Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 337204 (CVE-2010-2884) - <www-plugins/adobe-flash- Critical Vulnerabilty (CVE-2010-2884)
Summary: <www-plugins/adobe-flash- Critical Vulnerabilty (CVE-2010-2884)
Alias: CVE-2010-2884
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
Whiteboard: A2 [glsa]
: 338529 (view as bug list)
Depends on:
Reported: 2010-09-14 03:26 UTC by Tim Sammut (RETIRED)
Modified: 2011-01-21 17:20 UTC (History)
5 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Tim Sammut (RETIRED) gentoo-dev 2010-09-14 03:26:16 UTC
From $URL:

A critical  vulnerability exists in Adobe Flash Player and earlier versions for Windows, Macintosh, Linux, Solaris, and Adobe Flash Player for Android. This vulnerability also affects Adobe Reader 9.3.4 for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh. This vulnerability (CVE-2010-2884) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild against Adobe Flash Player on Windows.

I am creating two bugs--one for www-plugins/adobe-flash, and one for app-text/acroread--so they can be stablized separately since Adobe is planning to release fixed software at different times.
Comment 1 Daniel Santos 2010-09-18 20:27:43 UTC
They never cease to amaze do they?
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2010-09-20 18:36:23 UTC
Adobe has released

"Adobe recommends users of Adobe Flash Player and earlier versions for Windows, Macintosh, Linux, and Solaris update to Adobe Flash Player, and users of Adobe Flash Player for Android update to Adobe Flash Player"

Comment 3 Pavel Shirov 2010-09-24 07:39:18 UTC
*** Bug 338529 has been marked as a duplicate of this bug. ***
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2010-09-25 16:29:43 UTC
CVE-2010-2884 (
  Unspecified vulnerability in Adobe Flash Player and earlier for
  Windows, Macintosh, Linux, Solaris; Flash Player for Android;
  Reader 9.3.4 for Windows, Macintosh and UNIX; and Acrobat 9.3.4 and earlier
  for Windows and Macintosh allows remote attackers to cause a denial of
  service (crash) and execute arbitrary code via unknown vectors, as exploited
  in the wild in September 2010.

Comment 5 Andy Pettinger 2010-09-28 19:11:57 UTC
Recent Updates
September 27, 2010 — Flash Player "Square" has been updated to include the security enhancements described in Security Bulletin APSB10-22
Comment 6 Tim Sammut (RETIRED) gentoo-dev 2010-10-05 03:11:02 UTC
Hi, lack, ping.

Do you think you may have time to create a new ebuild for this?

Copying adobe-flash- to adobe-flash- was sufficient on my machine (amd64) to perform the upgrade.

Comment 7 Jim Ramsay (lack) (RETIRED) gentoo-dev 2010-10-13 01:41:23 UTC
Sorry, sleeping at the switch :)

The good news is that the updated "square" release from Sept 27 was already in the tree, and I hope most people are using that anyway, since it has a native 64-bit version again.

But I have now bumped both the legacy version
And the official release
To complete our fix for this security vulnerability.

Security team: Please feel free to request stable keywords for adobe-flash- at your convenience, no need to wait for any large amount of time for a binary bump like this.  Also, don't bother stabilizing, it can stay in testing.

Until the next time...
Comment 8 Tim Sammut (RETIRED) gentoo-dev 2010-10-13 02:53:02 UTC
Thanks, Jim.

Arches, please test and mark stable:
Target keywords : "amd64 x86"
Comment 9 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2010-10-13 06:44:02 UTC
x86 stable
Comment 10 Markos Chandras (RETIRED) gentoo-dev 2010-10-13 11:29:47 UTC
amd64 done
Comment 11 Tim Sammut (RETIRED) gentoo-dev 2010-10-13 13:43:54 UTC
Thanks, folks.

GLSA with bugs 332205 and 322855.
Comment 12 Tim Sammut (RETIRED) gentoo-dev 2011-01-21 17:20:52 UTC
This is GLSA 201101-09; thank you.