======================================================
Name: CVE-2013-0504
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0504
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20121216
Category:
Reference: CONFIRM:http://www.adobe.com/support/security/bulletins/apsb13-08.html

Buffer overflow in the broker service in Adobe Flash Player before 10.3.183.67 and 11.x before 11.6.602.171 on Windows and Mac OS X, and before 10.3.183.67 and 11.x before 11.2.202.273 on Linux, allows attackers to execute arbitrary code via unspecified vectors.

======================================================
Name: CVE-2013-0643
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0643
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20121218
Category:
Reference: CONFIRM:http://www.adobe.com/support/security/bulletins/apsb13-08.html

The Firefox sandbox in Adobe Flash Player before 10.3.183.67 and 11.x before 11.6.602.171 on Windows and Mac OS X, and before 10.3.183.67 and 11.x before 11.2.202.273 on Linux, does not properly restrict privileges, which makes it easier for remote attackers to execute arbitrary code via crafted SWF content, as exploited in the wild in February 2013.

======================================================
Name: CVE-2013-0648
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0648
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20121218
Category:
Reference: CONFIRM:http://www.adobe.com/support/security/bulletins/apsb13-08.html

Unspecified vulnerability in the ExternalInterface ActionScript functionality in Adobe Flash Player before 10.3.183.67 and 11.x before 11.6.602.171 on Windows and Mac OS X, and before 10.3.183.67 and 11.x before 11.2.202.273 on Linux, allows remote attackers to execute arbitrary code via crafted SWF content, as exploited in the wild in February 2013.
11.2.202.273 has been submitted to mga2, nonfree/updates_testing and to cauldron. Someone has to submit it to cauldron, I will ask guillomovitch to do it.
*** Bug 9192 has been marked as a duplicate of this bug. ***
CC: (none) => lemonzest
guillomovitch has just submitted 11.2.202.273 to cauldron, so fixed there.
Please don't forget to assign bugs to QA when they're ready for testing.
CC: (none) => luigiwalser
Assignee: bugsquad => qa-bugs
installing flash-player-plugin-11.2.202.273-1.1.mga2.nonfree.i586.rpm flash-player-plugin-kde-11.2.202.273-1.1.mga2.nonfree.i586.rpm from /var/cache/urpmi/rpms
Preparing... ###############################################
Note that by downloading the Adobe Flash Player you indicate your acceptance of the EULA, available at http://www.adobe.com/products/eulas/players/flash/
Downloading from http://fpdownload.macromedia.com/get/flashplayer/pdc/11.2.202.273/flash-plugin-11.2.202.273-release.i386.rpm:
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 6740k  100 6740k    0     0  1895k      0  0:00:03  0:00:03 --:--:-- 1926k
Error: Unable to download Flash Player. This is likely due to this package being too old. Please file a bug report at https://bugs.mageia.org so that the package gets updated. Thank you. In the meantime, you can download Flash Player manually from http://get.adobe.com/flashplayer/
error: %pre(flash-player-plugin-11.2.202.273-1.1.mga2.nonfree.i586) scriptlet failed, exit status 1
error: flash-player-plugin-11.2.202.273-1.1.mga2.nonfree.i586: install failed
1/2: flash-player-plugin-kde ###############################################
head: cannot open `/var/lib/flash-player-plugin/flash-plugin-11.2.202.270-release.i386.rpm' for reading: No such file or directory
tar (child): /var/lib/flash-player-plugin/flash-plugin-11.2.202.270-release.i386.rpm: Cannot open: No such file or directory
tar (child): Error is not recoverable: exiting now
tar: Child returned status 2
tar: Error is not recoverable: exiting now
Warning: usr/lib/kde4/kcm_adobe_flash_player.so not found in the Flash Player archive, skipping installation of /usr/lib/kde4/kcm_adobe_flash_player.so. Please file a bug report at https://bugs.mageia.org/ .
Warning: usr/share/kde4/services/kcm_adobe_flash_player.desktop not found in the Flash Player archive, skipping installation of /usr/share/kde4/services/kcm_adobe_flash_player.desktop. Please file a bug report at https://bugs.mageia.org/ .
error: flash-player-plugin-11.2.202.270-1.mga2.nonfree.i586: erase skipped
CC: (none) => anssi.hannula
I'd vote to skip the md5sum check there.
When I downloaded the files, the md5sum for flash-plugin-11.2.202.273-release.i386.rpm was 3a983d14af0f9fef3ee5a35cc909a0f3. I just re-downloaded the same file and now it's 164a331d00a09fc951aae96e64e4b969. I really don't see the point of this md5sum check?
It looks like it's trying to open the wrong file after downloading the correct one. It downloads -273 then tries to open -270 and fails with file not found.
[root@localhost /]# urpmi flash-player-plugin --excludemedia "Nonfree Updates Testing" http://n0.nux.se/mageia/2/x86_64/media/nonfree/updates/flash-player-plugin-11.2.202.270-1.mga2.nonfree.x86_64.rpm
installing flash-player-plugin-11.2.202.270-1.mga2.nonfree.x86_64.rpm from /var/cache/urpmi/rpms
Preparing... ################################################################
Note that by downloading the Adobe Flash Player you indicate your acceptance of the EULA, available at http://www.adobe.com/products/eulas/players/flash/
Downloading from http://fpdownload.macromedia.com/get/flashplayer/pdc/11.2.202.270/flash-plugin-11.2.202.270-release.x86_64.rpm:
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 7047k  100 7047k    0     0  5734k      0  0:00:01  0:00:01 --:--:-- 5902k
1/1: flash-player-plugin ################################################################
Adobe Flash Player installation successful.
[root@localhost /]# urpmi flash-player-plugin http://n0.nux.se/mageia/2/x86_64/media/nonfree/updates_testing/flash-player-plugin-11.2.202.273-1.1.mga2.nonfree.x86_64.rpm
installing flash-player-plugin-11.2.202.273-1.1.mga2.nonfree.x86_64.rpm from /var/cache/urpmi/rpms
Preparing... ################################################################
Note that by downloading the Adobe Flash Player you indicate your acceptance of the EULA, available at http://www.adobe.com/products/eulas/players/flash/
Downloading from http://fpdownload.macromedia.com/get/flashplayer/pdc/11.2.202.273/flash-plugin-11.2.202.273-release.x86_64.rpm:
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 7047k  100 7047k    0     0  4134k      0  0:00:01  0:00:01 --:--:-- 4217k
1/1: flash-player-plugin ################################################################
Adobe Flash Player installation successful.
Confirmed that Oden x86_64 is OK but i586 fails
There are two urls: http://fpdownload.macromedia.com/get/flashplayer/pdc/11.2.202.273/flash-plugin-11.2.202.273-release.i386.rpm http://linuxdownload.adobe.com/linux/i386/flash-plugin-11.2.202.273-release.i386.rpm One of those has the other md5sum, and one has the other (as noted in the .spec file). @Oden, is there a possibility you mistakenly checked the md5sum from the latter URL first? Anyway, fixed packages (and now with both urls and md5sums enabled) submitted with version 11.2.202.273-1.2.mga2.nonfree.
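The fix described in the comment above (keep the digest check, but pin one known-good digest per download URL and derive the payload file name once so the download and unpack steps cannot disagree) is illustrated below. This is an added example and not the Mageia flash-player-plugin scriptlet or spec; the mirror directories, payload contents and digests are constructed inline for the demo, and `md5sum` is used only because that is what the spec used. A new pipeline should pin `sha256sum` instead, which the `DIGEST_TOOL` variable allows.

```shell
#!/bin/sh
# Added example, not the Mageia flash-player-plugin scriptlet: verify a payload
# fetched from one of several mirrors against a closed whitelist of digests
# (one per mirror, as the fixed -1.2 package does) and fail closed on mismatch.
# Mirror layout, payload contents and digests below are constructed for the demo.

DIGEST_TOOL=${DIGEST_TOOL:-md5sum}   # the spec used md5sum; prefer sha256sum for new work

# digest_of FILE -> hex digest on stdout
digest_of() {
    "$DIGEST_TOOL" "$1" | cut -d' ' -f1
}

# expected_name VERSION ARCH -> the one file name that both the download step
# and the later unpack step use, so they cannot disagree (the -270 vs -273 bug).
expected_name() {
    printf 'flash-plugin-%s-release.%s.rpm\n' "$1" "$2"
}

# verify_payload FILE DIGEST... -> 0 if FILE matches any listed digest, else 1.
# Accepting several pinned digests covers mirrors that serve differently built
# copies of the same release; it is still a whitelist, not a skipped check.
verify_payload() {
    file=$1; shift
    [ -f "$file" ] || { echo "verify: missing $file" >&2; return 1; }
    actual=$(digest_of "$file")
    for want in "$@"; do
        [ "$actual" = "$want" ] && return 0
    done
    echo "verify: $file has digest $actual, not in whitelist" >&2
    return 1
}

# Demo on constructed files standing in for two mirrors and a tampered copy.
demo() {
    tmp=$(mktemp -d)
    name=$(expected_name 11.2.202.273 i386)
    mkdir -p "$tmp/mirror_a" "$tmp/mirror_b"
    printf 'constructed payload from mirror A\n' > "$tmp/mirror_a/$name"
    printf 'constructed payload from mirror B\n' > "$tmp/mirror_b/$name"
    # In a real spec these two digests are pinned in the package, not computed here.
    digest_a=$(digest_of "$tmp/mirror_a/$name")
    digest_b=$(digest_of "$tmp/mirror_b/$name")

    verify_payload "$tmp/mirror_a/$name" "$digest_a" "$digest_b" && echo "mirror A copy accepted"
    verify_payload "$tmp/mirror_b/$name" "$digest_a" "$digest_b" && echo "mirror B copy accepted"

    printf 'tampered\n' > "$tmp/mirror_b/$name"
    if verify_payload "$tmp/mirror_b/$name" "$digest_a" "$digest_b" 2>/dev/null; then
        echo "BUG: tampered copy accepted"
    else
        echo "tampered copy rejected"
    fi
    rm -rf "$tmp"
}

demo
```

The point of the whitelist over "skip the md5sum check" is that a download from a mirror, over plain HTTP, is the one place an attacker can swap the payload; the digests pinned in the package are the only thing tying what the scriptlet installs to what the packager tested.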
Tested x86_64, verified build (-1.2mga2) through whatismyflash.com. Tested YouTube videos and a game, all looks good.
CC: (none) => wrw105
Whiteboard: (none) => MGA2-64-OK
Testing complete on Mageia 2 i586.

Could someone from the sysadmin team push the srpm flash-player-plugin-11.2.202.273-1.2.mga2.nonfree.src.rpm from Mageia 2 Nonfree Updates Testing to Nonfree Updates.

Advisory: Flash player update corrects the following security problems.

CVE-2013-0504 - Buffer overflow in the broker service
CVE-2013-0643 - Sandbox privilege restrictions
CVE-2013-0648 - Vulnerability in the ExternalInterface ActionScript

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0504
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0643
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0648
http://www.adobe.com/support/security/bulletins/apsb13-08.html
https://bugs.mageia.org/show_bug.cgi?id=9194
Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
Whiteboard: MGA2-64-OK => MGA2-64-OK MGA2-32-OK
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0075
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED