ArchLinux: 201512-17: flashplugin, lib32-flashplugin: multiple issues
Summary
- CVE-2015-8459:
Memory corruption vulnerabilities that could lead to code execution.
Credited to Kai Kang of Tencent's Xuanwu LAB.
- CVE-2015-8460:
Memory corruption vulnerabilities that could lead to code execution.
Credited to Jie Zeng of Qihoo 360.
- CVE-2015-8634, CVE-2015-8635:
Use-after-free vulnerabilities that could lead to code execution.
Credited to Ben Hawkes, Mateusz Jurczyk and Natalie Silvanovich of
Google Project Zero.
- CVE-2015-8636:
Memory corruption vulnerabilities that could lead to code execution.
Credited to Ben Hawkes, Mateusz Jurczyk and Natalie Silvanovich of
Google Project Zero.
- CVE-2015-8638, CVE-2015-8639:
Use-after-free vulnerabilities that could lead to code execution.
Credited to Anonymous working with HP's Zero Day Initiative.
- CVE-2015-8640, CVE-2015-8641, CVE-2015-8642, CVE-2015-8643,
CVE-2015-8646:
Use-after-free vulnerabilities that could lead to code execution.
Credited to Yuki Chen of Qihoo 360 Vulcan Team.
- CVE-2015-8644:
Type confusion vulnerability that could lead to code execution. Credited
to Natalie Silvanovich of Google Project Zero.
- CVE-2015-8645:
Memory corruption vulnerabilities that could lead to code execution.
Credited to Jaehun Jeong (@n3sk) of WINS, WSEC Analysis Team working
with Chromium Vulnerability Reward Program.
- CVE-2015-8647, CVE-2015-8648, CVE-2015-8649, CVE-2015-8650:
Use-after-free vulnerabilities that could lead to code execution.
Credited to Anonymous working with HP's Zero Day Initiative.
- CVE-2015-8651:
Integer overflow vulnerability that could lead to code execution.
Credited to Kai Wang and Hunter Gao of Huawei's IT Infrastructure &
Security Dept, BPIT&QM.
Adobe is aware of a report that an exploit for CVE-2015-8651 is being
used in limited, targeted attacks.
Resolution
Upgrade to 11.2.202.559-1.
# pacman -Syu "flashplugin>=11.2.202.559-1"
# pacman -Syu "lib32-flashplugin>=11.2.202.559-1"
The problem has been fixed upstream in version 11.2.202.559.
References
https://helpx.adobe.com/support/programs/support-options-free-discontinued-apps-services.html https://access.redhat.com/security/cve/CVE-2015-8459 https://access.redhat.com/security/cve/CVE-2015-8460 https://access.redhat.com/security/cve/CVE-2015-8634 https://access.redhat.com/security/cve/CVE-2015-8635 https://access.redhat.com/security/cve/CVE-2015-8636 https://access.redhat.com/security/cve/CVE-2015-8638 https://access.redhat.com/security/cve/CVE-2015-8639 https://access.redhat.com/security/cve/CVE-2015-8640 https://access.redhat.com/security/cve/CVE-2015-8641 https://access.redhat.com/security/cve/CVE-2015-8642 https://access.redhat.com/security/cve/CVE-2015-8643 https://access.redhat.com/security/cve/CVE-2015-8644 https://access.redhat.com/security/cve/CVE-2015-8645 https://access.redhat.com/security/cve/CVE-2015-8646 https://access.redhat.com/security/cve/CVE-2015-8647 https://access.redhat.com/security/cve/CVE-2015-8648 https://access.redhat.com/security/cve/CVE-2015-8649 https://access.redhat.com/security/cve/CVE-2015-8650 https://access.redhat.com/security/cve/CVE-2015-8651
Workaround
None.