Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 370215 (CVE-2011-2107) - <www-plugins/adobe-flash-10.3.181.26: Multiple vulnerabilities (CVE-2011-{2107,2110})
Summary: <www-plugins/adobe-flash-10.3.181.26: Multiple vulnerabilities (CVE-2011-{210...
Status: RESOLVED FIXED
Alias: CVE-2011-2107
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal with 1 vote (vote)
Assignee: Gentoo Security
URL: http://www.adobe.com/support/security...
Whiteboard: B2 [glsa]
Keywords:
: 371709 (view as bug list)
Depends on:
Blocks:
 
Reported: 2011-06-06 01:44 UTC by Tim Sammut (RETIRED)
Modified: 2011-10-13 23:54 UTC (History)
7 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Tim Sammut (RETIRED) gentoo-dev 2011-06-06 01:44:19 UTC
From $URL:

An important vulnerability has been identified in Adobe Flash Player 10.3.181.16 and earlier versions for Windows, Macintosh, Linux and Solaris, and Adobe Flash Player 10.3.185.22 and earlier versions for Android. This universal cross-site scripting vulnerability (CVE-2011-2107) could be used to take actions on a user's behalf on any website or webmail provider, if the user visits a malicious website. There are reports that this vulnerability is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious link delivered in an email message.

Adobe recommends users of Adobe Flash Player 10.3.181.16 and earlier versions for Windows, Macintosh, Linux and Solaris update to Adobe Flash Player 10.3.181.22 (10.3.181.23 for ActiveX). Adobe expects to make available an update for Flash Player 10.3.185.22 for Android during the week of June 6, 2011.
Comment 1 Marius Brehler 2011-06-09 20:34:54 UTC
Adobe released flash player version 10.3.181.22, which should fix this issue. Wouldn't a version bump be useful?
Comment 2 Jim Ramsay (lack) (RETIRED) gentoo-dev 2011-06-10 04:24:44 UTC
(In reply to comment #1)
> Adobe released flash player version 10.3.181.22, which should fix this issue.
> Wouldn't a version bump be useful?

Yes, of course, if I weren't out of the country this week.

I hope just renaming the latest ebuild should work, so please give this a shot and bump this package for me if possible. I probably won't be able to get to it for another week yet.
Comment 3 Tim Sammut (RETIRED) gentoo-dev 2011-06-10 14:14:45 UTC
(In reply to comment #2)
> I hope just renaming the latest ebuild should work, so please give this a shot
> and bump this package for me if possible. I probably won't be able to get to it
> for another week yet.

This worked for me (amd64 w/ hardened userland).

@desktop-misc, would you mind bumping while Jim is out of pocket?
Comment 4 Marius Brehler 2011-06-10 19:36:29 UTC
Worked for me too (amd64).
Comment 5 Olivier Calle 2011-06-14 18:30:42 UTC
Renamed ebuild to version 10.3.181.22 and emerged on x86.  Flash works in Firefox.
Comment 6 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2011-06-14 18:35:28 UTC
+*adobe-flash-10.3.181.22 (14 Jun 2011)
+
+  14 Jun 2011; Alex Legler <a3li@gentoo.org> +adobe-flash-10.3.181.22.ebuild:
+  Non-maintainer commit: Version bump for security bug 370215
+
Comment 7 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2011-06-14 18:36:21 UTC
Arches, please test and mark stable:
=www-plugins/adobe-flash-10.3.181.22
Target keywords : "amd64 x86"
Comment 8 John Gibson 2011-06-14 21:50:59 UTC
Unfortunately it looks like Adobe just released another update to version 10.3.181.26:
http://www.adobe.com/support/security/bulletins/apsb11-18.html

We may want to move directly to this version rather than bothering to test and stabilize 10.3.181.22.
Comment 9 Olivier Calle 2011-06-14 22:15:26 UTC
FYI: Renamed ebuild to version 10.3.181.26 and emerged, again :-), on x86.  Flash still works in Firefox.
Comment 10 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2011-06-15 08:41:29 UTC
Arches, target update:

Arches, please test and mark stable:
=www-plugins/adobe-flash-10.3.181.26
Target keywords : "amd64 x86"
Comment 11 Tony Vroon gentoo-dev 2011-06-15 12:29:29 UTC
*** Bug 371709 has been marked as a duplicate of this bug. ***
Comment 12 Thomas Kahle (RETIRED) gentoo-dev 2011-06-16 04:41:40 UTC
x86 stabl
Comment 13 Ian Delaney (RETIRED) gentoo-dev 2011-06-16 09:22:53 UTC
amd64:

amd64 ok
Comment 14 Jim Ramsay (lack) (RETIRED) gentoo-dev 2011-06-16 17:23:31 UTC
(In reply to comment #6)
> +  14 Jun 2011; Alex Legler <a3li@gentoo.org> +adobe-flash-10.3.181.22.ebuild:
> +  Non-maintainer commit: Version bump for security bug 370215

Thanks very much, Alex!

I'm back around now but I truly appreciate you (and all those users doing the testing) while I was away.
Comment 15 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2011-06-17 08:45:10 UTC
(In reply to comment #14)
> (In reply to comment #6)
> > +  14 Jun 2011; Alex Legler <a3li@gentoo.org> +adobe-flash-10.3.181.22.ebuild:
> > +  Non-maintainer commit: Version bump for security bug 370215
> 
> Thanks very much, Alex!
> 
> I'm back around now but I truly appreciate you (and all those users doing the
> testing) while I was away.

np :)

amd64: ping, please mark the ebuild stable. The current stable 10.3 distfile is no longer available from adobe. As an AT already tested it, I shall mark it stable tonight if you didn't get to it yet.
Comment 16 Agostino Sarubbo gentoo-dev 2011-06-17 12:01:05 UTC
(In reply to comment #15)
> As an AT already tested it, I shall mark it stable tonight if you didn't get to > it yet.

Do it, works also for me ;)
Comment 17 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2011-06-17 14:09:56 UTC
+  17 Jun 2011; Alex Legler <a3li@gentoo.org>
+  -adobe-flash-10.3.181.14-r1.ebuild, adobe-flash-10.3.181.26.ebuild:
+  amd64 stable for security bug 370215; removing vulnerable version
+

Added to existing GLSA request.
Comment 18 GLSAMaker/CVETool Bot gentoo-dev 2011-06-24 20:29:06 UTC
CVE-2011-2110 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2110):
  Adobe Flash Player before 10.3.181.26 on Windows, Mac OS X, Linux, and
  Solaris, and 10.3.185.23 and earlier on Android, allows remote attackers to
  execute arbitrary code or cause a denial of service (memory corruption) via
  unspecified vectors, as exploited in the wild in June 2011.

CVE-2011-2107 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2107):
  Cross-site scripting (XSS) vulnerability in Adobe Flash Player before
  10.3.181.22 on Windows, Mac OS X, Linux, and Solaris, and 10.3.185.22 and
  earlier on Android, allows remote attackers to inject arbitrary web script
  or HTML via unspecified vectors, related to a "universal cross-site
  scripting vulnerability."
Comment 19 GLSAMaker/CVETool Bot gentoo-dev 2011-10-13 23:54:08 UTC
This issue was resolved and addressed in
 GLSA 201110-11 at http://security.gentoo.org/glsa/glsa-201110-11.xml
by GLSA coordinator Tim Sammut (underling).