SecurityTracker.com

SecurityTracker
Archives


 


Category:   Application (Multimedia)  >   Adobe Flash Player
Vendors:   Adobe Systems Incorporated
(Gentoo Issues Fix) Adobe Flash Player Bugs Let Remote Users Execute Arbitrary Code and Obtain Information
SecurityTracker Alert ID:  1026946
SecurityTracker URL:  http://securitytracker.com/id/1026946
CVE Reference:   CVE-2012-0768, CVE-2012-0769
Date:  Apr 18 2012
Impact:   Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 11.1.102.63; prior to 11.1.111.7 and 11.1.115.7 for Android
Description:   Two vulnerabilities were reported in Adobe Flash Player. A remote user can cause arbitrary code to be executed on the target user's system. A remote user can obtain potentially sensitive information.

A remote user can create specially crafted content that, when loaded by the target user, will trigger a memory corruption error in Matrix3D and execute arbitrary code on the target system [CVE-2012-0768]. The code will run with the privileges of the target user. Tavis Ormandy of the Google Security Team reported this vulnerability.

A remote user can create specially crafted content that, when loaded by the target user, will trigger integer errors and disclose potentially sensitive information [CVE-2012-0769]. Fermin J. Serna of the Google Security Team reported this vulnerability.

Impact:   A remote user can create Flash content that, when loaded by the target user, will execute arbitrary code on the target user's system or obtain potentially sensitive information.
Solution:   Gentoo has issued a fix.

The Gentoo advisory is available at:

http://security.gentoo.org/glsa/glsa-201204-07.xml

Vendor URL:  www.adobe.com/support/security/bulletins/apsb12-05.html
Cause:   Access control error
Underlying OS:  Linux (Gentoo)

Message History:   This archive entry is a follow-up to the message listed below.
Mar 6 2012 Adobe Flash Player Bugs Let Remote Users Execute Arbitrary Code and Obtain Information



 Source Message Contents

Subject:  [gentoo-announce] [ GLSA 201204-07 ] Adobe Flash Player: Multiple vulnerabilities


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 201204-07
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
    Title: Adobe Flash Player: Multiple vulnerabilities
     Date: April 17, 2012
     Bugs: #390149, #404101, #407023, #410005
       ID: 201204-07

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities in Adobe Flash Player, the worst of which
might allow remote attackers to execute arbitrary code.

Background
==========

The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  www-plugins/adobe-flash   < 11.2.202.228         >= 11.2.202.228

Description
===========

Multiple vulnerabilities have been discovered in Adobe Flash Player.
Please review the CVE identifiers referenced below for details.

Impact
======

A remote attacker could entice a user to open a specially crafted SWF
file, possibly resulting in execution of arbitrary code with the
privileges of the process or a Denial of Service condition.
Furthermore, a remote attacker may be able to bypass intended access
restrictions, bypass cross-domain policy, inject arbitrary web script,
or obtain sensitive information.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Adobe Flash Player users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot -v ">=www-plugins/adobe-flash-11.2.202.228"

References
==========

[  1 ] CVE-2011-2445
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2445
[  2 ] CVE-2011-2450
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2450
[  3 ] CVE-2011-2451
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2451
[  4 ] CVE-2011-2452
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2452
[  5 ] CVE-2011-2453
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2453
[  6 ] CVE-2011-2454
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2454
[  7 ] CVE-2011-2455
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2455
[  8 ] CVE-2011-2456
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2456
[  9 ] CVE-2011-2457
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2457
[ 10 ] CVE-2011-2458
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2458
[ 11 ] CVE-2011-2459
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2459
[ 12 ] CVE-2011-2460
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2460
[ 13 ] CVE-2012-0752
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0752
[ 14 ] CVE-2012-0753
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0753
[ 15 ] CVE-2012-0754
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0754
[ 16 ] CVE-2012-0755
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0755
[ 17 ] CVE-2012-0756
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0756
[ 18 ] CVE-2012-0767
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0767
[ 19 ] CVE-2012-0768
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0768
[ 20 ] CVE-2012-0769
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0769
[ 21 ] CVE-2012-0773
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0773

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 http://security.gentoo.org/glsa/glsa-201204-07.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2012 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



 
 



Copyright 2019, SecurityGlobal.net LLC