New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 663551 link

Starred by 2 users
Status: Fixed
Owner:
natashenka@google.com
Last visit > 30 days ago
Closed: Jan 2017
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 1
Type: Bug-Security
M-X



Sign in to add a comment

Security: [FG-VD-16-076] Adobe Flash Player Handling ATF Heap Overflow Vulnerability

Reported by kevinlu0...@gmail.com, Nov 8 2016 
VULNERABILITY DETAILS
It is a heap overflow vulnerability in ATF processing.

VERSION
Adobe Flash Player  23.0.0.207
Other versions may be affected too

REPRODUCTION CASE
To reproduce the issue, put LoadImage.swf and FG-VD-16-076_PoC.atf on a server and load http://127.0.0.1:8080/LoadImage.swf?img=FG-VD-16-076_PoC.atf.
run the following command line in cmd.
flashplayer_23_sa_207.exe http://127.0.0.1:8080/LoadImage.swf?img=FG-VD-16-076_PoC.atf

Credits:
  This vulnerability was discovered by Kai Lu of Fortinet's FortiGuard Labs.
LoadImage.swf
1.2 KB Download
FG-VD-16-076_PoC.atf
21.4 KB Download
crashlog.txt
1.6 KB View Download

Comment 1 by rickyz@chromium.org, Nov 9 2016

Components: Internals>Plugins>Flash
Labels: Security_Severity-High
Owner: natashenka@google.com
Status: Assigned (was: Unconfirmed)
Assigning flash bugs to natashenka@. Mind updating these with whether they affect Chrome stable? Thanks.
Project Member

Comment 2 by sheriffbot@chromium.org, Nov 9 2016

Labels: Pri-1

Comment 3 by natashenka@google.com, Nov 9 2016 

Sorry, I'm having trouble getting this to crash. What browser and OS do these work on?

Comment 4 by kevinlu0...@gmail.com, Nov 10 2016 

I tested it with flash player standalone in windows 7,10.(enable page heap)
and also tested it in IE11 in Windows 7(enable page heap). They works.

Comment 5 by kevinlu0...@gmail.com, Nov 10 2016 

still not test it in Chrome yet, I will test it right now.

Comment 6 by kevinlu0...@gmail.com, Nov 10 2016 

Attached is the crash log in IE 11.
IECrashlog1.txt
8.7 KB View Download

Comment 7 by natashenka@google.com, Nov 12 2016 

I'm still having trouble reproducing these, but I'm going to pass them to Adobe so they can investigate further. In the meantime, can you submit a sample that crashes in Chrome, as this is a Chrome rewards program?

Comment 8 by kevinlu0...@gmail.com, Nov 15 2016 

Ok,thanks. There are many crash samples for this case. I will try to find a sample that crashes in Chrome.

Comment 9 by kerrnel@chromium.org, Nov 18 2016 

Any update on triaging this? Thanks.

Comment 10 by natashenka@google.com, Nov 18 2016 

Sorry, there isn't. I've reported it to Adobe, I'll let you know when I hear back.

Comment 11 Deleted

Comment 12 by natashenka@google.com, Nov 30 2016 

Adobe assigned this PSIRT-6013.

Comment 13 by natashenka@google.com, Jan 10 2017

Status: Fixed (was: ExternalDependency)
This was fixed this update as CVE-2017-2927. It is ready for the Rewards Panel.

Comment 14 by wfh@chromium.org, Jan 10 2017

Labels: reward-topanel
Project Member

Comment 15 by sheriffbot@chromium.org, Jan 11 2017

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 16 by awhalley@chromium.org, Feb 18 2017

Labels: -reward-topanel reward-unpaid reward-500

Comment 17 by awhalley@chromium.org, Feb 18 2017 

The panel decided to award $500 for this report.

Comment 18 by awhalley@chromium.org, Feb 18 2017

Labels: -reward-unpaid reward-inprocess

Comment 19 by awhalley@chromium.org, Feb 20 2017

Labels: Security_Impact-Stable

Comment 20 by awhalley@google.com, Mar 31 2017

Labels: M-X
Project Member

Comment 21 by sheriffbot@chromium.org, Apr 19 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment