Arch Linux Security Advisory ASA-201411-11
=========================================
Severity: Critical
Date    : 2014-11-13
CVE-ID  : CVE-2014-0573, CVE-2014-0574, CVE-2014-0576, CVE-2014-0577,
CVE-2014-0581, CVE-2014-0582, CVE-2014-0583, CVE-2014-0584,
CVE-2014-0585, CVE-2014-0586, CVE-2014-0588, CVE-2014-0589,
CVE-2014-0590, CVE-2014-8437, CVE-2014-8438, CVE-2014-8440,
CVE-2014-8441, CVE-2014-8442
Package : flashplugin
Type    : remote code execution
Remote  : Yes
Link    : https://wiki.archlinux.org/title/CVE-2014

Summary
======
The package flashplugin before version 11.2.202.418-1 is
vulnerable to multiple flaws, allowing arbitrary remote code execution.

Resolution
=========
Upgrade to 11.2.202.418-1.

# pacman -Syu "flashplugin>=11.2.202.418-1"

The problem has been fixed upstream in version 11.2.202.418.

Workaround
=========
Disable or remove the flash plugin.

Description
==========
These updates resolve memory corruption vulnerabilities that could lead
to code execution (CVE-2014-0576, CVE-2014-0581, CVE-2014-8440,
CVE-2014-8441).

These updates resolve use-after-free vulnerabilities that could lead to
code execution (CVE-2014-0573, CVE-2014-0588, CVE-2014-8438).

These updates resolve a double free vulnerability that could lead to
code execution (CVE-2014-0574).

These updates resolve type confusion vulnerabilities that could lead to
code execution (CVE-2014-0577, CVE-2014-0584, CVE-2014-0585,
CVE-2014-0586, CVE-2014-0590).

These updates resolve heap buffer overflow vulnerabilities that could
lead to code execution (CVE-2014-0582, CVE-2014-0589).

These updates resolve an information disclosure vulnerability that could
be exploited to disclose session tokens (CVE-2014-8437).

These updates resolve a heap buffer overflow vulnerability that could be
exploited to perform privilege escalation from low to medium integrity
level (CVE-2014-0583).

These updates resolve a permission issue that could be exploited to
perform privilege escalation from low to medium integrity level
(CVE-2014-8442).

Impact
=====
A remote attacker in position of a man-in-the-middle or a malicious
website can remotely execute arbitrary code with the privileges of the
current user.

References
=========
https://bugs.archlinux.org/task/42769
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0573
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0574
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0576
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0577
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0581
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0582
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0583
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0584
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0585
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0586
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0588
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0589
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0590
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8437
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8438
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8440
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8441
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8442

ArchLinux: 201411-11: flashplugin: remote code execution

November 13, 2014

Summary

These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2014-0576, CVE-2014-0581, CVE-2014-8440, CVE-2014-8441). These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2014-0573, CVE-2014-0588, CVE-2014-8438).
These updates resolve a double free vulnerability that could lead to code execution (CVE-2014-0574).
These updates resolve type confusion vulnerabilities that could lead to code execution (CVE-2014-0577, CVE-2014-0584, CVE-2014-0585, CVE-2014-0586, CVE-2014-0590).
These updates resolve heap buffer overflow vulnerabilities that could lead to code execution (CVE-2014-0582, CVE-2014-0589).
These updates resolve an information disclosure vulnerability that could be exploited to disclose session tokens (CVE-2014-8437).
These updates resolve a heap buffer overflow vulnerability that could be exploited to perform privilege escalation from low to medium integrity level (CVE-2014-0583).
These updates resolve a permission issue that could be exploited to perform privilege escalation from low to medium integrity level (CVE-2014-8442).

Resolution

Upgrade to 11.2.202.418-1. # pacman -Syu "flashplugin>=11.2.202.418-1"
The problem has been fixed upstream in version 11.2.202.418.

References

https://bugs.archlinux.org/task/42769 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0573 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0574 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0576 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0577 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0581 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0582 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0583 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0584 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0585 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0586 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0588 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0589 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0590 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8437 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8438 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8440 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8441 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8442

Severity
CVE-2014-0581, CVE-2014-0582, CVE-2014-0583, CVE-2014-0584,
CVE-2014-0585, CVE-2014-0586, CVE-2014-0588, CVE-2014-0589,
CVE-2014-0590, CVE-2014-8437, CVE-2014-8438, CVE-2014-8440,
CVE-2014-8441, CVE-2014-8442
Package : flashplugin
Type : remote code execution
Remote : Yes
Link : https://wiki.archlinux.org/title/CVE-2014

Workaround

Disable or remove the flash plugin.

Related News

Parrot OS 6.3: Elevating Security with Enhanced Features & Tools
3 - 5 min read
Parrot OS 6.3 has just arrived , bringing crucial updates that security admins should note. This latest version of the popular secure Linux
Linux Kernel 6.14 Released: Top Security Features You Need to Know
3 - 6 min read
With the release of Linux kernel 6.14 , admins and Linux users have many new features and enhancements to look forward to - especially in the realm
Don
2 - 4 min read
Google recently issued a crucial Chrome update that those using a version of the browser prior to version 132.0.6834.110 should implement
Intel Brings Next-Level Security to Linux with Partner Security Engine
3 - 6 min read
Intel recently introduced a game-changer in hardware security with its new Partner Security Engine integrated into the Core Ultra Series 2. This
A Tiny Linux Kernel Tweak with Massive Implications for Datacenter Efficiency
3 - 6 min read
In a groundbreaking development, security researchers have introduced a small but mighty tweak to the Linux kernel that promises to cut data center
Best Practices for Securing Linux Systems Against Malicious Bots
3 - 6 min read
Linux systems have long been an indispensable asset to businesses and individuals alike. From running servers and cloud infrastructure to powering
Securing Open-Source Projects with Automated Testing on Linux
4 - 7 min read
Open-source project security testing focuses on many components, ensuring there are no safety vulnerabilities. These components include physical
KaOS Linux 2025.01: Merging Security with Practicality
3 - 6 min read
As the realm of Linux distribution expands, security admins find themselves faced with choosing a system that fits operational needs and upholds

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved