New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 664395 link

Starred by 1 user
Status: Duplicate
Merged: issue 668830
Owner:
natashenka@google.com
Last visit > 30 days ago
Closed: Feb 2017
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 1
Type: Bug-Security



Sign in to add a comment

Security: [FG-VD-16-077] Adobe Flash Player Handling MP4 Heap Overflow Vulnerability

Reported by kevinlu0...@gmail.com, Nov 11 2016 
VULNERABILITY DETAILS
It is a Heap Overflow vulnerability in MP4 processing.

VERSION
Adobe Flash Player  23.0.0.207
Other versions may be affected too

REPRODUCTION CASE
put LoadMP42.swf and FG-VD-16-077_PoC.mp4 on a server and load http://127.0.0.1:8080/LoadMP42.swf?file=FG-VD-16-077_PoC.mp4
run the following command line.
flashplayer_23_sa_207.exe http://127.0.0.1:8080/LoadMP42.swf?file=FG-VD-16-077_PoC.mp4

Credits:
  This vulnerability was discovered by Kai Lu of Fortinet's FortiGuard Labs.
LoadMP42.swf
1.0 KB Download
FG-VD-16-077_PoC.mp4
1.1 MB View Download
crashlog.txt
2.7 KB View Download

Comment 1 by rickyz@chromium.org, Nov 11 2016

Components: Internals>Plugins>Flash
Labels: Security_Severity-High
Owner: natashenka@google.com
Status: Assigned (was: Unconfirmed)
Project Member

Comment 2 by sheriffbot@chromium.org, Nov 11 2016

Labels: Pri-1

Comment 3 by kerrnel@chromium.org, Nov 18 2016 

Any update on triaging this? Thanks.

Comment 4 by natashenka@google.com, Nov 18 2016 

Hi, like the other issues, I can't reproduce these on Chrome, but I've forwarded it to Adobe. It would help for rewards purposes if you could provide a case that crashes on Chrome.

Comment 5 by mea...@chromium.org, Nov 21 2016

Labels: Needs-Feedback

Comment 6 by dominickn@chromium.org, Nov 29 2016

Labels: OS-Windows

Comment 7 by dominickn@chromium.org, Nov 29 2016

Status: WontFix (was: Assigned)
WontFixing for now - please re-open if you have a test case which crashes in Chrome. :)

Comment 8 by natashenka@google.com, Nov 29 2016

Status: Un (was: WontFix)

Comment 9 by natashenka@google.com, Nov 29 2016

Status: Unconfirmed (was: Un)
Moving to unconfirmed, as I still need to track this until we hear back from Adobe.
Project Member

Comment 10 by sheriffbot@chromium.org, Nov 29 2016

Status: Assigned (was: Unconfirmed)

Comment 11 by och...@chromium.org, Nov 29 2016

Status: ExternalDependency (was: Assigned)

Comment 12 by natashenka@google.com, Nov 30 2016 

Adobe assigned this PSIRT-6030.

Comment 13 by natashenka@google.com, Dec 6 2016 

Kai, is it okay if I give Adobe your email address, so they can ask you questions about this and another bug directly?

Comment 14 by kevinlu0...@gmail.com, Dec 6 2016 

natashenka, are they repro issues?  It's OK, please also add my working email kailu@fortinet.com in the thread, thanks

Comment 15 by kevinlu0...@gmail.com, Dec 6 2016 

Please also keep you in that email thread to trace updates of these cases. Thanks!

Comment 16 by natashenka@google.com, Feb 13 2017 

This was fixed as CVE-2017-2984.

Comment 17 by awhalley@chromium.org, Feb 13 2017

Labels: reward-topanel

Comment 18 by infe...@chromium.org, Feb 15 2017

Mergedinto: 668830
Status: Duplicate (was: ExternalDependency)
Project Member

Comment 19 by sheriffbot@chromium.org, Feb 16 2017

Labels: -reward-topanel reward-ineligible
Project Member

Comment 20 by sheriffbot@chromium.org, May 25 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment