full-disclosure-uk January 2010 archive
Main Archive Page > Month Archives  > full-disclosure-uk archives
full-disclosure-uk: [Full-disclosure] [ GLSA 201001-02 ] Adobe F

[Full-disclosure] [ GLSA 201001-02 ] Adobe Flash Player: Multiple vulnerabilities

From: Alex Legler <a3li_at_nospam>
Date: Sun Jan 03 2010 - 17:24:13 GMT
To: gentoo-announce@gentoo.org

  • - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201001-02
  • - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/
  • - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal Title: Adobe Flash Player: Multiple vulnerabilities Date: January 03, 2010 Bugs: #296407 ID: 201001-02
  • - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


Multiple vulnerabilities in Adobe Flash Player might allow remote attackers to execute arbitrary code or cause a Denial of Service.

Background


The Adobe Flash Player is a renderer for the SWF file format, which is commonly used to provide interactive websites.

Affected packages



Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 www-plugins/adobe-flash < 10.0.42.34 >= 10.0.42.34

Description


Multiple vulnerabilities have been discovered in Adobe Flash Player:

  • An anonymous researcher working with the Zero Day Initiative reported that Adobe Flash Player does not properly process JPEG files (CVE-2009-3794).
  • Jim Cheng of EffectiveUI reported an unspecified data injection vulnerability (CVE-2009-3796).
  • Bing Liu of Fortinet's FortiGuard Labs reported multiple unspecified memory corruption vulnerabilities (CVE-2009-3797, CVE-2009-3798).
  • Damian Put reported an integer overflow in the Verifier::parseExceptionHandlers() function (CVE-2009-3799).
  • Will Dormann of CERT reported multiple unspecified Denial of Service vulnerabilities (CVE-2009-3800).

Impact


A remote attacker could entice a user to open a specially crafted SWF file, possibly resulting in the remote execution of arbitrary code with the privileges of the user running the application, or a Denial of Service via unknown vectors.

Workaround


There is no known workaround at this time.

Resolution


All Adobe Flash Player users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose
    ">=www-plugins/adobe-flash-10.0.42.34"

References


  [ 1 ] CVE-2009-3794
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3794   [ 2 ] CVE-2009-3796
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3796   [ 3 ] CVE-2009-3797
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3797   [ 4 ] CVE-2009-3798
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3798   [ 5 ] CVE-2009-3799
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3799   [ 6 ] CVE-2009-3800
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3800

Availability


This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-201001-02.xml

Concerns?


Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

License


Copyright 2010 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/