
Bug 586044 (APSA16-03, CVE-2016-4171)

Summary: <www-plugins/adobe-flash-11.2.202.626: Critical vulnerability (CVE-2016-{4120,4171})
Product: Gentoo Security
Reporter: Kristian Fiskerstrand (RETIRED) <k_f>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: jer, phmagic
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://helpx.adobe.com/security/products/flash-player/apsb16-18.html
Whiteboard: A2 [glsa cve]
Package list:
Runtime testing required: ---

Description Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-06-15 18:14:47 UTC
APSA16-03: Security advisory for Adobe Flash Player

Originally posted: June 14, 2016

Summary:
A critical vulnerability (CVE-2016-4171) exists in Adobe Flash Player 21.0.0.242 and earlier versions for Windows, Macintosh, Linux, and Chrome OS. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.

Adobe is aware of a report that an exploit for CVE-2016-4171 exists in the wild, and is being used in limited, targeted attacks. Adobe will address this vulnerability in our monthly security update, which will be available as early as June 16. For the latest information, users may monitor the Adobe Product Security Incident Response Team blog.
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2016-06-16 15:10:44 UTC
CVE-2016-4122, CVE-2016-4123, CVE-2016-4124, CVE-2016-4125, CVE-2016-4127, CVE-2016-4128, CVE-2016-4129, CVE-2016-4130, CVE-2016-4131, CVE-2016-4132, CVE-2016-4133, CVE-2016-4134, CVE-2016-4135, CVE-2016-4136, CVE-2016-4137, CVE-2016-4138, CVE-2016-4139, CVE-2016-4140, CVE-2016-4141, CVE-2016-4142, CVE-2016-4143, CVE-2016-4144, CVE-2016-4145, CVE-2016-4146, CVE-2016-4147, CVE-2016-4148, CVE-2016-4149, CVE-2016-4150, CVE-2016-4151, CVE-2016-4152, CVE-2016-4153, CVE-2016-4154, CVE-2016-4155, CVE-2016-4156, CVE-2016-4166, CVE-2016-4171
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2016-06-16 15:12:54 UTC
Arch teams, please test and mark stable:
=www-plugins/adobe-flash-11.2.202.626
Targeted stable KEYWORDS : amd64 x86
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2016-06-17 12:38:06 UTC
(In reply to Jeroen Roovers from comment #1)
> CVE-2016-4122, CVE-2016-4123, CVE-2016-4124, CVE-2016-4125, CVE-2016-4127,
> CVE-2016-4128, CVE-2016-4129, CVE-2016-4130, CVE-2016-4131, CVE-2016-4132,
> CVE-2016-4133, CVE-2016-4134, CVE-2016-4135, CVE-2016-4136, CVE-2016-4137,
> CVE-2016-4138, CVE-2016-4139, CVE-2016-4140, CVE-2016-4141, CVE-2016-4142,
> CVE-2016-4143, CVE-2016-4144, CVE-2016-4145, CVE-2016-4146, CVE-2016-4147,
> CVE-2016-4148, CVE-2016-4149, CVE-2016-4150, CVE-2016-4151, CVE-2016-4152,
> CVE-2016-4153, CVE-2016-4154, CVE-2016-4155, CVE-2016-4156, CVE-2016-4166,
> CVE-2016-4171

All of these, except CVE-2016-4171, apply to Microsoft IE and Edge browsers.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2016-06-17 12:40:24 UTC
CVE-2016-4171 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4171):
  Unspecified vulnerability in Adobe Flash Player 21.0.0.242 and earlier
  allows remote attackers to execute arbitrary code via unknown vectors, as
  exploited in the wild in June 2016.

CVE-2016-4120 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4120):
  Adobe Flash Player before 18.0.0.352 and 19.x through 21.x before 21.0.0.242
  on Windows and OS X and before 11.2.202.621 on Linux allows attackers to
  execute arbitrary code or cause a denial of service (memory corruption) via
  unspecified vectors, a different vulnerability than CVE-2016-1096,
  CVE-2016-1098, CVE-2016-1099, CVE-2016-1100, CVE-2016-1102, CVE-2016-1104,
  CVE-2016-4109, CVE-2016-4111, CVE-2016-4112, CVE-2016-4113, CVE-2016-4114,
  CVE-2016-4115, CVE-2016-4160, CVE-2016-4161, CVE-2016-4162, and
  CVE-2016-4163.
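The NVD entries quoted above and the fixed atom in the bug summary together define which Flash Player builds this bug covers. The following script is an added example, not Gentoo, Adobe or GLSAMaker code: it transcribes those ranges into a version-range check so that an installed version can be tested against them offline. It assumes plain dotted versions compared as integer tuples (sufficient for www-plugins/adobe-flash, but a simplification of the full Gentoo PMS version grammar, with no _p or -r suffix handling), and the platform names "linux", "windows" and "osx" are labels chosen for this example.

```python
"""Added example, not Gentoo or Adobe code: match an installed Adobe Flash
Player version against the version ranges quoted in this bug.

Ranges are transcribed from the NVD text in comment 4 (CVE-2016-4120 and
CVE-2016-4171) and from the fixed package atom in the bug summary.
Versions are compared as tuples of integers, which covers the plain dotted
versions adobe-flash uses but not the complete Gentoo PMS version rules."""

import re
from typing import Tuple

Version = Tuple[int, ...]

# Fixed atom from the bug summary: everything below this version is affected.
FIXED_ATOM = "<www-plugins/adobe-flash-11.2.202.626"


def parse_version(text: str) -> Version:
    """'11.2.202.626' -> (11, 2, 202, 626); rejects suffixes such as '_p1'."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def split_atom(atom: str) -> Tuple[str, str, Version]:
    """Split a simple atom '<cat/pkg-1.2.3' into (operator, 'cat/pkg', version).

    Assumption (simplified grammar): the version is the part after the last
    '-' that is followed by a digit, which holds for adobe-flash."""
    m = re.fullmatch(r"(<=|>=|<|>|=)([a-z0-9_+-]+/[A-Za-z0-9_+-]+?)-(\d[\w.]*)", atom)
    if not m:
        raise ValueError(f"unsupported atom: {atom!r}")
    op, pkg, ver = m.groups()
    return op, pkg, parse_version(ver)


def atom_matches(atom: str, package: str, installed: str) -> bool:
    """True if 'package' at version 'installed' falls inside the atom's range."""
    op, pkg, ver = split_atom(atom)
    if pkg != package:
        return False
    v = parse_version(installed)
    return {"<": v < ver, "<=": v <= ver, "=": v == ver,
            ">=": v >= ver, ">": v > ver}[op]


def affected_cve_2016_4120(version: str, platform: str) -> bool:
    """NVD range from comment 4: before 18.0.0.352, and 19.x through 21.x
    before 21.0.0.242, on Windows/OS X; before 11.2.202.621 on Linux."""
    v = parse_version(version)
    if platform == "linux":
        return v < (11, 2, 202, 621)
    if platform in ("windows", "osx"):
        return v < (18, 0, 0, 352) or (19 <= v[0] <= 21 and v < (21, 0, 0, 242))
    raise ValueError(f"unknown platform label: {platform!r}")


def affected_cve_2016_4171(version: str) -> bool:
    """NVD text from comment 4: 'Adobe Flash Player 21.0.0.242 and earlier'."""
    return parse_version(version) <= (21, 0, 0, 242)


def gentoo_install_vulnerable(installed: str) -> bool:
    """The check the bug summary expresses for the Gentoo package."""
    return atom_matches(FIXED_ATOM, "www-plugins/adobe-flash", installed)


if __name__ == "__main__":
    # Constructed sample versions for demonstration, not real inventory data.
    for ver in ("11.2.202.621", "11.2.202.626"):
        state = "vulnerable" if gentoo_install_vulnerable(ver) else "fixed"
        print(f"www-plugins/adobe-flash-{ver}: {state}")
```

Note the asymmetry the NVD text encodes: the Linux version 11.2.202.621 is outside the CVE-2016-4120 range (that CVE was fixed in .621) but inside the CVE-2016-4171 range and below the Gentoo fixed atom, which is why the bug tracks .626 as the first safe version.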
Comment 5 Aaron Bauman (RETIRED) gentoo-dev 2016-06-17 23:30:29 UTC
New GLSA request filed.
Comment 6 Agostino Sarubbo gentoo-dev 2016-06-18 08:47:31 UTC
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2016-06-18 08:47:58 UTC
x86 stable.

Maintainer(s), please clean up.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2016-06-18 23:51:13 UTC
This issue was resolved and addressed in
 GLSA 201606-08 at https://security.gentoo.org/glsa/201606-08
by GLSA coordinator Kristian Fiskerstrand (K_F).
Comment 9 Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-06-18 23:52:12 UTC
Reopening for cleanup
Comment 10 Aaron Bauman (RETIRED) gentoo-dev 2016-06-22 03:55:50 UTC
Cleanup complete.