Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 646724 (CVE-2018-4871, CVE-2018-4877, CVE-2018-4878) - <www-plugins/adobe-flash-28.0.0.161: multiple vulnerabilities (APSA18-01)
Summary: <www-plugins/adobe-flash-28.0.0.161: multiple vulnerabilities (APSA18-01)
Status: RESOLVED FIXED
Alias: CVE-2018-4871, CVE-2018-4877, CVE-2018-4878
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://helpx.adobe.com/security/prod...
Whiteboard: B2 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2018-02-06 00:48 UTC by Viktor Levin
Modified: 2018-03-19 01:12 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Comment 1 Jonas Stein gentoo-dev 2018-02-06 12:11:14 UTC
"These attacks leverage Office documents with embedded malicious Flash content distributed via email.

Adobe will address this vulnerability in a release planned for the week of February 5."
Comment 2 Viktor Levin 2018-02-06 17:04:32 UTC
Security updates available for Adobe Flash Player (APSB18-03)
http://blogs.adobe.com/psirt/?p=1522
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2018-02-08 15:59:24 UTC
CVE-2018-4878 (https://nvd.nist.gov/vuln/detail/CVE-2018-4878):
  A use-after-free vulnerability was discovered in Adobe Flash Player before
  28.0.0.161. This vulnerability occurs due to a dangling pointer in the
  Primetime SDK related to the handling of listener objects. A successful
  attack can lead to arbitrary code execution. This was exploited in the wild
  in January and February 2018.

CVE-2018-4877 (https://nvd.nist.gov/vuln/detail/CVE-2018-4877):
  A use-after-free vulnerability was discovered in Adobe Flash Player before
  28.0.0.161. This vulnerability occurs due to a dangling pointer in the
  Primetime SDK related to quality of service functionality. A successful
  attack can lead to arbitrary code execution.

CVE-2018-4871 (https://nvd.nist.gov/vuln/detail/CVE-2018-4871):
  An Out-of-bounds Read issue was discovered in Adobe Flash Player before
  28.0.0.137. This vulnerability occurs because of computation that reads data
  that is past the end of the target buffer. The use of an invalid
  (out-of-range) pointer offset during access of internal data structure
  fields causes the vulnerability. A successful attack can lead to sensitive
  data exposure.
Comment 4 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2018-02-08 16:02:13 UTC
(In reply to Viktor Levin from comment #0)
> https://helpx.adobe.com/security/products/flash-player/apsa18-01.html

Thank you Viktor for the report. I'm adding a couple of CVEs included in this version.
Comment 5 Thomas Deutschmann gentoo-dev Security 2018-03-13 18:12:17 UTC
New GLSA request filed.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2018-03-19 01:12:09 UTC
This issue was resolved and addressed in
 GLSA 201803-08 at https://security.gentoo.org/glsa/201803-08
by GLSA coordinator Christopher Diaz Riveros (chrisadr).