Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 596896 (APSB16-32, CVE-2016-4273, CVE-2016-4286, CVE-2016-6981, CVE-2016-6982, CVE-2016-6983, CVE-2016-6984, CVE-2016-6985, CVE-2016-6986, CVE-2016-6987, CVE-2016-6989, CVE-2016-6990, CVE-2016-6992) - <www-plugins/adobe-flash-11.2.202.637: Multiple vulnerabilities (CVE-2016-{4273,4286,6981,6982,6983,6984,6985,6986,6987,6989,6990,6992})
Summary: <www-plugins/adobe-flash-11.2.202.637: Multiple vulnerabilities (CVE-2016-{42...
Status: RESOLVED FIXED
Alias: APSB16-32, CVE-2016-4273, CVE-2016-4286, CVE-2016-6981, CVE-2016-6982, CVE-2016-6983, CVE-2016-6984, CVE-2016-6985, CVE-2016-6986, CVE-2016-6987, CVE-2016-6989, CVE-2016-6990, CVE-2016-6992
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL: https://helpx.adobe.com/security/prod...
Whiteboard: A2 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2016-10-11 17:57 UTC by Kristian Fiskerstrand (RETIRED)
Modified: 2016-10-29 13:26 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-10-11 17:57:36 UTC 
Adobe recommends users of Adobe Flash Player for Linux update to Adobe Flash Player 11.2.202.637 by visiting the Adobe Flash Player Download Center.

Vulnerability Details

    These updates resolve a type confusion vulnerability that could lead to code execution (CVE-2016-6992). 
    These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2016-6981, CVE-2016-6987). 
    These updates resolve a security bypass vulnerability (CVE-2016-4286). 
    These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2016-4273, CVE-2016-6982, CVE-2016-6983, CVE-2016-6984, CVE-2016-6985, CVE-2016-6986, CVE-2016-6989, CVE-2016-6990).
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2016-10-11 18:09:31 UTC 
Arch teams, please test and mark stable:
=www-plugins/adobe-flash-11.2.202.637
Targeted stable KEYWORDS : amd64 x86
Comment 2 Agostino Sarubbo gentoo-dev 2016-10-12 12:35:31 UTC 
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2016-10-12 12:35:57 UTC 
x86 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2016-10-14 09:49:26 UTC 
CVE-2016-6992 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6992):
  Adobe Flash Player before 18.0.0.382 and 19.x through 23.x before 23.0.0.185
  on Windows and OS X and before 11.2.202.637 on Linux allows attackers to
  execute arbitrary code by leveraging an unspecified "type confusion."

CVE-2016-6990 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6990):
  Adobe Flash Player before 18.0.0.382 and 19.x through 23.x before 23.0.0.185
  on Windows and OS X and before 11.2.202.637 on Linux allows attackers to
  execute arbitrary code or cause a denial of service (memory corruption) via
  unspecified vectors, a different vulnerability than CVE-2016-4273,
  CVE-2016-6982, CVE-2016-6983, CVE-2016-6984, CVE-2016-6985, CVE-2016-6986,
  and CVE-2016-6989.

CVE-2016-6989 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6989):
  Adobe Flash Player before 18.0.0.382 and 19.x through 23.x before 23.0.0.185
  on Windows and OS X and before 11.2.202.637 on Linux allows attackers to
  execute arbitrary code or cause a denial of service (memory corruption) via
  unspecified vectors, a different vulnerability than CVE-2016-4273,
  CVE-2016-6982, CVE-2016-6983, CVE-2016-6984, CVE-2016-6985, CVE-2016-6986,
  and CVE-2016-6990.

CVE-2016-6987 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6987):
  Use-after-free vulnerability in Adobe Flash Player before 18.0.0.382 and
  19.x through 23.x before 23.0.0.185 on Windows and OS X and before
  11.2.202.637 on Linux allows attackers to execute arbitrary code via
  unspecified vectors, a different vulnerability than CVE-2016-6981.

CVE-2016-6986 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6986):
  Adobe Flash Player before 18.0.0.382 and 19.x through 23.x before 23.0.0.185
  on Windows and OS X and before 11.2.202.637 on Linux allows attackers to
  execute arbitrary code or cause a denial of service (memory corruption) via
  unspecified vectors, a different vulnerability than CVE-2016-4273,
  CVE-2016-6982, CVE-2016-6983, CVE-2016-6984, CVE-2016-6985, CVE-2016-6989,
  and CVE-2016-6990.

CVE-2016-6985 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6985):
  Adobe Flash Player before 18.0.0.382 and 19.x through 23.x before 23.0.0.185
  on Windows and OS X and before 11.2.202.637 on Linux allows attackers to
  execute arbitrary code or cause a denial of service (memory corruption) via
  unspecified vectors, a different vulnerability than CVE-2016-4273,
  CVE-2016-6982, CVE-2016-6983, CVE-2016-6984, CVE-2016-6986, CVE-2016-6989,
  and CVE-2016-6990.

CVE-2016-6984 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6984):
  Adobe Flash Player before 18.0.0.382 and 19.x through 23.x before 23.0.0.185
  on Windows and OS X and before 11.2.202.637 on Linux allows attackers to
  execute arbitrary code or cause a denial of service (memory corruption) via
  unspecified vectors, a different vulnerability than CVE-2016-4273,
  CVE-2016-6982, CVE-2016-6983, CVE-2016-6985, CVE-2016-6986, CVE-2016-6989,
  and CVE-2016-6990.

CVE-2016-6983 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6983):
  Adobe Flash Player before 18.0.0.382 and 19.x through 23.x before 23.0.0.185
  on Windows and OS X and before 11.2.202.637 on Linux allows attackers to
  execute arbitrary code or cause a denial of service (memory corruption) via
  unspecified vectors, a different vulnerability than CVE-2016-4273,
  CVE-2016-6982, CVE-2016-6984, CVE-2016-6985, CVE-2016-6986, CVE-2016-6989,
  and CVE-2016-6990.

CVE-2016-6982 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6982):
  Adobe Flash Player before 18.0.0.382 and 19.x through 23.x before 23.0.0.185
  on Windows and OS X and before 11.2.202.637 on Linux allows attackers to
  execute arbitrary code or cause a denial of service (memory corruption) via
  unspecified vectors, a different vulnerability than CVE-2016-4273,
  CVE-2016-6983, CVE-2016-6984, CVE-2016-6985, CVE-2016-6986, CVE-2016-6989,
  and CVE-2016-6990.

CVE-2016-6981 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6981):
  Use-after-free vulnerability in Adobe Flash Player before 18.0.0.382 and
  19.x through 23.x before 23.0.0.185 on Windows and OS X and before
  11.2.202.637 on Linux allows attackers to execute arbitrary code via
  unspecified vectors, a different vulnerability than CVE-2016-6987.

CVE-2016-4286 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4286):
  Adobe Flash Player before 18.0.0.382 and 19.x through 23.x before 23.0.0.185
  on Windows and OS X and before 11.2.202.637 on Linux allows attackers to
  bypass intended access restrictions via unspecified vectors.

CVE-2016-4273 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4273):
  Adobe Flash Player before 18.0.0.382 and 19.x through 23.x before 23.0.0.185
  on Windows and OS X and before 11.2.202.637 on Linux allows attackers to
  execute arbitrary code or cause a denial of service (memory corruption) via
  unspecified vectors, a different vulnerability than CVE-2016-6982,
  CVE-2016-6983, CVE-2016-6984, CVE-2016-6985, CVE-2016-6986, CVE-2016-6989,
  and CVE-2016-6990.
Comment 5 Aaron Bauman (RETIRED) gentoo-dev 2016-10-14 09:52:02 UTC 
Added to existing GLSA.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2016-10-29 13:26:02 UTC 
This issue was resolved and addressed in
 GLSA 201610-10 at https://security.gentoo.org/glsa/201610-10
by GLSA coordinator Kristian Fiskerstrand (K_F).