Bug 19664 - flash-player-plugin security update 11.2.202.643
Summary: flash-player-plugin security update 11.2.202.643
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA5-32-OK MGA5-64-OK advisory
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2016-10-27 09:23 CEST by Nicolas Salguero
Modified: 2016-11-01 01:34 CET

See Also:
Source RPM: flash-player-plugin
CVE: CVE-2016-7855
Status comment:

Description Nicolas Salguero 2016-10-27 09:23:16 CEST
Hi,

Version 11.2.202.643 fixes a use-after-free vulnerability that could lead to code execution (CVE-2016-7855).

Best regards,

Nico.
Nicolas Salguero 2016-10-27 09:24:14 CEST

CVE: (none) => CVE-2016-7855
Source RPM: (none) => flash-player-plugin
Whiteboard: (none) => MGA5TOO

Rémi Verschelde 2016-10-27 09:34:20 CEST

Assignee: bugsquad => anssi.hannula

Comment 1 Thomas Backlund 2016-10-29 21:29:16 CEST

SRPM:
flash-player-plugin-11.2.202.643-1.mga5.nonfree.src.rpm


i586:
flash-player-plugin-11.2.202.643-1.mga5.nonfree.i586.rpm
flash-player-plugin-kde-11.2.202.643-1.mga5.nonfree.i586.rpm


x86_64:
flash-player-plugin-11.2.202.643-1.mga5.nonfree.x86_64.rpm
flash-player-plugin-kde-11.2.202.643-1.mga5.nonfree.x86_64.rpm





Advisory:
This update fixes a use-after-free issue that can be triggered by attackers
for arbitrary code execution, potentially allowing the attacker to take control
of the affected system (CVE-2016-7855).


References:
https://helpx.adobe.com/security/products/flash-player/apsb16-36.html

CC: (none) => tmb
Assignee: anssi.hannula => qa-bugs

Thomas Backlund 2016-10-29 21:29:31 CEST

Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)

Comment 2 James Kerr 2016-10-30 10:59:39 CET
On mga5-64

Installed packages:
flash-player-plugin-kde-11.2.202.643-1.mga5.nonfree.x86_64.rpm 
flash-player-plugin-11.2.202.643-1.mga5.nonfree.x86_64

KDE System Settings module seems to be fully functional

Streaming video and video playing OK, including those where Firefox had been reporting the previous flash-player version as insecure.

OK for me on mga5-64

CC: (none) => jim

Comment 3 William Kenney 2016-10-30 17:56:35 CET
In VirtualBox, M5, KDE, 32-bit

Package(s) under test:
flash-player-plugin flash-player-plugin-kde

default install of flash-player-plugin & flash-player-plugin-kde

[root@localhost wilcal]# urpmi flash-player-plugin
Package flash-player-plugin-11.2.202.637-1.mga5.nonfree.i586 is already installed
[root@localhost wilcal]# urpmi flash-player-plugin-kde
Package flash-player-plugin-kde-11.2.202.637-1.mga5.nonfree.i586 is already installed

https://www.adobe.com/software/flash/about/
works, reloads and works again. Shows I am using flash: 11,2,202,637
Various sites indicate that flash is out of date.

install flash-player-plugin & flash-player-plugin-kde from updates_testing

[root@localhost wilcal]# urpmi flash-player-plugin
Package flash-player-plugin-11.2.202.643-1.mga5.nonfree.i586 is already installed
[root@localhost wilcal]# urpmi flash-player-plugin-kde
Package flash-player-plugin-kde-11.2.202.643-1.mga5.nonfree.i586 is already installed

https://www.adobe.com/software/flash/about/
works, reloads and works again. Shows I am using flash: 11,2,202,643
No indication of out of date flash player.

CC: (none) => wilcal.int

William Kenney 2016-10-30 17:56:51 CET

Whiteboard: (none) => MGA5-32-OK

Comment 4 William Kenney 2016-10-30 18:11:58 CET
In VirtualBox, M5, KDE, 64-bit

Package(s) under test:
flash-player-plugin flash-player-plugin-kde

default install of flash-player-plugin & flash-player-plugin-kde

[root@localhost wilcal]# urpmi flash-player-plugin
Package flash-player-plugin-11.2.202.637-1.mga5.nonfree.x86_64 is already installed
[root@localhost wilcal]# urpmi flash-player-plugin-kde
Package flash-player-plugin-kde-11.2.202.637-1.mga5.nonfree.x86_64 is already installed

https://www.adobe.com/software/flash/about/
works, reloads and works again. Shows I am using flash: 11,2,202,637
Various sites indicate that flash is out of date.

install flash-player-plugin & flash-player-plugin-kde from updates_testing

[root@localhost wilcal]# urpmi flash-player-plugin
Package flash-player-plugin-11.2.202.643-1.mga5.nonfree.x86_64 is already installed
[root@localhost wilcal]# urpmi flash-player-plugin-kde
Package flash-player-plugin-kde-11.2.202.643-1.mga5.nonfree.x86_64 is already installed

https://www.adobe.com/software/flash/about/
works, reloads and works again. Shows I am using flash: 11,2,202,643
No indication of out of date flash player.
William Kenney 2016-10-30 18:12:13 CET

Whiteboard: MGA5-32-OK => MGA5-32-OK MGA5-64-OK

Comment 5 William Kenney 2016-10-30 18:12:32 CET
This update works fine.
Testing complete for MGA5, 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push to updates?
Thanks
William Kenney 2016-10-30 18:12:43 CET

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 6 Fred Thuillier 2016-10-30 21:25:48 CET
KDE/Firefox i386 

Tested on scratch projects, scratch editor and streaming site. It works :)

CC: (none) => fred.thuillier

Comment 7 Thomas Andrews 2016-10-31 00:23:44 CET
Adding my voice to the chorus. This update is working on my 64-bit AMD/nvidia machine as it should. The notice that it was out of date is gone.

CC: (none) => andrewsfarm

Dave Hodgins 2016-10-31 19:16:43 CET

CC: (none) => davidwhodgins
Whiteboard: MGA5-32-OK MGA5-64-OK => MGA5-32-OK MGA5-64-OK advisory

Comment 8 Mageia Robot 2016-11-01 01:34:00 CET
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0360.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
