7625, CVE-2015-7627, CVE-2015-7630,
  CVE-2015-7633, and CVE-2015-7634.

CVE-2015-7625 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7625):
  Adobe Flash Player before 18.0.0.252 and 19.x before 19.0.0.207 on Windows
  and OS X and before 11.2.202.535 on Linux, Adobe AIR before 19.0.0.213,
  Adobe AIR SDK before 19.0.0.213, and Adobe AIR SDK & Compiler before
  19.0.0.213 allow attackers to execute arbitrary code or cause a denial of
  service (memory corruption) via unspecified vectors, a different
  vulnerability than CVE-2015-7626, CVE-2015-7627, CVE-2015-7630,
  CVE-2015-7633, and CVE-2015-7634.
Comment 5 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-10-31 14:56:22 UTC
New GLSA request filed
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2015-11-17 11:47:22 UTC
This issue was resolved and addressed in
 GLSA 201511-02 at https://security.gentoo.org/glsa/201511-02
by GLSA coordinator Sergey Popov (pinkbyte).