Arch Linux update for flashplugin
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 13 |
| CVE-ID | CVE-2017-2925 CVE-2017-2926 CVE-2017-2927 CVE-2017-2928 CVE-2017-2930 CVE-2017-2931 CVE-2017-2932 CVE-2017-2933 CVE-2017-2934 CVE-2017-2935 CVE-2017-2936 CVE-2017-2937 CVE-2017-2938 |
| CWE-ID | CWE-119 CWE-125 CWE-416 CWE-122 CWE-200 |
| Exploitation vector | Network |
| Public exploit |
Public exploit code for vulnerability #5 is available. Public exploit code for vulnerability #6 is available. Public exploit code for vulnerability #7 is available. Public exploit code for vulnerability #8 is available. Public exploit code for vulnerability #9 is available. Public exploit code for vulnerability #10 is available. |
| Vulnerable software |
Arch Linux Operating systems & Components / Operating system |
| Vendor | Arch Linux |
Security Bulletin
This security bulletin contains information about 13 vulnerabilities.
1) Memory corruption
EUVDB-ID: #VU4096
Risk: High
CVSSv4.0: 5.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2017-2925
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allow a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to boundary error when processing .swf files. A remote attacker can create a specially crafted. swf file, trick the victim into opening it, cause memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected package flashplugin to version 24.0.0.194-1.
Vulnerable software versionsArch Linux: All versions
CPE2.3 External linkshttps://security.archlinux.org/advisory/ASA-201701-16
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Memory corruption
EUVDB-ID: #VU4097
Risk: High
CVSSv4.0: 5.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2017-2926
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allow a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to boundary error when processing .swf files. A remote attacker can create a specially crafted. swf file, trick the victim into opening it, cause memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected package flashplugin to version 24.0.0.194-1.
Vulnerable software versionsArch Linux: All versions
CPE2.3 External linkshttps://security.archlinux.org/advisory/ASA-201701-16
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Heap-based buffer overflow
EUVDB-ID: #VU4092
Risk: High
CVSSv4.0: 5.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2017-2927
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allow a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to boundary error when processing .swf files. A remote attacker can create a specially crafted. swf file, trick the victim into opening it, cause heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected package flashplugin to version 24.0.0.194-1.
Vulnerable software versionsArch Linux: All versions
CPE2.3 External linkshttps://security.archlinux.org/advisory/ASA-201701-16
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Memory corruption
EUVDB-ID: #VU4098
Risk: High
CVSSv4.0: 5.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2017-2928
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allow a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to boundary error when processing .swf files. A remote attacker can create a specially crafted. swf file, trick the victim into opening it, cause memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected package flashplugin to version 24.0.0.194-1.
Vulnerable software versionsArch Linux: All versions
CPE2.3 External linkshttps://security.archlinux.org/advisory/ASA-201701-16
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Memory corruption
EUVDB-ID: #VU4099
Risk: High
CVSSv4.0: 7.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]
CVE-ID: CVE-2017-2930
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: Yes
DescriptionThe vulnerability allow a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to boundary error when processing .swf files. A remote attacker can create a specially crafted. swf file, trick the victim into opening it, cause memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected package flashplugin to version 24.0.0.194-1.
Vulnerable software versionsArch Linux: All versions
CPE2.3 External linkshttps://security.archlinux.org/advisory/ASA-201701-16
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
6) Memory corruption
EUVDB-ID: #VU4100
Risk: High
CVSSv4.0: 7.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]
CVE-ID: CVE-2017-2931
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: Yes
DescriptionThe vulnerability allow a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to boundary error when processing .swf files. A remote attacker can create a specially crafted. swf file, trick the victim into opening it, cause memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected package flashplugin to version 24.0.0.194-1.
Vulnerable software versionsArch Linux: All versions
CPE2.3 External linkshttps://security.archlinux.org/advisory/ASA-201701-16
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
7) Use-after-free error
EUVDB-ID: #VU4089
Risk: High
CVSSv4.0: 7.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]
CVE-ID: CVE-2017-2932
CWE-ID:
CWE-416 - Use After Free
Exploit availability: Yes
DescriptionThe vulnerability allow a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to use-after-free error when processing .swf files. A remote attacker can create a specially crafted. swf file, trick the victim into opening it, cause memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected package flashplugin to version 24.0.0.194-1.
Vulnerable software versionsArch Linux: All versions
CPE2.3 External linkshttps://security.archlinux.org/advisory/ASA-201701-16
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
8) Heap-based buffer overflow
EUVDB-ID: #VU4093
Risk: High
CVSSv4.0: 7.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]
CVE-ID: CVE-2017-2933
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: Yes
DescriptionThe vulnerability allow a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to boundary error when processing thumbnails within .swf files. A remote attacker can create a specially crafted.thumbnail, trick the victim into opening it using Flash Player, cause heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected package flashplugin to version 24.0.0.194-1.
Vulnerable software versionsArch Linux: All versions
CPE2.3 External linkshttps://security.archlinux.org/advisory/ASA-201701-16
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
9) Heap-based buffer overflow
EUVDB-ID: #VU4094
Risk: High
CVSSv4.0: 7.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]
CVE-ID: CVE-2017-2934
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: Yes
DescriptionThe vulnerability allow a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to boundary error when decompressing planar block within .swf files. A remote attacker can create a specially crafted. atf file, trick the victim into opening it using Flash Player, cause heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected package flashplugin to version 24.0.0.194-1.
Vulnerable software versionsArch Linux: All versions
CPE2.3 External linkshttps://security.archlinux.org/advisory/ASA-201701-16
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
10) Heap-based buffer overflow
EUVDB-ID: #VU4095
Risk: High
CVSSv4.0: 7.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]
CVE-ID: CVE-2017-2935
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: Yes
DescriptionThe vulnerability allow a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to boundary error when processing AVC header slicing within .swf files. A remote attacker can create a specially crafted. flv file, trick the victim into opening it using Flash Player, cause heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected package flashplugin to version 24.0.0.194-1.
Vulnerable software versionsArch Linux: All versions
CPE2.3 External linkshttps://security.archlinux.org/advisory/ASA-201701-16
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
11) Use-after-free error
EUVDB-ID: #VU4090
Risk: High
CVSSv4.0: 5.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2017-2936
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allow a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to use-after-free error when processing .swf files. A remote attacker can create a specially crafted. swf file, trick the victim into opening it, cause memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected package flashplugin to version 24.0.0.194-1.
Vulnerable software versionsArch Linux: All versions
CPE2.3 External linkshttps://security.archlinux.org/advisory/ASA-201701-16
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
12) Use-after-free error
EUVDB-ID: #VU4091
Risk: High
CVSSv4.0: 5.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2017-2937
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allow a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to use-after-free error when processing .swf files. A remote attacker can create a specially crafted. swf file, trick the victim into opening it, cause memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected package flashplugin to version 24.0.0.194-1.
Vulnerable software versionsArch Linux: All versions
CPE2.3 External linkshttps://security.archlinux.org/advisory/ASA-201701-16
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
13) Information disclosure
EUVDB-ID: #VU4088
Risk: Low
CVSSv4.0: 1.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-2938
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive data.
The vulnerability exists due to unknown error when handling .swf files. A remote attacker can create a specially crafted web page, trick the victim into visiting it and obtain potentially sensitive information. MitigationUpdate the affected package flashplugin to version 24.0.0.194-1.
Vulnerable software versionsArch Linux: All versions
CPE2.3 External linkshttps://security.archlinux.org/advisory/ASA-201701-16
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
