ArchLinux: 201701-16: flashplugin: multiple issues
Summary
- CVE-2017-2925 (arbitrary code execution)
Adobe Flash Player versions 24.0.0.186 and earlier have an exploitable
memory corruption vulnerability in the JPEG XR codec.
- CVE-2017-2926 (arbitrary code execution)
Adobe Flash Player versions 24.0.0.186 and earlier have an exploitable
memory corruption vulnerability related to processing of atoms in MP4
files.
- CVE-2017-2927 (arbitrary code execution)
Adobe Flash Player versions 24.0.0.186 and earlier have an exploitable
heap overflow vulnerability when processing Adobe Texture Format files.
- CVE-2017-2928 (arbitrary code execution)
Adobe Flash Player versions 24.0.0.186 and earlier have an exploitable
memory corruption vulnerability related to setting visual mode effects.
- CVE-2017-2930 (arbitrary code execution)
Adobe Flash Player versions 24.0.0.186 and earlier have an exploitable
memory corruption vulnerability due to a concurrency error when
manipulating a display list. Successful exploitation could lead to
arbitrary code execution.
- CVE-2017-2931 (arbitrary code execution)
Adobe Flash Player versions 24.0.0.186 and earlier have an exploitable
memory corruption vulnerability related to the parsing of SWF metadata.
- CVE-2017-2932 (arbitrary code execution)
Adobe Flash Player versions 24.0.0.186 and earlier have an exploitable
use-after-free vulnerability in the ActionScript MovieClip class.
- CVE-2017-2933 (arbitrary code execution)
Adobe Flash Player versions 24.0.0.186 and earlier have an exploitable
heap overflow vulnerability related to texture compression.
- CVE-2017-2934 (arbitrary code execution)
Adobe Flash Player versions 24.0.0.186 and earlier have an exploitable
heap overflow vulnerability when parsing Adobe Texture Format files.
- CVE-2017-2935 (arbitrary code execution)
Adobe Flash Player versions 24.0.0.186 and earlier have an exploitable
heap overflow vulnerability when processing the Flash Video container
file format.
- CVE-2017-2936 (arbitrary code execution)
Adobe Flash Player versions 24.0.0.186 and earlier have an exploitable
use-after-free vulnerability in the ActionScript FileReference class.
- CVE-2017-2937 (arbitrary code execution)
Adobe Flash Player versions 24.0.0.186 and earlier have an exploitable
use-after-free vulnerability in the ActionScript FileReference class,
when using class inheritance.
- CVE-2017-2938 (information disclosure)
Adobe Flash Player versions 24.0.0.186 and earlier have a security
bypass vulnerability related to handling TCP connections.
Resolution
Upgrade to 24.0.0.194-1.
# pacman -Syu "flashplugin>=24.0.0.194-1"
The problems have been fixed upstream in version 24.0.0.194.
References
https://helpx.adobe.com/support/programs/support-options-free-discontinued-apps-services.html
https://security.archlinux.org/CVE-2017-2925
https://security.archlinux.org/CVE-2017-2926
https://security.archlinux.org/CVE-2017-2927
https://security.archlinux.org/CVE-2017-2928
https://security.archlinux.org/CVE-2017-2930
https://security.archlinux.org/CVE-2017-2931
https://security.archlinux.org/CVE-2017-2932
https://security.archlinux.org/CVE-2017-2933
https://security.archlinux.org/CVE-2017-2934
https://security.archlinux.org/CVE-2017-2935
https://security.archlinux.org/CVE-2017-2936
https://security.archlinux.org/CVE-2017-2937
https://security.archlinux.org/CVE-2017-2938
Workaround
None.