Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 459368 (CVE-2013-0504) - <www-plugins/adobe-flash-11.2.202.273: multiple vulnerabilities (CVE-2013-{0504,0643,0648})
Summary: <www-plugins/adobe-flash-11.2.202.273: multiple vulnerabilities (CVE-2013-{05...
Status: RESOLVED FIXED
Alias: CVE-2013-0504
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://www.adobe.com/support/securit...
Whiteboard: B2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-02-26 21:40 UTC by Agostino Sarubbo
Modified: 2013-09-14 02:54 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2013-02-26 21:40:02 UTC
From ${URL} :

Adobe has released security updates for Adobe Flash Player 11.6.602.168 and earlier versions for 
Windows, Adobe Flash Player 11.6.602.167 and earlier versions for Macintosh, and Adobe Flash Player 
11.2.202.270 and earlier versions for Linux. These updates address vulnerabilities that could cause 
a crash and potentially allow an attacker to take control of the affected system.

Adobe is aware of reports that CVE-2013-0643 and CVE-2013-0648 are being exploited in the wild in 
targeted attacks designed to trick the user into clicking a link which directs to a website serving 
malicious Flash (SWF) content. The exploit for CVE-2013-0643 and CVE-2013-0648 is designed to 
target the Firefox browser.

Users of Adobe Flash Player 11.2.202.270 and earlier versions for Linux should update to Adobe 
Flash Player 11.2.202.273.
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2013-02-27 05:10:47 UTC
Arch teams, please test and mark stable:
=www-plugins/adobe-flash-11.2.202.273
Stable KEYWORDS : amd64 x86
Comment 2 Sergey Popov gentoo-dev 2013-02-27 13:22:08 UTC
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2013-02-27 13:45:58 UTC
x86 stable
Comment 4 Sean Amoss (RETIRED) gentoo-dev Security 2013-03-04 01:24:51 UTC
Added to existing GLSA draft.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2013-03-04 01:25:10 UTC
CVE-2013-0648 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0648):
  Unspecified vulnerability in the ExternalInterface ActionScript
  functionality in Adobe Flash Player before 10.3.183.67 and 11.x before
  11.6.602.171 on Windows and Mac OS X, and before 10.3.183.67 and 11.x before
  11.2.202.273 on Linux, allows remote attackers to execute arbitrary code via
  crafted SWF content, as exploited in the wild in February 2013.

CVE-2013-0643 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0643):
  The Firefox sandbox in Adobe Flash Player before 10.3.183.67 and 11.x before
  11.6.602.171 on Windows and Mac OS X, and before 10.3.183.67 and 11.x before
  11.2.202.273 on Linux, does not properly restrict privileges, which makes it
  easier for remote attackers to execute arbitrary code via crafted SWF
  content, as exploited in the wild in February 2013.

CVE-2013-0504 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0504):
  Buffer overflow in the broker service in Adobe Flash Player before
  10.3.183.67 and 11.x before 11.6.602.171 on Windows and Mac OS X, and before
  10.3.183.67 and 11.x before 11.2.202.273 on Linux, allows attackers to
  execute arbitrary code via unspecified vectors.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2013-09-14 02:54:47 UTC
This issue was resolved and addressed in
 GLSA 201309-06 at http://security.gentoo.org/glsa/glsa-201309-06.xml
by GLSA coordinator Sean Amoss (ackle).