Arch Linux Security Advisory ASA-201411-11
=========================================
Severity: Critical
Date    : 2014-11-13
CVE-ID  : CVE-2014-0573, CVE-2014-0574, CVE-2014-0576, CVE-2014-0577,
CVE-2014-0581, CVE-2014-0582, CVE-2014-0583, CVE-2014-0584,
CVE-2014-0585, CVE-2014-0586, CVE-2014-0588, CVE-2014-0589,
CVE-2014-0590, CVE-2014-8437, CVE-2014-8438, CVE-2014-8440,
CVE-2014-8441, CVE-2014-8442
Package : flashplugin
Type    : remote code execution
Remote  : Yes
Link    : https://wiki.archlinux.org/title/CVE-2014

Summary
======
The package flashplugin before version 11.2.202.418-1 is
vulnerable to multiple flaws, allowing arbitrary remote code execution.

Resolution
=========
Upgrade to 11.2.202.418-1.

# pacman -Syu "flashplugin>=11.2.202.418-1"

The problem has been fixed upstream in version 11.2.202.418.

Workaround
=========
Disable or remove the flash plugin.

Description
==========
These updates resolve memory corruption vulnerabilities that could lead
to code execution (CVE-2014-0576, CVE-2014-0581, CVE-2014-8440,
CVE-2014-8441).

These updates resolve use-after-free vulnerabilities that could lead to
code execution (CVE-2014-0573, CVE-2014-0588, CVE-2014-8438).

These updates resolve a double free vulnerability that could lead to
code execution (CVE-2014-0574).

These updates resolve type confusion vulnerabilities that could lead to
code execution (CVE-2014-0577, CVE-2014-0584, CVE-2014-0585,
CVE-2014-0586, CVE-2014-0590).

These updates resolve heap buffer overflow vulnerabilities that could
lead to code execution (CVE-2014-0582, CVE-2014-0589).

These updates resolve an information disclosure vulnerability that could
be exploited to disclose session tokens (CVE-2014-8437).

These updates resolve a heap buffer overflow vulnerability that could be
exploited to perform privilege escalation from low to medium integrity
level (CVE-2014-0583).

These updates resolve a permission issue that could be exploited to
perform privilege escalation from low to medium integrity level
(CVE-2014-8442).

Impact
=====
A remote attacker in position of a man-in-the-middle or a malicious
website can remotely execute arbitrary code with the privileges of the
current user.

References
=========
https://helpx.adobe.com/support/programs/support-options-free-discontinued-apps-services.html
https://bugs.archlinux.org/task/42769
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0573
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0574
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0576
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0577
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0581
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0582
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0583
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0584
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0585
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0586
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0588
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0589
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0590
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8437
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8438
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8440
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8441
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8442

ArchLinux: 201411-11: flashplugin: remote code execution

November 13, 2014

Summary

These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2014-0576, CVE-2014-0581, CVE-2014-8440, CVE-2014-8441). These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2014-0573, CVE-2014-0588, CVE-2014-8438).
These updates resolve a double free vulnerability that could lead to code execution (CVE-2014-0574).
These updates resolve type confusion vulnerabilities that could lead to code execution (CVE-2014-0577, CVE-2014-0584, CVE-2014-0585, CVE-2014-0586, CVE-2014-0590).
These updates resolve heap buffer overflow vulnerabilities that could lead to code execution (CVE-2014-0582, CVE-2014-0589).
These updates resolve an information disclosure vulnerability that could be exploited to disclose session tokens (CVE-2014-8437).
These updates resolve a heap buffer overflow vulnerability that could be exploited to perform privilege escalation from low to medium integrity level (CVE-2014-0583).
These updates resolve a permission issue that could be exploited to perform privilege escalation from low to medium integrity level (CVE-2014-8442).

Resolution

Upgrade to 11.2.202.418-1. # pacman -Syu "flashplugin>=11.2.202.418-1"
The problem has been fixed upstream in version 11.2.202.418.

References

https://helpx.adobe.com/support/programs/support-options-free-discontinued-apps-services.html https://bugs.archlinux.org/task/42769 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0573 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0574 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0576 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0577 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0581 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0582 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0583 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0584 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0585 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0586 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0588 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0589 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0590 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8437 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8438 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8440 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8441 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8442

Severity
CVE-2014-0581, CVE-2014-0582, CVE-2014-0583, CVE-2014-0584,
CVE-2014-0585, CVE-2014-0586, CVE-2014-0588, CVE-2014-0589,
CVE-2014-0590, CVE-2014-8437, CVE-2014-8438, CVE-2014-8440,
CVE-2014-8441, CVE-2014-8442
Package : flashplugin
Type : remote code execution
Remote : Yes
Link : https://wiki.archlinux.org/title/CVE-2014

Workaround

Disable or remove the flash plugin.

Related News