Discover Government News

Arch Linux Security Advisory ASA-201607-7
========================================
Severity: Critical
Date    : 2016-07-18
CVE-ID  : CVE-2016-4173 CVE-2016-4174 CVE-2016-4175 CVE-2016-4176
          CVE-2016-4177 CVE-2016-4179 CVE-2016-4180 CVE-2016-4181
          CVE-2016-4182 CVE-2016-4183 CVE-2016-4184 CVE-2016-4185
          CVE-2016-4186 CVE-2016-4187 CVE-2016-4188 CVE-2016-4189
          CVE-2016-4190 CVE-2016-4217 CVE-2016-4218 CVE-2016-4219
          CVE-2016-4220 CVE-2016-4221 CVE-2016-4222 CVE-2016-4223
          CVE-2016-4224 CVE-2016-4225 CVE-2016-4226 CVE-2016-4227
          CVE-2016-4228 CVE-2016-4229 CVE-2016-4230 CVE-2016-4231
          CVE-2016-4232 CVE-2016-4233 CVE-2016-4234 CVE-2016-4235
          CVE-2016-4236 CVE-2016-4237 CVE-2016-4238 CVE-2016-4239
          CVE-2016-4240 CVE-2016-4241 CVE-2016-4242 CVE-2016-4243
          CVE-2016-4244 CVE-2016-4245 CVE-2016-4246 CVE-2016-4247
          CVE-2016-4248
Package : lib32-flashplugin
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
======
The package lib32-flashplugin before version 11.2.202.632-1 is
vulnerable to multiple issues including arbitrary code execution, denial
of service and information disclosure.

Resolution
=========
Upgrade to 11.2.202.632-1.

# pacman -Syu "lib32-flashplugin>=11.2.202.632-1"

The problems have been fixed upstream in version 11.2.202.632.

Workaround
=========
None.

Description
==========
- CVE-2016-4175 CVE-2016-4179 CVE-2016-4180 CVE-2016-4181 CVE-2016-4182
  CVE-2016-4183 CVE-2016-4184 CVE-2016-4185 CVE-2016-4186 CVE-2016-4187
  CVE-2016-4188 CVE-2016-4189 CVE-2016-4190 CVE-2016-4217 CVE-2016-4218
  CVE-2016-4219 CVE-2016-4220 CVE-2016-4221 CVE-2016-4233 CVE-2016-4234
  CVE-2016-4235 CVE-2016-4236 CVE-2016-4237 CVE-2016-4238 CVE-2016-4239
  CVE-2016-4240 CVE-2016-4241 CVE-2016-4242 CVE-2016-4243 CVE-2016-4244
  CVE-2016-4245 CVE-2016-4246 (arbitrary code execution)

Multiple Memory corruption vulnerabilities that could lead to arbitrary
code execution have been found. These vulnerabilities were discovered by
willJ of Tencent PC Manager, Sébastien Morin of COSIG, Yuki Chen of
Qihoo 360 Vulcan Team, Wen Guanxing from Pangu LAB, and Jie Zeng of
Tencent Zhanlu Lab.

- CVE-2016-4247 (information disclosure)

A race condition that could lead to information disclosure has been
discovered. This vulnerability has been discovered by Stefan Kanthak.

- CVE-2016-4223 CVE-2016-4224 CVE-2016-4225 (arbitrary code execution)

Three type confusion vulnerabilities that could lead to arbitrary code
execution have been found. These vulnerabilities were discovered by
Ohara Rinne, Kurutsu Karen, and Garandou Sara working with Trend Micro's
Zero Day Initiative.

- CVE-2016-4173 CVE-2016-4174 CVE-2016-4222 CVE-2016-4226
  CVE-2016-4227 CVE-2016-4228 CVE-2016-4229 CVE-2016-4230
  CVE-2016-4231 CVE-2016-4248 (arbitrary code execution)

Multiple use-after-free vulnerabilities that could lead to arbitrary
code execution have been found. These vulnerabilities have been
discovered by Nicolas Joly of Microsoft Vulnerability Research, Kai Kang
(a.k.a 4B5F5F4B) working with Trend Micro's Zero Day Initiative, Jaehun
Jeong(@n3sk) of WINS WSEC Analysis Team working with Trend Micro's Zero
Day Initiative, and Natalie Silvanovich of Google Project Zero, and Wen
Guanxing from Pangu LAB.

