[arch-security] [Arch Linux Security Advisory ASA-201411-11] flashplugin: remote code execution

Remi Gacogne rgacogne at archlinux.org
Thu Nov 13 09:16:15 UTC 2014


Arch Linux Security Advisory ASA-201411-11
==========================================

Severity: Critical
Date    : 2014-11-13
CVE-ID  : CVE-2014-0573, CVE-2014-0574, CVE-2014-0576, CVE-2014-0577,
          CVE-2014-0581, CVE-2014-0582, CVE-2014-0583, CVE-2014-0584,
          CVE-2014-0585, CVE-2014-0586, CVE-2014-0588, CVE-2014-0589,
          CVE-2014-0590, CVE-2014-8437, CVE-2014-8438, CVE-2014-8440,
          CVE-2014-8441, CVE-2014-8442
Package : flashplugin
Type    : remote code execution
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE-2014

Summary
=======

The package flashplugin before version 11.2.202.418-1 is
vulnerable to multiple flaws, allowing arbitrary remote code execution.

Resolution
==========

Upgrade to 11.2.202.418-1.

# pacman -Syu "flashplugin>=11.2.202.418-1"

The problem has been fixed upstream in version 11.2.202.418.
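To audit many hosts against this advisory, the check below (an added example, not part of the advisory) takes the "name version" line that `pacman -Q flashplugin` prints and reports whether the installed version is still below the fixed 11.2.202.418-1. It reimplements the numeric part of pacman's version ordering so it can run offline over collected inventory; on a live Arch host, pacman's own `vercmp` gives the same answer. The function names and sample inventory lines are constructed for the example.

```shell
#!/bin/sh
# Fixed version named in ASA-201411-11.
FIXED_VERSION="11.2.202.418-1"

# Compare two Arch-style versions (pkgver-pkgrel, dotted numeric components).
# Prints -1, 0 or 1 like pacman's vercmp. Assumption: purely numeric
# components, which holds for flashplugin's 11.2.202.x versioning.
ver_cmp() {
    a_ver=${1%%-*}; a_rel=${1#*-}
    b_ver=${2%%-*}; b_rel=${2#*-}
    # A missing pkgrel counts as 0, so "11.2.202.418" sorts below "11.2.202.418-1".
    [ "$a_rel" = "$1" ] && a_rel=0
    [ "$b_rel" = "$2" ] && b_rel=0
    i=1
    while :; do
        a=$(printf '%s\n' "$a_ver" | cut -d. -f"$i")
        b=$(printf '%s\n' "$b_ver" | cut -d. -f"$i")
        [ -z "$a" ] && [ -z "$b" ] && break   # both versions exhausted
        a=${a:-0}; b=${b:-0}                   # shorter version pads with 0
        if [ "$a" -lt "$b" ]; then echo -1; return; fi
        if [ "$a" -gt "$b" ]; then echo 1; return; fi
        i=$((i + 1))
    done
    if [ "$a_rel" -lt "$b_rel" ]; then echo -1
    elif [ "$a_rel" -gt "$b_rel" ]; then echo 1
    else echo 0; fi
}

# Takes one `pacman -Q flashplugin` line, e.g. "flashplugin 11.2.202.406-1".
# Returns 0 (true) when the host is still affected, 1 when it is fixed,
# 2 when the line is not about flashplugin at all.
flashplugin_affected() {
    pkg=${1%% *}; installed=${1#* }
    [ "$pkg" = "flashplugin" ] || { echo "unexpected package: $pkg" >&2; return 2; }
    [ "$(ver_cmp "$installed" "$FIXED_VERSION")" -lt 0 ]
}

# Constructed sample inventory, one `pacman -Q` line per host.
for line in "flashplugin 11.2.202.406-1" "flashplugin 11.2.202.418-1" \
            "flashplugin 11.2.202.418-2"; do
    if flashplugin_affected "$line"; then echo "AFFECTED: $line"; else echo "ok: $line"; fi
done
```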

Workaround
==========

Disable or remove the flash plugin.

Description
===========

These updates resolve memory corruption vulnerabilities that could lead
to code execution (CVE-2014-0576, CVE-2014-0581, CVE-2014-8440,
CVE-2014-8441).

These updates resolve use-after-free vulnerabilities that could lead to
code execution (CVE-2014-0573, CVE-2014-0588, CVE-2014-8438).

These updates resolve a double free vulnerability that could lead to
code execution (CVE-2014-0574).

These updates resolve type confusion vulnerabilities that could lead to
code execution (CVE-2014-0577, CVE-2014-0584, CVE-2014-0585,
CVE-2014-0586, CVE-2014-0590).

These updates resolve heap buffer overflow vulnerabilities that could
lead to code execution (CVE-2014-0582, CVE-2014-0589).

These updates resolve an information disclosure vulnerability that could
be exploited to disclose session tokens (CVE-2014-8437).

These updates resolve a heap buffer overflow vulnerability that could be
exploited to perform privilege escalation from low to medium integrity
level (CVE-2014-0583).

These updates resolve a permission issue that could be exploited to
perform privilege escalation from low to medium integrity level
(CVE-2014-8442).

Impact
======

A remote attacker in a man-in-the-middle position, or a malicious
website, can remotely execute arbitrary code with the privileges of the
current user.

References
==========

https://helpx.adobe.com/security/products/flash-player/apsb14-24.html
https://bugs.archlinux.org/task/42769
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0573
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0574
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0576
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0577
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0581
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0582
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0583
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0584
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0585
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0586
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0588
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0589
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0590
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8437
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8438
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8440
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8441
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8442
