Arch Linux Security Advisory ASA-201507-13 ==========================================
Severity: Critical Date : 2015-07-16 CVE-ID : CVE-2015-5122 CVE-2015-5123 Package : flashplugin Type : arbitrary code execution Remote : Yes Link : https://wiki.archlinux.org/index.php/CVE Summary ======= The package flashplugin before version 11.2.202.491-1 is vulnerable to arbitrary code execution. Resolution ========== Upgrade to 11.2.202.491-1. # pacman -Syu "flashplugin>=11.2.202.491-1" The problems have been fixed upstream in version 11.2.202.491. Workaround ========== None. Description =========== - CVE-2015-5122 (arbitrary code execution) Use-after-free vulnerability in the DisplayObject class in the ActionScript 3 (AS3) implementation allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted Flash content that leverages improper handling of the opaqueBackground property. - CVE-2015-5123 (arbitrary code execution) Use-after-free vulnerability in the BitmapData class in the ActionScript 3 (AS3) implementation allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted Flash content that overrides a valueOf function. Impact ====== A remote attacker is able to use a specially crafted flash application to execute arbitrary code. References ========== https://helpx.adobe.com/security/products/flash-player/apsb15-18.html https://access.redhat.com/security/cve/CVE-2015-5122 https://access.redhat.com/security/cve/CVE-2015-5123
signature.asc
Description: OpenPGP digital signature
