Bug#: 159874
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Raphael Marichez <falco@gentoo.org>
Attachments:
acroread-7.0.9.ebuild (text/plain, 7.08 KB), created by Greg Watson (linuxkrn), 2007-01-11 04:10 0000
acroread-7.0.9.ebuild (text/plain, 7.02 KB), created by Greg Watson (linuxkrn), 2007-01-11 05:03 0000

Description:   Opened: 2007-01-03 10:12 0000
Hi,

As discovered during the 23rd Chaos Communication Congress,
http://www.ccc.de/congress/2006/ , the "Netscape plugin" from Adobe Reader
(nppdf.so) used by firefox and other netscape-compatible browsers contains a
vulnerability which brings a "universal" XSS-vulnerability on every website
where there is a PDF document.

( http://www.server.com/path/pdf.pdf#blah=javascript:yourcodehere() )

Adobe Reader 8.0 is said to fix the vulnerability.
Printing team, please provide an updated ebuild if possible.

The "nsplugin" USE flag has to be enabled in order to trigger the
vulnerability. This flag is disabled by default AFAIK. --> Status=B4 and
severity=minor

------- Comment #1 From Raphael Marichez 2007-01-10 10:47:33 0000 -------
Hi, 

some other news concerning Acrobat Reader (standalone), and the Acrobat Reader
NS Plugin (USE=nsplugin)

with USE=nsplugin:
(CVE-2007-0048: DoS by long URL)
CVE-2007-0046: Remote code exec by error in the JavaScript document.write call
CVE-2007-0045: Multiple XSS
CVE-2007-0044: "universal" CSRF (SA 23483)


Stand-alone Acroread:
CVE-2006-5857: Remote code exec, heap corruption vulnerability (SA 23666)

------- Comment #2 From Mat 2007-01-10 12:03:50 0000 -------
just FYI, Adobe Reader 7.0.9 is already out, so perhaps some of these flaws are
already fixed?

------- Comment #3 From Raphael Marichez 2007-01-10 22:51:32 0000 -------
indeed 7.0.9 fixes (at least) the most severe vulnerability. Printing team,
please advise

------- Comment #4 From Greg Watson (linuxkrn) 2007-01-11 04:10:28 0000 -------
Created an attachment (id=106484)
acroread-7.0.9.ebuild

Updated ebuild for 7.0.9, had to make some minor changes and fixed the unpack. 
Needs testing for other arches and LINGUAS other than en.

------- Comment #5 From Greg Watson (linuxkrn) 2007-01-11 05:03:08 0000 -------
Created an attachment (id=106492)
acroread-7.0.9.ebuild

Fixed test statement was real problem and reason original fix for unpack...
According to docs no quotes are supposed to go around substring test.  I have
bash 3.2.  Re-tested works better now. :)

------- Comment #6 From Mat 2007-01-11 10:57:28 0000 -------
is acroread-7.0.9 still called 7.0.8 in the about-dialog or is this new ebuild
failing for me?

thanks in advance

------- Comment #7 From Greg Watson (linuxkrn) 2007-01-11 13:30:16 0000 -------
I did notice that, but if you look at:

$ acroread -version
7.0.9
and 
$ cat /opt/Acrobat7/Reader/AcroVersion 
7.0.9

So I assumed adobe maybe didn't bump it in about?  The file it downloads is
7.0.9.

------- Comment #8 From Mat 2007-01-12 09:55:02 0000 -------
the 

acroread -version
7.0.9

doesn't work for me, it always just launches; 

cat /opt/Acrobat7/Reader/AcroVersion 
7.0.9

says the same for me, so it seems to be version 7.0.9 ;)

there's one additional problem, however: the firefox plugins-part doesn't work,
it always says something about: that it's not available in the PATH ... after
that it launches 2 instances of acroread (not in the browser window / tab)

------- Comment #9 From Raphael Marichez 2007-01-12 11:27:59 0000 -------
CCing genstef and kevquinn: could you do something for us?

------- Comment #10 From Raphael Marichez 2007-01-12 11:28:40 0000 -------
*** Bug 161322 has been marked as a duplicate of this bug. ***

------- Comment #11 From Kevin F. Quinn (RETIRED) 2007-01-13 10:41:39 0000 -------
Will do.  Takes a while to fetch the distfiles - I'll report back when it's in.

Of the issues mentioned, CVE-2007-0046, CVE-2007-0045 (maybe windows-only),
CVE-2007-0044 and CVE-2006-5857 are reported as being present prior to 8.0, so
presumably these aren't fixed in 7.0.9.

Obviously, since this is a binary-only package, we can't fix anything that
isn't fixed upstream.  There does not appear to be an 8.0 for Linux.  If any of
these issues are significant, the only route available to us is to permanently
disable the plugin.  We'll take the advice of the security team on that.

------- Comment #12 From Mat 2007-01-13 19:35:58 0000 -------
now it works, I found the "bad guy":

I had emerged acroread with LINGUAS="de en"; after having emerged it with
LINGUAS="en" it now shows correctly

$ acroread -version
7.0.9
and 
$ cat /opt/Acrobat7/Reader/AcroVersion 
7.0.9

it also works fine in the browser-tab/-window (firefox on ~x86)

------- Comment #13 From Kevin F. Quinn (RETIRED) 2007-01-14 11:47:28 0000 -------
ok; 7.0.9 is in CVS.

Security - please advise if you think this should be fast-tracked to stable, so
that the older versions should be removed promptly.

Greg Watson - I did the test thing slightly differently; put the lhs in quotes
as well as rhs instead of removing the quotes on rhs - could you check that's
ok on bash-3.2?

------- Comment #14 From Raphael Marichez 2007-01-14 12:09:42 0000 -------
(In reply to comment #13)
> ok; 7.0.9 is in CVS.

Thanks Kevin,

> 
> Security - please advise if you think this should be fast-tracked to stable, so
> that the older versions should be removed promptly.


X86 and amd64 teams will handle the stabilization tests as usual.
The target ebuild is acroread-7.0.9

------- Comment #15 From Malcolm Lashley (RETIRED) 2007-01-14 15:05:41 0000 -------
amd64 done.

------- Comment #16 From Olivier Crete 2007-01-14 20:02:18 0000 -------
I changed QA_TEXTRELS_x86 to QA_TEXTRELS (they are also there on amd64 since
it's the same binaries..). 

------- Comment #17 From Markus Meier 2007-01-14 20:18:29 0000 -------
app-text/acroread-7.0.9  USE="cups ldap -nsplugin"
1. emerges on x86
2. passes collision test
3. works

Gentoo Base System version 1.12.6
Portage 2.1.1-r2 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.4-r4,
2.6.18.5 i686)
=================================================================
System uname: 2.6.18.5 i686 AMD Athlon(TM) XP1800+
Last Sync: Sun, 14 Jan 2007 19:00:01 +0000
ccache version 2.4 [enabled]
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: 1.3.7, 2.0.30
dev-lang/python:     2.3.5-r3, 2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.4-r6
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.61
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.14
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=i686 -fomit-frame-pointer -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config
/usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf
/etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c"
CXXFLAGS="-O2 -march=i686 -fomit-frame-pointer -pipe"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--nospinner"
FEATURES="autoconfig ccache collision-protect distlocks fixpackages
metadata-transfer parallel-fetch sandbox sfperms strict test userfetch userpriv
usersandbox"
GENTOO_MIRRORS="http://mirror.switch.ch/mirror/gentoo/ http://gentoo.inode.at/"
LANG="en_GB.utf8"
LINGUAS="en de en_GB"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
--force --whole-file --delete --delete-after --stats --timeout=180
--exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage/normal"
SYNC="rsync://192.168.2.1/gentoo-portage"
USE="x86 3dnow 3dnowext X a52 aac alsa alsa_cards_ali5451 alsa_cards_als4000
alsa_cards_atiixp alsa_cards_atiixp-modem alsa_cards_bt87x alsa_cards_ca0106
alsa_cards_cmipci alsa_cards_emu10k1x alsa_cards_ens1370
alsa_cards_ens1371 alsa_cards_es1938 alsa_cards_es1968 alsa_cards_fm801
alsa_cards_hda-intel alsa_cards_intel8x0 alsa_cards_intel8x0m
alsa_cards_maestro3 alsa_cards_trident alsa_cards_usb-audio
alsa_cards_via82xx alsa_cards_via82xx-modem alsa_cards_ymfpci alsa_pcm_plugins_adpcm
alsa_pcm_plugins_alaw alsa_pcm_plugins_asym alsa_pcm_plugins_copy
alsa_pcm_plugins_dmix alsa_pcm_plugins_dshare alsa_pcm_plugins_dsnoop
alsa_pcm_plugins_empty alsa_pcm_plugins_extplug
alsa_pcm_plugins_file alsa_pcm_plugins_hooks alsa_pcm_plugins_iec958
alsa_pcm_plugins_ioplug alsa_pcm_plugins_ladspa alsa_pcm_plugins_lfloat
alsa_pcm_plugins_linear alsa_pcm_plugins_meter alsa_pcm_plugins_mulaw
alsa_pcm_plugins_multi alsa_pcm_plugins_null alsa_pcm_plugins_plug
alsa_pcm_plugins_rate alsa_pcm_plugins_route alsa_pcm_plugins_share
alsa_pcm_plugins_shm alsa_pcm_plugins_softvol apache2 berkdb bitmap-fonts bzip2
cairo cdr cli cracklib crypt cups dbus divx4linux dlloader dri dts dvd dvdr
dvdread eds elibc_glibc emboss exif fam ffmpeg firefox
 fortran gdbm gif gnome gphoto2 gpm gstreamer gtk hal iconv
input_devices_keyboard input_devices_mouse ipv6 isdnlog java jpeg kde
kernel_linux ldap libg++ linguas_de linguas_en linguas_en_GB mad mikmod mmx
 mmxext mono mp3 mpeg ncurses network nls nptl nptlonly ogg opengl oss pam pcre
perl png ppds pppd python qt qt3 qt4 quicktime readline reflection samba sdl
seamonkey session spell spl ssl tcpd test tetex
tiff truetype truetype-fonts type1-fonts udev unicode usb userland_GNU vcd
video_cards_none video_cards_nv vorbis win32codecs xine xinerama xml xorg
xprint xv xvid zlib"
Unset:  CTARGET, INSTALL_MASK, LC_ALL, LDFLAGS, MAKEOPTS,
PORTAGE_RSYNC_EXTRA_OPTS

------- Comment #18 From Michael Lelli 2007-01-15 00:58:00 0000 -------
When trying to emerge 7.0.9, I keep getting an error unpacking it.

>>> Unpacking source...
>>> Unpacking AdobeReader_enu-7.0.9-1.i386.tar.gz to /var/tmp/portage/app-text/acroread-7.0.9/work
mv: cannot stat
`/var/tmp/portage/app-text/acroread-7.0.9/work/AdobeReader/bin/acroread.': No
such file or directory

!!! ERROR: app-text/acroread-7.0.9 failed.
Call stack:
  ebuild.sh, line 1611:   Called dyn_unpack
  ebuild.sh, line 751:   Called qa_call 'src_unpack'
  environment, line 2973:   Called src_unpack
  acroread-7.0.9.ebuild, line 126:   Called die

!!! Failed to put acroread. back to acroread; please report
!!! If you need support, post the topmost build error, and the call stack if
relevant.
!!! A complete build log is located at
'/var/log/portage/app-text:acroread-7.0.9:20070115-004111.log'.

emerge --info:
Portage 2.1.2_rc4-r9 (default-linux/x86/2006.0, gcc-4.1.1, glibc-2.5-r0,
2.6.19-gentoo-r3 i686)
=================================================================
System uname: 2.6.19-gentoo-r3 i686 AMD Athlon(tm) XP 2800+
Gentoo Base System version 1.12.8
Timestamp of tree: Sun, 14 Jan 2007 21:30:03 +0000
ccache version 2.4 [enabled]
dev-java/java-config: 1.3.7, 2.0.31-r2
dev-lang/python:     2.3.6, 2.4.4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.4-r6
sys-apps/sandbox:    1.2.18.1
sys-devel/autoconf:  2.13, 2.61
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.17
sys-devel/gcc-config: 1.3.14
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.19.2
ACCEPT_KEYWORDS="x86 ~x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-march=athlon-xp -O2 -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config
/usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf
/etc/java-config/vms/ /etc/revdep-rebuild /etc/splash /etc/terminfo
/etc/texmf/web2c"
CXXFLAGS="-march=athlon-xp -O2 -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig ccache distlocks metadata-transfer parallel-fetch sandbox
sfperms strict"
GENTOO_MIRRORS="http://distfiles.gentoo.org
http://distro.ibiblio.org/pub/linux/distributions/gentoo
ftp://lug.mtu.edu/gentoo"
LANG="en_US.UTF-8"
LINGUAS="en en_US"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
--force --whole-file --delete --delete-after --stats --timeout=180
--exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage /usr/portage/local/layman/xeffects
/usr/portage/local/layman/xeffects-experimental"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="3dfx X Xaw3d a52 aac aalib acl alsa aoss apache2 apm asf audiofile
automount avahi avi bcmath berkdb bidi bitmap-fonts branding bzip2 cairo cdda
cddb cdparanoia cdr chardet cjk cli corba cracklib crypt cscope ctype cups curl
daap dba dbus devil dga directfb divx djvu dlloader doc dri dts dvb dvd dvi eds
emacs emboss encode esd ethereal exif expat extras fam fastbuild fat fbcon
filepicker firebird firefox flac flash foomaticdb force-cgi-redirect fortran
ftp fuse gd gdbm ggi gif glitz glut gmedia gmp gnome gnutls gpm grammar
graphviz gs gstreamer gtk gtk2 gtkhtml guile gzip hal hddtemp iconv idn
imagemagick imap imlib iodbc ipod ipv6 isdnlog java javascript jikes joystick
jpeg kerberos keyring lcms ldap libcaca libedit libg++ libgda libnotify libwww
live logitech-mouse lua lzo mad mailwrapper math matroska mcve md5sum memlimit
mhash mikmod ming mmx mng mod modplug mono motif mozbranding mozcalendar
mozdevelop mp3 mpeg mplayer msn mssql musicbrainz mysql mysqli nas ncurses
new-login nls nptl nptlonly nsplugin ntfs numeric nvidia ocaml odbc offensive
ogg openal opengl optimisememory oss pam paste64 pcre pdf pdflib perl pertty
php png posix postgres pppd printer python qt qt3 qt4 quicktime readline real
realmedia reflection ruby samba sasl sdl seamonkey session shout simplexml
skins slang sndfile soap sockets sound source speex spell spl sqlite sqlite3
ssl startup-notification stream subversion svg svga swat syslog t1lib tcl tcltk
tcpd tetex theora thesaurus tidy tiff timidity tk tokenizer toolbar truetype
truetype-fonts type1-fonts udev unicode upnp urandom v4l v4l2 vcd vim vim-pager
vim-with-x visualization vorbis wifi win32codecs wmf wmp wordperfect wxwindows
x86 xanim xforms xine xinerama xml xml2 xmlreader xmlrpc xmlwriter xmp xorg
xosd xprint xscreensaver xsl xv xvid xvmc zip zlib" ALSA_CARDS="ca0106"
ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file
hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route
share shm softvol" ELIBC="glibc" INPUT_DEVICES="joystick keyboard mouse
ps2mouse" KERNEL="linux" LINGUAS="en en_US" USERLAND="GNU" VIDEO_CARDS="nvidia"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, LDFLAGS, MAKEOPTS,
PORTAGE_RSYNC_EXTRA_OPTS

Could this be caused by me having both en and en-US in LINGUAS?

------- Comment #19 From Sven 2007-01-15 03:46:21 0000 -------
Why does acroread-7.0.9 (which is currently stable on amd64 in portage) depend
on libstdc++-v3 !?

AFAIK, sys-libs/libstdc++-v3 will install a 64-bit library while acroread is a
32-bit application.

Is that really correct?

------- Comment #20 From Andrej Kacian (RETIRED) 2007-01-15 15:36:06 0000 -------
(In reply to comment #18)
> When trying to emerge 7.0.9, I keep getting an error unpacking it.
> 
> >>> Unpacking source...
> >>> Unpacking AdobeReader_enu-7.0.9-1.i386.tar.gz to /var/tmp/portage/app-text/acroread-7.0.9/work
> mv: cannot stat
> `/var/tmp/portage/app-text/acroread-7.0.9/work/AdobeReader/bin/acroread.': No
> such file or directory
> 
> !!! ERROR: app-text/acroread-7.0.9 failed.
> Call stack:
>   ebuild.sh, line 1611:   Called dyn_unpack
>   ebuild.sh, line 751:   Called qa_call 'src_unpack'
>   environment, line 2973:   Called src_unpack
>   acroread-7.0.9.ebuild, line 126:   Called die

Maintainers, what about this one? Looks like something linguas-related is not
working right in certain cases. I wasn't able to reproduce it, though.

------- Comment #21 From Kevin F. Quinn (RETIRED) 2007-01-16 08:10:21 0000 -------
(In reply to comment #20)
> Maintainers, what about this one? Looks like something linguas-related is not
> working right in certain cases. I wasn't able to reproduce it, though.

Already fixed in v1.4.  It occurred with bash-3.2, which has changed the
semantics of '=~' (see bug #162018).
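
The `=~` change discussed in comments #5, #13 and #21, shown as an added example (it is not the ebuild's code or any commenter's): from bash 3.2 on, a quoted right-hand side of `[[ =~ ]]` is compared as a literal string instead of a regular expression. The function names and the LINGUAS-style sample values are constructed for illustration.

```bash
#!/bin/bash
# Added example: effect of quoting the right-hand side of [[ =~ ]].
# Function names and LINGUAS values are constructed for illustration.

# Regex stored in a variable and expanded UNQUOTED: treated as a regular
# expression on every bash release that supports =~.
has_lang_regex() {            # $1 = LINGUAS-style list, $2 = language code
    local re="(^| )$2( |\$)"
    [[ $1 =~ $re ]]
}

# Same regex, QUOTED at the point of use: bash >= 3.2 searches for the
# literal text "(^| )en( |$)", which never occurs in a LINGUAS list.
has_lang_quoted() {
    local re="(^| )$2( |\$)"
    [[ $1 =~ "$re" ]]
}

# Quoted plain string: a literal substring test on bash >= 3.2. It has no
# word boundaries, so "en" is also found inside "en_GB".
has_substring() {
    [[ $1 =~ "$2" ]]
}

# Print one verdict per check; the if keeps a failed match from aborting
# callers that run under `set -e`.
show() {
    if "$@"; then echo "match:    $*"; else echo "no match: $*"; fi
}

echo "bash $BASH_VERSION"
show has_lang_regex  "de en"    en
show has_lang_quoted "de en"    en
show has_lang_regex  "en_GB de" en
show has_substring   "en_GB de" en
```

A test that silently stops matching leaves the variable it was meant to set empty, so build scripts that branch on `=~` are worth re-running after a shell upgrade.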

------- Comment #22 From Christian Faulhammer 2007-01-16 10:20:53 0000 -------
Am stabling for x86, but the binary for LINGUAS en and de show me that they are
version 7.0.8...the tarball is correct, but could maintainers investigate if
that version is really fixed?

------- Comment #23 From Kevin F. Quinn (RETIRED) 2007-01-16 12:18:26 0000 -------
(In reply to comment #22)
> Am stabling for x86, but the binary for LINGUAS en and de show me that they are
> version 7.0.8...the tarball is correct,

It appears the help->about is incorrect; see also comment #7

> but could maintainers investigate if that version is really fixed?

If someone can point me to a PoC exploit I'll test.

------- Comment #24 From Christian Faulhammer 2007-01-16 12:55:24 0000 -------
(In reply to comment #23)
> (In reply to comment #22)
> > Am stabling for x86, but the binary for LINGUAS en and de show me that they are
> > version 7.0.8...the tarball is correct,
> 
> It appears the help->about is incorrect; see also comment #7

 Gnargl...I thought I read it all.  Should be ok then.
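
One way to script the check that comments #7, #22 and #23 settle on, reading the version from disk rather than from the Help->About dialog, as an added example (not part of the thread or the ebuild). The `AcroVersion` path and the 7.0.9 target come from the thread; the function names and the plugin directory argument are assumptions, and the demo tree is constructed.

```bash
#!/bin/bash
# Added example. The AcroVersion path and the 7.0.9 target come from the
# thread; the plugin directory is an assumption and must be passed in.

TARGET_VERSION="7.0.9"

# version_lt A B: succeed when dotted version A sorts strictly before B.
version_lt() {
    [ "$1" != "$2" ] || return 1
    local lowest
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$lowest" = "$1" ]
}

# audit_acroread INSTALL_ROOT [PLUGIN_DIR]
# Prints one verdict line. Returns 0 = at/above target, 1 = older, 2 = unknown.
audit_acroread() {
    local root=$1 plugin_dir=${2:-} version_file version plugin="absent"
    version_file="$root/Reader/AcroVersion"
    if [ ! -r "$version_file" ]; then
        echo "unknown: cannot read $version_file"
        return 2
    fi
    # Trust the file on disk; the thread shows Help->About still saying 7.0.8.
    version=$(tr -d '[:space:]' < "$version_file")
    # The browser-side issues only apply when the nsplugin library is installed.
    if [ -n "$plugin_dir" ] && [ -e "$plugin_dir/nppdf.so" ]; then
        plugin="present"
    fi
    if version_lt "$version" "$TARGET_VERSION"; then
        echo "outdated: $version < $TARGET_VERSION, nppdf.so $plugin"
        return 1
    fi
    echo "ok: $version, nppdf.so $plugin"
    return 0
}

# Constructed demo tree standing in for /opt/Acrobat7 and a browser plugin dir.
demo=$(mktemp -d)
mkdir -p "$demo/old/Reader" "$demo/new/Reader" "$demo/plugins"
echo "7.0.8" > "$demo/old/Reader/AcroVersion"
echo "7.0.9" > "$demo/new/Reader/AcroVersion"
: > "$demo/plugins/nppdf.so"
audit_acroread "$demo/old" "$demo/plugins" || true
audit_acroread "$demo/new" || true
```

An "ok" verdict only means the install is at the version this bug stabilised; comment #11 notes that several of the listed CVEs are reported as present prior to 8.0.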

------- Comment #25 From Raphael Marichez 2007-01-23 00:22:32 0000 -------
GLSA 200601-16, thanks everybody.
