Arch Linux: ASA-201711-22 Critical Vulnerability in lib32-flashplugin

Ubuntu Security Notice USN-2023-10-15: lib32-gnome-utils Remote Execution

The package lib32-flashplugin before version 27.0.0.187-1 is vulnerable to arbitrary code execution.

Arch Linux Security Advisory ASA-201711-22
=========================================
Severity: Critical
Date    : 2017-11-15
CVE-ID  : CVE-2017-11213 CVE-2017-11215 CVE-2017-11225 CVE-2017-3112
          CVE-2017-3114
Package : lib32-flashplugin
Type    : arbitrary code execution
Remote  : Yes
Link    : https://security.archlinux.org/AVG-493

Summary
======
The package lib32-flashplugin before version 27.0.0.187-1 is vulnerable
to arbitrary code execution.

Resolution
=========
Upgrade to 27.0.0.187-1.

# pacman -Syu "lib32-flashplugin>=27.0.0.187-1"

The problems have been fixed upstream in version 27.0.0.187.

Workaround
=========
None.

Description
==========
- CVE-2017-11213 (arbitrary code execution)

An out-of-bounds access vulnerability has been discovered in
flashplugin before 27.0.0.187 leading to arbitrary code execution when
playing a specially crafted SWF file.

- CVE-2017-11215 (arbitrary code execution)

An use after free vulnerability has been discovered in flashplugin
before 27.0.0.187 leading to arbitrary code execution when playing a
specially crafted SWF file.

- CVE-2017-11225 (arbitrary code execution)

An use after free vulnerability has been discovered in flashplugin
before 27.0.0.187 leading to arbitrary code execution when playing a
specially crafted SWF file.

- CVE-2017-3112 (arbitrary code execution)

An out-of-bounds access vulnerability has been discovered in
flashplugin before 27.0.0.187 leading to arbitrary code execution when
playing a specially crafted SWF file.

- CVE-2017-3114 (arbitrary code execution)

An out-of-bounds access vulnerability has been discovered in
flashplugin before 27.0.0.187 leading to arbitrary code execution when
playing a specially crafted SWF file.

Impact
=====
A remote attacker is able to execute arbitrary code on the affected
host via a specially crafted SWF file.

References
=========
https://security.archlinux.org/CVE-2017-11213
https://security.archlinux.org/CVE-2017-11215
https://security.archlinux.org/CVE-2017-11225
https://security.archlinux.org/CVE-2017-3112
https://security.archlinux.org/CVE-2017-3114