Security update for flash-player SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2016:3148-1 Final 1 1 2016-12-14T10:10:26Z current 2016-12-14T10:10:26Z 2016-12-14T10:10:26Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for flash-player This update for flash-player fixes the following issues: - Security update to 24.0.0.186 (bsc#1015379) APSB16-39: * These updates resolve use-after-free vulnerabilities that could have lead to code execution (CVE-2016-7872, CVE-2016-7877, CVE-2016-7878, CVE-2016-7879, CVE-2016-7880, CVE-2016-7881, CVE-2016-7892). * These updates resolve buffer overflow vulnerabilities that could have lead to code execution (CVE-2016-7867, CVE-2016-7868, CVE-2016-7869, CVE-2016-7870). * These updates resolve memory corruption vulnerabilities that could have lead to code execution (CVE-2016-7871, CVE-2016-7873, CVE-2016-7874, CVE-2016-7875, CVE-2016-7876). * These updates resolve a security bypass vulnerability (CVE-2016-7890). - Keep standalone flashplayer at version 11, no newer version exists (INSECURE!). - Update EULA to version 24.0. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLE-DESKTOP-12-SP1-2016-1816,SUSE-SLE-WE-12-SP1-2016-1816 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2016/suse-su-20163148-1/ Link for SUSE-SU-2016:3148-1 https://lists.opensuse.org/opensuse-security-announce/2016-12/msg00064.html E-Mail link for SUSE-SU-2016:3148-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1015379 SUSE Bug 1015379 https://www.suse.com/security/cve/CVE-2016-7867/ SUSE CVE CVE-2016-7867 page https://www.suse.com/security/cve/CVE-2016-7868/ SUSE CVE CVE-2016-7868 page https://www.suse.com/security/cve/CVE-2016-7869/ SUSE CVE CVE-2016-7869 page https://www.suse.com/security/cve/CVE-2016-7870/ SUSE CVE CVE-2016-7870 page https://www.suse.com/security/cve/CVE-2016-7871/ SUSE CVE CVE-2016-7871 page https://www.suse.com/security/cve/CVE-2016-7872/ SUSE CVE CVE-2016-7872 page https://www.suse.com/security/cve/CVE-2016-7873/ SUSE CVE CVE-2016-7873 page https://www.suse.com/security/cve/CVE-2016-7874/ SUSE CVE CVE-2016-7874 page https://www.suse.com/security/cve/CVE-2016-7875/ SUSE CVE CVE-2016-7875 page https://www.suse.com/security/cve/CVE-2016-7876/ SUSE CVE CVE-2016-7876 page https://www.suse.com/security/cve/CVE-2016-7877/ SUSE CVE CVE-2016-7877 page https://www.suse.com/security/cve/CVE-2016-7878/ SUSE CVE CVE-2016-7878 page https://www.suse.com/security/cve/CVE-2016-7879/ SUSE CVE CVE-2016-7879 page https://www.suse.com/security/cve/CVE-2016-7880/ SUSE CVE CVE-2016-7880 page https://www.suse.com/security/cve/CVE-2016-7881/ SUSE CVE CVE-2016-7881 page https://www.suse.com/security/cve/CVE-2016-7890/ SUSE CVE CVE-2016-7890 page https://www.suse.com/security/cve/CVE-2016-7892/ SUSE CVE CVE-2016-7892 page SUSE Linux Enterprise Desktop 12 SP1 SUSE Linux Enterprise Workstation Extension 12 SP1 flash-player-24.0.0.186-152.1 flash-player-gnome-24.0.0.186-152.1 flash-player-24.0.0.186-152.1 as a component of SUSE Linux Enterprise Desktop 12 SP1 flash-player-gnome-24.0.0.186-152.1 as a component of SUSE Linux Enterprise Desktop 12 SP1 flash-player-24.0.0.186-152.1 as a component of SUSE Linux Enterprise Workstation Extension 12 SP1 flash-player-gnome-24.0.0.186-152.1 as a component of SUSE Linux Enterprise Workstation Extension 12 SP1 Adobe Flash Player versions 23.0.0.207 and earlier, 11.2.202.644 and earlier have an exploitable buffer overflow / underflow vulnerability in the RegExp class related to bookmarking in searches. Successful exploitation could lead to arbitrary code execution. CVE-2016-7867 SUSE Linux Enterprise Desktop 12 SP1:flash-player-24.0.0.186-152.1 SUSE Linux Enterprise Desktop 12 SP1:flash-player-gnome-24.0.0.186-152.1 SUSE Linux Enterprise Workstation Extension 12 SP1:flash-player-24.0.0.186-152.1 SUSE Linux Enterprise Workstation Extension 12 SP1:flash-player-gnome-24.0.0.186-152.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20163148-1/ https://www.suse.com/security/cve/CVE-2016-7867.html CVE-2016-7867 https://bugzilla.suse.com/1015379 SUSE Bug 1015379 Adobe Flash Player versions 23.0.0.207 and earlier, 11.2.202.644 and earlier have an exploitable buffer overflow / underflow vulnerability in the RegExp class related to alternation functionality. Successful exploitation could lead to arbitrary code execution. CVE-2016-7868 SUSE Linux Enterprise Desktop 12 SP1:flash-player-24.0.0.186-152.1 SUSE Linux Enterprise Desktop 12 SP1:flash-player-gnome-24.0.0.186-152.1 SUSE Linux Enterprise Workstation Extension 12 SP1:flash-player-24.0.0.186-152.1 SUSE Linux Enterprise Workstation Extension 12 SP1:flash-player-gnome-24.0.0.186-152.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20163148-1/ https://www.suse.com/security/cve/CVE-2016-7868.html CVE-2016-7868 https://bugzilla.suse.com/1015379 SUSE Bug 1015379 Adobe Flash Player versions 23.0.0.207 and earlier, 11.2.202.644 and earlier have an exploitable buffer overflow / underflow vulnerability in the RegExp class related to backtrack search functionality. Successful exploitation could lead to arbitrary code execution. CVE-2016-7869 SUSE Linux Enterprise Desktop 12 SP1:flash-player-24.0.0.186-152.1 SUSE Linux Enterprise Desktop 12 SP1:flash-player-gnome-24.0.0.186-152.1 SUSE Linux Enterprise Workstation Extension 12 SP1:flash-player-24.0.0.186-152.1 SUSE Linux Enterprise Workstation Extension 12 SP1:flash-player-gnome-24.0.0.186-152.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20163148-1/ https://www.suse.com/security/cve/CVE-2016-7869.html CVE-2016-7869 https://bugzilla.suse.com/1015379 SUSE Bug 1015379 Adobe Flash Player versions 23.0.0.207 and earlier, 11.2.202.644 and earlier have an exploitable buffer overflow / underflow vulnerability in the RegExp class for specific search strategies. Successful exploitation could lead to arbitrary code execution. CVE-2016-7870 SUSE Linux Enterprise Desktop 12 SP1:flash-player-24.0.0.186-152.1 SUSE Linux Enterprise Desktop 12 SP1:flash-player-gnome-24.0.0.186-152.1 SUSE Linux Enterprise Workstation Extension 12 SP1:flash-player-24.0.0.186-152.1 SUSE Linux Enterprise Workstation Extension 12 SP1:flash-player-gnome-24.0.0.186-152.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20163148-1/ https://www.suse.com/security/cve/CVE-2016-7870.html CVE-2016-7870 https://bugzilla.suse.com/1015379 SUSE Bug 1015379 Adobe Flash Player versions 23.0.0.207 and earlier, 11.2.202.644 and earlier have an exploitable memory corruption vulnerability in the Worker class. Successful exploitation could lead to arbitrary code execution. CVE-2016-7871 SUSE Linux Enterprise Desktop 12 SP1:flash-player-24.0.0.186-152.1 SUSE Linux Enterprise Desktop 12 SP1:flash-player-gnome-24.0.0.186-152.1 SUSE Linux Enterprise Workstation Extension 12 SP1:flash-player-24.0.0.186-152.1 SUSE Linux Enterprise Workstation Extension 12 SP1:flash-player-gnome-24.0.0.186-152.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20163148-1/ https://www.suse.com/security/cve/CVE-2016-7871.html CVE-2016-7871 https://bugzilla.suse.com/1015379 SUSE Bug 1015379 Adobe Flash Player versions 23.0.0.207 and earlier, 11.2.202.644 and earlier have an exploitable use after free vulnerability in the MovieClip class related to objects at multiple presentation levels. Successful exploitation could lead to arbitrary code execution. CVE-2016-7872 SUSE Linux Enterprise Desktop 12 SP1:flash-player-24.0.0.186-152.1 SUSE Linux Enterprise Desktop 12 SP1:flash-player-gnome-24.0.0.186-152.1 SUSE Linux Enterprise Workstation Extension 12 SP1:flash-player-24.0.0.186-152.1 SUSE Linux Enterprise Workstation Extension 12 SP1:flash-player-gnome-24.0.0.186-152.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20163148-1/ https://www.suse.com/security/cve/CVE-2016-7872.html CVE-2016-7872 https://bugzilla.suse.com/1015379 SUSE Bug 1015379 Adobe Flash Player versions 23.0.0.207 and earlier, 11.2.202.644 and earlier have an exploitable memory corruption vulnerability in the PSDK class related to ad policy functionality method. Successful exploitation could lead to arbitrary code execution. CVE-2016-7873 SUSE Linux Enterprise Desktop 12 SP1:flash-player-24.0.0.186-152.1 SUSE Linux Enterprise Desktop 12 SP1:flash-player-gnome-24.0.0.186-152.1 SUSE Linux Enterprise Workstation Extension 12 SP1:flash-player-24.0.0.186-152.1 SUSE Linux Enterprise Workstation Extension 12 SP1:flash-player-gnome-24.0.0.186-152.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20163148-1/ https://www.suse.com/security/cve/CVE-2016-7873.html CVE-2016-7873 https://bugzilla.suse.com/1015379 SUSE Bug 1015379 Adobe Flash Player versions 23.0.0.207 and earlier, 11.2.202.644 and earlier have an exploitable memory corruption vulnerability in the NetConnection class when handling the proxy types. Successful exploitation could lead to arbitrary code execution. CVE-2016-7874 SUSE Linux Enterprise Desktop 12 SP1:flash-player-24.0.0.186-152.1 SUSE Linux Enterprise Desktop 12 SP1:flash-player-gnome-24.0.0.186-152.1 SUSE Linux Enterprise Workstation Extension 12 SP1:flash-player-24.0.0.186-152.1 SUSE Linux Enterprise Workstation Extension 12 SP1:flash-player-gnome-24.0.0.186-152.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20163148-1/ https://www.suse.com/security/cve/CVE-2016-7874.html CVE-2016-7874 https://bugzilla.suse.com/1015379 SUSE Bug 1015379 Adobe Flash Player versions 23.0.0.207 and earlier, 11.2.202.644 and earlier have an exploitable integer overflow vulnerability in the BitmapData class. Successful exploitation could lead to arbitrary code execution. CVE-2016-7875 SUSE Linux Enterprise Desktop 12 SP1:flash-player-24.0.0.186-152.1 SUSE Linux Enterprise Desktop 12 SP1:flash-player-gnome-24.0.0.186-152.1 SUSE Linux Enterprise Workstation Extension 12 SP1:flash-player-24.0.0.186-152.1 SUSE Linux Enterprise Workstation Extension 12 SP1:flash-player-gnome-24.0.0.186-152.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20163148-1/ https://www.suse.com/security/cve/CVE-2016-7875.html CVE-2016-7875 https://bugzilla.suse.com/1015379 SUSE Bug 1015379 Adobe Flash Player versions 23.0.0.207 and earlier, 11.2.202.644 and earlier have an exploitable memory corruption vulnerability in the Clipboard class related to data handling functionality. Successful exploitation could lead to arbitrary code execution. CVE-2016-7876 SUSE Linux Enterprise Desktop 12 SP1:flash-player-24.0.0.186-152.1 SUSE Linux Enterprise Desktop 12 SP1:flash-player-gnome-24.0.0.186-152.1 SUSE Linux Enterprise Workstation Extension 12 SP1:flash-player-24.0.0.186-152.1 SUSE Linux Enterprise Workstation Extension 12 SP1:flash-player-gnome-24.0.0.186-152.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20163148-1/ https://www.suse.com/security/cve/CVE-2016-7876.html CVE-2016-7876 https://bugzilla.suse.com/1015379 SUSE Bug 1015379 Adobe Flash Player versions 23.0.0.207 and earlier, 11.2.202.644 and earlier have an exploitable use after free vulnerability in the Action Message Format serialization (AFM0). Successful exploitation could lead to arbitrary code execution. CVE-2016-7877 SUSE Linux Enterprise Desktop 12 SP1:flash-player-24.0.0.186-152.1 SUSE Linux Enterprise Desktop 12 SP1:flash-player-gnome-24.0.0.186-152.1 SUSE Linux Enterprise Workstation Extension 12 SP1:flash-player-24.0.0.186-152.1 SUSE Linux Enterprise Workstation Extension 12 SP1:flash-player-gnome-24.0.0.186-152.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20163148-1/ https://www.suse.com/security/cve/CVE-2016-7877.html CVE-2016-7877 https://bugzilla.suse.com/1015379 SUSE Bug 1015379 Adobe Flash Player versions 23.0.0.207 and earlier, 11.2.202.644 and earlier have an exploitable use after free vulnerability in the PSDK's MediaPlayer class. Successful exploitation could lead to arbitrary code execution. CVE-2016-7878 SUSE Linux Enterprise Desktop 12 SP1:flash-player-24.0.0.186-152.1 SUSE Linux Enterprise Desktop 12 SP1:flash-player-gnome-24.0.0.186-152.1 SUSE Linux Enterprise Workstation Extension 12 SP1:flash-player-24.0.0.186-152.1 SUSE Linux Enterprise Workstation Extension 12 SP1:flash-player-gnome-24.0.0.186-152.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20163148-1/ https://www.suse.com/security/cve/CVE-2016-7878.html CVE-2016-7878 https://bugzilla.suse.com/1015379 SUSE Bug 1015379 Adobe Flash Player versions 23.0.0.207 and earlier, 11.2.202.644 and earlier have an exploitable use after free vulnerability in the NetConnection class when handling an attached script object. Successful exploitation could lead to arbitrary code execution. CVE-2016-7879 SUSE Linux Enterprise Desktop 12 SP1:flash-player-24.0.0.186-152.1 SUSE Linux Enterprise Desktop 12 SP1:flash-player-gnome-24.0.0.186-152.1 SUSE Linux Enterprise Workstation Extension 12 SP1:flash-player-24.0.0.186-152.1 SUSE Linux Enterprise Workstation Extension 12 SP1:flash-player-gnome-24.0.0.186-152.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20163148-1/ https://www.suse.com/security/cve/CVE-2016-7879.html CVE-2016-7879 https://bugzilla.suse.com/1015379 SUSE Bug 1015379 Adobe Flash Player versions 23.0.0.207 and earlier, 11.2.202.644 and earlier have an exploitable use after free vulnerability when setting the length property of an array object. Successful exploitation could lead to arbitrary code execution. CVE-2016-7880 SUSE Linux Enterprise Desktop 12 SP1:flash-player-24.0.0.186-152.1 SUSE Linux Enterprise Desktop 12 SP1:flash-player-gnome-24.0.0.186-152.1 SUSE Linux Enterprise Workstation Extension 12 SP1:flash-player-24.0.0.186-152.1 SUSE Linux Enterprise Workstation Extension 12 SP1:flash-player-gnome-24.0.0.186-152.1 critical 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20163148-1/ https://www.suse.com/security/cve/CVE-2016-7880.html CVE-2016-7880 https://bugzilla.suse.com/1015379 SUSE Bug 1015379 Adobe Flash Player versions 23.0.0.207 and earlier, 11.2.202.644 and earlier have an exploitable use after free vulnerability in the MovieClip class when handling conversion to an object. Successful exploitation could lead to arbitrary code execution. CVE-2016-7881 SUSE Linux Enterprise Desktop 12 SP1:flash-player-24.0.0.186-152.1 SUSE Linux Enterprise Desktop 12 SP1:flash-player-gnome-24.0.0.186-152.1 SUSE Linux Enterprise Workstation Extension 12 SP1:flash-player-24.0.0.186-152.1 SUSE Linux Enterprise Workstation Extension 12 SP1:flash-player-gnome-24.0.0.186-152.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20163148-1/ https://www.suse.com/security/cve/CVE-2016-7881.html CVE-2016-7881 https://bugzilla.suse.com/1015379 SUSE Bug 1015379 Adobe Flash Player versions 23.0.0.207 and earlier, 11.2.202.644 and earlier have security bypass vulnerability in the implementation of the same origin policy. CVE-2016-7890 SUSE Linux Enterprise Desktop 12 SP1:flash-player-24.0.0.186-152.1 SUSE Linux Enterprise Desktop 12 SP1:flash-player-gnome-24.0.0.186-152.1 SUSE Linux Enterprise Workstation Extension 12 SP1:flash-player-24.0.0.186-152.1 SUSE Linux Enterprise Workstation Extension 12 SP1:flash-player-gnome-24.0.0.186-152.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20163148-1/ https://www.suse.com/security/cve/CVE-2016-7890.html CVE-2016-7890 https://bugzilla.suse.com/1015379 SUSE Bug 1015379 Adobe Flash Player versions 23.0.0.207 and earlier, 11.2.202.644 and earlier have an exploitable use after free vulnerability in the TextField class. Successful exploitation could lead to arbitrary code execution. CVE-2016-7892 SUSE Linux Enterprise Desktop 12 SP1:flash-player-24.0.0.186-152.1 SUSE Linux Enterprise Desktop 12 SP1:flash-player-gnome-24.0.0.186-152.1 SUSE Linux Enterprise Workstation Extension 12 SP1:flash-player-24.0.0.186-152.1 SUSE Linux Enterprise Workstation Extension 12 SP1:flash-player-gnome-24.0.0.186-152.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20163148-1/ https://www.suse.com/security/cve/CVE-2016-7892.html CVE-2016-7892 https://bugzilla.suse.com/1015379 SUSE Bug 1015379