Flash plugin 0-day vulnerability in the wild
Antonio Trande
anto.trande at gmail.com
Fri Jan 23 16:01:02 UTC 2015
On 01/23/2015 04:29 PM, Daniel J Walsh wrote:
>
> On 01/23/2015 10:25 AM, poma wrote:
>> On 23.01.2015 15:12, Kevin Fenzi wrote:
>>> On Fri, 23 Jan 2015 12:44:23 +0100 poma
>>> <pomidorabelisima at gmail.com> wrote:
>>>
>>>> On 23.01.2015 10:51, Martin Stransky wrote:
>>>>> Folk,
>>>>>
>>>>> There's a live 0-day Flash vulnerability which is not fixed
>>>>> yet [1][2]. If you use the Flash plugin, I recommend that you
>>>>> enable the click-to-play mode for it.
>>>> Are we covered with $ rpm -q flash-plugin
>>>> flash-plugin-11.2.202.438-release.x86_64 ?
>>>>
>>>> Ref. http://helpx.adobe.com/security.html
>>> No.
>>>
>>> http://helpx.adobe.com/security/products/flash-player/apsa15-01.html
>>>
>>>
>>>
>>> kevin
>>>
>>>
>>>
>> Thanks for reference.
>>
>> Until this is resolved, is this a valid way: $ sandbox -X -T tmp
>> -t sandbox_web_t firefox to cover this security issue, or can we
>> isolate only libflashplayer.so, not the entire browser.
>>
>> Daniel, can you comment.
>>
>>
> libflashplayer.so runs within the Mozilla-plugin I believe. If so
> it would be confined if you have not turned on the
> unconfined_mozilla_plugin_transition boolean.
Therefore the unconfined_mozilla_plugin_transition boolean must be 'off'.
>
> If this is the case we are somewhat protected, and of course you
> run with setenforce 1.
>
> sandbox -X will also add more protection.
>
--
Antonio Trande
mailto: sagitter 'at' fedoraproject 'dot' org
http://fedoraos.wordpress.com/
https://fedoraproject.org/wiki/User:Sagitter
GPG Key: 0x66E15D00
Check on https://keys.fedoraproject.org/
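
The two settings discussed in this thread (SELinux enforcing, and the unconfined_mozilla_plugin_transition boolean left off) can be audited with a short script. This is an added example, not part of the original messages; the function names assess_plugin_confinement and audit_host are hypothetical, and the sample inputs are constructed.

```shell
#!/bin/sh
# Added example: audit the SELinux posture described in the thread.

# assess_plugin_confinement MODE BOOL_LINE
#   MODE      - output of `getenforce` (Enforcing | Permissive | Disabled)
#   BOOL_LINE - output of `getsebool unconfined_mozilla_plugin_transition`
# Prints one finding per line; returns 0 only when both settings are safe.
assess_plugin_confinement() {
    mode=$1
    bool_line=$2
    rc=0

    case "$mode" in
        Enforcing)  echo "OK: SELinux is enforcing" ;;
        Permissive) echo "FAIL: SELinux is permissive (denials logged, not blocked); run: setenforce 1"
                    rc=1 ;;
        *)          echo "FAIL: SELinux is disabled or its state is unknown ('$mode')"
                    rc=1 ;;
    esac

    # getsebool prints "name --> on" or "name --> off"; keep the last word.
    state=${bool_line##* }
    case "$state" in
        off) echo "OK: unconfined_mozilla_plugin_transition is off; plugin stays confined" ;;
        on)  echo "FAIL: unconfined_mozilla_plugin_transition is on; run: setsebool -P unconfined_mozilla_plugin_transition off"
             rc=1 ;;
        *)   echo "FAIL: could not read unconfined_mozilla_plugin_transition"
             rc=1 ;;
    esac
    return $rc
}

# Live check on a host that has the SELinux tools installed.
audit_host() {
    if ! command -v getenforce >/dev/null 2>&1 ||
       ! command -v getsebool >/dev/null 2>&1; then
        echo "SKIP: SELinux tools not installed"
        return 2
    fi
    assess_plugin_confinement "$(getenforce)" \
        "$(getsebool unconfined_mozilla_plugin_transition 2>/dev/null)"
}

# Constructed sample inputs (not captured from a real host).
assess_plugin_confinement "Enforcing" \
    "unconfined_mozilla_plugin_transition --> on" || true
```

Call audit_host on a Fedora system to evaluate the running configuration instead of the constructed sample.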