Bug 24643 - flash-player-plugin security update 32.0.0.171
Summary: flash-player-plugin security update 32.0.0.171
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-04-09 16:09 CEST by eric gerbier
Modified: 2019-04-11 00:08 CEST

See Also:
Source RPM: flash-player-plugin-32.0.0.156-1.mga6.nonfree.src.rpm
CVE: CVE-2019-7108, CVE-2019-7096
Status comment:



Description eric gerbier 2019-04-09 16:09:03 CEST
Description of problem:


 urpmi flash-player-plugin
Marque flash-player-plugin comme étant manuellement installé, il ne sera pas considéré comme un paquet orphelin
writing /var/lib/rpm/installed-through-deps.list


    ftp://137.129.150.2/linux/mga/backport6c/RPMS/flash-player-plugin-32.0.0.156-1.mga6.nonfree.x86_64.rpm
SECURITÉ : PAS de vérification du paquet « /var/cache/urpmi/rpms/flash-player-plugin-32.0.0.156-1.mga6.nonfree.x86_64.rpm » (à cause de la configuration)
installation de flash-player-plugin-32.0.0.156-1.mga6.nonfree.x86_64.rpm depuis /var/cache/urpmi/rpms
Préparation...                   #############################################
Note that by downloading the Adobe Flash Player you indicate your acceptance of
the EULA, available at http://www.adobe.com/products/eulas/players/flash/
Downloading from http://fpdownload.adobe.com/get/flashplayer/pdc/32.0.0.156/flash-player-ppapi-32.0.0.156-release.x86_64.rpm:
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   277  100   277    0     0   2077      0 --:--:-- --:--:-- --:--:--  2495
Error: Unable to download Flash Player. This is likely due to this package
       being too old. Please file a bug report at https://bugs.mageia.org
       so that the package gets updated. Thank you.

       In the meantime, you can download Flash Player manually from
       http://get.adobe.com/flashplayer/
erreur : %prein(flash-player-plugin-32.0.0.156-1.mga6.nonfree.x86_64) scriptlet échoué, état de sortie 1
ERROR: 'script' failed for flash-player-plugin-32.0.0.156-1.mga6.nonfree.x86_64
erreur : flash-player-plugin-32.0.0.156-1.mga6.nonfree.x86_64: installer échoué


Version-Release number of selected component (if applicable):
flash-player-plugin-32.0.0.156

How reproducible:


Steps to Reproduce:
1. urpmi flash-player-plugin
2.
3.
Comment 1 katnatek 2019-04-09 18:53:47 CEST
I think it is due to version 32.0.0.171 now being the current one at Adobe.
Comment 2 Nicolas Salguero 2019-04-10 09:21:08 CEST
Suggested advisory:
========================

Updated flash-player-plugin package fixes security vulnerabilities:

An out-of-bounds read that leads to information disclosure. (CVE-2019-7108)

A use after free that leads to arbitrary code execution. (CVE-2019-7096)

References:
https://helpx.adobe.com/security/products/flash-player/apsb19-19.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7108
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7096
========================

Updated packages in nonfree/updates_testing:
========================
flash-player-plugin-32.0.0.171-1.mga6.nonfree

from SRPMS:
flash-player-plugin-32.0.0.171-1.mga6.nonfree.src.rpm

CC: (none) => nicolas.salguero
CVE: (none) => CVE-2019-7108, CVE-2019-7096
Component: RPM Packages => Security
Status: NEW => ASSIGNED
QA Contact: (none) => security
Summary: flash-player-plugin does not install => flash-player-plugin security update 32.0.0.171
Severity: normal => critical

Nicolas Salguero 2019-04-10 09:21:57 CEST

Assignee: bugsquad => qa-bugs

Comment 3 Dave Hodgins 2019-04-10 23:20:34 CEST
Tested at http://get.adobe.com/flashplayer/about/ in opera 12.16.
Advisory committed to svn.
Validating the update.

Keywords: (none) => advisory, validated_update
Whiteboard: (none) => MGA6-64-OK
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 4 Mageia Robot 2019-04-11 00:08:34 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0149.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

