549388 – (CVE-2015-3044) <www-plugins/adobe-flash-11.2.202.460 - multiple vulnerabilities (CVE-2015-{3044,3077,3078,3079,3080,3081,3082,3083,3084,3085,3086,3087,3088,3089,3090,3091,3092,3093})

Bug 549388 (CVE-2015-3044) - <www-plugins/adobe-flash-11.2.202.460 - multiple vulnerabilities (CVE-2015-{3044,3077,3078,3079,3080,3081,3082,3083,3084,3085,3086,3087,3088,3089,3090,3091,3092,3093})

Summary: <www-plugins/adobe-flash-11.2.202.460 - multiple vulnerabilities (CVE-2015-{3...

Status:	RESOLVED FIXED

Alias:	CVE-2015-3044

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal
Assignee:	Gentoo Security

URL:	https://helpx.adobe.com/security/prod...
Whiteboard:	B2 [glsa]
Keywords:

Depends on:
Blocks:

Reported:	2015-05-13 16:07 UTC by Jeroen Roovers (RETIRED)
Modified:	2015-06-14 20:39 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Jeroen Roovers (RETIRED) gentoo-dev

2015-05-13 16:07:33 UTC

Adobe has released security updates for Adobe Flash Player for Windows, Macintosh and Linux. These updates address vulnerabilities that could potentially allow an attacker to take control of the affected system. Adobe recommends users update their product installations to the latest versions:

Comment 1 Jeroen Roovers (RETIRED) gentoo-dev

2015-05-13 16:08:57 UTC

Arch teams, please test and mark stable:
=www-plugins/adobe-flash-11.2.202.460
Targeted stable KEYWORDS : amd64 x86

Comment 2 Mikle Kolyada (RETIRED) archtester

2015-05-14 08:49:32 UTC

amd64 stable

Comment 3 Mikle Kolyada (RETIRED) archtester

2015-05-14 08:50:11 UTC

x86 stable

Comment 4 GLSAMaker/CVETool Bot gentoo-dev

2015-05-31 19:16:22 UTC

This issue was resolved and addressed in
 GLSA 201505-02 at https://security.gentoo.org/glsa/201505-02
by GLSA coordinator Kristian Fiskerstrand (K_F).

Comment 5 GLSAMaker/CVETool Bot gentoo-dev

2015-06-14 20:39:53 UTC

CVE-2015-3093 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3093):
  Adobe Flash Player before 13.0.0.289 and 14.x through 17.x before 17.0.0.188
  on Windows and OS X and before 11.2.202.460 on Linux, Adobe AIR before
  17.0.0.172, Adobe AIR SDK before 17.0.0.172, and Adobe AIR SDK & Compiler
  before 17.0.0.172 allow attackers to execute arbitrary code or cause a
  denial of service (memory corruption) via unspecified vectors, a different
  vulnerability than CVE-2015-3078, CVE-2015-3089, and CVE-2015-3090.

CVE-2015-3092 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3092):
  Adobe Flash Player before 13.0.0.289 and 14.x through 17.x before 17.0.0.188
  on Windows and OS X and before 11.2.202.460 on Linux, Adobe AIR before
  17.0.0.172, Adobe AIR SDK before 17.0.0.172, and Adobe AIR SDK & Compiler
  before 17.0.0.172 do not properly restrict discovery of memory addresses,
  which allows attackers to bypass the ASLR protection mechanism via
  unspecified vectors, a different vulnerability than CVE-2015-3091.

CVE-2015-3091 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3091):
  Adobe Flash Player before 13.0.0.289 and 14.x through 17.x before 17.0.0.188
  on Windows and OS X and before 11.2.202.460 on Linux, Adobe AIR before
  17.0.0.172, Adobe AIR SDK before 17.0.0.172, and Adobe AIR SDK & Compiler
  before 17.0.0.172 do not properly restrict discovery of memory addresses,
  which allows attackers to bypass the ASLR protection mechanism via
  unspecified vectors, a different vulnerability than CVE-2015-3092.

CVE-2015-3090 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3090):
  Adobe Flash Player before 13.0.0.289 and 14.x through 17.x before 17.0.0.188
  on Windows and OS X and before 11.2.202.460 on Linux, Adobe AIR before
  17.0.0.172, Adobe AIR SDK before 17.0.0.172, and Adobe AIR SDK & Compiler
  before 17.0.0.172 allow attackers to execute arbitrary code or cause a
  denial of service (memory corruption) via unspecified vectors, a different
  vulnerability than CVE-2015-3078, CVE-2015-3089, and CVE-2015-3093.

CVE-2015-3089 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3089):
  Adobe Flash Player before 13.0.0.289 and 14.x through 17.x before 17.0.0.188
  on Windows and OS X and before 11.2.202.460 on Linux, Adobe AIR before
  17.0.0.172, Adobe AIR SDK before 17.0.0.172, and Adobe AIR SDK & Compiler
  before 17.0.0.172 allow attackers to execute arbitrary code or cause a
  denial of service (memory corruption) via unspecified vectors, a different
  vulnerability than CVE-2015-3078, CVE-2015-3090, and CVE-2015-3093.

CVE-2015-3088 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3088):
  Heap-based buffer overflow in Adobe Flash Player before 13.0.0.289 and 14.x
  through 17.x before 17.0.0.188 on Windows and OS X and before 11.2.202.460
  on Linux, Adobe AIR before 17.0.0.172, Adobe AIR SDK before 17.0.0.172, and
  Adobe AIR SDK & Compiler before 17.0.0.172 allows attackers to execute
  arbitrary code via unspecified vectors.

CVE-2015-3087 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3087):
  Integer overflow in Adobe Flash Player before 13.0.0.289 and 14.x through
  17.x before 17.0.0.188 on Windows and OS X and before 11.2.202.460 on Linux,
  Adobe AIR before 17.0.0.172, Adobe AIR SDK before 17.0.0.172, and Adobe AIR
  SDK & Compiler before 17.0.0.172 allows attackers to execute arbitrary code
  via unspecified vectors.

CVE-2015-3086 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3086):
  Adobe Flash Player before 13.0.0.289 and 14.x through 17.x before 17.0.0.188
  on Windows and OS X and before 11.2.202.460 on Linux, Adobe AIR before
  17.0.0.172, Adobe AIR SDK before 17.0.0.172, and Adobe AIR SDK & Compiler
  before 17.0.0.172 allow attackers to execute arbitrary code by leveraging an
  unspecified "type confusion," a different vulnerability than CVE-2015-3077
  and CVE-2015-3084.

CVE-2015-3085 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3085):
  Adobe Flash Player before 13.0.0.289 and 14.x through 17.x before 17.0.0.188
  on Windows and OS X and before 11.2.202.460 on Linux, Adobe AIR before
  17.0.0.172, Adobe AIR SDK before 17.0.0.172, and Adobe AIR SDK & Compiler
  before 17.0.0.172 allow remote attackers to bypass intended restrictions on
  filesystem write operations via unspecified vectors, a different
  vulnerability than CVE-2015-3082 and CVE-2015-3083.

CVE-2015-3084 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3084):
  Adobe Flash Player before 13.0.0.289 and 14.x through 17.x before 17.0.0.188
  on Windows and OS X and before 11.2.202.460 on Linux, Adobe AIR before
  17.0.0.172, Adobe AIR SDK before 17.0.0.172, and Adobe AIR SDK & Compiler
  before 17.0.0.172 allow attackers to execute arbitrary code by leveraging an
  unspecified "type confusion," a different vulnerability than CVE-2015-3077
  and CVE-2015-3086.

CVE-2015-3083 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3083):
  Adobe Flash Player before 13.0.0.289 and 14.x through 17.x before 17.0.0.188
  on Windows and OS X and before 11.2.202.460 on Linux, Adobe AIR before
  17.0.0.172, Adobe AIR SDK before 17.0.0.172, and Adobe AIR SDK & Compiler
  before 17.0.0.172 allow remote attackers to bypass intended restrictions on
  filesystem write operations via unspecified vectors, a different
  vulnerability than CVE-2015-3082 and CVE-2015-3085.

CVE-2015-3082 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3082):
  Adobe Flash Player before 13.0.0.289 and 14.x through 17.x before 17.0.0.188
  on Windows and OS X and before 11.2.202.460 on Linux, Adobe AIR before
  17.0.0.172, Adobe AIR SDK before 17.0.0.172, and Adobe AIR SDK & Compiler
  before 17.0.0.172 allow remote attackers to bypass intended restrictions on
  filesystem write operations via unspecified vectors, a different
  vulnerability than CVE-2015-3083 and CVE-2015-3085.

CVE-2015-3081 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3081):
  Race condition in Adobe Flash Player before 13.0.0.289 and 14.x through 17.x
  before 17.0.0.188 on Windows and OS X and before 11.2.202.460 on Linux,
  Adobe AIR before 17.0.0.172, Adobe AIR SDK before 17.0.0.172, and Adobe AIR
  SDK & Compiler before 17.0.0.172 allows attackers to bypass the Internet
  Explorer Protected Mode protection mechanism via unspecified vectors.

CVE-2015-3080 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3080):
  Use-after-free vulnerability in Adobe Flash Player before 13.0.0.289 and
  14.x through 17.x before 17.0.0.188 on Windows and OS X and before
  11.2.202.460 on Linux, Adobe AIR before 17.0.0.172, Adobe AIR SDK before
  17.0.0.172, and Adobe AIR SDK & Compiler before 17.0.0.172 allows attackers
  to execute arbitrary code via unspecified vectors.

CVE-2015-3079 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3079):
  Adobe Flash Player before 13.0.0.289 and 14.x through 17.x before 17.0.0.188
  on Windows and OS X and before 11.2.202.460 on Linux, Adobe AIR before
  17.0.0.172, Adobe AIR SDK before 17.0.0.172, and Adobe AIR SDK & Compiler
  before 17.0.0.172 allow attackers to bypass intended access restrictions and
  obtain sensitive information via unspecified vectors.

CVE-2015-3078 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3078):
  Adobe Flash Player before 13.0.0.289 and 14.x through 17.x before 17.0.0.188
  on Windows and OS X and before 11.2.202.460 on Linux, Adobe AIR before
  17.0.0.172, Adobe AIR SDK before 17.0.0.172, and Adobe AIR SDK & Compiler
  before 17.0.0.172 allow attackers to execute arbitrary code or cause a
  denial of service (memory corruption) via unspecified vectors, a different
  vulnerability than CVE-2015-3089, CVE-2015-3090, and CVE-2015-3093.

CVE-2015-3077 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3077):
  Adobe Flash Player before 13.0.0.289 and 14.x through 17.x before 17.0.0.188
  on Windows and OS X and before 11.2.202.460 on Linux, Adobe AIR before
  17.0.0.172, Adobe AIR SDK before 17.0.0.172, and Adobe AIR SDK & Compiler
  before 17.0.0.172 allow attackers to execute arbitrary code by leveraging an
  unspecified "type confusion," a different vulnerability than CVE-2015-3084
  and CVE-2015-3086.