Bug 865021 (CVE-2014-0502) - VUL-0: CVE-2014-0502: flash-player: multiple flaws lead to arbitrary code execution (APSB14-07)
Summary: VUL-0: CVE-2014-0502: flash-player: multiple flaws lead to arbitrary code exe...
Status: RESOLVED FIXED
Alias: CVE-2014-0502
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Critical
Target Milestone: ---
Deadline: 2014-02-25
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/96465/
Whiteboard: maint:released:sle11-sp3:56355
Keywords:
Depends on:
Blocks:
 
Reported: 2014-02-21 08:45 UTC by Victor Pereira
Modified: 2014-02-26 12:57 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Victor Pereira 2014-02-21 08:45:40 UTC
CVE-2014-0498 CVE-2014-0499 CVE-2014-0502

Adobe has released Flash Player 11.2.202.341 for Linux to correct the following flaws:

These updates resolve:

-  a stack overflow vulnerability that could result in arbitrary code execution (CVE-2014-0498).

-  a memory leak vulnerability that could be used to defeat memory address layout randomization (CVE-2014-0499).

-  a double free vulnerability that could result in arbitrary code execution (CVE-2014-0502).


References:
http://helpx.adobe.com/security/products/flash-player/apsb14-07.html
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0498
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0499
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0502
https://bugzilla.redhat.com/show_bug.cgi?id=1067656
Comment 1 Swamp Workflow Management 2014-02-21 08:48:17 UTC
The SWAMPID for this issue is 56354.
This issue was rated as critical.
Please submit fixed packages until 2014-02-25.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 2 Stanislav Brabec 2014-02-21 21:10:51 UTC
openSUSE:Factory:NonFree: created OBS request id 223451
openSUSE (12.3, 13.1): created OBS maintenance request id 223452
SLE11: created IBS request id 33306
SLE12: created IBS request id 33307

Note: There is something strange on the Adobe side. The time stamp of the new flashplayer binary is two days older than the previous security update.
Comment 3 Bernhard Wiedemann 2014-02-21 22:00:15 UTC
This is an autogenerated message for OBS integration:
This bug (865021) was mentioned in
https://build.opensuse.org/request/show/223451 Factory:NonFree / flash-player
Comment 5 Swamp Workflow Management 2014-02-21 23:00:18 UTC
bugbot adjusting priority
Comment 6 Swamp Workflow Management 2014-02-24 07:04:20 UTC
openSUSE-SU-2014:0277-1: An update that fixes three vulnerabilities is now available.

Category: security (critical)
Bug References: 865021
CVE References: CVE-2014-0498,CVE-2014-0499,CVE-2014-0502
Sources used:
Comment 7 Swamp Workflow Management 2014-02-24 10:04:21 UTC
openSUSE-SU-2014:0278-1: An update that fixes three vulnerabilities is now available.

Category: security (critical)
Bug References: 865021
CVE References: CVE-2014-0498,CVE-2014-0499,CVE-2014-0502
Sources used:
Comment 8 Swamp Workflow Management 2014-02-25 15:46:22 UTC
Update released for: flash-player, flash-player-gnome, flash-player-kde4
Products:
SLE-DESKTOP 11-SP3 (i386, x86_64)
Comment 9 Swamp Workflow Management 2014-02-25 19:04:23 UTC
SUSE-SU-2014:0290-1: An update that fixes three vulnerabilities is now available.

Category: security (critical)
Bug References: 865021
CVE References: CVE-2014-0498,CVE-2014-0499,CVE-2014-0502
Sources used:
SUSE Linux Enterprise Desktop 11 SP3 (src):    flash-player-11.2.202.341-0.3.1
Comment 10 Marcus Meissner 2014-02-26 12:57:45 UTC
released