[arch-security] [ASA-201412-13] flashplugin: multiple issues
Levente Polyak
anthraxx at archlinux.org
Fri Dec 12 03:25:41 UTC 2014
Arch Linux Security Advisory ASA-201412-13
==========================================
Severity: Critical
Date : 2014-12-12
CVE-ID : CVE-2014-0580 CVE-2014-0587 CVE-2014-8443 CVE-2014-9163
CVE-2014-9164 CVE-2014-9162
Package : flashplugin
Type : multiple issues
Remote : Yes
Link : https://wiki.archlinux.org/index.php/CVE-2014
Summary
=======
The package flashplugin before version 11.2.202.425-1 is
vulnerable to multiple issues including but not limited to arbitrary
code execution, information disclosure and policy bypass.
Resolution
==========
Upgrade to 11.2.202.425-1.
# pacman -Syu "flashplugin>=11.2.202.425-1"
The problems have been fixed upstream in version 11.2.202.425.
Workaround
==========
None.
Description
===========
- CVE-2014-0580 (policy bypass)
A flaw allows remote attackers to bypass the same origin policy via
unspecified vectors.
- CVE-2014-0587 (arbitrary code execution)
A flaw allows attackers to execute arbitrary code or cause a denial of
service (memory corruption) via unspecified vectors.
- CVE-2014-8443 (arbitrary code execution)
A flaw allows attackers to execute arbitrary code via a use-after-free
vulnerability.
- CVE-2014-9163 (arbitrary code execution)
A flaw allows attackers to execute arbitrary code via a stack-based
buffer overflow vulnerability.
- CVE-2014-9164 (arbitrary code execution)
A flaw allows attackers to execute arbitrary code or cause a denial of
service (memory corruption) via unspecified vectors.
- CVE-2014-9162 (information disclosure)
A flaw allows attackers to obtain sensitive information via unspecified
vectors.
Impact
======
A remote attacker is able to execute arbitrary code, bypass the same
origin policy, obtain sensitive information or crash the plugin via
various unspecified vectors.
References
==========
https://helpx.adobe.com/security/products/flash-player/apsb14-27.html
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0580
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0587
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8443
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9162
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9163
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9164
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20141212/99109a79/attachment.bin>
More information about the arch-security
mailing list