Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 461598 (CVE-2013-0646) - <www-plugins/adobe-flash-11.2.202.275: multiple vulnerabilities (CVE-2013-{0646,0650,1371,1375})
Summary: <www-plugins/adobe-flash-11.2.202.275: multiple vulnerabilities (CVE-2013-{06...
Status: RESOLVED FIXED
Alias: CVE-2013-0646
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://www.adobe.com/support/security...
Whiteboard: B2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-03-13 05:00 UTC by shimi
Modified: 2013-09-14 02:54 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description shimi 2013-03-13 05:00:07 UTC
Please version bump adobe-flash to 11.2.202.275:

Adobe has released security updates for Adobe Flash Player 11.6.602.171 and earlier versions for Windows and Macintosh, Adobe Flash Player 11.2.202.273 and earlier versions for Linux, Adobe Flash Player 11.1.115.47 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.43 and earlier versions for Android 3.x and 2.x. These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.

These updates resolve an integer overflow vulnerability that could lead to code execution (CVE-2013-0646).

These updates resolve a use-after-free vulnerability that could be exploited to execute arbitrary code (CVE-2013-0650).

These updates resolve a memory corruption vulnerability that could lead to code execution (CVE-2013-1371).

These updates resolve a heap buffer overflow vulnerability that could lead to code execution (CVE-2013-1375).

Source: http://www.adobe.com/support/security/bulletins/apsb13-09.html
Comment 1 Jeroen Roovers gentoo-dev 2013-03-14 15:38:25 UTC
Arch teams, please test and mark stable:
=www-plugins/adobe-flash-11.2.202.275
Stable KEYWORDS : amd64 x86
Comment 2 Agostino Sarubbo gentoo-dev 2013-03-15 11:53:38 UTC
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2013-03-15 11:57:06 UTC
x86 stable
Comment 4 Sean Amoss gentoo-dev Security 2013-03-17 22:23:02 UTC
Adding to existing GLSA draft.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2013-03-21 18:45:06 UTC
CVE-2013-1375 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1375):
  Heap-based buffer overflow in Adobe Flash Player before 10.3.183.68 and 11.x
  before 11.6.602.180 on Windows and Mac OS X, before 10.3.183.68 and 11.x
  before 11.2.202.275 on Linux, before 11.1.111.44 on Android 2.x and 3.x, and
  before 11.1.115.48 on Android 4.x; Adobe AIR before 3.6.0.6090; Adobe AIR
  SDK before 3.6.0.6090; and Adobe AIR SDK & Compiler before 3.6.0.6090 allows
  attackers to execute arbitrary code via unspecified vectors.

CVE-2013-1371 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1371):
  Adobe Flash Player before 10.3.183.68 and 11.x before 11.6.602.180 on
  Windows and Mac OS X, before 10.3.183.68 and 11.x before 11.2.202.275 on
  Linux, before 11.1.111.44 on Android 2.x and 3.x, and before 11.1.115.48 on
  Android 4.x; Adobe AIR before 3.6.0.6090; Adobe AIR SDK before 3.6.0.6090;
  and Adobe AIR SDK & Compiler before 3.6.0.6090 allow attackers to execute
  arbitrary code or cause a denial of service (memory corruption) via
  unspecified vectors.

CVE-2013-0650 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0650):
  Use-after-free vulnerability in Adobe Flash Player before 10.3.183.68 and
  11.x before 11.6.602.180 on Windows and Mac OS X, before 10.3.183.68 and
  11.x before 11.2.202.275 on Linux, before 11.1.111.44 on Android 2.x and
  3.x, and before 11.1.115.48 on Android 4.x; Adobe AIR before 3.6.0.6090;
  Adobe AIR SDK before 3.6.0.6090; and Adobe AIR SDK & Compiler before
  3.6.0.6090 allows attackers to execute arbitrary code via unspecified
  vectors.

CVE-2013-0646 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0646):
  Integer overflow in Adobe Flash Player before 10.3.183.68 and 11.x before
  11.6.602.180 on Windows and Mac OS X, before 10.3.183.68 and 11.x before
  11.2.202.275 on Linux, before 11.1.111.44 on Android 2.x and 3.x, and before
  11.1.115.48 on Android 4.x; Adobe AIR before 3.6.0.6090; Adobe AIR SDK
  before 3.6.0.6090; and Adobe AIR SDK & Compiler before 3.6.0.6090 allows
  attackers to execute arbitrary code via unspecified vectors.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2013-09-14 02:54:49 UTC
This issue was resolved and addressed in
 GLSA 201309-06 at http://security.gentoo.org/glsa/glsa-201309-06.xml
by GLSA coordinator Sean Amoss (ackle).