[Full-disclosure] [ GLSA 201001-02 ] Adobe Flash Player: Multiple vulnerabilities

From: Alex Legler <a3li_at_nospam>
Date: Sun Jan 03 2010 - 17:24:13 GMT
To: gentoo-announce@gentoo.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201001-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal Title: Adobe Flash Player: Multiple vulnerabilities Date: January 03, 2010 Bugs: #296407 ID: 201001-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis

Multiple vulnerabilities in Adobe Flash Player might allow remote attackers to execute arbitrary code or cause a Denial of Service.

Background

The Adobe Flash Player is a renderer for the SWF file format, which is commonly used to provide interactive websites.

Affected packages

Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 www-plugins/adobe-flash < 10.0.42.34 >= 10.0.42.34

Description

Multiple vulnerabilities have been discovered in Adobe Flash Player:

An anonymous researcher working with the Zero Day Initiative reported that Adobe Flash Player does not properly process JPEG files (CVE-2009-3794).
Jim Cheng of EffectiveUI reported an unspecified data injection vulnerability (CVE-2009-3796).
Bing Liu of Fortinet's FortiGuard Labs reported multiple unspecified memory corruption vulnerabilities (CVE-2009-3797, CVE-2009-3798).
Damian Put reported an integer overflow in the Verifier::parseExceptionHandlers() function (CVE-2009-3799).
Will Dormann of CERT reported multiple unspecified Denial of Service vulnerabilities (CVE-2009-3800).

Impact

A remote attacker could entice a user to open a specially crafted SWF file, possibly resulting in the remote execution of arbitrary code with the privileges of the user running the application, or a Denial of Service via unknown vectors.

Workaround

There is no known workaround at this time.

Resolution

All Adobe Flash Player users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose
    ">=www-plugins/adobe-flash-10.0.42.34"

References

  [ 1 ] CVE-2009-3794
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3794   [ 2 ] CVE-2009-3796
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3796   [ 3 ] CVE-2009-3797
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3797   [ 4 ] CVE-2009-3798
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3798   [ 5 ] CVE-2009-3799
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3799   [ 6 ] CVE-2009-3800
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3800

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201001-02.xml

Concerns?

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

License

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

This message: [ Message body ]
Next message: Adriel T. Desautels: "Re: [Full-disclosure] Antisec for lulz - exposed (anti-sec.com)"
Previous message: Joxean Koret: "[Full-disclosure] [Tool] DeepToad 1.1.0"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ]