Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 484512 (CVE-2013-3361) - <www-plugins/adobe-flash-11.2.202.310 : Multiple Vulnerabilities (CVE-2013-{3361,3362,3363,5324})
Summary: <www-plugins/adobe-flash-11.2.202.310 : Multiple Vulnerabilities (CVE-2013-{3...
Status: RESOLVED FIXED
Alias: CVE-2013-3361
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: https://secunia.com/advisories/54697/
Whiteboard: A2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-09-10 19:15 UTC by Agostino Sarubbo
Modified: 2013-09-14 02:54 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2013-09-10 19:15:10 UTC
From ${URL} :

Description

Multiple vulnerabilities have been reported in Adobe Flash Player and Adobe AIR, which can be exploited by malicious people to compromise a user's system.

1) An unspecified error can be exploited to cause memory corruption.

2) Another unspecified error can be exploited to cause memory corruption.

3) Another unspecified error can be exploited to cause memory corruption.

4) Another unspecified error can be exploited to cause memory corruption.

Successful exploitation of the vulnerabilities may allow execution of arbitrary code.

The vulnerabilities are reported in following versions and products:
* Adobe Flash Player versions 11.8.800.94 and prior for Windows and Macintosh
* Adobe Flash Player versions 11.2.202.297 and prior for Linux
* Adobe Flash Player versions 11.1.115.69 and prior for Android 4.x
* Adobe Flash Player versions 11.1.111.64 and prior for Android 3.x and 2.x
* Adobe AIR versions 3.8.0.870 and earlier for Windows and Android
* Adobe AIR versions 3.8.0.910 and earlier for Macintosh
* Adobe AIR SDK & Compiler versions 3.8.0.870 and earlier for Windows
* Adobe AIR SDK & Compiler versions 3.8.0.910 and earlier for Macintosh


Solution:
Update to a fixed version.

Further details available to Secunia VIM customers

Provided and/or discovered by:
The vendor credits Mateusz Jurczyk and Ben Hawkes, Google Security Team

Original Advisory:
http://www.adobe.com/support/security/bulletins/apsb13-21.html




@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
Comment 2 Jeroen Roovers gentoo-dev 2013-09-11 01:49:32 UTC
Arch teams, please test and mark stable:
=www-plugins/adobe-flash-11.2.202.310
Targeted stable KEYWORDS : -* amd64 x86
Comment 3 Sergey Popov gentoo-dev Security 2013-09-11 09:05:00 UTC
amd64/x86 stable

Added to existing GLSA draft
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2013-09-12 22:45:46 UTC
CVE-2013-5324 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5324):
  Adobe Flash Player before 11.7.700.242 and 11.8.x before 11.8.800.168 on
  Windows and Mac OS X, before 11.2.202.310 on Linux, before 11.1.111.73 on
  Android 2.x and 3.x, and before 11.1.115.81 on Android 4.x; Adobe AIR before
  3.8.0.1430; and Adobe AIR SDK & Compiler before 3.8.0.1430 allow attackers
  to execute arbitrary code or cause a denial of service (memory corruption)
  via unspecified vectors, a different vulnerability than CVE-2013-3361,
  CVE-2013-3362, and CVE-2013-3363.

CVE-2013-3363 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-3363):
  Adobe Flash Player before 11.7.700.242 and 11.8.x before 11.8.800.168 on
  Windows and Mac OS X, before 11.2.202.310 on Linux, before 11.1.111.73 on
  Android 2.x and 3.x, and before 11.1.115.81 on Android 4.x; Adobe AIR before
  3.8.0.1430; and Adobe AIR SDK & Compiler before 3.8.0.1430 allow attackers
  to execute arbitrary code or cause a denial of service (memory corruption)
  via unspecified vectors, a different vulnerability than CVE-2013-3361,
  CVE-2013-3362, and CVE-2013-5324.

CVE-2013-3362 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-3362):
  Adobe Flash Player before 11.7.700.242 and 11.8.x before 11.8.800.168 on
  Windows and Mac OS X, before 11.2.202.310 on Linux, before 11.1.111.73 on
  Android 2.x and 3.x, and before 11.1.115.81 on Android 4.x; Adobe AIR before
  3.8.0.1430; and Adobe AIR SDK & Compiler before 3.8.0.1430 allow attackers
  to execute arbitrary code or cause a denial of service (memory corruption)
  via unspecified vectors, a different vulnerability than CVE-2013-3361,
  CVE-2013-3363, and CVE-2013-5324.

CVE-2013-3361 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-3361):
  Adobe Flash Player before 11.7.700.242 and 11.8.x before 11.8.800.168 on
  Windows and Mac OS X, before 11.2.202.310 on Linux, before 11.1.111.73 on
  Android 2.x and 3.x, and before 11.1.115.81 on Android 4.x; Adobe AIR before
  3.8.0.1430; and Adobe AIR SDK & Compiler before 3.8.0.1430 allow attackers
  to execute arbitrary code or cause a denial of service (memory corruption)
  via unspecified vectors, a different vulnerability than CVE-2013-3362,
  CVE-2013-3363, and CVE-2013-5324.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2013-09-14 02:54:59 UTC
This issue was resolved and addressed in
 GLSA 201309-06 at http://security.gentoo.org/glsa/glsa-201309-06.xml
by GLSA coordinator Sean Amoss (ackle).