Bug 886454

Summary: flash-player, multiple vulnerabilities: CVE-2014-0537, CVE-2014-0539, CVE-2014-4671
Product: [openSUSE] openSUSE 13.1
Reporter: Luigi Baldoni <aloisio>
Component: Other
Assignee: Stanislav Brabec <sbrabec>
Status: RESOLVED FIXED
QA Contact: E-mail List <qa-bugs>
Severity: Normal
Priority: P5 - None
CC: ciaran.farrell, fcrozat, forgotten_sM9JzehKpy, lcamp, sbrabec, security-team, vpereira
Version: Final
Target Milestone: ---
Hardware: x86-64
OS: openSUSE 13.1
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: AdobeICCProfiles.en

Description Luigi Baldoni 2014-07-09 14:10:01 UTC
User-Agent:       Mozilla/5.0 (X11; Linux x86_64; rv:30.0) Gecko/20100101 Firefox/30.0

Adobe has released security updates for Adobe Flash Player 14.0.0.125 and earlier versions for Windows and Macintosh and Adobe Flash Player 11.2.202.378 and earlier versions for Linux. These updates address vulnerabilities that could potentially allow an attacker to take control of the affected system. Adobe recommends users update their product installations to the latest versions:

    Users of Adobe Flash Player 14.0.0.125 and earlier versions for Windows and Macintosh should update to Adobe Flash Player 14.0.0.145.
    Users of Adobe Flash Player 11.2.202.378 and earlier versions for Linux should update to Adobe Flash Player 11.2.202.394.
    Adobe Flash Player 14.0.0.125 installed with Google Chrome will automatically be updated to the latest Google Chrome version, which will include Adobe Flash Player 14.0.0.145 for Windows, Macintosh and Linux.
    Adobe Flash Player 14.0.0.125 installed with Internet Explorer 10 will automatically be updated to the latest Internet Explorer 10 version, which will include Adobe Flash Player 14.0.0.145 for Windows 8.0.
    Adobe Flash Player 14.0.0.125 installed with Internet Explorer 11 will automatically be updated to the latest Internet Explorer 11 version, which will include Adobe Flash Player 14.0.0.145 for Windows 8.1.
    Users of the Adobe AIR 14.0.0.110 SDK and earlier versions should update to the Adobe AIR 14.0.0.137 SDK.
    Users of the Adobe AIR 14.0.0.110 SDK & Compiler and earlier versions should update to the Adobe AIR 14.0.0.137 SDK & Compiler.
    Users of Adobe AIR 14.0.0.110 and earlier versions for Android should update to Adobe AIR 14.0.0.137.

Affected software versions

    Adobe Flash Player 14.0.0.125 and earlier versions for Windows and Macintosh
    Adobe Flash Player 11.2.202.378 and earlier versions for Linux
    Adobe AIR 14.0.0.110 SDK and earlier versions
    Adobe AIR 14.0.0.110 SDK & Compiler and earlier versions
    Adobe AIR 14.0.0.110 and earlier versions for Android


Reproducible: Always

Comment 1 Stanislav Brabec 2014-07-09 15:07:44 UTC
APSB14-17 mentions these CVE numbers: CVE-2014-0537, CVE-2014-0539, CVE-2014-4671
but:
CVE-2014-0515 refers to APSB14-13, and it is already mentioned in the bug 875577
CVE-2014-0539 refers to APSB14-14, but not vice versa
Only CVE-2014-4671 refers to APSB14-17.

References:
http://helpx.adobe.com/security/products/flash-player/apsb14-17.html
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0515
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0539
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4671
Comment 3 Victor Pereira 2014-07-09 15:44:39 UTC
duplicated from bnc#886472

*** This bug has been marked as a duplicate of bug 886472 ***
Comment 5 Bernhard Wiedemann 2014-07-09 16:00:33 UTC
This is an autogenerated message for OBS integration:
This bug (886454) was mentioned in
https://build.opensuse.org/request/show/240004 Factory:NonFree / flash-player
Comment 10 SMASH SMASH 2014-07-10 14:45:36 UTC
Affected packages:

SLE-11-SP1: flash-player
Comment 17 Stanislav Brabec 2014-07-28 20:25:12 UTC
Adding AdobeICCProfiles.en to devel:openSUSE:Factory openSUSE-EULAs, as it has a different license agreement than flash-player. Keeping deleted only flash-player*.
Comment 20 Stanislav Brabec 2014-07-29 13:51:32 UTC
Created attachment 600181
AdobeICCProfiles.en

Click-wrap license agreement for AdobeICCProfiles.
Comment 21 Anja Stock 2014-11-26 13:12:09 UTC
Done long ago. No idea why this is still open.
Comment 22 Luigi Baldoni 2014-11-26 15:20:10 UTC
I must have forgotten to close it.
Comment 23 Stanislav Brabec 2015-02-16 17:09:03 UTC
The bug itself has already been fixed for a long time, but the bug was open for confirmation of comment 20 (only partially related).

The fix was left unsubmitted and I was waiting for a reply.

https://build.opensuse.org/package/show/home:sbrabec:branches:devel:openSUSE:Factory/openSUSE-EULAs
Comment 24 Ciaran Farrell 2015-02-16 18:56:39 UTC
(In reply to Stanislav Brabec from comment #23)
> The bug itself is already long time fixed, but the bug was open for
> confirmation of comment 20 (only partially related).
> 
> The fix was left unsubmitted and I was waiting for a reply.
> 
> https://build.opensuse.org/package/show/home:sbrabec:branches:devel:openSUSE:
> Factory/openSUSE-EULAs

Please go ahead and submit.