Bug 593684 (APSB16-29, CVE-2016-4271, CVE-2016-4272, CVE-2016-4274, CVE-2016-4275, CVE-2016-4276, CVE-2016-4277, CVE-2016-4278, CVE-2016-4279, CVE-2016-4280, CVE-2016-4281, CVE-2016-4282, CVE-2016-4283, CVE-2016-4284, CVE-2016-4285, CVE-2016-4287, CVE-2016-6921, CVE-2016-6922, CVE-2016-6923, CVE-2016-6924, CVE-2016-6925, CVE-2016-6926, CVE-2016-6927, CVE-2016-6929, CVE-2016-6930, CVE-2016-6931, CVE-2016-6932) - <www-plugins/adobe-flash-{11.2.202.635,23.0.0.162}: Multiple vulnerabilities (APSB16-29)
Status: RESOLVED FIXED
Alias: APSB16-29, CVE-2016-4271, CVE-2016-4272, CVE-2016-4274, CVE-2016-4275, CVE-2016-4276, CVE-2016-4277, CVE-2016-4278, CVE-2016-4279, CVE-2016-4280, CVE-2016-4281, CVE-2016-4282, CVE-2016-4283, CVE-2016-4284, CVE-2016-4285, CVE-2016-4287, CVE-2016-6921, CVE-2016-6922, CVE-2016-6923, CVE-2016-6924, CVE-2016-6925, CVE-2016-6926, CVE-2016-6927, CVE-2016-6929, CVE-2016-6930, CVE-2016-6931, CVE-2016-6932
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://helpx.adobe.com/security/prod...
Whiteboard: A2 [glsa cve]
Reported: 2016-09-13 21:19 UTC by Thomas Deutschmann (RETIRED)
Modified: 2016-10-29 13:25 UTC
CC: 2 users
Description Thomas Deutschmann (RETIRED) gentoo-dev 2016-09-13 21:19:48 UTC
Summary
=======
Adobe has released security updates for Adobe Flash Player for Windows,
Macintosh, Linux and ChromeOS.  These updates address critical
vulnerabilities that could potentially allow an attacker to take control of
the affected system.


Affected Versions
=================
<=www-plugins/adobe-flash-11.2.202.632


Solution
========
Adobe recommends users of Adobe Flash Player for Linux update to Adobe
Flash Player 11.2.202.635.


Vulnerability Details
=====================
 - These updates resolve an integer overflow vulnerability that could lead
   to code execution:
   
    - CVE-2016-4287

 - These updates resolve use-after-free vulnerabilities that could lead to
   code execution:
   
    - CVE-2016-4272
    - CVE-2016-4279
    - CVE-2016-6921
    - CVE-2016-6923
    - CVE-2016-6925
    - CVE-2016-6926
    - CVE-2016-6927
    - CVE-2016-6929
    - CVE-2016-6930
    - CVE-2016-6931
    - CVE-2016-6932

 - These updates resolve security bypass vulnerabilities that could lead to
   information disclosure:
   
    - CVE-2016-4271
    - CVE-2016-4277
    - CVE-2016-4278

 - These updates resolve memory corruption vulnerabilities that could lead
   to code execution:
   
    - CVE-2016-4182
    - CVE-2016-4237
    - CVE-2016-4238
    - CVE-2016-4274
    - CVE-2016-4275
    - CVE-2016-4276
    - CVE-2016-4280
    - CVE-2016-4281
    - CVE-2016-4282
    - CVE-2016-4283
    - CVE-2016-4284
    - CVE-2016-4285
    - CVE-2016-6922
    - CVE-2016-6924


Acknowledgments
===============
 - Weizhong Qian of ART&UESTC's Neklab (CVE-2016-4280)

 - Mumei working with Trend Micro's Zero Day Initiative (CVE-2016-4279)

 - Leone Pontorieri (CVE-2016-4271)

 - Mateusz Jurczyk and Natalie Silvanovich of Google Project Zero
   (CVE-2016-4274, CVE-2016-4275)

 - Soroush Dalili and Matthew Evans from NCC Group (CVE-2016-4277)

 - Yuki Chen of Qihoo 360 Vulcan Team working with the Chromium
   Vulnerability Rewards Program (CVE-2016-6925, CVE-2016-6926)

 - willJ of Tencent PC Manager (CVE-2016-6923, CVE-2016-6924)

 - JieZeng of Tencent Zhanlu Lab working with the Chromium Vulnerability
   Rewards Program (CVE-2016-6927, CVE-2016-6930, CVE-2016-6931,
   CVE-2016-6932)

 - Nicolas Joly of Microsoft Vulnerability Research (CVE-2016-4272,
   CVE-2016-4278)

 - Yuki Chen of Qihoo 360 Vulcan Team (CVE-2016-4287, CVE-2016-6921,
   CVE-2016-6922, CVE-2016-6929)

 - b0nd@garage4hackers working with Trend Micro's Zero Day Initiative
   (CVE-2016-4276)

 - Tao Yan (@Ga1ois) of Palo Alto Networks (CVE-2016-4182, CVE-2016-4237,
   CVE-2016-4238, CVE-2016-4281, CVE-2016-4282, CVE-2016-4283,
   CVE-2016-4284, CVE-2016-4285)
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2016-09-13 21:25:39 UTC
Note: $URL re-lists CVE-2016-4182, CVE-2016-4237 and CVE-2016-4238 which were already listed in the previous bulletin (https://bugs.gentoo.org/show_bug.cgi?id=APSB16-25).
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2016-09-14 06:48:37 UTC
Arch teams, please test and mark stable:
=www-plugins/adobe-flash-11.2.202.635
Targeted stable KEYWORDS : amd64 x86
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2016-09-15 19:08:10 UTC
Stable for amd64 x86.
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2016-09-15 22:34:14 UTC
Arches and Maintainer(s), Thank you for your work.
New GLSA Request filed.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2016-10-29 13:25:55 UTC
This issue was resolved and addressed in
 GLSA 201610-10 at https://security.gentoo.org/glsa/201610-10
by GLSA coordinator Kristian Fiskerstrand (K_F).