Flash plugin 0-day vulnerability in the wild

Andrew Lutomirski luto at mit.edu
Fri Jan 23 15:59:27 UTC 2015


On Jan 23, 2015 7:47 AM, "Daniel J Walsh" <dwalsh at redhat.com> wrote:
>
>
> On 01/23/2015 10:25 AM, poma wrote:
> > On 23.01.2015 15:12, Kevin Fenzi wrote:
> >> On Fri, 23 Jan 2015 12:44:23 +0100
> >> poma <pomidorabelisima at gmail.com> wrote:
> >>
> >>> On 23.01.2015 10:51, Martin Stransky wrote:
> >>>> Folk,
> >>>>
> >>>> There's a live 0-day flash vulnerability which is not fixed yet
> >>>> [1][2]. If you use flash plugin I recommend you to enable the
> >>>> click-to-play mode for it.
> >>> Are we covered with
> >>> $ rpm -q flash-plugin
> >>> flash-plugin-11.2.202.438-release.x86_64
> >>> ?
> >>>
> >>> Ref.
> >>> http://helpx.adobe.com/security.html
> >> No.
> >>
> >> http://helpx.adobe.com/security/products/flash-player/apsa15-01.html
> >>
> >> kevin
> >>
> >>
> >>
> > Thanks for reference.
> >
> > Until this is resolved, is this a valid way:
> > $ sandbox -X -T tmp -t sandbox_web_t firefox
> > to cover this security issue, or can we isolate only libflashplayer.so,
> > not the entire browser.
> >
> > Daniel, can you comment.
> >
> >
> libflashplayer.so runs within the Mozilla-plugin I believe. If so it
> would be confined
> if you have not turned on the unconfined_mozilla_plugin_transition
boolean.
>
> If this is the case we are somewhat protected, and of course  you run
> with setenforce 1.
>
> sandbox -X will also add more protection.

Unless I'm mistaken, sandbox -X hasn't worked in almost a year.

--Andy

> --
> devel mailing list
> devel at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/devel
> Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.fedoraproject.org/pipermail/devel/attachments/20150123/42617f03/attachment.html>


More information about the devel mailing list