Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 278819 (CVE-2009-1862) - <www-plugins/adobe-flash-10.0.32.18 APSA09-03 Execution of arbitrary code (CVE-2009-{1862,1863,1864,1865,1866,1867,1868,1869,1870})
Summary: <www-plugins/adobe-flash-10.0.32.18 APSA09-03 Execution of arbitrary code (CV...
Status: RESOLVED FIXED
Alias: CVE-2009-1862
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
URL: http://www.adobe.com/support/security...
Whiteboard: A2 [glsa]
Keywords:
Depends on: 278813
Blocks: 279202 279941
  Show dependency tree
 
Reported: 2009-07-23 09:59 UTC by Robert Buchholz (RETIRED)
Modified: 2009-08-07 12:02 UTC (History)
6 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2009-07-23 09:59:54 UTC
+++ This bug was initially created as a clone of Bug #278813 +++

Adobe writes:
A critical vulnerability exists in the current versions of Flash Player (v9.0.159.0 and v10.0.22.87) for Windows, Macintosh and Linux operating systems... This vulnerability (CVE-2009-1862) could cause a crash and potentially allow an attacker to take control of the affected system. ...

We are in the process of developing a fix for the issue, and expect to provide an update for Flash Player v9 and v10 for Windows, Macintosh, and Linux by July 30, 2009...
Comment 1 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-07-24 20:02:34 UTC
CVE-2009-1862 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1862):
  Unspecified vulnerability in Adobe Reader and Acrobat 9.x through
  9.1.2, and Adobe Flash Player 9.x through 9.0.159.0 and 10.x through
  10.0.22.87, allows remote attackers to execute arbitrary code via (1)
  a crafted Flash application in a .pdf file or (2) a crafted .swf
  file, related to authplay.dll, as exploited in the wild in July 2009.

Comment 2 Joseph Yasi 2009-07-31 01:57:29 UTC
Flash v10.0.32.18 has been released which is supposed to fix this bug.
Comment 3 Jeroen Roovers gentoo-dev 2009-07-31 03:18:46 UTC
Copying adobe-flash-10.0.22.87-r2.ebuild worked fine on the x86.
Comment 4 Mike Gualtieri 2009-07-31 13:50:34 UTC
I also wanted to note that the flash-10.0.22.87 has been removed from adobe's website (as per usual).
Comment 5 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-08-01 15:07:16 UTC
CVE-2009-1863 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1863):
  Unspecified vulnerability in Adobe Flash Player before 9.0.246.0 and
  10.x before 10.0.32.18, and Adobe AIR before 1.5.2, allows attackers
  to cause a denial of service (application crash) or possibly execute
  arbitrary code via unknown vectors, related to a "privilege
  escalation vulnerability."

CVE-2009-1864 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1864):
  Heap-based buffer overflow in Adobe Flash Player before 9.0.246.0 and
  10.x before 10.0.32.18, and Adobe AIR before 1.5.2, allows attackers
  to cause a denial of service (application crash) or possibly execute
  arbitrary code via unspecified vectors.

CVE-2009-1865 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1865):
  Adobe Flash Player before 9.0.246.0 and 10.x before 10.0.32.18, and
  Adobe AIR before 1.5.2, allows attackers to cause a denial of service
  (application crash) or possibly execute arbitrary code via
  unspecified vectors, related to a "null pointer vulnerability."

CVE-2009-1866 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1866):
  Stack-based buffer overflow in Adobe Flash Player before 9.0.246.0
  and 10.x before 10.0.32.18, and Adobe AIR before 1.5.2, allows
  attackers to cause a denial of service (application crash) or
  possibly execute arbitrary code via unspecified vectors.

CVE-2009-1867 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1867):
  Adobe Flash Player before 9.0.246.0 and 10.x before 10.0.32.18, and
  Adobe AIR before 1.5.2, allows attackers to trick a user into (1)
  selecting a link or (2) completing a dialog, related to a
  "clickjacking vulnerability."

CVE-2009-1868 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1868):
  Heap-based buffer overflow in Adobe Flash Player before 9.0.246.0 and
  10.x before 10.0.32.18, and Adobe AIR before 1.5.2, allows attackers
  to cause a denial of service (application crash) or possibly execute
  arbitrary code via unspecified vectors involving URL parsing.

CVE-2009-1869 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1869):
  Integer overflow in Adobe Flash Player before 9.0.246.0 and 10.x
  before 10.0.32.18, and Adobe AIR before 1.5.2, allows attackers to
  cause a denial of service (application crash) or possibly execute
  arbitrary code via unspecified vectors.

CVE-2009-1870 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1870):
  Adobe Flash Player before 9.0.246.0 and 10.x before 10.0.32.18, and
  Adobe AIR before 1.5.2, allows attackers to obtain sensitive
  information via vectors involving saving an SWF file to a hard drive,
  related to a "local sandbox vulnerability."

Comment 6 Jeroen Roovers gentoo-dev 2009-08-02 15:55:25 UTC
Bumped! Don't know if the amd64 stuff actually works but we'll soon find out, won't we?
Comment 7 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-08-02 15:56:27 UTC
Arches, please test and mark stable:
=www-plugins/adobe-flash-10.0.32.18
Target keywords : "amd64 x86"
Comment 8 Olivier Crete (RETIRED) gentoo-dev 2009-08-02 18:17:47 UTC
amd64 works fine, its stable now
Comment 9 Jim Ramsay (lack) (RETIRED) gentoo-dev 2009-08-03 12:47:08 UTC
(In reply to comment #6)
> Bumped! Don't know if the amd64 stuff actually works but we'll soon find out,
> won't we?

Thanks for doing this!

Next time feel free to bump 9.0.x.0 as well - They release the 2 in tandem, though I'm not 100% sure why I'm carrying the version 9 software, other than because I can.
Comment 10 Markus Meier gentoo-dev 2009-08-03 20:12:50 UTC
x86 stable, all arches done.
Comment 11 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-08-05 13:17:04 UTC
GLSA with bug 278813.
Comment 12 Robert Buchholz (RETIRED) gentoo-dev 2009-08-07 12:02:08 UTC
GLSA 200908-04