Bug 15207

Summary: Security update request for flash-player-plugin, to 11.2.202.442
Product: Mageia Reporter: Anssi Hannula <anssi.hannula>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: olchal, sysadmin-bugs, wilcal.int
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: advisory MGA4-64-OK MGA4-32-OK
Source RPM: flash-player-plugin CVE: CVE-2015-0313, CVE-2015-0314, CVE-2015-0315, CVE-2015-0316, CVE-2015-0317, CVE-2015-0318, CVE-2015-0319, CVE-2015-0320, CVE-2015-0321, CVE-2015-0322, CVE-2015-0323, CVE-2015-0324, CVE-2015-0325, CVE-2015-0326, CVE-2015-0327, CVE-2015-0328, CVE-2015-0329
Status comment:

Description Anssi Hannula 2015-02-05 18:07:59 CET 
Advisory:
============
Adobe Flash Player 11.2.202.442 contains fixes to critical security vulnerabilities found in earlier versions that could cause a crash and potentially allow an attacker to take control of the affected system.

This updates resolves use-after-free vulnerabilities that could lead to code execution (CVE-2015-0313, CVE-2015-0315, CVE-2015-0320, CVE-2015-0322). 

This updates resolves memory corruption vulnerabilities that could lead to code execution (CVE-2015-0314, CVE-2015-0316, CVE-2015-0318, CVE-2015-0321, CVE-2015-0329, CVE-2015-0330). 

This updates resolves type confusion vulnerabilities that could lead to code execution (CVE-2015-0317, CVE-2015-0319). 

This updates resolves heap buffer overflow vulnerabilities that could lead to code execution (CVE-2015-0323, CVE-2015-0327). 

This updates resolves a buffer overflow vulnerability that could lead to code execution (CVE-2015-0324). 

This updates resolves null pointer dereference issues (CVE-2015-0325, CVE-2015-0326, CVE-2015-0328).

Adobe reports that CVE-2015-0313 is already being actively exploited in the wild via drive-by-download attacks against systems running Internet Explorer and Firefox on Windows, but it also reports that this specific vulnerability is not exploitable on any Flash Player version 11.x or older, which is what is provided on Mageia 4.

References:
http://helpx.adobe.com/security/products/flash-player/apsb15-04.html
http://helpx.adobe.com/security/products/flash-player/apsa15-02.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0313
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0314
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0315
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0316
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0317
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0318
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0319
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0320
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0321
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0322
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0323
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0324
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0325
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0326
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0327
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0328
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0329
============

NOTE: I decided to include CVE-2015-0313 even though 11.x should not be affected by it, for completeness and because the Security Bulletin implies it is affected even though the earlier Security Advisory explicitly said it does not affect 11.x.

Updated Flash Player 11.2.202.442 packages are in mga4 nonfree/updates_testing.

Source packages:
flash-player-plugin-11.2.202.442-1.mga4.nonfree

Binary packages:
flash-player-plugin-11.2.202.442-1.mga4.nonfree
flash-player-plugin-kde-11.2.202.442-1.mga4.nonfree
Comment 1 Anssi Hannula 2015-02-05 18:17:59 CET 
Oops, copypaste typo in advisory, should be "This update resolves" instead of "This updates resolves", times x6.
Comment 2 claire robinson 2015-02-05 18:21:11 CET 
Well spotted, thanks Anssi :)
Comment 3 claire robinson 2015-02-05 18:28:38 CET 
Advisory uploaded.

Whiteboard: (none) => advisory

claire robinson 2015-02-05 18:29:00 CET

Severity: normal => critical

Comment 4 olivier charles 2015-02-05 18:43:14 CET 
On Mageia 4x64 real hardware,

updated to :
- flash-player-plugin-11.2.202.442-1.mga4.nonfree.x86_64
- flash-player-plugin-kde-11.2.202.442-1.mga4.nonfree.x86_64

https://www.mozilla.org/en-US/plugincheck/
Shockwave FlashShockwave Flash 11.2 r202	Up to Date
11.2.202.442

https://www.adobe.com/software/flash/about/
You have version 11,2,202,442 installed

Could browse to various site over http or https visualizing flash videos, could use KDE adobe flash configuration, consult and delete storage, change some settings.

OK for me.

CC: (none) => olchal
Whiteboard: advisory => advisory MGA4-64-OK

Comment 5 David Walser 2015-02-06 03:23:22 CET 
Also good on i586.  Validating now.  Please push to nonfree/updates.

Keywords: Security => validated_update
Whiteboard: advisory MGA4-64-OK => advisory MGA4-64-OK MGA4-32-OK
CC: (none) => sysadmin-bugs

Comment 6 William Kenney 2015-02-06 17:44:15 CET 
Please push ASAP. Flash is causing a mess out there.
Thanks.

CC: (none) => wilcal.int

Comment 7 Mageia Robot 2015-02-06 17:52:09 CET 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0054.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED