Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 565318 (CVE-2015-7651) - <www-plugins/adobe-flash-11.2.202.548: multiple vulnerabilities (CVE-2015-{7651,7652,7653,7654,7655,7656,7657,7658,7659,7660,7661,7662,7663,8042,8043,8044,8046}
Summary: <www-plugins/adobe-flash-11.2.202.548: multiple vulnerabilities (CVE-2015-{76...
Status: RESOLVED FIXED
Alias: CVE-2015-7651
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://helpx.adobe.com/security/prod...
Whiteboard: A2 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-11-10 05:36 UTC by Jeroen Roovers (RETIRED)
Modified: 2015-11-17 11:47 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Jeroen Roovers (RETIRED) gentoo-dev 2015-11-10 05:36:53 UTC
It's Tuesday. No details yet. Ebuild is in the tree.
Comment 1 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-11-10 20:43:44 UTC
The upstream bulletin classify it as priority 3 for linux client so setting A3 for now. 

The full list of vulnerabilities fixed (but not checked which affects the linux client 11.x yet);

Vulnerability Details

    These updates resolve a type confusion vulnerability that could lead to code execution (CVE-2015-7659).
    These updates resolve a security bypass vulnerability that could be exploited to write arbitrary data to the file system under user permissions (CVE-2015-7662).
    These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2015-7651, CVE-2015-7652, CVE-2015-7653, CVE-2015-7654, CVE-2015-7655, CVE-2015-7656, CVE-2015-7657, CVE-2015-7658, CVE-2015-7660, CVE-2015-7661, CVE-2015-7663, CVE-2015-8042, CVE-2015-8043, CVE-2015-8044, CVE-2015-8046).

Acknowledgments

Adobe would like to thank the following individuals and organizations for reporting the relevant issues and for working with Adobe to help protect our customers: 

    Anonymous working with HP's Zero Day Initiative (CVE-2015-7661)
    Bilou working with HP's Zero Day Initiative (CVE-2015-7651, CVE-2015-7653, CVE-2015-7654, CVE-2015-7655, CVE-2015-7656, CVE-2015-7657, CVE-2015-7658, CVE-2015-7659, CVE-2015-7660, CVE-2015-8042)
    Bilou working with HP's Zero Day Initiative, and Natalie Silvanovich of Google Project Zero (CVE-2015-7652)
    Jordan Rabet (CVE-2015-7662)
    Kenneth Fitch and Aaron Lamb of Endgame (CVE-2015-7663)
    Natalie Silvanovich of Google Project Zero (CVE-2015-8043, CVE-2015-8044, CVE-2015-8046)
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2015-11-10 20:51:18 UTC
Arch teams, please test and mark stable:
=www-plugins/adobe-flash-11.2.202.548
Targeted stable KEYWORDS : amd64 x86
Comment 3 Agostino Sarubbo gentoo-dev 2015-11-11 08:18:52 UTC
(In reply to Kristian Fiskerstrand from comment #1)
> The upstream bulletin classify it as priority 3 for linux client so setting
> A3 for now. 

Apart the priority, which is adobe internal, since it says code execution I'd set to A2
Comment 4 Agostino Sarubbo gentoo-dev 2015-11-11 08:55:15 UTC
amd64 stable
Comment 5 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-11-11 09:09:37 UTC
(In reply to Agostino Sarubbo from comment #3)
> (In reply to Kristian Fiskerstrand from comment #1)
> > The upstream bulletin classify it as priority 3 for linux client so setting
> > A3 for now. 
> 
> Apart the priority, which is adobe internal, since it says code execution
> I'd set to A2

I haven't verified that the linux version is also affected by that CVE, but its Adobe so ... better be cautious (although it doesn't affect handling anyways)
Comment 6 Agostino Sarubbo gentoo-dev 2015-11-11 09:41:19 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 7 Sergey Popov (RETIRED) gentoo-dev 2015-11-17 11:39:37 UTC
Cleanup was done by maintainer, added to GLSA request
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2015-11-17 11:47:36 UTC
This issue was resolved and addressed in
 GLSA 201511-02 at https://security.gentoo.org/glsa/201511-02
by GLSA coordinator Sergey Popov (pinkbyte).