Security: Use after free vulnerability about psdk in the latest version of Flash player
Reported by jiezengo...@gmail.com, Aug 25 2017
Issue description

VULNERABILITY DETAILS
This is a UAF vulnerability about psdk.

VERSION
Flash Version: pepflashplayer32_26_0_0_151
Operating System: windows 7 x86 (other operating systems may also crash, but not tested)

REPRODUCTION CASE
There are 2 poc files here.
The first one, uaf_poc_open.swf, will crash when the file is opened.
The second one, uaf_poc_quit.swf, will crash when Chrome is quit.

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash:
    636b9425 83c108 add ecx,8
    636b9428 6a00 push 0
    636b942a 8b01 mov eax,dword ptr [ecx]
    636b942c ff5004 call dword ptr [eax+4] ds:0023:feeefef2=????????

Crash State:
    4:049> dd ecx
    003cd418 feeefeee feeefeee feeefeee feeefeee
    003cd428 feeefeee feeefeee feeefeee feeefeee
    003cd438 feeefeee feeefeee feeefeee feeefeee
    003cd448 feeefeee feeefeee feeefeee feeefeee
    003cd458 feeefeee feeefeee feeefeee feeefeee
    003cd468 feeefeee feeefeee feeefeee feeefeee
    003cd478 feeefeee feeefeee feeefeee feeefeee
Aug 25 2017

Aug 28 2017
natashenka@, would you be the right person to look at this?
Aug 28 2017

Aug 29 2017

Aug 29 2017

Aug 31 2017
I'm sorry I forgot something shown below. Credit is to "JieZeng of Tencent Zhanlu Lab". Please report it as soon as possible.
Sep 6 2017

Sep 8 2017
natashenka: Uh oh! This issue is still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Sep 8 2017
Thanks, I've reported this to Adobe.
Sep 19 2017
ihf: do we typically mark these as externaldependency once they have been reported?
Sep 19 2017
Yes, ExternalDependency is correct here. Normally I would also CC/assign Adobe the bug, but it sounds like in this case this is different?
Sep 19 2017
Yeah, for security bugs, we send them to the Adobe Security Team. So just cc me on these bugs and I can send them in.
Oct 18 2017

Nov 15 2017
@natashenka hi! This bug has been fixed, but I have questions. Why is the acknowledgment "Jie Zeng of Tencent Zhanlu Lab" instead of "JieZeng of Tencent Zhanlu Lab working with the Chromium Vulnerability Rewards Program" on this page: https://helpx.adobe.com/security/products/flash-player/apsb17-33.html?
Dec 7 2017

Dec 8 2017
@natashenka hi! Can anyone answer my question here? I reported 3 bugs: issues 758848, 768762 and 758863. And there are only 2 CVEs credited to me on November's Adobe Security Bulletins and Advisories page: https://helpx.adobe.com/security/products/flash-player/apsb17-33.html . And all 3 bugs are fixed. Thanks!
Dec 8 2017
Issue 758848 is still open with Adobe, I'll check what's going on with it.
Dec 8 2017
According to Adobe: We found that PSIRT-7347 was a dupe of PSIRT-7239 (CVE-2017-11215). So one issue was a duplicate.
Dec 9 2017
Hi! I do not know how Adobe defines a duplicate submission, but I know they may be wrong. If there are duplicate pocs, they should be issue 768762 and issue 758863. But their trigger paths are different. Thanks.
Jan 2 2018
Anyone there? Why have two months passed without any new progress?
Jan 2 2018
Sorry, can you provide a quick explanation of why you think they are different bugs, and I'll provide it to Adobe?
Jan 3 2018
Hi natashenka! I was wrong in comment 19 and we start from here.

First: I want to know which issue PSIRT-7347 is in comment 22? I assume PSIRT-7347 is issue 768762, because Issue 758848 and Issue 758863 were fixed in the November patch (I saw the pocs from the November MAPP). And I also know that PSIRT-7239 (CVE-2017-11215) is Issue 758848. So I will explain that Issue 768762 is different from Issue 758848 or Issue 758863.

Second: The reason is as follows. The key point in Issue 768762 is to register the event handler, and free the problem object in the event handler. The source code is as follows:

    public function main(){
        //some code
        try{
            mediaPlayer = PSDK.pSDK.createMediaPlayer(eventDisp);
        } catch(e:Error){}
        //...
        try{
            mediaPlayer.addEventListener(118,Listen);
        } catch(e:Error){}
    }

    public function Listen(e:PSDKEvent){
        //free internally
        try{
            audSetting.getObject.call(contentResolver,ob_toStr);
        } catch(e:Error){}
        try{
            tempVar3 = psdk.createMediaPlayer(eventDisp);
        } catch(e:Error){}
        try{
            audSetting.setObject(ob_toStr,tempVar3);
        } catch(e:Error){}
        try{
            tempVar3 = psdk.createDispatcher();
        } catch(e:Error){}
        return;
    }

However, neither Issue 758848 nor Issue 758863 has the code that registers the event handler. So their trigger paths are different.

Last: Please contact me if you have any other questions!
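The trigger path described in the comment above (an object dropped from inside its own event listener while the dispatcher still holds a raw pointer to it), as an added toy model in C that is not code from the report or from Flash: the buggy dispatch reads the object after the listener has released it, while the hardened dispatch holds its own reference for the duration of the callback, the general "hold a reference across dispatch" fix class. MediaPlayer, the single pool slot and the listener are assumptions; 0xfeeefeee is the free-fill value from the crash dump in the report.

```c
#include <stdbool.h>
#include <stdint.h>

/* Toy refcounted object (assumption, not Flash's MediaPlayer). Freed memory is
 * modelled by poisoning a pool slot with the Windows debug-heap free fill
 * 0xfeeefeee seen in the report's crash state, so no real UAF happens here. */
#define POISON 0xfeeefeeeu

typedef struct MediaPlayer {
    uint32_t refcount;
    uint32_t state;   /* field the dispatcher touches after the callback */
} MediaPlayer;

static MediaPlayer slot;   /* single pool slot so "freed" memory stays addressable */

static MediaPlayer *mp_create(void) { slot.refcount = 1; slot.state = 1; return &slot; }
static void mp_retain(MediaPlayer *p) { p->refcount++; }
static void mp_release(MediaPlayer *p) {
    if (--p->refcount == 0) p->state = POISON;   /* stands in for HeapFree */
}

/* Listener that, like Listen() in the PoC, drops the object's last reference. */
static void listener_releases(MediaPlayer *p) { mp_release(p); }

/* Returns true if the dispatcher touched freed memory. With hardened=true the
 * dispatcher owns a reference for the whole dispatch, so a listener releasing
 * the object cannot destroy it while the dispatcher is still using it. */
bool dispatch_event(MediaPlayer *p, void (*listener)(MediaPlayer *), bool hardened) {
    bool uaf = false;
    if (hardened) mp_retain(p);
    listener(p);
    if (p->state == POISON) uaf = true;   /* post-callback use of a dead object */
    else p->state++;
    if (hardened) mp_release(p);          /* the object may now legitimately die */
    return uaf;
}

bool run_unsafe(void)   { return dispatch_event(mp_create(), listener_releases, false); }
bool run_hardened(void) { return dispatch_event(mp_create(), listener_releases, true); }

/* With the fix the object is still freed, but only once dispatch has finished. */
bool hardened_frees_after_dispatch(void) {
    MediaPlayer *p = mp_create();
    bool uaf = dispatch_event(p, listener_releases, true);
    return !uaf && p->refcount == 0 && p->state == POISON;
}
```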
Jan 3 2018
PSIRT-7347 is 768762. I'll send this info to Adobe and see what they say.
Jan 3 2018
PSIRT-7347 is 768762 and PSIRT-7239 is 758863. I'll give Adobe your explanation and let you know what I hear.
Jan 5 2018
Thanks!
Jan 15 2018
Adobe doesn't have any response?
Jan 16 2018
From Adobe: Apologies for the delayed reply. While we agree that the two submissions are not exactly the same, they are nevertheless related, and were resolved with the same code change. This is the dev's comment: I can see that this is a problem revolving around the MediaPlayer object being released similarly to how the QOSProvider object was mistakenly released in PSIRT-7239. The fix for PSIRT-7239 was a very general fix and repairs issues with QOSProvider, MediaPlayer and MediaPlayerItemLoader.
Jan 17 2018
Ok, I understand. I agree.
Jan 25 2018

Jan 25 2018

Jan 29 2018

Jan 31 2018

Feb 5 2018
*** Boilerplate reminders! ***
Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products.
Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward.
Please be honest if you have already disclosed anything publicly or to third parties.
Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.
*********************************
Feb 6 2018
Hi jiezengoftencentzhanlulab@! The VRP decided to award $5,000 for this report. Many thanks!
Feb 6 2018

Feb 6 2018
OK, I will not publicly disclose details to others, but until when? This bug was fixed two months ago.
Feb 8 2018

Feb 8 2018

Feb 9 2018
This bug requires manual review: M65 has already been promoted to the beta branch, so this requires manual review. Please contact the milestone owner if you have questions. Owners: cmasso@(Android), cmasso@(iOS), bhthompson@(ChromeOS), govind@(Desktop). For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Feb 9 2018
[Bulk Edit] +awhalley@ (Security TPM) for M65 merge review
Feb 9 2018
No merge needed.
Mar 6 2018

Mar 6 2018

Mar 6 2018
Apologies, you're OK to disclose this and 758848 now. We push flash updates out of band of the main release cycle so this didn't get picked up for release notes until now.
Mar 7 2018
The CVE number may not be correct, and the correct CVE should be CVE-2017-11215 or CVE-2017-11225?
Mar 7 2018
Thanks for flagging! Fixing here and on the release blog.
Apr 25 2018

May 4 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot