Bug 922033 (CVE-2015-0314) - VUL-0: flash-player: Multiple vulnerabilities fixed in Adobe Flash player 11.2.202.451 (APSB15-05)
Summary: VUL-0: flash-player: Multiple vulnerabilities fixed in Adobe Flash player 11.2...
Status: RESOLVED FIXED
Alias: CVE-2015-0314
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P5 - None : Critical
Target Milestone: ---
Deadline: 2015-03-16
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://helpx.adobe.com/security/prod...
Whiteboard: maint:released:sle11-sp3:61096
Keywords:
Depends on:
Blocks:
 
Reported: 2015-03-12 15:15 UTC by Andreas Stieger
Modified: 2015-04-16 11:06 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Andreas Stieger 2015-03-12 15:15:51 UTC
Announcement is not yet up...
https://helpx.adobe.com/security/products/flash-player/apsb15-05.html

But https://www.adobe.com/support/flashplayer/downloads.html says 
3/12/2015 – Updated debugger and standalone versions of Flash player. These versions contain fixes for critical vulnerabilities identified in Security Bulletin APSB 15-05.
Comment 1 Stanislav Brabec 2015-03-12 15:26:30 UTC
Should I wait for CVE numbers or should I submit it now?
Comment 2 Andreas Stieger 2015-03-12 15:45:07 UTC
(In reply to Stanislav Brabec from comment #1)
> Should I wait for CVE numbers or should I submit it now?

Let's wait until the upstream announcement is available. I'll clear the needinfo when it arrives.
Comment 3 Andreas Stieger 2015-03-12 15:55:50 UTC
APSB15-04 - Security updates for Adobe Flash Player

CVE list from http://www.sophos.com/en-us/threat-center/threat-analyses/vulnerabilities/VET-000697.aspx

CVE-2015-0313
CVE-2015-0314
CVE-2015-0315
CVE-2015-0316
CVE-2015-0317
CVE-2015-0318
CVE-2015-0319
CVE-2015-0320
CVE-2015-0321
CVE-2015-0322
CVE-2015-0323
CVE-2015-0324
CVE-2015-0325
CVE-2015-0326
CVE-2015-0327
CVE-2015-0328
CVE-2015-0329
CVE-2015-0330
Comment 4 Stanislav Brabec 2015-03-12 16:37:00 UTC
home:sbrabec:branches:multimedia:apps: created request id 290463 (auto-accepting and forwarding)
openSUSE:Factory:NonFree: New request # 290465
openSUSE:Maintenance: Using target project 'openSUSE:Maintenance'
290466
SUSE:SLE-12:Update: Using target project 'SUSE:Maintenance'
53130
SUSE:SLE-11-SP1:Update:Test: created request id 53132

Report created by 6-flash-player-update-submit-all.sh.


Please review these requests carefully. It is my first run of auto-update scripts on a real issue.
Comment 6 Stanislav Brabec 2015-03-12 16:54:41 UTC
I just noticed that Adobe added a directory LGPL with LGPL.txt and notice.txt to all tarballs.

notice.txt: This product links to certain Linux system libraries licensed under LGPL.

Should we do anything with it? I guess not. It is valid for all our packages.
Comment 7 Swamp Workflow Management 2015-03-12 18:37:02 UTC
An update workflow for this issue was started.
This issue was rated as critical.
Please submit fixed packages until 2015-03-16.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/61095
Comment 8 Stanislav Brabec 2015-03-12 18:45:55 UTC
https://helpx.adobe.com/security/products/flash-player/apsb15-04.html was finally created. CVE list does not match, APSB15-04 additionally lists CVE-2015-0331.

Re-submitting everything again:

home:sbrabec:branches:multimedia:apps: created request id 290480 (going to auto-accept)
openSUSE:Factory:NonFree: New request # 290481
openSUSE:Maintenance: Using target project 'openSUSE:Maintenance'
290482
SUSE:SLE-12:Update: Using target project 'SUSE:Maintenance'
53136
SUSE:SLE-11-SP1:Update:Test: created request id 53138

Report created by 6-flash-player-update-submit-all.sh.


OBS maintenance request 290466 was already accepted, I cannot supersede it.
Comment 9 Johannes Segitz 2015-03-12 19:04:57 UTC
(In reply to Stanislav Brabec from comment #8)
Unfortunately that's not the only problem. Those are the CVEs of the last flash update. The correct CVEs are:
- Memory corruption vulnerabilities that could lead to code execution (CVE-2016-0332, CVE-2015-0333, CVE-2015-0335, CVE-2015-0339).
- Type confusion vulnerabilities that could lead to code execution (CVE-2015-0334, CVE-2015-0336).
- A vulnerability that could lead to a cross-domain policy bypass (CVE-2015-0337).
- A vulnerability that could lead to a file upload restriction bypass (CVE-2015-0340).
- An integer overflow vulnerability that could lead to code execution (CVE-2015-0338).
- Use-after-free vulnerabilities that could lead to code execution (CVE-2015-0341, CVE-2015-0342).

I'm sorry, but you'll need to resubmit everything.
Comment 10 Stanislav Brabec 2015-03-12 20:23:06 UTC
Adobe first took the old advisory, and later fixed the CVE list.

I see that last update missed CVE-2015-0331. Adding it to the previous changes entry.

And fixing CVE-2016-0332 => CVE-2016-0332.


home:sbrabec:branches:multimedia:apps: created request id 290490 (going to auto-accept)
openSUSE:Factory:NonFree: New request # 290491
openSUSE:Maintenance: Using target project 'openSUSE:Maintenance'
290492
SUSE:SLE-12:Update: Using target project 'SUSE:Maintenance'
53140
SUSE:SLE-11-SP1:Update:Test: created request id 53142
Comment 11 Swamp Workflow Management 2015-03-13 11:04:59 UTC
openSUSE-SU-2015:0490-1: An update that fixes 11 vulnerabilities is now available.

Category: security (critical)
Bug References: 922033
CVE References: CVE-2015-0333,CVE-2015-0334,CVE-2015-0335,CVE-2015-0336,CVE-2015-0337,CVE-2015-0338,CVE-2015-0339,CVE-2015-0340,CVE-2015-0341,CVE-2015-0342,CVE-2016-0332
Sources used:
Comment 12 Swamp Workflow Management 2015-03-13 11:05:19 UTC
SUSE-SU-2015:0491-1: An update that fixes 11 vulnerabilities is now available.

Category: security (critical)
Bug References: 922033
CVE References: CVE-2015-0333,CVE-2015-0334,CVE-2015-0335,CVE-2015-0336,CVE-2015-0337,CVE-2015-0338,CVE-2015-0339,CVE-2015-0340,CVE-2015-0341,CVE-2015-0342,CVE-2016-0332
Sources used:
Comment 13 Johannes Segitz 2015-03-13 11:36:25 UTC
all updates released
Comment 14 Johannes Segitz 2015-03-13 12:57:08 UTC
(In reply to Johannes Segitz from comment #9)
And the list from Adobe's page was wrong once again. They meanwhile changed
CVE-2016-0332 to CVE-2015-0332
       ^                ^
Comment 15 Stanislav Brabec 2015-03-13 13:20:30 UTC
Comment 14: Hopefully (and thanks to the patchinfo generator, which sorts CVEs), I saw this bug and fixed it in the changes (I made the typo just in comment 10).
Comment 16 Johannes Segitz 2015-03-13 13:39:14 UTC
(In reply to Stanislav Brabec from comment #15)
Unfortunately I didn't use the changelog entry, since there were only the CVE numbers, but the description from Adobe's site. Because of that all updates reference the 2016 CVE in the text, the update for SLE 12 and openSUSE also in the metadata :(
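
The mismatch described in comments 14 to 16 (a mistyped year taken over from the vendor description while the changes entry was correct) can be caught before release by cross-checking the two sources. This is an added example, not part of the original bug report or of SUSE's tooling; the function names, the wording of the sample description and the use of 2015-03-13 as the advisory date are assumptions for illustration.

```python
import re
from datetime import date

CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b")

def extract_cves(text):
    """Return the set of CVE IDs mentioned anywhere in free text."""
    return {m.group(0) for m in CVE_RE.finditer(text)}

def check_cve_references(description, changelog, advisory_date):
    """Cross-check the CVE IDs of two sources that describe one update."""
    desc, chlog = extract_cves(description), extract_cves(changelog)
    only_desc, only_chlog = desc - chlog, chlog - desc
    year = lambda cve: int(cve.split("-")[1])
    seq = lambda cve: cve.split("-")[2]
    return {
        # Heuristic: an ID year after the advisory year needs manual review.
        "future_year": sorted(c for c in desc | chlog
                              if year(c) > advisory_date.year),
        "only_in_description": sorted(only_desc),
        "only_in_changelog": sorted(only_chlog),
        # Same sequence number but a different year: most likely a typo.
        "year_mismatch": sorted((a, b) for a in only_desc for b in only_chlog
                                if seq(a) == seq(b)),
    }

# Constructed sample input built from the CVE IDs quoted in this thread.
SAMPLE_DESCRIPTION = (
    "Memory corruption (CVE-2016-0332, CVE-2015-0333, CVE-2015-0335, "
    "CVE-2015-0339). Type confusion (CVE-2015-0334, CVE-2015-0336). "
    "Cross-domain policy bypass (CVE-2015-0337). File upload restriction "
    "bypass (CVE-2015-0340). Integer overflow (CVE-2015-0338). "
    "Use-after-free (CVE-2015-0341, CVE-2015-0342)."
)
SAMPLE_CHANGELOG = ", ".join(f"CVE-2015-{n:04d}" for n in range(332, 343))
SAMPLE_DATE = date(2015, 3, 13)

if __name__ == "__main__":
    report = check_cve_references(SAMPLE_DESCRIPTION, SAMPLE_CHANGELOG,
                                  SAMPLE_DATE)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Any non-empty field in the report is a reason to hold the patchinfo until both sources agree.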
Comment 17 Swamp Workflow Management 2015-03-13 17:05:01 UTC
SUSE-SU-2015:0493-1: An update that fixes 11 vulnerabilities is now available.

Category: security (critical)
Bug References: 922033
CVE References: CVE-2015-0332,CVE-2015-0333,CVE-2015-0334,CVE-2015-0335,CVE-2015-0336,CVE-2015-0337,CVE-2015-0338,CVE-2015-0339,CVE-2015-0340,CVE-2015-0341,CVE-2015-0342
Sources used:
SUSE Linux Enterprise Desktop 11 SP3 (src):    flash-player-11.2.202.451-0.3.1
Comment 18 Swamp Workflow Management 2015-04-16 11:06:29 UTC
openSUSE-SU-2015:0725-1: An update that fixes 45 vulnerabilities is now available.

Category: security (important)
Bug References: 856386,901334,905032,907257,909219,913057,914333,914463,922033,927089
CVE References: CVE-2014-0558,CVE-2014-0564,CVE-2014-0569,CVE-2014-0573,CVE-2014-0574,CVE-2014-0576,CVE-2014-0577,CVE-2014-0581,CVE-2014-0582,CVE-2014-0583,CVE-2014-0584,CVE-2014-0585,CVE-2014-0586,CVE-2014-0588,CVE-2014-0589,CVE-2014-0590,CVE-2014-8437,CVE-2014-8438,CVE-2014-8440,CVE-2014-8441,CVE-2014-8442,CVE-2015-0331,CVE-2015-0332,CVE-2015-0346,CVE-2015-0347,CVE-2015-0348,CVE-2015-0349,CVE-2015-0350,CVE-2015-0351,CVE-2015-0352,CVE-2015-0353,CVE-2015-0354,CVE-2015-0355,CVE-2015-0356,CVE-2015-0357,CVE-2015-0358,CVE-2015-0359,CVE-2015-0360,CVE-2015-3038,CVE-2015-3039,CVE-2015-3040,CVE-2015-3041,CVE-2015-3042,CVE-2015-3043,CVE-2015-3044
Sources used: