Arch Linux alert ASA-201507-13 (flashplugin)
| From: | Levente Polyak <anthraxx@archlinux.org> |
| To: | arch-security@archlinux.org |
| Subject: | [arch-security] [ASA-201507-13] flashplugin: arbitrary code execution |
| Date: | Thu, 16 Jul 2015 16:11:55 +0200 |
| Message-ID: | <55A7BBAB.2030707@archlinux.org> |

Arch Linux Security Advisory ASA-201507-13
==========================================

Severity: Critical
Date    : 2015-07-16
CVE-ID  : CVE-2015-5122 CVE-2015-5123
Package : flashplugin
Type    : arbitrary code execution
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package flashplugin before version 11.2.202.491-1 is vulnerable to
arbitrary code execution.

Resolution
==========

Upgrade to 11.2.202.491-1.

# pacman -Syu "flashplugin>=11.2.202.491-1"

The problems have been fixed upstream in version 11.2.202.491.

Workaround
==========

None.

Description
===========

- CVE-2015-5122 (arbitrary code execution)

Use-after-free vulnerability in the DisplayObject class in the
ActionScript 3 (AS3) implementation allows remote attackers to execute
arbitrary code or cause a denial of service (memory corruption) via
crafted Flash content that leverages improper handling of the
opaqueBackground property.

- CVE-2015-5123 (arbitrary code execution)

Use-after-free vulnerability in the BitmapData class in the
ActionScript 3 (AS3) implementation allows remote attackers to execute
arbitrary code or cause a denial of service (memory corruption) via
crafted Flash content that overrides a valueOf function.

Impact
======

A remote attacker is able to use a specially crafted flash application
to execute arbitrary code.

References
==========

https://helpx.adobe.com/security/products/flash-player/ap...
https://access.redhat.com/security/cve/CVE-2015-5122
https://access.redhat.com/security/cve/CVE-2015-5123
 
           