Bug 322855 (CVE-2010-1297) - <www-plugins/adobe-flash-10.1.53.64: authplay ACE (APSA10-01) (CVE-2009-3793,CVE-2010-{1297,2160,2162,2163,2164,2165,2166,2167,2169,2170,2171,2172,2173,2174,2175,2176,2177,2178,2179,2180,2181,2182,2183,2184,2185,2186,2187,2188,2189})
Summary: <www-plugins/adobe-flash-10.1.53.64: authplay ACE (APSA10-01) (CVE-2009-3793,...
Status: RESOLVED FIXED
Alias: CVE-2010-1297
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
URL: http://www.adobe.com/support/security...
Whiteboard: A2 [glsa]
Reported: 2010-06-05 13:56 UTC by Alex Legler (RETIRED)
Modified: 2011-01-21 17:20 UTC
Description Alex Legler (RETIRED) archtester gentoo-dev Security 2010-06-05 13:56:57 UTC
Quoting $URL:

A critical vulnerability exists in Adobe Flash Player 10.0.45.2 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems, and the authplay.dll component that ships with Adobe Reader and Acrobat 9.x for Windows, Macintosh and UNIX operating systems. This vulnerability (CVE-2010-1297) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild against both Adobe Flash Player, and Adobe Reader and Acrobat. This advisory will be updated once a schedule has been determined for releasing a fix.
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-06-08 22:08:07 UTC
From http://blogs.adobe.com/asset/2010/06/background_on_apsa10-01_patch.html:

The security update for Flash Player will be available by June 10, 2010. The security update for Adobe Reader and Acrobat will be available by June 29, 2010. 
Comment 2 Sunit Das 2010-06-10 22:30:55 UTC
Fix released upstream:

http://www.adobe.com/support/security/bulletins/apsb10-14.html
Comment 3 Stefan Behte (RETIRED) gentoo-dev Security 2010-06-10 22:58:25 UTC
The exploit is spreading in the wild and available for download. I'd appreciate seeing this bumped fast, so if it's possible, do it ASAP; stabilization should follow shortly (1 day?!).
Comment 4 Stefan Behte (RETIRED) gentoo-dev Security 2010-06-10 23:02:17 UTC
It's a bump from 10.0.x to 10.1.x so 1 day between ~arch and stabling is probably not enough time.
Comment 5 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2010-06-11 12:07:57 UTC
There's no 64bit version it seems :(
Comment 6 Jim Ramsay (lack) (RETIRED) gentoo-dev 2010-06-11 16:24:11 UTC
(In reply to comment #5)
> There's no 64bit version it seems :(

/me tears my hair out   *AAAAAUGH*  ADOBE!!! :(

I suppose this means 64-bit flash is dead again.  I'll version-bump shortly but my heart won't be in it.
Comment 7 Jan Killian 2010-06-11 17:53:24 UTC
(In reply to comment #5)
> There's no 64bit version it seems :(

Yes, there's only commitment [1] to release 64bit for Linux with the next release after 10.1. 

Maybe, if the 10.1 64bit beta3 is stable enough, we could use an ebuild from piczu repository [2].

There's probably a reason for not releasing the 64bit 10.1 to public now,
but it still might be a good alternative to a stable 10.0 with a vulnerability that's rated 'highly critical' and reported to be actively exploited [3].

[1] http://kb2.adobe.com/cps/000/6b3af6c9.html
Adobe is working on Flash Player support for 64-bit platforms as part of our ongoing commitment to the cross-platform compatibility of Flash Player. We expect to provide native support for 64-bit platforms in an upcoming release of Flash Player following the release of Flash Player 10.1

[2] http://gpo.zugaina.org/www-plugins/adobe-flash
[3] http://secunia.com/advisories/40026/
Comment 8 Jim Ramsay (lack) (RETIRED) gentoo-dev 2010-06-11 19:45:16 UTC
Problem: Testing 10.1.63.64 in a 64-bit browser with nspluginwrapper: Major issues including hanging the browser.  I'd rather take my chances with a remote exploit.

I'm honestly not sure how to proceed here.  The cure may be worse than the disease.
Comment 9 Jim Ramsay (lack) (RETIRED) gentoo-dev 2010-06-11 19:46:40 UTC
I have committed 10.1.53.64 into ~arch for now, but I can't recommend stabilizing it until it somehow becomes more... stable.
Comment 10 Jim Ramsay (lack) (RETIRED) gentoo-dev 2010-06-11 20:38:10 UTC
Update: I have removed ~amd64 from www-plugins/adobe-flash-10.1.53.64 due to total brokenness with nspluginwrapper, and made explicit note of this security issue in the www-plugins/adobe-flash-10.0.45.2

I suppose I can recommend that www-plugins/adobe-flash-10.1.53.64 can go stable on x86 any time, but amd64 will still be suffering from this exploit until Adobe comes up with something better.
Comment 11 Michael Weber (RETIRED) gentoo-dev 2010-06-12 00:31:51 UTC
Why isn't that PMASK'ed?
As we know __nobody__ reads elog messages, it needs more interaction to unmask a package.
Comment 12 Michael Weber (RETIRED) gentoo-dev 2010-06-12 01:37:05 UTC
(In reply to comment #10)
> Update: I have removed ~amd64 from www-plugins/adobe-flash-10.1.53.64 due to
> total brokenness with nspluginwrapper, and made explicit note of this security
> issue in the www-plugins/adobe-flash-10.0.45.2

Can you please provide a URI where www-plugins/adobe-flash-10.1.53.64 breaks? I use it on amd64 w/ www-plugins/nspluginwrapper-1.2.2-r2 and www-client/mozilla-firefox-3.6.3 w/o any problems.
Comment 13 Enrico Tagliavini 2010-06-12 10:51:11 UTC
(In reply to comment #12)
> Can you please provide a URI where www-plugins/adobe-flash-10.1.53.64 breaks? I
> use it on amd64 w/ www-plugins/nspluginwrapper-1.2.2-r2 and
> www-client/mozilla-firefox-3.6.3 w/o any problems.

Same here, works great. I just installed it (putting www-plugins/adobe-flash ** in p.keywords) and running

nspluginwrapper -i //usr/lib32/nsbrowser/plugins/libflashplayer.so
Comment 14 Brian Beardall 2010-06-12 20:38:36 UTC
Right clicking on any flash object causes the browser to stop responding until npviewer.bin is killed. I've been able to cause that at youtube, and the flash based advertisements that are everywhere.
Comment 15 Jim Ramsay (lack) (RETIRED) gentoo-dev 2010-06-13 14:32:18 UTC
Brian: That's the exact issue I was experiencing.  Right-click on any flash object causes a browser hang.  I've also had some flash applets (youtube for example) stop accepting any input at all (ie, cannot pause video), but this is more haphazard.  The issue of right-click hanging the browser is much more consistent.
Comment 16 Paulo da Silva 2010-06-13 17:55:57 UTC
I did not experience any hangs of the ffx browser but found 2 problems:

Major: does not work in konqueror.

Minor: scrolling the page, for example youtube, causes the image to flicker a lot (quick display/no display). Stopping the scrolling brings it back to normal.
Comment 17 Enrico Tagliavini 2010-06-13 21:40:36 UTC
Right click on youtube works here, no hang at all. But I have the minor issue described in comment #16. Almost harmless anyway.
Comment 18 Paolo Pedroni 2010-06-17 07:03:36 UTC
Right click on YouTube works here as well, on Firefox 64bit. I have both issues in comment #16, though: no flash in konqueror, and flickering when scrolling the page.

Has anyone been able to have flash working in konqueror 64bit, and how?

Thanks a lot.
Comment 19 Tobias Heinlein (RETIRED) gentoo-dev 2010-06-19 09:44:41 UTC
As per Alex's request:

Arches, please test and mark stable:
=www-plugins/adobe-flash-10.1.53.64
Target keywords : "amd64 x86"
Comment 20 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2010-06-19 10:06:41 UTC
x86 stable
Comment 21 blackdream 2010-06-19 12:18:16 UTC
(In reply to comment #12)
> (In reply to comment #10)
> > Update: I have removed ~amd64 from www-plugins/adobe-flash-10.1.53.64 due to
> > total brokenness with nspluginwrapper, and made explicit note of this security
> > issue in the www-plugins/adobe-flash-10.0.45.2
> 
> Can you please provide a URI where www-plugins/adobe-flash-10.1.53.64 breaks? I
> use it on amd64 w/ www-plugins/nspluginwrapper-1.2.2-r2 and
> www-client/mozilla-firefox-3.6.3 w/o any problems.
> 

I did the same things you did.

But firefox always hangs. So I masked the adobe-flash-10.0.53.64 to my package.mask, and now I'm using 10.0.45.2-r1.

~amd64
Comment 22 Pacho Ramos gentoo-dev 2010-06-19 15:44:49 UTC
It also hangs here even with a local nspluginwrapper-1.3.0 version (applying all patches from mandriva and fedora). Simply visiting http://www.publico.es and right clicking on flash objects makes it hang
Comment 23 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-06-19 16:46:57 UTC
For later reference:

I've discussed the amd64 issue with Jim and we're going with the following procedure:
The 10.1 package that is being stabilized installs the 32-bit plugin version on amd64, but does not invoke nspluginwrapper as this setup has shown to be overly unstable. Instead, amd64 users are advised to use a 32-bit browser such as firefox-bin with the 32-bit flash plugin that is not vulnerable to this issue.

Additionally, the old vulnerable package will stay in the tree, but hardmasked for users where the 32-bit browser solution is not an option. These users can continue to use the 64-bit 10.0 flash plugin but they need to be willing to take the risk of exploitation. This option is not endorsed by Gentoo.

Generally, all Flash users on Gentoo are advised to only run trusted Flash files from trusted sources. Additional measures such as flashblock should be considered.

PLEASE READ BEFORE REPLYING TO THIS BUG: Do NOT post any further support requests or other issues here, as this bug is solely intended to track the vulnerability. Please file new bugs instead. Thanks.
Comment 24 Markos Chandras (RETIRED) gentoo-dev 2010-06-20 15:07:34 UTC
stable on amd64
Comment 25 Stefan Behte (RETIRED) gentoo-dev Security 2010-06-25 21:37:14 UTC
CVE-2010-1297 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1297):
  Adobe Flash Player before 9.0.277.0 and 10.x before 10.1.53.64, Adobe
  AIR before 2.0.2.12610, and authplay.dll in Adobe Reader and Acrobat
  9.x through 9.3.2 allow remote attackers to execute arbitrary code or
  cause a denial of service (memory corruption) via crafted SWF
  content, related to the ActionScript Virtual Machine 2 (AVM2)
  newfunction instruction, as exploited in the wild in June 2010.

Comment 26 matt black 2010-07-05 14:23:46 UTC
Why is adobe-flash-10.0.45.2 in tree and not masked?
Comment 27 Tobias Heinlein (RETIRED) gentoo-dev 2010-07-05 15:35:59 UTC
(In reply to comment #26)
> Why is adobe-flash-10.0.45.2 in tree and not masked?
> 

Matt,

thanks for the reminder. I just added the mask.
Comment 28 Ewgenij Starostin 2010-07-06 11:28:21 UTC
Tobias,

this vulnerability has been fixed in 9.0.277.0 too, if I read the descriptions right. (And 9.0 seems to work slightly better for me on amd64 than 10.1, for some reason.) Would it be possible to make the mask more specific so this version is not masked?

(I know I can do it in /etc/..., but this might confuse other people too.)
Comment 29 Tobias Heinlein (RETIRED) gentoo-dev 2010-07-06 12:19:29 UTC
Ewgenij,

thanks for the information. I just restricted the mask to =www-plugins/adobe-flash-10.0*. Note, however, that 9.x is old and only kept around for older operating systems (http://kb2.adobe.com/cps/406/kb406791.html, bug 254011).

Sorry for the inconvenience.
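
Added example, not part of the original bug discussion and not Gentoo's own tooling: a branch-aware check of the affected ranges quoted in comment 25, compared against the two atom shapes that appear on this page (the bug title's `<www-plugins/adobe-flash-10.1.53.64` and the restricted mask from comment 29). The function names and the simplified atom matcher are assumptions for illustration; the bug does not state which atom the first mask used.

```python
# Added example: branch-aware check of the version ranges quoted in this bug.
import re

PKG = "www-plugins/adobe-flash"

# From the CVE-2010-1297 text in comment 25:
# "before 9.0.277.0 and 10.x before 10.1.53.64".
FIXED_9 = (9, 0, 277, 0)
FIXED_10 = (10, 1, 53, 64)

# Versions named in this bug's comments.
TREE = ["9.0.277.0", "10.0.45.2", "10.0.45.2-r1", "10.1.53.64"]


def parse(version):
    """Turn '10.0.45.2-r1' into (10, 0, 45, 2); the Gentoo -rN revision is dropped."""
    upstream = re.sub(r"-r\d+$", "", version)
    return tuple(int(part) for part in upstream.split("."))


def is_affected(version):
    """Apply the per-branch ranges, not a single '< newest fix' comparison."""
    v = parse(version)
    if v[0] == 10:
        return v < FIXED_10
    return v < FIXED_9


def atom_matches(atom, version):
    """Simplified matcher for the two atom shapes seen on this page.

    Assumption: handles only '<cat/pkg-ver' and '=cat/pkg-ver*'; it is not
    Portage's matcher.
    """
    op, rest = atom[0], atom[1:]
    prefix = PKG + "-"
    if not rest.startswith(prefix):
        raise ValueError("atom is for a different package: " + atom)
    atom_ver = rest[len(prefix):]
    if op == "<":
        return parse(version) < parse(atom_ver)
    if op == "=" and atom_ver.endswith("*"):
        return version.startswith(atom_ver[:-1])
    raise ValueError("unsupported atom form: " + atom)


def audit_mask(atom, versions=TREE):
    """Compare what an atom would mask with what the CVE text says is affected."""
    masked = [v for v in versions if atom_matches(atom, v)]
    affected = [v for v in versions if is_affected(v)]
    return {
        "masked": masked,
        "overblocked": [v for v in masked if v not in affected],
        "missed": [v for v in affected if v not in masked],
    }


if __name__ == "__main__":
    for atom in ("<" + PKG + "-10.1.53.64", "=" + PKG + "-10.0*"):
        print(atom, audit_mask(atom))
```

A single "less than the newest fixed version" atom also catches the fixed 9.0.277.0, while the `=...-10.0*` form covers exactly the affected versions named in this bug.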
Comment 30 SpanKY gentoo-dev 2010-07-06 12:24:15 UTC
please keep an adobe-flash-10.0.x in the tree too for the 64bit flash support.  it's useful in dedicated services (like hulu) where the exploits are not an issue.  or when you browse with flashblocker and only use flash on specific "trusted" sites.

as for adobe-flash-10.1.x bugs, there might not be much that can be done.  it's a binary only package, so you have to accept any random bugs adobe has added to it.  if you disagree, complain to adobe.
Comment 31 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-07-06 13:19:42 UTC
(In reply to comment #30)
> please keep a adobe-flash-10.0.x in the tree too for the 64bit flash support. 
> it's useful in dedicated services (like hulu) where the exploits are not an
> issue.  or when you browse with flashblocker and only use flash on specific
> "trusted" sites.
> 

see comment #23
Comment 32 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-08-10 12:54:03 UTC
CVE-2009-3793 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3793):
  Unspecified vulnerability in Adobe Flash Player before 9.0.277.0 and
  10.x before 10.1.53.64, and Adobe AIR before 2.0.2.12610, allows
  attackers to cause a denial of service (memory consumption) or
  possibly execute arbitrary code via unknown vectors.

CVE-2010-2160 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2160):
  Adobe Flash Player before 9.0.277.0 and 10.x before 10.1.53.64, and
  Adobe AIR before 2.0.2.12610, allows attackers to cause a denial of
  service (memory corruption) or possibly execute arbitrary code via an
  invalid offset in an unspecified undocumented opcode in ActionScript
  Virtual Machine 2, related to getouterscope, a different
  vulnerability than CVE-2010-2165, CVE-2010-2166, CVE-2010-2171,
  CVE-2010-2175, CVE-2010-2176, CVE-2010-2177, CVE-2010-2178,
  CVE-2010-2180, CVE-2010-2182, CVE-2010-2184, CVE-2010-2187, and
  CVE-2010-2188.

CVE-2010-2162 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2162):
  Adobe Flash Player before 9.0.277.0 and 10.x before 10.1.53.64, and
  Adobe AIR before 2.0.2.12610, allows attackers to cause a denial of
  service (heap memory corruption) or possibly execute arbitrary code
  via vectors related to improper length calculation and the (1) STSC,
  (2) STSZ, and (3) STCO atoms.

CVE-2010-2163 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2163):
  Multiple unspecified vulnerabilities in Adobe Flash Player before
  9.0.277.0 and 10.x before 10.1.53.64, and Adobe AIR before
  2.0.2.12610, might allow attackers to execute arbitrary code via
  unknown vectors.

CVE-2010-2164 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2164):
  Use-after-free vulnerability in Adobe Flash Player before 9.0.277.0
  and 10.x before 10.1.53.64, and Adobe AIR before 2.0.2.12610, might
  allow attackers to execute arbitrary code via unspecified vectors
  related to an unspecified "image type within a certain function."

CVE-2010-2165 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2165):
  Adobe Flash Player before 9.0.277.0 and 10.x before 10.1.53.64, and
  Adobe AIR before 2.0.2.12610, allows attackers to cause a denial of
  service (memory corruption) or possibly execute arbitrary code via
  unspecified vectors, a different vulnerability than CVE-2010-2160,
  CVE-2010-2166, CVE-2010-2171, CVE-2010-2175, CVE-2010-2176,
  CVE-2010-2177, CVE-2010-2178, CVE-2010-2180, CVE-2010-2182,
  CVE-2010-2184, CVE-2010-2187, and CVE-2010-2188.

CVE-2010-2166 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2166):
  Adobe Flash Player before 9.0.277.0 and 10.x before 10.1.53.64, and
  Adobe AIR before 2.0.2.12610, allows attackers to cause a denial of
  service (memory corruption) or possibly execute arbitrary code via
  unspecified vectors, a different vulnerability than CVE-2010-2160,
  CVE-2010-2165, CVE-2010-2171, CVE-2010-2175, CVE-2010-2176,
  CVE-2010-2177, CVE-2010-2178, CVE-2010-2180, CVE-2010-2182,
  CVE-2010-2184, CVE-2010-2187, and CVE-2010-2188.

CVE-2010-2167 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2167):
  Multiple heap-based buffer overflows in Adobe Flash Player before
  9.0.277.0 and 10.x before 10.1.53.64, and Adobe AIR before
  2.0.2.12610, might allow attackers to execute arbitrary code via
  unspecified vectors related to malformed (1) GIF or (2) JPEG data.

CVE-2010-2169 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2169):
  Adobe Flash Player before 9.0.277.0 and 10.x before 10.1.53.64, and
  Adobe AIR before 2.0.2.12610, allow attackers to cause a denial of
  service (pointer memory corruption) or possibly execute arbitrary
  code via unspecified vectors.

CVE-2010-2170 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2170):
  Integer overflow in Adobe Flash Player before 9.0.277.0 and 10.x
  before 10.1.53.64, and Adobe AIR before 2.0.2.12610, might allow
  attackers to execute arbitrary code via unspecified vectors, a
  different vulnerability than CVE-2010-2181 and CVE-2010-2183.

CVE-2010-2171 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2171):
  Adobe Flash Player before 9.0.277.0 and 10.x before 10.1.53.64, and
  Adobe AIR before 2.0.2.12610, allows attackers to cause a denial of
  service (memory corruption) or possibly execute arbitrary code via
  vectors related to SWF files, decompression of embedded JPEG image
  data, and the DefineBits and other unspecified tags, a different
  vulnerability than CVE-2010-2160, CVE-2010-2165, CVE-2010-2166,
  CVE-2010-2175, CVE-2010-2176, CVE-2010-2177, CVE-2010-2178,
  CVE-2010-2180, CVE-2010-2182, CVE-2010-2184, CVE-2010-2187, and
  CVE-2010-2188.

CVE-2010-2172 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2172):
  Adobe Flash Player 9 before 9.0.277.0 on unspecified UNIX platforms
  allows attackers to cause a denial of service via unknown vectors.

CVE-2010-2173 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2173):
  Adobe Flash Player before 9.0.277.0 and 10.x before 10.1.53.64, and
  Adobe AIR before 2.0.2.12610, might allow attackers to execute
  arbitrary code via unspecified vectors, related to an "invalid
  pointer vulnerability" and the newclass (0x58) operator, a different
  vulnerability than CVE-2010-2174.

CVE-2010-2174 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2174):
  Adobe Flash Player before 9.0.277.0 and 10.x before 10.1.53.64, and
  Adobe AIR before 2.0.2.12610, might allow attackers to execute
  arbitrary code via unspecified vectors, related to an "invalid
  pointer vulnerability" and the newfunction (0x44) operator, a
  different vulnerability than CVE-2010-2173.

CVE-2010-2175 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2175):
  Adobe Flash Player before 9.0.277.0 and 10.x before 10.1.53.64, and
  Adobe AIR before 2.0.2.12610, allows attackers to cause a denial of
  service (memory corruption) or possibly execute arbitrary code via
  unspecified vectors, a different vulnerability than CVE-2010-2160,
  CVE-2010-2165, CVE-2010-2166, CVE-2010-2171, CVE-2010-2176,
  CVE-2010-2177, CVE-2010-2178, CVE-2010-2180, CVE-2010-2182,
  CVE-2010-2184, CVE-2010-2187, and CVE-2010-2188.

CVE-2010-2176 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2176):
  Adobe Flash Player before 9.0.277.0 and 10.x before 10.1.53.64, and
  Adobe AIR before 2.0.2.12610, allows attackers to cause a denial of
  service (memory corruption) or possibly execute arbitrary code via
  unspecified vectors, a different vulnerability than CVE-2010-2160,
  CVE-2010-2165, CVE-2010-2166, CVE-2010-2171, CVE-2010-2175,
  CVE-2010-2177, CVE-2010-2178, CVE-2010-2180, CVE-2010-2182,
  CVE-2010-2184, CVE-2010-2187, and CVE-2010-2188.

CVE-2010-2177 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2177):
  Adobe Flash Player before 9.0.277.0 and 10.x before 10.1.53.64, and
  Adobe AIR before 2.0.2.12610, allows attackers to cause a denial of
  service (memory corruption) or possibly execute arbitrary code via
  unspecified vectors, a different vulnerability than CVE-2010-2160,
  CVE-2010-2165, CVE-2010-2166, CVE-2010-2171, CVE-2010-2175,
  CVE-2010-2176, CVE-2010-2178, CVE-2010-2180, CVE-2010-2182,
  CVE-2010-2184, CVE-2010-2187, and CVE-2010-2188.

CVE-2010-2178 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2178):
  Adobe Flash Player before 9.0.277.0 and 10.x before 10.1.53.64, and
  Adobe AIR before 2.0.2.12610, allows attackers to cause a denial of
  service (memory corruption) or possibly execute arbitrary code via
  unspecified vectors, a different vulnerability than CVE-2010-2160,
  CVE-2010-2165, CVE-2010-2166, CVE-2010-2171, CVE-2010-2175,
  CVE-2010-2176, CVE-2010-2177, CVE-2010-2180, CVE-2010-2182,
  CVE-2010-2184, CVE-2010-2187, and CVE-2010-2188.

CVE-2010-2179 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2179):
  Cross-site scripting (XSS) vulnerability in Adobe Flash Player before
  9.0.277.0 and 10.x before 10.1.53.64, and Adobe AIR before
  2.0.2.12610, when Firefox or Chrome is used, allows remote attackers
  to inject arbitrary web script or HTML via unspecified vectors
  related to URL parsing.

CVE-2010-2180 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2180):
  Adobe Flash Player before 9.0.277.0 and 10.x before 10.1.53.64, and
  Adobe AIR before 2.0.2.12610, allows attackers to cause a denial of
  service (memory corruption) or possibly execute arbitrary code via
  unspecified vectors, a different vulnerability than CVE-2010-2160,
  CVE-2010-2165, CVE-2010-2166, CVE-2010-2171, CVE-2010-2175,
  CVE-2010-2176, CVE-2010-2177, CVE-2010-2178, CVE-2010-2182,
  CVE-2010-2184, CVE-2010-2187, and CVE-2010-2188.

CVE-2010-2181 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2181):
  Integer overflow in Adobe Flash Player before 9.0.277.0 and 10.x
  before 10.1.53.64, and Adobe AIR before 2.0.2.12610, might allow
  attackers to execute arbitrary code via unspecified vectors, a
  different vulnerability than CVE-2010-2170 and CVE-2010-2183.

CVE-2010-2182 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2182):
  Adobe Flash Player before 9.0.277.0 and 10.x before 10.1.53.64, and
  Adobe AIR before 2.0.2.12610, allows attackers to cause a denial of
  service (memory corruption) or possibly execute arbitrary code via
  unspecified vectors, a different vulnerability than CVE-2010-2160,
  CVE-2010-2165, CVE-2010-2166, CVE-2010-2171, CVE-2010-2175,
  CVE-2010-2176, CVE-2010-2177, CVE-2010-2178, CVE-2010-2180,
  CVE-2010-2184, CVE-2010-2187, and CVE-2010-2188.

CVE-2010-2183 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2183):
  Integer overflow in Adobe Flash Player before 9.0.277.0 and 10.x
  before 10.1.53.64, and Adobe AIR before 2.0.2.12610, might allow
  attackers to execute arbitrary code via unspecified vectors, a
  different vulnerability than CVE-2010-2170 and CVE-2010-2181.

CVE-2010-2184 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2184):
  Adobe Flash Player before 9.0.277.0 and 10.x before 10.1.53.64, and
  Adobe AIR before 2.0.2.12610, allows attackers to cause a denial of
  service (memory corruption) or possibly execute arbitrary code via
  unspecified vectors, a different vulnerability than CVE-2010-2160,
  CVE-2010-2165, CVE-2010-2166, CVE-2010-2171, CVE-2010-2175,
  CVE-2010-2176, CVE-2010-2177, CVE-2010-2178, CVE-2010-2180,
  CVE-2010-2182, CVE-2010-2187, and CVE-2010-2188.

CVE-2010-2185 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2185):
  Buffer overflow in Adobe Flash Player before 9.0.277.0 and 10.x
  before 10.1.53.64, and Adobe AIR before 2.0.2.12610, might allow
  attackers to execute arbitrary code via unspecified vectors.

CVE-2010-2186 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2186):
  Unspecified vulnerability in Adobe Flash Player before 9.0.277.0 and
  10.x before 10.1.53.64, and Adobe AIR before 2.0.2.12610, allows
  attackers to cause a denial of service (application crash) or
  possibly execute arbitrary code via unknown vectors.

CVE-2010-2187 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2187):
  Adobe Flash Player before 9.0.277.0 and 10.x before 10.1.53.64, and
  Adobe AIR before 2.0.2.12610, allows attackers to cause a denial of
  service (memory corruption) or possibly execute arbitrary code via
  unspecified vectors, a different vulnerability than CVE-2010-2160,
  CVE-2010-2165, CVE-2010-2166, CVE-2010-2171, CVE-2010-2175,
  CVE-2010-2176, CVE-2010-2177, CVE-2010-2178, CVE-2010-2180,
  CVE-2010-2182, CVE-2010-2184, and CVE-2010-2188.

CVE-2010-2188 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2188):
  Adobe Flash Player before 9.0.277.0 and 10.x before 10.1.53.64, and
  Adobe AIR before 2.0.2.12610, allows attackers to cause a denial of
  service (memory corruption) or possibly execute arbitrary code by
  calling the ActionScript native object 2200 connect method multiple
  times with different arguments, a different vulnerability than
  CVE-2010-2160, CVE-2010-2165, CVE-2010-2166, CVE-2010-2171,
  CVE-2010-2175, CVE-2010-2176, CVE-2010-2177, CVE-2010-2178,
  CVE-2010-2180, CVE-2010-2182, CVE-2010-2184, and CVE-2010-2187.

CVE-2010-2189 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2189):
  Adobe Flash Player before 9.0.277.0 and 10.x before 10.1.53.64, and
  Adobe AIR before 2.0.2.12610, when used in conjunction with VMWare
  Tools on a VMWare platform, allows attackers to cause a denial of
  service (memory corruption) or possibly execute arbitrary code via
  unspecified vectors.

Comment 33 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-08-12 07:58:31 UTC
GLSA request filed together with bug 332205.
Comment 34 Tim Sammut (RETIRED) gentoo-dev 2011-01-21 17:20:25 UTC
This is GLSA 201101-09; thank you.