Bug 930677 (CVE-2015-3085) - VUL-0: CVE-2015-3085: (Pwn2Own) Adobe Flash Player BrokerCreateFile Broker Method Path Traversal Sandbox Escape Vulnerability
Status: RESOLVED FIXED
Alias: CVE-2015-3085
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium, Severity: Normal
Target Milestone: ---
Deadline: 2015-05-27
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/116653/
Whiteboard: maint:released:sle11-sp3:61723
Reported: 2015-05-13 07:25 UTC by Sebastian Krahmer
Modified: 2015-05-29 14:44 UTC

Found By: Security Response Team
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Sebastian Krahmer 2015-05-13 07:25:16 UTC
CVE-2015-3085

This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Adobe Flash Player. User interaction is required to
exploit this vulnerability in that the target must visit a malicious page or
open a malicious file.

The specific flaw exists within the BrokerCreateFile method. An attacker can
force BrokerCreateFile to traverse the path of the output file, allowing the
file to be written anywhere on disk. An attacker can leverage this vulnerability
to execute code at medium integrity.



References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3085
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3085
http://www.zerodayinitiative.com/advisories/ZDI-15-216/

Along with this bug, others have been fixed in the latest Adobe
security update:

https://helpx.adobe.com/security/products/flash-player/apsb15-09.html
Comment 2 Alexander Bergmann 2015-05-13 10:15:39 UTC
This would affect SLE-11-SP3 and SLE-12. No LTSS no TD.
Also openSUSE 13.1 and 13.2.

Just for referencing all CVEs:
----------------------------------------------------------------------------
Adobe would like to thank the following individuals and organizations for reporting the relevant issues and for working with Adobe to help protect our customers:

* bilou, working with the Chromium Vulnerability Reward Program
  (CVE-2015-3080, CVE-2015-3093, CVE-2015-3089, CVE-2015-3087, CVE-2015-3088)   
* Chris Evans of Google Project Zero (CVE-2015-3078, CVE-2015-3090,
  CVE-2015-3091, CVE-2015-3092)
* Jietao Yang and Jihui Lu of KeenTeam (@K33nTeam) (CVE-2015-3083)  
* Jietao Yang of KeenTeam (@K33nTeam) (CVE-2015-3082) 
* Jihui Lu of KeenTeam (@K33nTeam) (CVE-2015-3081) 
* Jouko Pynnönen of Klikki Oy (CVE-2015-3044, CVE-2015-3079)
* Natalie Silvanovich of Google Project Zero (CVE-2015-3077, CVE-2015-3084,
  CVE-2015-3086) 
* Nicolas Joly working with HP's Zero Day Initiative (CVE-2015-3085)
----------------------------------------------------------------------------
Comment 3 Swamp Workflow Management 2015-05-13 10:17:05 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2015-05-27.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/61713
Comment 4 Stanislav Brabec 2015-05-13 13:20:07 UTC
home:sbrabec:branches:multimedia:apps: created request id 306806 (going to auto-accept)
openSUSE:Factory:NonFree: 
New request # 306807
openSUSE:Maintenance: Using target project 'openSUSE:Maintenance'
306808
SUSE:SLE-12:Update: Using target project 'SUSE:Maintenance'
57580
SUSE:SLE-11-SP1:Update:Test: created request id 57582

Report created by 6-flash-player-update-submit-all.sh.

By the way, scripts now work perfectly.
Comment 5 Swamp Workflow Management 2015-05-14 18:05:04 UTC
SUSE-SU-2015:0878-1: An update that fixes 18 vulnerabilities is now available.

Category: security (important)
Bug References: 930677
CVE References: CVE-2015-3044,CVE-2015-3077,CVE-2015-3078,CVE-2015-3079,CVE-2015-3080,CVE-2015-3081,CVE-2015-3082,CVE-2015-3083,CVE-2015-3084,CVE-2015-3085,CVE-2015-3086,CVE-2015-3087,CVE-2015-3088,CVE-2015-3089,CVE-2015-3090,CVE-2015-3091,CVE-2015-3092,CVE-2015-3093
Sources used:
Comment 6 Swamp Workflow Management 2015-05-14 22:05:02 UTC
SUSE-SU-2015:0880-1: An update that fixes 18 vulnerabilities is now available.

Category: security (moderate)
Bug References: 930677
CVE References: CVE-2015-3044,CVE-2015-3077,CVE-2015-3078,CVE-2015-3079,CVE-2015-3080,CVE-2015-3081,CVE-2015-3082,CVE-2015-3083,CVE-2015-3084,CVE-2015-3085,CVE-2015-3086,CVE-2015-3087,CVE-2015-3088,CVE-2015-3089,CVE-2015-3090,CVE-2015-3091,CVE-2015-3092,CVE-2015-3093
Sources used:
SUSE Linux Enterprise Desktop 11 SP3 (src):    flash-player-11.2.202.460-0.3.1
Comment 7 Swamp Workflow Management 2015-05-15 22:05:13 UTC
openSUSE-SU-2015:0890-1: An update that fixes 18 vulnerabilities is now available.

Category: security (important)
Bug References: 930677
CVE References: CVE-2015-3044,CVE-2015-3077,CVE-2015-3078,CVE-2015-3079,CVE-2015-3080,CVE-2015-3081,CVE-2015-3082,CVE-2015-3083,CVE-2015-3084,CVE-2015-3085,CVE-2015-3086,CVE-2015-3087,CVE-2015-3088,CVE-2015-3089,CVE-2015-3090,CVE-2015-3091,CVE-2015-3092,CVE-2015-3093
Sources used:
Comment 8 Swamp Workflow Management 2015-05-19 15:05:03 UTC
openSUSE-SU-2015:0914-1: An update that fixes 18 vulnerabilities is now available.

Category: security (important)
Bug References: 930677
CVE References: CVE-2015-3044,CVE-2015-3077,CVE-2015-3078,CVE-2015-3079,CVE-2015-3080,CVE-2015-3081,CVE-2015-3082,CVE-2015-3083,CVE-2015-3084,CVE-2015-3085,CVE-2015-3086,CVE-2015-3087,CVE-2015-3088,CVE-2015-3089,CVE-2015-3090,CVE-2015-3091,CVE-2015-3092,CVE-2015-3093
Sources used:
Comment 9 Andreas Stieger 2015-05-29 14:44:02 UTC
All released