615244 – (CVE-2017-3058, CVE-2017-3059, CVE-2017-3060, CVE-2017-3061, CVE-2017-3062, CVE-2017-3063, CVE-2017-3064) <www-plugins/adobe-flash-25.0.0.148: Multiple vulnerabilities

Bug 615244 (CVE-2017-3058, CVE-2017-3059, CVE-2017-3060, CVE-2017-3061, CVE-2017-3062, CVE-2017-3063, CVE-2017-3064) - <www-plugins/adobe-flash-25.0.0.148: Multiple vulnerabilities

Summary: <www-plugins/adobe-flash-25.0.0.148: Multiple vulnerabilities

Status:	RESOLVED FIXED

Alias:	CVE-2017-3058, CVE-2017-3059, CVE-2017-3060, CVE-2017-3061, CVE-2017-3062, CVE-2017-3063, CVE-2017-3064

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal major (vote)
Assignee:	Gentoo Security

URL:	https://helpx.adobe.com/security/prod...
Whiteboard:	A2 [glsa cve]
Keywords:

Duplicates (1):	615292 (view as bug list)
Depends on:
Blocks:

Reported:	2017-04-11 08:07 UTC by Thomas Deutschmann (RETIRED)
Modified:	2017-04-27 05:38 UTC (History)
CC List:	3 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Thomas Deutschmann (RETIRED) gentoo-dev

2017-04-11 08:07:16 UTC

Upstream has already released v25.0.0.148. No information available yet.

Comment 1 Harri Nieminen (Moiman) 2017-04-11 17:34:41 UTC

Duplicate of 615292 ?

Comment 2 Kristian Fiskerstrand (RETIRED) gentoo-dev

2017-04-11 18:24:44 UTC


*** This bug has been marked as a duplicate of bug 615292 ***

Comment 3 Jeroen Roovers (RETIRED) gentoo-dev

2017-04-12 10:15:30 UTC

(In reply to Harri Nieminen (Moiman) from comment #1)
> Duplicate of 615292 ?

No, that's backward.

Comment 4 Jeroen Roovers (RETIRED) gentoo-dev

2017-04-12 10:16:09 UTC

*** Bug 615292 has been marked as a duplicate of this bug. ***

Comment 5 Kristian Fiskerstrand (RETIRED) gentoo-dev

2017-04-12 10:18:59 UTC

(In reply to Jeroen Roovers from comment #3)
> (In reply to Harri Nieminen (Moiman) from comment #1)
> > Duplicate of 615292 ?
> 
> No, that's backward.

No, that action was intentional given that this bug lacks any information about the vulnerabilities involved. Why would you go ahead and break that? please update with sufficient information in this bug to make it useful when doing so.

Comment 6 GLSAMaker/CVETool Bot gentoo-dev

2017-04-13 15:18:58 UTC

CVE-2017-3059 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3059):
  Adobe Flash Player versions 25.0.0.127 and earlier have an exploitable use
  after free vulnerability in the internal script object. Successful
  exploitation could lead to arbitrary code execution.

Comment 7 GLSAMaker/CVETool Bot gentoo-dev

2017-04-13 15:19:30 UTC

CVE-2017-3064 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3064):
  Adobe Flash Player versions 25.0.0.127 and earlier have an exploitable
  memory corruption vulnerability when parsing a shape outline. Successful
  exploitation could lead to arbitrary code execution.

CVE-2017-3063 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3063):
  Adobe Flash Player versions 25.0.0.127 and earlier have an exploitable use
  after free vulnerability in the ActionScript2 NetStream class. Successful
  exploitation could lead to arbitrary code execution.

CVE-2017-3062 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3062):
  Adobe Flash Player versions 25.0.0.127 and earlier have an exploitable use
  after free vulnerability in ActionScript2 when creating a getter/setter
  property. Successful exploitation could lead to arbitrary code execution.

CVE-2017-3061 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3061):
  Adobe Flash Player versions 25.0.0.127 and earlier have an exploitable
  memory corruption vulnerability in the SWF parser. Successful exploitation
  could lead to arbitrary code execution.

CVE-2017-3060 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3060):
  Adobe Flash Player versions 25.0.0.127 and earlier have an exploitable
  memory corruption vulnerability in the ActionScript2 code parser. Successful
  exploitation could lead to arbitrary code execution.

Comment 8 Thomas Deutschmann (RETIRED) gentoo-dev

2017-04-13 15:20:57 UTC

New GLSA request filed.

Comment 9 Thomas Deutschmann (RETIRED) gentoo-dev

2017-04-13 16:51:42 UTC

Downgrading to A2.

Comment 10 GLSAMaker/CVETool Bot gentoo-dev

2017-04-27 05:38:21 UTC

This issue was resolved and addressed in
 GLSA 201704-04 at https://security.gentoo.org/glsa/201704-04
by GLSA coordinator Yury German (BlueKnight).