CVE-2010-1297: Security Advisory for Flash Player, Adobe Reader and Acrobat

Bug #591001 reported by Martin von Wittich on 2010-06-07
This bug affects 5 people
Affects: acroread (Ubuntu)
Importance: High
Assigned to: Brian Thomason
Nominated for Hardy by Hans Ridder
Nominated for Karmic by Pasi Sjöholm
Nominated for Lucid by Pasi Sjöholm

Affects: adobe-flashplugin (Ubuntu)
Importance: High
Assigned to: Brian Thomason
Nominated for Hardy by Hans Ridder
Nominated for Karmic by Pasi Sjöholm
Nominated for Lucid by Pasi Sjöholm

Affects: flashplugin-nonfree (Ubuntu)
Importance: High
Assigned to: Marc Deslauriers
Nominated for Hardy by Hans Ridder
Nominated for Karmic by Pasi Sjöholm
Nominated for Lucid by Pasi Sjöholm

Bug Description

Binary package hint: acroread

http://www.adobe.com/support/security/advisories/apsa10-01.html

A critical vulnerability exists in Adobe Flash Player 10.0.45.2 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems, and the authplay.dll component that ships with Adobe Reader and Acrobat 9.x for Windows, Macintosh and UNIX operating systems. This vulnerability (CVE-2010-1297) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild against both Adobe Flash Player, and Adobe Reader and Acrobat. This advisory will be updated once a schedule has been determined for releasing a fix.

[...]

Deleting, renaming, or removing access to the authplay.dll file that ships with Adobe Reader and Acrobat 9.x mitigates the threat for those products, but users will experience a non-exploitable crash or error message when opening a PDF file that contains SWF content.

Until there's a fix from Adobe, I'd recommend that an update that deletes/chmods 000 /opt/Adobe/Reader9/Reader/intellinux/lib/libauthplay.so.0.0.0 should be released.

visibility: private → public
Changed in acroread (Ubuntu):
status: New → Confirmed
importance: Undecided → High
Changed in adobe-flashplugin (Ubuntu):
status: New → Confirmed
importance: Undecided → High
Changed in flashplugin-nonfree (Ubuntu):
importance: Undecided → High
status: New → Confirmed
Changed in acroread (Ubuntu):
assignee: nobody → Brian Thomason (brian-thomason)
Changed in adobe-flashplugin (Ubuntu):
assignee: nobody → Brian Thomason (brian-thomason)
Changed in flashplugin-nonfree (Ubuntu):
assignee: nobody → Marc Deslauriers (mdeslaur)
Joel Ebel (jbebel) wrote :

Adobe has released 10.1, which resolves this security issue. Sadly there seem to be some compatibility problems with nspluginwrapper. It works for the most part, but certain operations, like right clicking, are failing. But there aren't a lot of options here. 64-bit flash isn't released, and nspluginwrapper is apparently unmaintained.

By the way, now would be a good time to include the patch I provided in bug 314637

tags: added: glucid
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package flashplugin-nonfree - 10.1.53.64ubuntu1

---------------
flashplugin-nonfree (10.1.53.64ubuntu1) maverick; urgency=low

  * SECURITY UPDATE: New upstream release 10.1.53.64 (LP: #591001)
    - debian/config, debian/postinst: Updated sha256sums and path
    - CVE-2010-1297
 -- Marc Deslauriers <email address hidden> Thu, 10 Jun 2010 16:06:31 -0400

Changed in flashplugin-nonfree (Ubuntu):
status: Confirmed → Fix Released
Joel Ebel (jbebel) wrote :

Maybe some day my patch will get in.

The instability is still there, but I guess it's a bug in nspluginwrapper, which is pretty much dead it seems. I'll go file the bug there just for kicks.

Marc Deslauriers (mdeslaur) wrote :

@Joel: sorry about that, I had already started building the packages.

I'll take a look at your patch for the next update.

Changed in adobe-flashplugin (Ubuntu):
status: Confirmed → Fix Released
Hans Ridder (hans-ridder) wrote :

Any reason flashplugin-nonfree (10.1.53.64ubuntu1) isn't available for Hardy LTS? I just saw an update for flashplugin-nonfree to 10.0.1.218+really9.0.277.0ubuntu1 that said it was a security fix, but according to Adobe this version doesn't have the fix. This page:

https://wiki.ubuntu.com/Releases

says that Hardy is supported until at least April 2011. I thought security fixes were the one major point of LTS releases.

I've nominated this bug for Hardy, but I'm new here so I don't know the correct process to get flashplugin-nonfree (10.1.53.64ubuntu1) on Hardy. Please let me know the correct process.

Marc Deslauriers (mdeslaur) wrote :

@Hans Ridder:

The hardy update is version 9.0.277.0. That version contains the latest fixes that Adobe released last Thursday.

Please see:

http://www.adobe.com/support/security/bulletins/apsb10-14.html

Hans Ridder (hans-ridder) wrote :

@Marc Deslauriers:

Ok, apparently one needs to read carefully to see that it is fixed. After saying repeatedly that the vulnerability affects "Adobe Flash Player version 10.0.45.2 and earlier" which would appear to rule out 9.0.277.0, the last paragraph under Solution for Flash Player says "For users who cannot update to Flash Player 10.1.53.64, Adobe has developed a patched version of Flash Player 9, Flash Player 9.0.277.0".

Perhaps off topic for this bug, but is there any reason 10.1 is not available for Hardy? There are more and more sites that don't support Flash 9. Adobe has a 10.1 .deb that seems to work on Hardy.
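Added example, not part of the bug thread or of any Ubuntu or Adobe tooling: the version confusion discussed above comes from two things, the "+really" package version and the patched Flash Player 9 branch. This sketch classifies a package version string against the thresholds quoted in the thread; the function names and the "unknown" bucket are assumptions made for illustration.

```python
import re

# Thresholds taken from the advisory text quoted in this thread.
LAST_AFFECTED = (10, 0, 45, 2)   # "10.0.45.2 and earlier" are affected
FIXED_10 = (10, 1, 53, 64)       # fixed Flash Player 10.1 release
FIXED_9 = (9, 0, 277, 0)         # patched Flash Player 9 release

_UPSTREAM = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def upstream_version(pkg_version):
    """Return the Flash version actually shipped by a Debian package version."""
    # Drop an epoch such as "1:" if present.
    version = pkg_version.split(":", 1)[-1]
    # "X+reallyY" means the package number is X but the contents are upstream Y.
    if "+really" in version:
        version = version.split("+really", 1)[1]
    match = _UPSTREAM.match(version)
    if match is None:
        raise ValueError("no four-part Flash version in %r" % pkg_version)
    return tuple(int(part) for part in match.groups())


def cve_2010_1297_status(pkg_version):
    """Classify a package version as 'fixed', 'affected' or 'unknown'."""
    version = upstream_version(pkg_version)
    if version >= FIXED_10:
        return "fixed"
    if version[0] == 9 and version >= FIXED_9:
        return "fixed"       # patched 9.x branch, although it sorts below 10.0.45.2
    if version <= LAST_AFFECTED:
        return "affected"
    return "unknown"         # between 10.0.45.2 and 10.1.53.64: the thread does not say


if __name__ == "__main__":
    # The first three strings appear in the thread; the last two are constructed.
    for v in ("10.1.53.64ubuntu1", "10.0.1.218+really9.0.277.0ubuntu1",
              "10.1.53.64-1", "10.0.45.2ubuntu1", "9.0.262.0"):
        print(v, "->", cve_2010_1297_status(v))
```

A comparison that reads only the leading number of the Hardy package (10.0.1.218) would report it as affected, which is the misreading the comments above work through.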

Marc Deslauriers (mdeslaur) wrote :

I think there were some problems with v10 on hardy, which is why it got reverted to v9. I think it was sound problems, but I don't recall off-hand.

If you want 10.1 on hardy, you can install the "adobe-flashplugin" package out of the partner repo.

Joel Ebel (jbebel) wrote :

Flash 10 wasn't included in Hardy because on 64-bit systems, ia32-libs was missing a bunch of newly required libraries. Possibly nspluginwrapper needed an update too.

Hans Ridder (hans-ridder) wrote :

I was getting Firefox crashes with the Hardy update version, 9.0.277.0, so I'd say there is still a problem with the CVE fix on Hardy that needs to be addressed. I don't know how to gather data to diagnose the crash or if anyone is willing to work on it.

To try 10.1, I didn't have the partner repository mentioned previously, despite the claim in the Hardy Release Notes that it should have been added during an upgrade:

https://wiki.ubuntu.com/HardyReleaseNotes#Commercial/partner%20repository

I have upgraded this system "automatically", all the way from Breezy.

I added the partner repository using Synaptic: Settings -> Repositories -> Third-Party Software -> Add. Enter the APT line from the above web page, click on Add Source, then click Close. If a warning dialog pops up, click Close. Click the Reload button. Search for "adobe" and install the "adobe-flashplugin" package.

This currently gets you adobe-flashplayer version 10.1.53.64-1, which is the same as you would find at:

http://get.adobe.com/flashplayer/

It hasn't crashed, so far, and it supports those sites that require Flash 10+.

Changed in acroread (Ubuntu):
status: Confirmed → Fix Released