Sam Morris
2008-May-27 18:41 UTC
[Secure-testing-team] Bug#483199: flashplugin-nonfree: Adobe Flash Player is prone to an unspecified remote code-execution vulnerability.
Package: flashplugin-nonfree
Version: 1:1.4
Severity: grave
Tags: security
Justification: user security hole

Adobe Flash Player is prone to an unspecified remote code-execution vulnerability. An attacker may exploit this issue to execute arbitrary code in the context of the affected application. Failed exploit attempts will likely result in denial-of-service conditions.

Adobe Flash Player 9.0.115.0 and 9.0.124.0 are vulnerable; other versions may also be affected.

<http://www.securityfocus.com/bid/29386>

-- System Information:
Debian Release: lenny/sid
APT prefers testing
APT policy: (530, 'testing'), (520, 'unstable'), (510, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.25-1-686 (SMP w/1 CPU core)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages flashplugin-nonfree depends on:
ii debconf [debconf-2.0] 1.5.22 Debian configuration management sy
ii fontconfig 2.5.0-2 generic font configuration library
ii gnupg 1.4.6-2.2 GNU privacy guard - a free PGP rep
ii libatk1.0-0 1.22.0-1 The ATK accessibility toolkit
ii libc6 2.7-10 GNU C Library: Shared libraries
ii libcairo2 1.6.4-1+b1 The Cairo 2D vector graphics libra
ii libexpat1 1.95.8-4 XML parsing C library - runtime li
ii libfontconfig1 2.5.0-2 generic font configuration library
ii libfreetype6 2.3.5-1+b1 FreeType 2 font engine, shared lib
ii libglib2.0-0 2.16.3-2 The GLib library of C routines
ii libgtk2.0-0 2.12.9-3 The GTK+ graphical user interface
ii libice6 2:1.0.4-1 X11 Inter-Client Exchange library
ii libpango1.0-0 1.20.2-2 Layout and rendering of internatio
ii libpng12-0 1.2.27-1 PNG library - runtime
ii libsm6 2:1.0.3-1+b1 X11 Session Management library
ii libx11-6 2:1.0.3-7 X11 client-side library
ii libxau6 1:1.0.3-3 X11 authorisation library
ii libxcursor1 1:1.1.9-1 X cursor management library
ii libxdmcp6 1:1.0.2-2 X11 Display Manager Control Protoc
ii libxext6 2:1.0.4-1 X11 miscellaneous extension librar
ii libxfixes3 1:4.0.3-2 X11 miscellaneous 'fixes' extensio
ii libxi6 2:1.1.3-1 X11 Input extension library
ii libxinerama1 2:1.0.3-1 X11 Xinerama extension library
ii libxrandr2 2:1.2.2-1 X11 RandR extension library
ii libxrender1 1:0.9.4-1 X Rendering Extension client libra
ii libxt6 1:1.0.5-3 X11 toolkit intrinsics library
ii wget 1.11.2-1 retrieves files from the web
ii zlib1g 1:1.2.3.3.dfsg-12 compression library - runtime

flashplugin-nonfree recommends no packages.

-- debconf information:
flashplugin-nonfree/httpget: false
flashplugin-nonfree/not_exist:
flashplugin-nonfree/http_proxy:
flashplugin-nonfree/local:
flashplugin-nonfree/delete: false
flashplugin-nonfree/failed:

Hideki Yamane
2008-May-30 05:12 UTC
[Secure-testing-team] Bug#483199: flashplugin-nonfree: Adobe Flash Player is prone to an unspecified remote code-execution vulnerability.
On Tue, 27 May 2008 19:41:23 +0100 Sam Morris <sam at robots.org.uk> wrote:
> Adobe Flash Player 9.0.115.0 and 9.0.124.0 are vulnerable; other versions may also be affected.

No, 9.0.124.0 is not vulnerable.

"This is not a zero-day exploit. Despite various reports that have been circulating, the Flash Player Standalone 9.0.124.0 and Linux Player 9.0.124.0 are NOT vulnerable to the exploits discussed in conjunction with the previously disclosed vulnerability Symantec posted on 5/27/08."

See http://blogs.adobe.com/psirt/2008/05/more_information_on_recent_fla.html

--
Regards,

Hideki Yamane henrich @ debian.or.jp/iijmio-mail.jp