Bug 901334 - (CVE-2014-0558) VUL-0: CVE-2014-0564 CVE-2014-0558 CVE-2014-0569: flash-plugin: multiple code execution flaws (APSB14-22)
(CVE-2014-0558)
VUL-0: CVE-2014-0564 CVE-2014-0558 CVE-2014-0569: flash-plugin: multiple code...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P5 - None : Major
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/109192/
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2014-10-15 12:59 UTC by Sebastian Krahmer
Modified: 2015-04-16 11:05 UTC (History)
4 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sebastian Krahmer 2014-10-15 12:59:33 UTC
rh#1152775

This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Adobe Flash Player. User interaction is required to
exploit this vulnerability in that the target must visit a malicious page or
open a malicious file.

The specific flaw exists within the implementation of casi32.  The issue lies in
the failure to properly sanitize a user-supplied length value with a specific
array implementation. An attacker can leverage this vulnerability to execute
code within the context of the current process.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1152775
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0569
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0564
http://www.zerodayinitiative.com/advisories/ZDI-14-365/
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0558
Comment 3 Stanislav Brabec 2014-10-15 14:57:03 UTC
openSUSE:Factory:NonFree: created obs request id 256734.
openSUSE:Maintenance (12.3, 13.1): created obs maintenance request id 256736.

SUSE:SLE-11-SP1:Update: created ibs request id 45441.
SUSE:SLE-12:Update: created obs maintenance request id 45442

TODO: Submit for 13.2. It will be done once it will be accepted for Factory.
Comment 5 Bernhard Wiedemann 2014-10-15 15:00:12 UTC
This is an autogenerated message for OBS integration:
This bug (901334) was mentioned in
https://build.opensuse.org/request/show/256734 Factory:NonFree / flash-player
Comment 6 Swamp Workflow Management 2014-10-20 08:24:42 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2014-10-27.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/59445
Comment 7 Swamp Workflow Management 2014-10-28 15:05:22 UTC
openSUSE-SU-2014:1329-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 901334
CVE References: CVE-2014-0558,CVE-2014-0564,CVE-2014-0569
Sources used:
Comment 8 Swamp Workflow Management 2014-11-05 18:04:58 UTC
SUSE-SU-2014:1360-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 901334
CVE References: CVE-2014-0558,CVE-2014-0564,CVE-2014-0569
Sources used:
SUSE Linux Enterprise Desktop 11 SP3 (src):    flash-player-11.2.202.411-0.3.1
Comment 9 Johannes Segitz 2014-11-13 15:37:08 UTC
Everything got fixed
Comment 10 Swamp Workflow Management 2014-11-13 16:05:11 UTC
SUSE-SU-2014:1423-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 901334
CVE References: CVE-2014-0558,CVE-2014-0564,CVE-2014-0569
Sources used:
Comment 11 Swamp Workflow Management 2015-04-16 11:05:13 UTC
openSUSE-SU-2015:0725-1: An update that fixes 45 vulnerabilities is now available.

Category: security (important)
Bug References: 856386,901334,905032,907257,909219,913057,914333,914463,922033,927089
CVE References: CVE-2014-0558,CVE-2014-0564,CVE-2014-0569,CVE-2014-0573,CVE-2014-0574,CVE-2014-0576,CVE-2014-0577,CVE-2014-0581,CVE-2014-0582,CVE-2014-0583,CVE-2014-0584,CVE-2014-0585,CVE-2014-0586,CVE-2014-0588,CVE-2014-0589,CVE-2014-0590,CVE-2014-8437,CVE-2014-8438,CVE-2014-8440,CVE-2014-8441,CVE-2014-8442,CVE-2015-0331,CVE-2015-0332,CVE-2015-0346,CVE-2015-0347,CVE-2015-0348,CVE-2015-0349,CVE-2015-0350,CVE-2015-0351,CVE-2015-0352,CVE-2015-0353,CVE-2015-0354,CVE-2015-0355,CVE-2015-0356,CVE-2015-0357,CVE-2015-0358,CVE-2015-0359,CVE-2015-0360,CVE-2015-3038,CVE-2015-3039,CVE-2015-3040,CVE-2015-3041,CVE-2015-3042,CVE-2015-3043,CVE-2015-3044
Sources used: