Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
[ GLSA 200908-04 ] Adobe products: Multiple vulnerabilities
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index News & Announcements
View previous topic :: View next topic  
Author Message
GLSA
Advocate
Advocate


Joined: 12 May 2004
Posts: 2663

PostPosted: Sat Aug 22, 2009 3:26 am    Post subject: [ GLSA 200908-04 ] Adobe products: Multiple vulnerabilities Reply with quote

Gentoo Linux Security Advisory

Title: Adobe products: Multiple vulnerabilities (GLSA 200908-04)
Severity: normal
Exploitable: remote
Date: August 07, 2009
Bug(s): #278813, #278819
ID: 200908-04

Synopsis


Multiple vulnerabilities in Adobe Reader and Adobe Flash Player allow for
attacks including the remote execution of arbitrary code.


Background


Adobe Flash Player is a closed-source playback software for Flash SWF
files. Adobe Reader is a closed-source PDF reader that plays Flash
content as well.


Affected Packages

Package: www-plugins/adobe-flash
Vulnerable: < 10.0.32.18
Unaffected: >= 10.0.32.18
Architectures: All supported architectures

Package: app-text/acroread
Vulnerable: < 9.1.3
Unaffected: >= 9.1.3
Architectures: All supported architectures


Description


Multiple vulnerabilities have been reported in Adobe Flash Player:
  • lakehu of Tencent Security Center reported an unspecified
    memory corruption vulnerability (CVE-2009-1862).
  • Mike Wroe
    reported an unspecified vulnerability, related to "privilege
    escalation" (CVE-2009-1863).
  • An anonymous researcher through
    iDefense reported an unspecified heap-based buffer overflow
    (CVE-2009-1864).
  • Chen Chen of Venustech reported an
    unspecified "null pointer vulnerability" (CVE-2009-1865).
  • Chen
    Chen of Venustech reported an unspecified stack-based buffer overflow
    (CVE-2009-1866).
  • Joran Benker reported that Adobe Flash Player
    facilitates "clickjacking" attacks (CVE-2009-1867).
  • Jun Mao of
    iDefense reported a heap-based buffer overflow, related to URL parsing
    (CVE-2009-1868).
  • Roee Hay of IBM Rational Application Security
    reported an unspecified integer overflow (CVE-2009-1869).
  • Gareth Heyes and Microsoft Vulnerability Research reported that the
    sandbox in Adobe Flash Player allows for information disclosure, when
    "SWFs are saved to the hard drive" (CVE-2009-1870).


Impact


A remote attacker could entice a user to open a specially crafted PDF
file or web site containing Adobe Flash (SWF) contents, possibly
resulting in the execution of arbitrary code with the privileges of the
user running the application, or a Denial of Service (application
crash). Furthermore, a remote attacker could trick a user into clicking
a button on a dialog by supplying a specially crafted SWF file and
disclose sensitive information by exploiting a sandbox issue.


Workaround


There is no known workaround at this time.


Resolution


All Adobe Flash Player users should upgrade to the latest version:
Code:
# emerge --sync
    # emerge --ask --oneshot --verbose ">=www-plugins/adobe-flash-10.0.32.18"

All Adobe Reader users should upgrade to the latest version:
Code:
# emerge --sync
    # emerge --ask --oneshot --verbose ">=app-text/acroread-9.1.3"


References

CVE-2009-1862
CVE-2009-1863
CVE-2009-1864
CVE-2009-1865
CVE-2009-1866
CVE-2009-1867
CVE-2009-1868
CVE-2009-1869
CVE-2009-1870
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index News & Announcements All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum