Bug 22534

Summary: flash-player-plugin security update 28.0.0.161
Product: Mageia Reporter: Nicolas Salguero <nicolas.salguero>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: anssi.hannula, davidwhodgins, j.alberto.vc, marja11, sysadmin-bugs
Version: 6Keywords: Security, advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: https://helpx.adobe.com/security/products/flash-player/apsb18-03.html
Whiteboard: mga6-64-ok
Source RPM: flash-player-plugin CVE: CVE-2018-4877 CVE-2018-4878
Status comment:

Description Nicolas Salguero 2018-02-06 09:52:22 CET 
Hi,

Version 28.0.0.161 fixes:

A critical vulnerability (CVE-2018-4878) exists in Adobe Flash Player 28.0.0.137 and earlier versions. Successful exploitation could potentially allow an attacker to take control of the affected system.

Adobe is aware of a report that an exploit for CVE-2018-4878 exists in the wild, and is being used in limited, targeted attacks against Windows users. These attacks leverage Office documents with embedded malicious Flash content distributed via email.

Reference:
https://helpx.adobe.com/security/products/flash-player/apsa18-01.html

Best regards,

Nico.
Nicolas Salguero 2018-02-06 09:53:17 CET

CVE: (none) => CVE-2018-4878
Whiteboard: (none) => MGA6TOO
Source RPM: (none) => flash-player-plugin

Marja Van Waes 2018-02-06 10:27:01 CET

Assignee: bugsquad => anssi.hannula
CC: (none) => marja11

Comment 1 katnatek 2018-02-06 22:12:34 CET 
Make this package create the necessary links to get flash player in Chromium browser.
https://wiki.mageia.org/en/Mageia_6_Errata#Due_to_packaging_issues_flash_plugin_not_works_in_Chromium_Browser

CC: (none) => j.alberto.vc

Comment 2 Anssi Hannula 2018-02-06 22:28:00 CET 
Advisory:
============
Adobe Flash Player 28.0.0.161 addresses critical use-after-free vulnerabilities that could lead to remote code execution (CVE-2018-4877, CVE-2018-4878). Successful exploitation could potentially allow an attacker to take control of the affected system.

Adobe is aware of a report that an exploit for CVE-2018-4878 exists in the wild, and is being used in limited, targeted attacks against Windows users. These attacks leverage Office documents with embedded malicious Flash content distributed via email.

References:
https://helpx.adobe.com/security/products/flash-player/apsb18-03.html
============

Updated Flash Player packages have been submitted to mga6 nonfree/updates_testing and to cauldron nonfree/release.

Source packages:
flash-player-plugin-28.0.0.161-1.mga6.nonfree

Binary packages:
flash-player-plugin

Assignee: anssi.hannula => qa-bugs
CVE: CVE-2018-4878 => CVE-2018-4877 CVE-2018-4878
Keywords: (none) => Security
Status: NEW => ASSIGNED
URL: (none) => https://helpx.adobe.com/security/products/flash-player/apsb18-03.html
CC: (none) => anssi.hannula
Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6

Comment 3 claire robinson 2018-02-07 00:36:24 CET 
Tested mga6 64

Checked correct version being downloaded.

Note that by downloading the Adobe Flash Player you indicate your acceptance of
the EULA, available at http://www.adobe.com/products/eulas/players/flash/
Downloading from http://fpdownload.adobe.com/get/flashplayer/pdc/28.0.0.161/flash-player-ppapi-28.0.0.161-release.x86_64.rpm:


Tested at adobe test page and video plays ok.
http://get.adobe.com/flashplayer/about/

Used the awful settings manager to delete local storage.
http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager07.html

Validating. I'm not set up on this one to upload the advisory, sorry.

Whiteboard: (none) => mga6-64-ok
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Dave Hodgins 2018-02-07 13:04:13 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 4 Mageia Robot 2018-02-07 14:51:23 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0120.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED