Bug 20293 - flash-player-plugin security update 24.0.0.221
Summary: flash-player-plugin security update 24.0.0.221
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA5-32-OK advisory MGA5-64-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2017-02-15 09:55 CET by Nicolas Salguero
Modified: 2017-03-12 21:34 CET (History)
6 users

See Also:
Source RPM: flash-player-plugin
CVE:
Status comment:


Attachments

Description Nicolas Salguero 2017-02-15 09:55:27 CET
Hi,

Version 24.0.0.221 fixes:

A type confusion vulnerability that could lead to code execution (CVE-2017-2995).

An integer overflow vulnerability that could lead to code execution (CVE-2017-2987).

Use-after-free vulnerabilities that could lead to code execution (CVE-2017-2982, CVE-2017-2985, CVE-2017-2993, CVE-2017-2994).

Heap buffer overflow vulnerabilities that could lead to code execution (CVE-2017-2984, CVE-2017-2986, CVE-2017-2992).

Memory corruption vulnerabilities that could lead to code execution (CVE-2017-2988, CVE-2017-2990, CVE-2017-2991, CVE-2017-2996).

Reference: https://helpx.adobe.com/security/products/flash-player/apsb17-04.html

Best regards,

Nico.
Nicolas Salguero 2017-02-15 09:56:36 CET

Source RPM: (none) => flash-player-plugin
Whiteboard: (none) => MGA5TOO

David Walser 2017-02-15 11:33:53 CET

Assignee: bugsquad => anssi.hannula

Comment 1 Thomas Andrews 2017-02-16 20:53:41 CET
I'm glad to see this one in the pipeline. I discovered this morning when I wanted to look up a John Deere part number that the 64-bit flash player installer that's currently in the Cauldron repositories no longer works. 

This is probably because it pulls in the plugin from Adobe, and Adobe no longer lists that version as available for download. I just made this Cauldron install a few days ago, and I installed the plugin at that time, but didn't realize it had not worked. 

I wound up having to download the latest version directly from Adobe.

CC: (none) => andrewsfarm

Comment 2 Daniel Tartavel 2017-02-22 23:05:02 CET
Hi,

I modified the spec file to match the new version and moved two URLs that are not good; the files download well, but the function checksha256sum always returns false and the script does not install the package.
Without the checksha256sum test, the downloaded file is correctly installed.

CC: (none) => contact
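A checksum gate of the kind Comment 2 describes, added here as an illustration and not the functions script shipped in the Mageia package: the name checksha256sum comes from the comment, but the body, the stand-in file and the recorded hash are assumptions. It normalises the expected hash (case, stray whitespace) so a value copied from a web page still compares equal, and refuses to report success for an unreadable or altered file.

```shell
# Added example, not the package's own code. Assumed helper: verify a downloaded
# file against a recorded SHA-256 before it is handed to the installer.
# checksha256sum FILE EXPECTED_HEX -> 0 on match, 1 on mismatch or unreadable file
checksha256sum() {
    file=$1
    expected=$2
    [ -r "$file" ] || return 1
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    # Normalise the recorded value: lower-case hex, no surrounding whitespace.
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f' | tr -d ' \t\r\n')
    [ "$actual" = "$expected" ]
}

# Constructed demo: a stand-in for the fetched RPM, hashed once as a packager
# would record it in the spec, checked intact, then checked again after tampering.
demo_check() {
    tmp=$(mktemp)
    printf 'stand-in for flash-player-npapi-24.0.0.221-release.i386.rpm\n' > "$tmp"
    recorded=$(sha256sum "$tmp" | cut -d' ' -f1)
    if checksha256sum "$tmp" "$recorded"; then intact=match; else intact=mismatch; fi
    printf 'tampered\n' >> "$tmp"
    if checksha256sum "$tmp" "$recorded"; then altered=match; else altered=mismatch; fi
    rm -f "$tmp"
    printf '%s %s\n' "$intact" "$altered"
}
```

An install wrapper would call checksha256sum right after the download and abort before rpm is invoked when it returns non-zero.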

Comment 3 Mike Rambo 2017-02-23 01:26:33 CET
An updated package (version 24.0.0.221) was pushed for cauldron earlier today.

CC: (none) => mrambo

Comment 4 Mike Rambo 2017-03-06 14:43:29 CET
Updated package uploaded for Mageia 5.

Advisory:
========================

Updated flash-player-plugin package fixes security vulnerabilities:

* A type confusion vulnerability that could lead to code execution (CVE-2017-2995).
* An integer overflow vulnerability that could lead to code execution (CVE-2017-2987).
* Use-after-free vulnerabilities that could lead to code execution (CVE-2017-2982, CVE-2017-2985, CVE-2017-2993, CVE-2017-2994).
* Heap buffer overflow vulnerabilities that could lead to code execution (CVE-2017-2984, CVE-2017-2986, CVE-2017-2992).
* Memory corruption vulnerabilities that could lead to code execution (CVE-2017-2988, CVE-2017-2990, CVE-2017-2991, CVE-2017-2996).


References:
https://helpx.adobe.com/security/products/flash-player/apsb17-04.html
========================

Updated packages in nonfree/updates_testing:
========================
flash-player-plugin-24.0.0.221-1.mga5
flash-player-plugin-kde-24.0.0.221-1.mga5

from flash-player-plugin-24.0.0.221-1.mga5.src.rpm

Version: Cauldron => 5
Assignee: anssi.hannula => qa-bugs
Whiteboard: MGA5TOO => (none)

Comment 5 Len Lawrence 2017-03-07 17:58:42 CET
x86_64

Tried Youtube and Vevo in firefox and youtube-dl for good measure.  Sound and vision working fine.

CC: (none) => tarazed25

Comment 6 Len Lawrence 2017-03-07 19:59:01 CET
Installed the plugins in i586 virtualbox and played Youtube videos in firefox.  pavucontrol showed that sound was being processed.

Searched the system for plugin references.
$ locate flash-player-plugin
/usr/lib/flash-player-plugin
/usr/lib/flash-player-plugin/doc
/usr/lib/flash-player-plugin/libflashplayer.so
/usr/lib/flash-player-plugin/doc/LGPL.txt
/usr/lib/flash-player-plugin/doc/license.pdf
/usr/lib/flash-player-plugin/doc/notice.txt
/usr/lib/flash-player-plugin/doc/readme.txt
/usr/share/flash-player-plugin
/usr/share/doc/flash-player-plugin
/usr/share/doc/flash-player-plugin/README.mageia
/usr/share/flash-player-plugin/functions
/usr/share/mageiawelcome/img/flash-player-plugin.png
/var/lib/flash-player-plugin
/var/lib/flash-player-plugin/flash-player-npapi-24.0.0.221-release.i386.rpm
The plugin registry for firefox was changed at this time. 
$ ls -l .mozilla/firefox/t0ka4zqf.default/pluginreg.dat
-rw------- 1 lcl lcl 9596 Mar  7 18:08 .mozilla/firefox/t0ka4zqf.default/pluginreg.dat
$ strings pluginreg.dat | grep flashplayer
libflashplayer.so:$
/usr/lib/flash-player-plugin/libflashplayer.so:$
Len Lawrence 2017-03-07 19:59:26 CET

Whiteboard: (none) => MGA5-32-OK

Dave Hodgins 2017-03-07 23:01:19 CET

CC: (none) => davidwhodgins
Whiteboard: MGA5-32-OK => MGA5-32-OK advisory

Comment 7 Dave Hodgins 2017-03-07 23:46:21 CET
Fine here with https://www.adobe.com/software/flash/about/ and various other
websites.

Validating.

Keywords: (none) => validated_update
Whiteboard: MGA5-32-OK advisory => MGA5-32-OK advisory MGA5-64-OK
CC: (none) => sysadmin-bugs

Comment 8 Mageia Robot 2017-03-12 21:34:21 CET
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0075.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
