PT-2015-2898 · Adobe+3 · Air Sdk & Compiler+6

Bilou

·

Published

2015-12-08

·

Updated

2017-02-17

·

CVE-2015-8445

CVSS v2.0

9.3

High

VectorAV:N/AC:M/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions Adobe Flash Player versions prior to 18.0.0.268 Adobe Flash Player versions 19.x Adobe Flash Player versions 20.x prior to 20.0.0.228 Adobe AIR versions prior to 20.0.0.204 Adobe AIR SDK versions prior to 20.0.0.204 Adobe AIR SDK & Compiler versions prior to 20.0.0.204 Adobe Flash Player version prior to 11.2.202.554 on Linux
Description The issue is caused by an integer overflow in the Shader filter implementation, allowing attackers to execute arbitrary code via a large BitmapData source object. This can be exploited by a remote attacker to execute arbitrary code.
Recommendations For Adobe Flash Player versions prior to 18.0.0.268, update to version 18.0.0.268 or later. For Adobe Flash Player versions 19.x, update to a version that includes the fix. For Adobe Flash Player versions 20.x prior to 20.0.0.228, update to version 20.0.0.228 or later. For Adobe AIR versions prior to 20.0.0.204, update to version 20.0.0.204 or later. For Adobe AIR SDK versions prior to 20.0.0.204, update to version 20.0.0.204 or later. For Adobe AIR SDK & Compiler versions prior to 20.0.0.204, update to version 20.0.0.204 or later. For Adobe Flash Player version prior to 11.2.202.554 on Linux, update to version 11.2.202.554 or later. As a temporary workaround, consider restricting the use of large BitmapData source objects until a patch is available.

Fix

Integer Overflow

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-189CWE-190

Related Identifiers

ALT-PU-2015-2079
BDU:2015-12264
CVE-2015-8445
MGASA-2015-0468
OPENSUSE-SU-2015_2239-1
RHSA-2015:2593
RHSA-2015_2593
SUSE-SU-2015:2236-1
SUSE-SU-2015:2247-1
ZDI-15-608

Affected Products

Alt Linux
Air
Air Sdk
Air Sdk & Compiler
Flash Player
Red Hat
Suse