[arch-security] [ASA-201511-5] flashplugin: multiple issues
Levente Polyak
anthraxx at archlinux.org
Wed Nov 11 16:45:25 UTC 2015
Arch Linux Security Advisory ASA-201511-5
=========================================
Severity: Critical
Date : 2015-11-11
CVE-ID : CVE-2015-7651 CVE-2015-7652 CVE-2015-7653 CVE-2015-7654
CVE-2015-7655 CVE-2015-7656 CVE-2015-7657 CVE-2015-7658
CVE-2015-7659 CVE-2015-7660 CVE-2015-7661 CVE-2015-7662
CVE-2015-7663 CVE-2015-8042 CVE-2015-8043 CVE-2015-8044
CVE-2015-8046
Package : flashplugin
Type : multiple issues
Remote : Yes
Link : https://wiki.archlinux.org/index.php/CVE
Summary
=======
The package flashplugin before version 11.2.202.548-1 is vulnerable to
multiple issues including but not limited to arbitrary code execution
and access restriction bypass.
Resolution
==========
Upgrade to 11.2.202.548-1.
# pacman -Syu "flashplugin>=11.2.202.548-1"
The problems have been fixed upstream in version 11.2.202.548.
Workaround
==========
None.
Description
===========
- CVE-2015-7651 CVE-2015-7652 CVE-2015-7653 CVE-2015-7654
CVE-2015-7655 CVE-2015-7656 CVE-2015-7657 CVE-2015-7658
CVE-2015-7660 CVE-2015-7661 CVE-2015-7663 CVE-2015-8042
CVE-2015-8043 CVE-2015-8044 CVE-2015-8046 (arbitrary code execution)
It has been discovered that multiple use-after-free vulnerabilities
could lead to arbitrary code execution.
- CVE-2015-7659 (arbitrary code execution)
A type confusion vulnerability has been discovered that could lead to
arbitrary code execution.
- CVE-2015-7662 (access restriction bypass)
A security bypass vulnerability has been discovered that could be
exploited to write arbitrary data to the file system under user permissions.
Impact
======
A remote attacker is able to craft a special flash file that, when
visited, executes arbitrary code via multiple vectors or writes
arbitrary data to the file system.
References
==========
https://access.redhat.com/security/cve/CVE-2015-7651
https://access.redhat.com/security/cve/CVE-2015-7652
https://access.redhat.com/security/cve/CVE-2015-7653
https://access.redhat.com/security/cve/CVE-2015-7654
https://access.redhat.com/security/cve/CVE-2015-7655
https://access.redhat.com/security/cve/CVE-2015-7656
https://access.redhat.com/security/cve/CVE-2015-7657
https://access.redhat.com/security/cve/CVE-2015-7658
https://access.redhat.com/security/cve/CVE-2015-7659
https://access.redhat.com/security/cve/CVE-2015-7660
https://access.redhat.com/security/cve/CVE-2015-7661
https://access.redhat.com/security/cve/CVE-2015-7662
https://access.redhat.com/security/cve/CVE-2015-7663
https://access.redhat.com/security/cve/CVE-2015-8042
https://access.redhat.com/security/cve/CVE-2015-8043
https://access.redhat.com/security/cve/CVE-2015-8044
https://access.redhat.com/security/cve/CVE-2015-8046
https://helpx.adobe.com/security/products/flash-player/apsb15-28.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20151111/de50fe64/attachment.asc>
More information about the arch-security
mailing list