
Issue 758848

Starred by 2 users

Issue metadata

Status: Fixed
Closed: Jan 2018
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 1
Type: Bug-Security


Security: Use after free vulnerability about psdk in the latest version

Reported by, Aug 25 2017

Issue description

This is a UAF vulnerability about psdk.

pepflashplayer32_26_0_0_151 windows 7 x86
(Other operating systems may also crash, but not tested)

Type of crash:
5a6311a0 83c104          add     ecx,4
5a6311a3 8b01            mov     eax,dword ptr [ecx]
5a6311a5 ff10            call    dword ptr [eax]      ds:0023:feeefeee=????????

Crash State:
4:054> dd ecx
00d231c4  feeefeee feeefeee feeefeee feeefeee
00d231d4  feeefeee feeefeee feeefeee feeefeee
00d231e4  feeefeee feeefeee feeefeee feeefeee
00d231f4  feeefeee feeefeee feeefeee feeefeee

Please tell Adobe I do not want to put this poc file in MAPP when reporting to Adobe.
Thank you!
Issue 758840 has been merged into this issue.
Components: Internals>Plugins>Flash

Comment 4 by, Aug 28 2017

Labels: Security_Severity-High Security_Impact-Stable OS-Windows
Status: Assigned (was: Unconfirmed)
natashenka@, would you be the right person to look at this?
Project Member

Comment 5 by, Aug 29 2017

Labels: M-60
Project Member

Comment 6 by, Aug 29 2017

Labels: Pri-1
I'm sorry I forgot something shown below.

Credit is to "JieZeng of Tencent Zhanlu Lab".

Please report it as soon as possible.
Project Member

Comment 8 by, Sep 6 2017

Labels: -M-60 M-61
Project Member

Comment 9 by, Sep 8 2017

natashenka: Uh oh! This issue is still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit - Your friendly Sheriffbot
Status: ExternalDependency (was: Assigned)
Thanks, I've reported this to Adobe
Project Member

Comment 11 by, Oct 18 2017

Labels: -M-61 M-62
Project Member

Comment 12 by, Dec 7 2017

Labels: -M-62 M-63
Project Member

Comment 13 by, Jan 25 2018

Labels: -M-63 M-64
Status: Fixed (was: ExternalDependency)
This is PSIRT-7239 and has been fixed
Labels: reward-topanel
Labels: -reward-topanel reward-unpaid reward-5000
*** Boilerplate reminders! ***
Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.
And $5,000 for this one :-)
Labels: -reward-unpaid reward-inprocess
OK, I will not publicly disclose details to others.
Project Member

Comment 20 by, Feb 8 2018

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Project Member

Comment 21 by, Feb 8 2018

Labels: Merge-Request-65
Project Member

Comment 22 by, Feb 9 2018

Labels: -Merge-Request-65 Merge-Review-65 Hotlist-Merge-Review
This bug requires manual review: M65 has already been promoted to the beta branch, so this requires manual review
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), bhthompson@(ChromeOS), govind@(Desktop)

For more details visit - Your friendly Sheriffbot
[Bulk Edit]

+awhalley@ (Security TPM) for M65 merge review
Labels: -Merge-Review-65 Merge-Rejected-65
No merge needed
Labels: Release-0-M65

Comment 26 Deleted

Labels: -CVE-2018-6058 CVE-2017-11215
Labels: CVE_description-submitted
Project Member

Comment 29 by, May 4 2018

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot
