[arch-security] [Arch Linux Security Advisory ASA-201411-11] flashplugin: remote code execution
Remi Gacogne
rgacogne at archlinux.org
Thu Nov 13 09:16:15 UTC 2014
Arch Linux Security Advisory ASA-201411-11
==========================================
Severity: Critical
Date : 2014-11-13
CVE-ID : CVE-2014-0573, CVE-2014-0574, CVE-2014-0576, CVE-2014-0577,
CVE-2014-0581, CVE-2014-0582, CVE-2014-0583, CVE-2014-0584,
CVE-2014-0585, CVE-2014-0586, CVE-2014-0588, CVE-2014-0589,
CVE-2014-0590, CVE-2014-8437, CVE-2014-8438, CVE-2014-8440,
CVE-2014-8441, CVE-2014-8442
Package : flashplugin
Type : remote code execution
Remote : Yes
Link : https://wiki.archlinux.org/index.php/CVE-2014
Summary
=======
The package flashplugin before version 11.2.202.418-1 is
vulnerable to multiple flaws, allowing arbitrary remote code execution.
Resolution
==========
Upgrade to 11.2.202.418-1.
# pacman -Syu "flashplugin>=11.2.202.418-1"
The problem has been fixed upstream in version 11.2.202.418.
Workaround
==========
Disable or remove the flash plugin.
Description
===========
These updates resolve memory corruption vulnerabilities that could lead
to code execution (CVE-2014-0576, CVE-2014-0581, CVE-2014-8440,
CVE-2014-8441).
These updates resolve use-after-free vulnerabilities that could lead to
code execution (CVE-2014-0573, CVE-2014-0588, CVE-2014-8438).
These updates resolve a double free vulnerability that could lead to
code execution (CVE-2014-0574).
These updates resolve type confusion vulnerabilities that could lead to
code execution (CVE-2014-0577, CVE-2014-0584, CVE-2014-0585,
CVE-2014-0586, CVE-2014-0590).
These updates resolve heap buffer overflow vulnerabilities that could
lead to code execution (CVE-2014-0582, CVE-2014-0589).
These updates resolve an information disclosure vulnerability that could
be exploited to disclose session tokens (CVE-2014-8437).
These updates resolve a heap buffer overflow vulnerability that could be
exploited to perform privilege escalation from low to medium integrity
level (CVE-2014-0583).
These updates resolve a permission issue that could be exploited to
perform privilege escalation from low to medium integrity level
(CVE-2014-8442).
Impact
======
A remote attacker in position of a man-in-the-middle or a malicious
website can remotely execute arbitrary code with the privileges of the
current user.
References
==========
https://helpx.adobe.com/security/products/flash-player/apsb14-24.html
https://bugs.archlinux.org/task/42769
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0573
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0574
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0576
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0577
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0581
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0582
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0583
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0584
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0585
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0586
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0588
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0589
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0590
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8437
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8438
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8440
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8441
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8442
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20141113/9a2ad773/attachment.bin>
More information about the arch-security
mailing list