[arch-security] [ASA-201512-7] flashplugin: multiple issues

Levente Polyak anthraxx at archlinux.org
Wed Dec 9 20:10:55 UTC 2015


Arch Linux Security Advisory ASA-201512-7
=========================================

Severity: Critical
Date    : 2015-12-09
CVE-ID  : CVE-2015-8045 CVE-2015-8047 CVE-2015-8048 CVE-2015-8049
          CVE-2015-8050 CVE-2015-8055 CVE-2015-8056 CVE-2015-8057
          CVE-2015-8058 CVE-2015-8059 CVE-2015-8060 CVE-2015-8061
          CVE-2015-8062 CVE-2015-8063 CVE-2015-8064 CVE-2015-8065
          CVE-2015-8066 CVE-2015-8067 CVE-2015-8068 CVE-2015-8069
          CVE-2015-8070 CVE-2015-8071 CVE-2015-8401 CVE-2015-8402
          CVE-2015-8403 CVE-2015-8404 CVE-2015-8405 CVE-2015-8406
          CVE-2015-8407 CVE-2015-8408 CVE-2015-8409 CVE-2015-8410
          CVE-2015-8411 CVE-2015-8412 CVE-2015-8413 CVE-2015-8414
          CVE-2015-8415 CVE-2015-8416 CVE-2015-8417 CVE-2015-8418
          CVE-2015-8419 CVE-2015-8420 CVE-2015-8421 CVE-2015-8422
          CVE-2015-8423 CVE-2015-8424 CVE-2015-8425 CVE-2015-8426
          CVE-2015-8427 CVE-2015-8428 CVE-2015-8429 CVE-2015-8430
          CVE-2015-8431 CVE-2015-8432 CVE-2015-8433 CVE-2015-8434
          CVE-2015-8435 CVE-2015-8436 CVE-2015-8437 CVE-2015-8438
          CVE-2015-8439 CVE-2015-8440 CVE-2015-8441 CVE-2015-8442
          CVE-2015-8443 CVE-2015-8444 CVE-2015-8445 CVE-2015-8446
          CVE-2015-8447 CVE-2015-8448 CVE-2015-8449 CVE-2015-8450
          CVE-2015-8451 CVE-2015-8452 CVE-2015-8453 CVE-2015-8454
          CVE-2015-8455
Package : flashplugin
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package flashplugin before version 11.2.202.554-1 is vulnerable to
multiple issues including but not limited to arbitrary code execution,
security restriction bypass, denial of service and possibly other
unspecified impact.

Resolution
==========

Upgrade to 11.2.202.554-1.

# pacman -Syu "flashplugin>=11.2.202.554-1"

The problems have been fixed upstream in version 11.2.202.554.

Workaround
==========

None.

Description
===========

- CVE-2015-8045 CVE-2015-8060 CVE-2015-8408 CVE-2015-8416 CVE-2015-8417
  CVE-2015-8418 CVE-2015-8419 CVE-2015-8443 CVE-2015-8444 CVE-2015-8047
  CVE-2015-8451 CVE-2015-8455 (arbitrary code execution)

Memory corruption vulnerabilities have been discovered that could lead
to arbitrary code execution.

- CVE-2015-8438 CVE-2015-8446 (arbitrary code execution)

Heap buffer overflow vulnerabilities have been discovered that could
lead to arbitrary code execution.

- CVE-2015-8409 CVE-2015-8440 CVE-2015-8453
  (security restriction bypass)

Multiple issues have been discovered that lead to security
restriction bypass.

- CVE-2015-8407 (arbitrary code execution)

A stack overflow vulnerability has been discovered that could lead to
arbitrary code execution.

- CVE-2015-8439 (arbitrary code execution)

A type confusion vulnerability has been discovered that could lead to
arbitrary code execution.

- CVE-2015-8445 (arbitrary code execution)

An integer overflow vulnerability has been discovered that could lead to
arbitrary code execution.

- CVE-2015-8415 (arbitrary code execution)

A buffer overflow vulnerability has been discovered that could lead to
arbitrary code execution.

- CVE-2015-8050 CVE-2015-8049 CVE-2015-8437 CVE-2015-8450 CVE-2015-8449
  CVE-2015-8448 CVE-2015-8436 CVE-2015-8452 CVE-2015-8048 CVE-2015-8413
  CVE-2015-8412 CVE-2015-8410 CVE-2015-8411 CVE-2015-8424 CVE-2015-8422
  CVE-2015-8420 CVE-2015-8421 CVE-2015-8423 CVE-2015-8425 CVE-2015-8433
  CVE-2015-8432 CVE-2015-8431 CVE-2015-8426 CVE-2015-8430 CVE-2015-8427
  CVE-2015-8428 CVE-2015-8429 CVE-2015-8434 CVE-2015-8435 CVE-2015-8414
  CVE-2015-8454 CVE-2015-8059 CVE-2015-8058 CVE-2015-8055 CVE-2015-8057
  CVE-2015-8056 CVE-2015-8061 CVE-2015-8067 CVE-2015-8066 CVE-2015-8062
  CVE-2015-8068 CVE-2015-8064 CVE-2015-8065 CVE-2015-8063 CVE-2015-8405
  CVE-2015-8404 CVE-2015-8402 CVE-2015-8403 CVE-2015-8071 CVE-2015-8401
  CVE-2015-8406 CVE-2015-8069 CVE-2015-8070 CVE-2015-8441 CVE-2015-8442
  CVE-2015-8447 (arbitrary code execution)

Multiple use-after-free vulnerabilities have been discovered that could
lead to arbitrary code execution.


Impact
======

A remote attacker is able to create a specially crafted SWF file that,
when played, leads to arbitrary code execution, denial of service,
security restriction bypass or possibly other unspecified impact via
various vectors.

References
==========

https://access.redhat.com/security/cve/CVE-2015-8045
https://access.redhat.com/security/cve/CVE-2015-8047
https://access.redhat.com/security/cve/CVE-2015-8048
https://access.redhat.com/security/cve/CVE-2015-8049
https://access.redhat.com/security/cve/CVE-2015-8050
https://access.redhat.com/security/cve/CVE-2015-8055
https://access.redhat.com/security/cve/CVE-2015-8056
https://access.redhat.com/security/cve/CVE-2015-8057
https://access.redhat.com/security/cve/CVE-2015-8058
https://access.redhat.com/security/cve/CVE-2015-8059
https://access.redhat.com/security/cve/CVE-2015-8060
https://access.redhat.com/security/cve/CVE-2015-8061
https://access.redhat.com/security/cve/CVE-2015-8062
https://access.redhat.com/security/cve/CVE-2015-8063
https://access.redhat.com/security/cve/CVE-2015-8064
https://access.redhat.com/security/cve/CVE-2015-8065
https://access.redhat.com/security/cve/CVE-2015-8066
https://access.redhat.com/security/cve/CVE-2015-8067
https://access.redhat.com/security/cve/CVE-2015-8068
https://access.redhat.com/security/cve/CVE-2015-8069
https://access.redhat.com/security/cve/CVE-2015-8070
https://access.redhat.com/security/cve/CVE-2015-8071
https://access.redhat.com/security/cve/CVE-2015-8401
https://access.redhat.com/security/cve/CVE-2015-8402
https://access.redhat.com/security/cve/CVE-2015-8403
https://access.redhat.com/security/cve/CVE-2015-8404
https://access.redhat.com/security/cve/CVE-2015-8405
https://access.redhat.com/security/cve/CVE-2015-8406
https://access.redhat.com/security/cve/CVE-2015-8407
https://access.redhat.com/security/cve/CVE-2015-8408
https://access.redhat.com/security/cve/CVE-2015-8409
https://access.redhat.com/security/cve/CVE-2015-8410
https://access.redhat.com/security/cve/CVE-2015-8411
https://access.redhat.com/security/cve/CVE-2015-8412
https://access.redhat.com/security/cve/CVE-2015-8413
https://access.redhat.com/security/cve/CVE-2015-8414
https://access.redhat.com/security/cve/CVE-2015-8415
https://access.redhat.com/security/cve/CVE-2015-8416
https://access.redhat.com/security/cve/CVE-2015-8417
https://access.redhat.com/security/cve/CVE-2015-8418
https://access.redhat.com/security/cve/CVE-2015-8419
https://access.redhat.com/security/cve/CVE-2015-8420
https://access.redhat.com/security/cve/CVE-2015-8421
https://access.redhat.com/security/cve/CVE-2015-8422
https://access.redhat.com/security/cve/CVE-2015-8423
https://access.redhat.com/security/cve/CVE-2015-8424
https://access.redhat.com/security/cve/CVE-2015-8425
https://access.redhat.com/security/cve/CVE-2015-8426
https://access.redhat.com/security/cve/CVE-2015-8427
https://access.redhat.com/security/cve/CVE-2015-8428
https://access.redhat.com/security/cve/CVE-2015-8429
https://access.redhat.com/security/cve/CVE-2015-8430
https://access.redhat.com/security/cve/CVE-2015-8431
https://access.redhat.com/security/cve/CVE-2015-8432
https://access.redhat.com/security/cve/CVE-2015-8433
https://access.redhat.com/security/cve/CVE-2015-8434
https://access.redhat.com/security/cve/CVE-2015-8435
https://access.redhat.com/security/cve/CVE-2015-8436
https://access.redhat.com/security/cve/CVE-2015-8437
https://access.redhat.com/security/cve/CVE-2015-8438
https://access.redhat.com/security/cve/CVE-2015-8439
https://access.redhat.com/security/cve/CVE-2015-8440
https://access.redhat.com/security/cve/CVE-2015-8441
https://access.redhat.com/security/cve/CVE-2015-8442
https://access.redhat.com/security/cve/CVE-2015-8443
https://access.redhat.com/security/cve/CVE-2015-8444
https://access.redhat.com/security/cve/CVE-2015-8445
https://access.redhat.com/security/cve/CVE-2015-8446
https://access.redhat.com/security/cve/CVE-2015-8447
https://access.redhat.com/security/cve/CVE-2015-8448
https://access.redhat.com/security/cve/CVE-2015-8449
https://access.redhat.com/security/cve/CVE-2015-8450
https://access.redhat.com/security/cve/CVE-2015-8451
https://access.redhat.com/security/cve/CVE-2015-8452
https://access.redhat.com/security/cve/CVE-2015-8453
https://access.redhat.com/security/cve/CVE-2015-8454
https://access.redhat.com/security/cve/CVE-2015-8455
https://helpx.adobe.com/security/products/flash-player/apsb15-32.html
