Security: type confusion vulnerability in flash player latest version
Reported by jiezengo...@gmail.com, Aug 23 2016
Issue description

VULNERABILITY DETAILS
There is a type confusion vulnerability in Flash Player. In particular, the vulnerability is caused by the BitmapData.draw method not strictly checking its parameters.

VERSION
Flash Player 22.0.0.209 in Chrome on Windows 7 x86 (Chrome 52.0.2743.116 m)

Please drag test_crash.swf into Chrome; it will crash.

Please do not make this public in MAPP; publish it in the Chrome issues list 14 weeks after it is marked as Fixed. Credit is to "JieZeng of Tencent Zhanlu Lab". Please report it as soon as possible, and right after you report it to Adobe, please tell me the PSIRT number. Thanks!

CRASH INFORMATION:
chrome crash state:
623bf78e 894628 mov dword ptr [esi+28h],eax
623bf791 8b4718 mov eax,dword ptr [edi+18h]
623bf794 3b462c cmp eax,dword ptr [esi+2Ch]
623bf797 7e03 jle pepflashplayer!PPP_ShutdownBroker+0x28e5a9 (623bf79c)
623bf799 89462c mov dword ptr [esi+2Ch],eax
623bf79c 8b4610 mov eax,dword ptr [esi+10h]
623bf79f 8b0c90 mov ecx,dword ptr [eax+edx*4] ds:0023:aa38b6dc=????????
3:038> r
eax=039fce40 ebx=001ec3c0 ecx=1ffffffc edx=69a63a27 esi=001ec3c0 edi=028fa080
eip=623bf79f esp=001ebc20 ebp=00000002 iopl=0 nv up ei ng nz na po cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010283
pepflashplayer!PPP_ShutdownBroker+0x28e5ac:
623bf79f 8b0c90 mov ecx,dword ptr [eax+edx*4] ds:0023:aa38b6dc=????????
Aug 23 2016

Aug 23 2016
Tested this out, it is a crash in rastering. Reporting to Adobe.

Aug 23 2016
This is PSIRT-5761.

Aug 24 2016
Thanks!
Aug 24 2016

Sep 1 2016

Sep 7 2016
natashenka: Uh oh! This issue is still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sep 21 2016
natashenka: Uh oh! This issue is still open and hasn't been updated in the last 28 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Oct 11 2016
Just to clarify: we wait until Adobe fixes this, right?

Oct 11 2016
Correct.
Oct 13 2016

Oct 22 2016
We commit ourselves to a 60 day deadline for fixing for high severity vulnerabilities, and have exceeded it here. If you're unable to look into this soon, could you please find another owner or remove yourself so that this gets back into the security triage queue? For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Oct 28 2016
This has been fixed!

Nov 2 2016
Natalie, sounds like we can close this bug now?

Nov 2 2016
Yep, it still needs to go through the rewards panel though.

Nov 2 2016

Nov 2 2016
It can start that journey now it's been marked as fixed. Keyword added.
Nov 3 2016

Nov 5 2016

Nov 6 2016
Your change meets the bar and is auto-approved for M55 (branch: 2883)

Nov 8 2016
Nothing to merge here

Nov 14 2016

Nov 14 2016
Thanks, the panel awarded $3,000 for this report!

Nov 18 2016

Feb 9 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by infe...@chromium.org, Aug 23 2016
Labels: Security_Severity-High Security_Impact-Stable Pri-1
Owner: natashenka@google.com
Status: Assigned (was: Unconfirmed)