Alerts This Week
Warning Icon 1 681
Alerts This Week
Warning Icon 1 681

Arch Linux: 201412-13 Critical Flashplugin Security Threats

Calendar Dec 12, 2014 User Avatar LinuxSecurity Advisories
1 - 2 min read
Archlinux Large Esm H500
Topics%20covered

Topics Covered

security advisory code execution information disclosure Arch Linux flashplugin policy bypass
The package flashplugin before version 11.2.202.425-1 is vulnerable to multiple issues including but not limited to arbitrary code execution, information disclosure and policy bypass. 
Arch Linux Security Advisory ASA-201412-13
=========================================
Severity: Critical
Date    : 2014-12-12
CVE-ID  : CVE-2014-0580 CVE-2014-0587 CVE-2014-8443 CVE-2014-9163
          CVE-2014-9164 CVE-2014-9162
Package : flashplugin
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/title/CVE-2014

Summary
======
The package flashplugin before version 11.2.202.425-1 is
vulnerable to multiple issues including but not limited to arbitrary
code execution, information disclosure and policy bypass.

Resolution
=========
Upgrade to 11.2.202.425-1.

# pacman -Syu "flashplugin>=11.2.202.425-1"

The problems have been fixed upstream in version 11.2.202.425.

Workaround
=========
None.

Description
==========
- CVE-2014-0580 (policy bypass)
A flaw allows remote attackers to bypass the same origin policy via
unspecified vectors.

- CVE-2014-0587 (arbitrary code execution)
A flaw allows attackers to execute arbitrary code or cause a denial of
service (memory corruption) via unspecified vectors.

- CVE-2014-8443 (arbitrary code execution)
A flaw allows attackers to execute arbitrary code via a use-after-free
vulnerability.

- CVE-2014-9163 (arbitrary code execution)
A flaw allows attackers to execute arbitrary code via a stack-based
buffer overflow vulnerability.

- CVE-2014-9164 (arbitrary code execution)
A flaw allows attackers to execute arbitrary code or cause a denial of
service (memory corruption) via unspecified vectors.

- CVE-2014-9162 (information disclosure)
A flaw allows attackers to obtain sensitive information via unspecified
vectors.

Impact
=====
A remote attacker is able to execute arbitrary code, bypass the same
origin policy, obtain sensitive information or crash the plugin via
various unspecified vectors.

References
=========
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0580
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0587
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8443
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9162
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9163
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9164

Related News

Your message here