Bug 19664

Summary: flash-player-plugin security update 11.2.202.643
Product: Mageia Reporter: Nicolas Salguero <nicolas.salguero>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, davidwhodgins, fred.thuillier, jim, sysadmin-bugs, tmb, wilcal.int
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA5-32-OK MGA5-64-OK advisory
Source RPM: flash-player-plugin CVE: CVE-2016-7855
Status comment:

Description Nicolas Salguero 2016-10-27 09:23:16 CEST 
Hi,

Version 11.2.202.643 fixes a use-after-free vulnerability that could lead to code execution (CVE-2016-7855).

Best regards,

Nico.
Nicolas Salguero 2016-10-27 09:24:14 CEST

CVE: (none) => CVE-2016-7855
Source RPM: (none) => flash-player-plugin
Whiteboard: (none) => MGA5TOO

RĂ©mi Verschelde 2016-10-27 09:34:20 CEST

Assignee: bugsquad => anssi.hannula

Comment 1 Thomas Backlund 2016-10-29 21:29:16 CEST 

SRPM:
flash-player-plugin-11.2.202.643-1.mga5.nonfree.src.rpm


i586:
flash-player-plugin-11.2.202.643-1.mga5.nonfree.i586.rpm
flash-player-plugin-kde-11.2.202.643-1.mga5.nonfree.i586.rpm


x86_64:
flash-player-plugin-11.2.202.643-1.mga5.nonfree.x86_64.rpm
flash-player-plugin-kde-11.2.202.643-1.mga5.nonfree.x86_64.rpm





Advisory:
This update fixes a use-after-free issue that can be triggered by attackers
for arbitrary code execution, potentially allow the attacker to take control
of the affected system (CVE-2016-7855).


References:
https://helpx.adobe.com/security/products/flash-player/apsb16-36.html

CC: (none) => tmb
Assignee: anssi.hannula => qa-bugs

Thomas Backlund 2016-10-29 21:29:31 CEST

Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)

Comment 2 James Kerr 2016-10-30 10:59:39 CET 
On mga5-64

Installed packages:
flash-player-plugin-kde-11.2.202.643-1.mga5.nonfree.x86_64.rpm 
flash-player-plugin-11.2.202.643-1.mga5.nonfree.x86_64

KDE systems Settings module seems to be fully functional

Streaming video and video playing OK, including those where firefox had been reporting the previous flash-player version as insecure.

OK for me on mga5-64

CC: (none) => jim

Comment 3 William Kenney 2016-10-30 17:56:35 CET 
In VirtualBox, M5, KDE, 32-bit

Package(s) under test:
flash-player-plugin flash-player-plugin-kde

default install of flash-player-plugin & flash-player-plugin-kde

[root@localhost wilcal]# urpmi flash-player-plugin
Package flash-player-plugin-11.2.202.637-1.mga5.nonfree.i586 is already installed
[root@localhost wilcal]# urpmi flash-player-plugin-kde
Package flash-player-plugin-kde-11.2.202.637-1.mga5.nonfree.i586 is already installed

https://www.adobe.com/software/flash/about/
works, reloads and works again. Shows I am using flash: 11,2,202,637
Various sites indicate that flash is out of date.

install flash-player-plugin & flash-player-plugin-kde from updates_testing

[root@localhost wilcal]# urpmi flash-player-plugin
Package flash-player-plugin-11.2.202.643-1.mga5.nonfree.i586 is already installed
[root@localhost wilcal]# urpmi flash-player-plugin-kde
Package flash-player-plugin-kde-11.2.202.643-1.mga5.nonfree.i586 is already installed

https://www.adobe.com/software/flash/about/
works, reloads and works again. Shows I am using flash: 11,2,202,643
No indication of out of date flash player.

CC: (none) => wilcal.int

William Kenney 2016-10-30 17:56:51 CET

Whiteboard: (none) => MGA5-32-OK

Comment 4 William Kenney 2016-10-30 18:11:58 CET 
In VirtualBox, M5, KDE, 64-bit

Package(s) under test:
flash-player-plugin flash-player-plugin-kde

default install of flash-player-plugin & flash-player-plugin-kde

[root@localhost wilcal]# urpmi flash-player-plugin
Package flash-player-plugin-11.2.202.637-1.mga5.nonfree.x86_64 is already installed
[root@localhost wilcal]# urpmi flash-player-plugin-kde
Package flash-player-plugin-kde-11.2.202.637-1.mga5.nonfree.x86_64 is already installed

https://www.adobe.com/software/flash/about/
works, reloads and works again. Shows I am using flash: 11,2,202,637
Various sites indicate that flash is out of date.

install flash-player-plugin & flash-player-plugin-kde from updates_testing

[root@localhost wilcal]# urpmi flash-player-plugin
Package flash-player-plugin-11.2.202.643-1.mga5.nonfree.x86_64 is already installed
[root@localhost wilcal]# urpmi flash-player-plugin-kde
Package flash-player-plugin-kde-11.2.202.643-1.mga5.nonfree.x86_64 is already installed

https://www.adobe.com/software/flash/about/
works, reloads and works again. Shows I am using flash: 11,2,202,643
No indication of out of date flash player.
William Kenney 2016-10-30 18:12:13 CET

Whiteboard: MGA5-32-OK => MGA5-32-OK MGA5-64-OK

Comment 5 William Kenney 2016-10-30 18:12:32 CET 
This update works fine.
Testing complete for MGA5, 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push to updates.
Thanks
William Kenney 2016-10-30 18:12:43 CET

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 6 Fred Thuillier 2016-10-30 21:25:48 CET 
KDE/Firefox i386 

Tested on scratch projects, scratch editor and streaming site. It works :)

CC: (none) => fred.thuillier

Comment 7 Thomas Andrews 2016-10-31 00:23:44 CET 
Adding my voice to the chorus. This update working on my 64-bit AMD/nvidia machine as it should. The notice that it was out of date is gone.

CC: (none) => andrewsfarm

Dave Hodgins 2016-10-31 19:16:43 CET

CC: (none) => davidwhodgins
Whiteboard: MGA5-32-OK MGA5-64-OK => MGA5-32-OK MGA5-64-OK advisory

Comment 8 Mageia Robot 2016-11-01 01:34:00 CET 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0360.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED