Alerts This Week
Warning Icon 1 758
Alerts This Week
Warning Icon 1 758

Arch Linux: ASA-201501-8 Critical: Flashplugin Remote Code Execution

Archlinux Large Esm H446
The package flashplugin before version 11.2.202.429-1 is vulnerable to multiple issues, including but not limited to remote code execution.
Arch Linux Security Advisory ASA-201501-8
========================================
Severity: Critical
Date    : 2014-01-15
CVE-ID  : CVE-2015-0301 CVE-2015-0302 CVE-2015-0303 CVE-2015-0304
CVE-2015-0305 CVE-2015-0306 CVE-2015-0307 CVE-2015-0308 CVE-2015-0309
Package : flashplugin
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/title/CVE

Summary
======
The package flashplugin before version 11.2.202.429-1 is vulnerable to
multiple issues, including but not limited to remote code execution.

Resolution
=========
Upgrade to 11.2.202.429-1.

# pacman -Syu "flashplugin>=11.2.202.429-1"

The problem has been fixed upstream in version 11.2.202.429.

Workaround
=========
If an upgrade is not possible, you may want to disable the flashplugin
on your system.

Description
==========
- CVE-2015-0301

Improper file validation issue.

- CVE-2015-0302 (information disclosure)

Information disclosure vulnerability that could be exploited to capture
keystrokes on the affected system.

- CVE-2015-0303, CVE-2015-0306 (arbitrary code execution)

Memory corruption vulnerabilities that could lead to code execution.

- CVE-2015-0304, CVE-2015-0309 (arbitrary code execution)

Heap-based buffer overflow vulnerabilities that could lead to code execution

- CVE-2015-0305 (arbitrary code execution)

Type confusion vulnerability that could lead to code execution.

- CVE-2015-0307 (information disclosure)

Out-of-bounds read vulnerability that could be exploited to leak memory
addresses.

- CVE-2015-0308 (arbitrary code execution)

Use-after-free vulnerability that could lead to code execution.

Impact
=====
An attacker able to supply a malicious flash application may be able to
capture keystrokes or execute arbitrary code on the affected system.

References
=========
https://bugs.archlinux.org/task/43455
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0301
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0302
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0303
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0304
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0305
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0306
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0307
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0308
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0309

Your message here