- CVE-2016-4249 (arbitrary code execution)

A heap buffer overflow vulnerability that could lead to arbitrary code
execution has been found. This vulnerability has been discovered to
Yuki Chen of Qihoo 360 Vulcan Team working with the Chromium
Vulnerability Rewards Program.

- CVE-2016-4232 (memory leak)

A memory leak vulnerability has been discovered. This vulnerability has
been discovered by Natalie Silvanovich of Google Project Zero.

- CVE-2016-4176 CVE-2016-4177 (arbitrary code execution)

Two stack corruption vulnerabilities that could lead to arbitrary code
execution have been found. These have been found by Francis Provencher
of COSIG.

- CVE-2016-4178 (information disclosure)

A security bypass vulnerability that could lead to information
disclosure has been discovered. These issues have been discovered by
Soroush Dalili and Matthew Evans from NCC Group.

Impact
=====
A remote attacker can execute arbitrary code, crash the process, or
disclose information on the affected host via unspecified vectors.

References
=========
https://helpx.adobe.com/security/products/flash-player/apsb16-25.html
https://access.redhat.com/security/cve/CVE-2016-4173
https://access.redhat.com/security/cve/CVE-2016-4174
https://access.redhat.com/security/cve/CVE-2016-4175
https://access.redhat.com/security/cve/CVE-2016-4176
https://access.redhat.com/security/cve/CVE-2016-4177
https://access.redhat.com/security/cve/CVE-2016-4179
https://access.redhat.com/security/cve/CVE-2016-4180
https://access.redhat.com/security/cve/CVE-2016-4181
https://access.redhat.com/security/cve/CVE-2016-4182
https://access.redhat.com/security/cve/CVE-2016-4183
https://access.redhat.com/security/cve/CVE-2016-4184
https://access.redhat.com/security/cve/CVE-2016-4185
https://access.redhat.com/security/cve/CVE-2016-4186
https://access.redhat.com/security/cve/CVE-2016-4187
https://access.redhat.com/security/cve/CVE-2016-4188
https://access.redhat.com/security/cve/CVE-2016-4189
https://access.redhat.com/security/cve/CVE-2016-4190
https://access.redhat.com/security/cve/CVE-2016-4217
https://access.redhat.com/security/cve/CVE-2016-4218
https://access.redhat.com/security/cve/CVE-2016-4219
https://access.redhat.com/security/cve/CVE-2016-4220
https://access.redhat.com/security/cve/CVE-2016-4221
https://access.redhat.com/security/cve/CVE-2016-4222
https://access.redhat.com/security/cve/CVE-2016-4223
https://access.redhat.com/security/cve/CVE-2016-4224
https://access.redhat.com/security/cve/CVE-2016-4225
https://access.redhat.com/security/cve/CVE-2016-4226
https://access.redhat.com/security/cve/CVE-2016-4227
https://access.redhat.com/security/cve/CVE-2016-4228
https://access.redhat.com/security/cve/CVE-2016-4229
https://access.redhat.com/security/cve/CVE-2016-4230
https://access.redhat.com/security/cve/CVE-2016-4231
https://access.redhat.com/security/cve/CVE-2016-4232
https://access.redhat.com/security/cve/CVE-2016-4233
https://access.redhat.com/security/cve/CVE-2016-4234
https://access.redhat.com/security/cve/CVE-2016-4235
https://access.redhat.com/security/cve/CVE-2016-4236
https://access.redhat.com/security/cve/CVE-2016-4237
https://access.redhat.com/security/cve/CVE-2016-4238
https://access.redhat.com/security/cve/CVE-2016-4239
https://access.redhat.com/security/cve/CVE-2016-4240
https://access.redhat.com/security/cve/CVE-2016-4241
https://access.redhat.com/security/cve/CVE-2016-4242
https://access.redhat.com/security/cve/CVE-2016-4243
https://access.redhat.com/security/cve/CVE-2016-4244
https://access.redhat.com/security/cve/CVE-2016-4245
https://access.redhat.com/security/cve/CVE-2016-4246
https://access.redhat.com/security/cve/CVE-2016-4247
https://access.redhat.com/security/cve/CVE-2016-4248

ArchLinux: 201607-7: lib32-flashplugin: multiple issues

July 18, 2016

Summary

- CVE-2016-4175 CVE-2016-4179 CVE-2016-4180 CVE-2016-4181 CVE-2016-4182 CVE-2016-4183 CVE-2016-4184 CVE-2016-4185 CVE-2016-4186 CVE-2016-4187 CVE-2016-4188 CVE-2016-4189 CVE-2016-4190 CVE-2016-4217 CVE-2016-4218 CVE-2016-4219 CVE-2016-4220 CVE-2016-4221 CVE-2016-4233 CVE-2016-4234 CVE-2016-4235 CVE-2016-4236 CVE-2016-4237 CVE-2016-4238 CVE-2016-4239 CVE-2016-4240 CVE-2016-4241 CVE-2016-4242 CVE-2016-4243 CVE-2016-4244 CVE-2016-4245 CVE-2016-4246 (arbitrary code execution) Multiple Memory corruption vulnerabilities that could lead to arbitrary code execution have been found. These vulnerabilities were discovered by willJ of Tencent PC Manager, Sébastien Morin of COSIG, Yuki Chen of Qihoo 360 Vulcan Team, Wen Guanxing from Pangu LAB, and Jie Zeng of Tencent Zhanlu Lab.
- CVE-2016-4247 (information disclosure)
A race condition that could lead to information disclosure has been discovered. This vulnerability has been discovered by Stefan Kanthak.
- CVE-2016-4223 CVE-2016-4224 CVE-2016-4225 (arbitrary code execution)
Three type confusion vulnerabilities that could lead to arbitrary code execution have been found. These vulnerabilities were discovered by Ohara Rinne, Kurutsu Karen, and Garandou Sara working with Trend Micro's Zero Day Initiative.
- CVE-2016-4173 CVE-2016-4174 CVE-2016-4222 CVE-2016-4226 CVE-2016-4227 CVE-2016-4228 CVE-2016-4229 CVE-2016-4230 CVE-2016-4231 CVE-2016-4248 (arbitrary code execution)
Multiple use-after-free vulnerabilities that could lead to arbitrary code execution have been found. These vulnerabilities have been discovered by Nicolas Joly of Microsoft Vulnerability Research, Kai Kang (a.k.a 4B5F5F4B) working with Trend Micro's Zero Day Initiative, Jaehun Jeong(@n3sk) of WINS WSEC Analysis Team working with Trend Micro's Zero Day Initiative, and Natalie Silvanovich of Google Project Zero, and Wen Guanxing from Pangu LAB.
- CVE-2016-4249 (arbitrary code execution)
A heap buffer overflow vulnerability that could lead to arbitrary code execution has been found. This vulnerability has been discovered to Yuki Chen of Qihoo 360 Vulcan Team working with the Chromium Vulnerability Rewards Program.
- CVE-2016-4232 (memory leak)
A memory leak vulnerability has been discovered. This vulnerability has been discovered by Natalie Silvanovich of Google Project Zero.
- CVE-2016-4176 CVE-2016-4177 (arbitrary code execution)
Two stack corruption vulnerabilities that could lead to arbitrary code execution have been found. These have been found by Francis Provencher of COSIG.
- CVE-2016-4178 (information disclosure)
A security bypass vulnerability that could lead to information disclosure has been discovered. These issues have been discovered by Soroush Dalili and Matthew Evans from NCC Group.

Resolution

Upgrade to 11.2.202.632-1. # pacman -Syu "lib32-flashplugin>=11.2.202.632-1"
The problems have been fixed upstream in version 11.2.202.632.

References

https://helpx.adobe.com/security/products/flash-player/apsb16-25.html https://access.redhat.com/security/cve/CVE-2016-4173 https://access.redhat.com/security/cve/CVE-2016-4174 https://access.redhat.com/security/cve/CVE-2016-4175 https://access.redhat.com/security/cve/CVE-2016-4176 https://access.redhat.com/security/cve/CVE-2016-4177 https://access.redhat.com/security/cve/CVE-2016-4179 https://access.redhat.com/security/cve/CVE-2016-4180 https://access.redhat.com/security/cve/CVE-2016-4181 https://access.redhat.com/security/cve/CVE-2016-4182 https://access.redhat.com/security/cve/CVE-2016-4183 https://access.redhat.com/security/cve/CVE-2016-4184 https://access.redhat.com/security/cve/CVE-2016-4185 https://access.redhat.com/security/cve/CVE-2016-4186 https://access.redhat.com/security/cve/CVE-2016-4187 https://access.redhat.com/security/cve/CVE-2016-4188 https://access.redhat.com/security/cve/CVE-2016-4189 https://access.redhat.com/security/cve/CVE-2016-4190 https://access.redhat.com/security/cve/CVE-2016-4217 https://access.redhat.com/security/cve/CVE-2016-4218 https://access.redhat.com/security/cve/CVE-2016-4219 https://access.redhat.com/security/cve/CVE-2016-4220 https://access.redhat.com/security/cve/CVE-2016-4221 https://access.redhat.com/security/cve/CVE-2016-4222 https://access.redhat.com/security/cve/CVE-2016-4223 https://access.redhat.com/security/cve/CVE-2016-4224 https://access.redhat.com/security/cve/CVE-2016-4225 https://access.redhat.com/security/cve/CVE-2016-4226 https://access.redhat.com/security/cve/CVE-2016-4227 https://access.redhat.com/security/cve/CVE-2016-4228 https://access.redhat.com/security/cve/CVE-2016-4229 https://access.redhat.com/security/cve/CVE-2016-4230 https://access.redhat.com/security/cve/CVE-2016-4231 https://access.redhat.com/security/cve/CVE-2016-4232 https://access.redhat.com/security/cve/CVE-2016-4233 https://access.redhat.com/security/cve/CVE-2016-4234 https://access.redhat.com/security/cve/CVE-2016-4235 https://access.redhat.com/security/cve/CVE-2016-4236 https://access.redhat.com/security/cve/CVE-2016-4237 https://access.redhat.com/security/cve/CVE-2016-4238 https://access.redhat.com/security/cve/CVE-2016-4239 https://access.redhat.com/security/cve/CVE-2016-4240 https://access.redhat.com/security/cve/CVE-2016-4241 https://access.redhat.com/security/cve/CVE-2016-4242 https://access.redhat.com/security/cve/CVE-2016-4243 https://access.redhat.com/security/cve/CVE-2016-4244 https://access.redhat.com/security/cve/CVE-2016-4245 https://access.redhat.com/security/cve/CVE-2016-4246 https://access.redhat.com/security/cve/CVE-2016-4247 https://access.redhat.com/security/cve/CVE-2016-4248

Severity
CVE-2016-4177 CVE-2016-4179 CVE-2016-4180 CVE-2016-4181
CVE-2016-4182 CVE-2016-4183 CVE-2016-4184 CVE-2016-4185
CVE-2016-4186 CVE-2016-4187 CVE-2016-4188 CVE-2016-4189
CVE-2016-4190 CVE-2016-4217 CVE-2016-4218 CVE-2016-4219
CVE-2016-4220 CVE-2016-4221 CVE-2016-4222 CVE-2016-4223
CVE-2016-4224 CVE-2016-4225 CVE-2016-4226 CVE-2016-4227
CVE-2016-4228 CVE-2016-4229 CVE-2016-4230 CVE-2016-4231
CVE-2016-4232 CVE-2016-4233 CVE-2016-4234 CVE-2016-4235
CVE-2016-4236 CVE-2016-4237 CVE-2016-4238 CVE-2016-4239
CVE-2016-4240 CVE-2016-4241 CVE-2016-4242 CVE-2016-4243
CVE-2016-4244 CVE-2016-4245 CVE-2016-4246 CVE-2016-4247
CVE-2016-4248
Package : lib32-flashplugin
Type : multiple issues
Remote : Yes
Link : https://wiki.archlinux.org/index.php/CVE

Workaround

None.

Related News