Bug 12836

Summary: multiple vulnerabilities in flash-player-plugin (CVE-2014-0498, CVE-2014-0499, CVE-2014-0502)
Product: Mageia Reporter: Oden Eriksson <oe>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: anssi.hannula, lewyssmith, napcok, rverschelde, sysadmin-bugs, tmb
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://helpx.adobe.com/security/products/flash-player/apsb14-07.html
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok advisory
Source RPM: flash-player-plugin CVE: CVE-2014-0498, CVE-2014-0499, CVE-2014-0502
Status comment:

Description Oden Eriksson 2014-02-21 09:13:44 CET 
======================================================
Name: CVE-2014-0498
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0498
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20131220
Category: 
Reference: CONFIRM:http://helpx.adobe.com/security/products/flash-player/apsb14-07.html

Stack-based buffer overflow in Adobe Flash Player before 11.7.700.269
and 11.8.x through 12.0.x before 12.0.0.70 on Windows and Mac OS X and
before 11.2.202.341 on Linux, Adobe AIR before 4.0.0.1628 on Android,
Adobe AIR SDK before 4.0.0.1628, and Adobe AIR SDK & Compiler before
4.0.0.1628 allows attackers to execute arbitrary code via unspecified
vectors.



======================================================
Name: CVE-2014-0499
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0499
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20131220
Category: 
Reference: CONFIRM:http://helpx.adobe.com/security/products/flash-player/apsb14-07.html

Adobe Flash Player before 11.7.700.269 and 11.8.x through 12.0.x
before 12.0.0.70 on Windows and Mac OS X and before 11.2.202.341 on
Linux, Adobe AIR before 4.0.0.1628 on Android, Adobe AIR SDK before
4.0.0.1628, and Adobe AIR SDK & Compiler before 4.0.0.1628 do not
prevent access to address information, which makes it easier for
attackers to bypass the ASLR protection mechanism via unspecified
vectors.



======================================================
Name: CVE-2014-0502
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0502
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20131220
Category: 
Reference: CONFIRM:http://helpx.adobe.com/security/products/flash-player/apsb14-07.html

Double free vulnerability in Adobe Flash Player before 11.7.700.269
and 11.8.x through 12.0.x before 12.0.0.70 on Windows and Mac OS X and
before 11.2.202.341 on Linux, Adobe AIR before 4.0.0.1628 on Android,
Adobe AIR SDK before 4.0.0.1628, and Adobe AIR SDK & Compiler before
4.0.0.1628 allows remote attackers to execute arbitrary code via
unspecified vectors, as exploited in the wild in February 2014.




Reproducible: 

Steps to Reproduce:
Comment 1 Oden Eriksson 2014-02-21 09:34:29 CET 
flash-player-plugin-11.2.202.341-1.mga3 and flash-player-plugin-11.2.202.341-1.mga4 has been submitted to nonfree/updates_testing.

flash-player-plugin-11.2.202.341-1.mga5 has been submitted to nonfree/release
Comment 2 Anssi Hannula 2014-02-21 12:56:09 CET 
Thanks Oden :)

Assigning to QA.

Suggested advisory:
============
Adobe Flash Player 11.2.202.341 contains fixes to critical security vulnerabilities found in earlier versions that could cause a crash and potentially allow an attacker to remotely take control of the affected system.

This update resolves a stack overflow vulnerability that could result in arbitrary code execution (CVE-2014-0498).

This update resolves a memory leak vulnerability that could be used to defeat memory address layout randomization (CVE-2014-0499).

This update resolves a double free vulnerability that could result in arbitrary code execution (CVE-2014-0502).

Adobe is aware of reports that CVE-2014-0502 is being exploited in the wild.

References:
http://helpx.adobe.com/security/products/flash-player/apsb14-07.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0498
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0499
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0502
============

Source packages:
flash-player-plugin-11.2.202.341-1.mga3.nonfree
flash-player-plugin-11.2.202.341-1.mga4.nonfree

Binary packages:
flash-player-plugin-11.2.202.341-1.mga3.nonfree
flash-player-plugin-kde-11.2.202.341-1.mga3.nonfree
flash-player-plugin-11.2.202.341-1.mga4.nonfree
flash-player-plugin-kde-11.2.202.341-1.mga4.nonfree

Status: NEW => ASSIGNED
CC: (none) => anssi.hannula
Hardware: i586 => All
CVE: (none) => CVE-2014-0498, CVE-2014-0499, CVE-2014-0502
Version: 3 => 4
Assignee: bugsquad => qa-bugs
Whiteboard: (none) => MGA3TOO

claire robinson 2014-02-21 13:08:52 CET

Severity: normal => critical

Comment 3 claire robinson 2014-02-21 13:25:55 CET 
Testing complete mga3 32

Checked flash videos play ok and deleted all flash storage in kde system settings.

Whiteboard: MGA3TOO => MGA3TOO has_procedure mga3-32-ok

Comment 4 Daniel Napora 2014-02-21 14:16:37 CET 
Testing complete mga4 64

CC: (none) => napcok
Whiteboard: MGA3TOO has_procedure mga3-32-ok => MGA3TOO has_procedure mga3-32-ok mga4-64-ok

Comment 5 claire robinson 2014-02-21 14:20:16 CET 
Testing complete mga3 64

Whiteboard: MGA3TOO has_procedure mga3-32-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok

Comment 6 Daniel Napora 2014-02-21 15:05:10 CET 
Testing complete mga4 32

Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok

Comment 7 RĂ©mi Verschelde 2014-02-21 15:20:05 CET 
Validating update, advisory has been uploaded.

Please push to 3 & 4 nonfree/updates.

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok advisory
CC: (none) => remi, sysadmin-bugs

Comment 8 Lewis Smith 2014-02-21 16:27:36 CET 
(In reply to Daniel Napora from comment #4)
> Testing complete mga4 64
Confirmed (we played in parallel).
FWIW Flash worked for me in Firefox, Opera, Web; but *not* Konqueror.

CC: (none) => lewyssmith

Comment 9 Thomas Backlund 2014-02-21 19:29:08 CET 
Update pushed:
http://advisories.mageia.org/MGASA-2014-0091.html

Status: ASSIGNED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED