Bug 1404307 (CVE-2016-7867, CVE-2016-7868, CVE-2016-7869, CVE-2016-7870, CVE-2016-7871, CVE-2016-7872, CVE-2016-7873, CVE-2016-7874, CVE-2016-7875, CVE-2016-7876, CVE-2016-7877, CVE-2016-7878, CVE-2016-7879, CVE-2016-7880, CVE-2016-7881, CVE-2016-7890, CVE-2016-7892)

Summary: flash-plugin: multiple code execution issues fixed in APSB16-39
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: urgent Docs Contact:
Priority: urgent    
Version: unspecifiedCC: ajb, ed.costello, emhuang, mmelanso, mtilburg, phil, stransky, toracat
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: flash-plugin 24.0.0.186 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-02-01 11:06:50 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1404311, 1404312, 1404313    
Bug Blocks: 1404310    

Description Adam Mariš 2016-12-13 15:10:48 UTC 
Adobe Security Bulletin APSB16-39 for Adobe Flash Player describes multiple flaws that can possibly lead to code execution when Flash Player is used to play a specially crafted SWF file.

Quoting from the APSB16-39:

These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2016-7872, CVE-2016-7877, CVE-2016-7878, CVE-2016-7879, CVE-2016-7880, CVE-2016-7881, CVE-2016-7892).

These updates resolve buffer overflow vulnerabilities that could lead to code execution (CVE-2016-7867, CVE-2016-7868, CVE-2016-7869, CVE-2016-7870).

These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2016-7871, CVE-2016-7873, CVE-2016-7874, CVE-2016-7875, CVE-2016-7876).

These updates resolve a security bypass vulnerability (CVE-2016-7890).

External References:

https://helpx.adobe.com/security/products/flash-player/apsb16-39.html
Comment 2 errata-xmlrpc 2016-12-14 13:02:14 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Supplementary

Via RHSA-2016:2947 https://rhn.redhat.com/errata/RHSA-2016-2947.html
Comment 4 Phil Perry 2016-12-26 15:18:02 UTC 
Are there any plans to fix this in RHEL5?
Comment 5 Tomas Hoger 2017-01-02 09:47:41 UTC 
New Flash version is no longer compatible with Red Hat Enterprise Linux 5, see bug 1404590.