[arch-security] [ASA-201507-7] flashplugin: remote code execution

Remi Gacogne rgacogne at archlinux.org
Wed Jul 8 11:54:23 UTC 2015


Arch Linux Security Advisory ASA-201507-7
=========================================

Severity: Critical
Date    : 2015-07-08
CVE-ID  : CVE-2015-5119
Package : flashplugin
Type    : remote code execution
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package flashplugin before version 11.2.202.481-1 is vulnerable to
remote code execution.

Resolution
==========

Upgrade to 11.2.202.481-1.

# pacman -Syu "flashplugin>=11.2.202.481-1"

The problem has been fixed upstream in version 11.2.202.481.

Workaround
==========

None.

Description
===========

A critical vulnerability (use-after-free in the AS3 ByteArray class) has
been identified in Adobe Flash Player 18.0.0.194 and earlier versions
for Windows, Macintosh and Linux. Successful exploitation could cause a
crash and potentially allow an attacker to take control of the affected
system.

Adobe is aware of reports that an exploit targeting this vulnerability
has been published publicly.

Impact
======

A remote attacker can execute arbitrary code on the affected host using
a crafted Flash application.

References
==========

https://access.redhat.com/security/cve/CVE-2015-5119
https://helpx.adobe.com/security/products/flash-player/apsa15-03.html
https://www.kb.cert.org/vuls/id/561288
http://blog.trendmicro.com/trendlabs-security-intelligence/unpatched-flash-player-flaws-more-pocs-found-in-hacking-team-leak/
