Bug#: 212367
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Robert Buchholz <rbu@gentoo.org>

Attachment: acroread-CVE-2008-0883.patch (type: patch, size: 1.11 KB), created by Robert Buchholz, 2008-03-05 11:07 0000


Description:   Opened: 2008-03-05 11:06 0000
Suse:
http://support.novell.com/techcenter/psdb/d8c48c63359fc807624182696d3d149c.html

Adobe Acrobat Reader 8.1.2 contained a /tmp race in its "acroread" wrapper
script in the SSL certificate handling. (CVE-2008-0883)
Furthermore it contained several duplicated copies of system libraries, which
have been removed for this update to make sure they are up-to-date security
wise by using the system provided ones.

------- Comment #1 From Robert Buchholz 2008-03-05 11:07:07 0000 -------
Created an attachment (id=145339)
acroread-CVE-2008-0883.patch

------- Comment #2 From Robert Buchholz 2008-03-05 11:08:16 0000 -------
This patch only applies to the "en" variant of the script, depending on
linguas, other files might need to be patched.

Printing, can you please also advise on the library situation?

------- Comment #3 From Timo Gurr 2008-03-07 21:02:19 0000 -------
(In reply to comment #2)
> This patch only applies to the "en" variant of the script, depending on
> linguas, other files might need to be patched.

Fixed this in acroread-8.1.2-r1 via sed command in the ebuild.

> Printing, can you please also advise on the library situation?

Not fixed yet, I will open a new bug about this.

------- Comment #4 From Robert Buchholz 2008-03-08 17:23:01 0000 -------
Unfortunately, that sed call will not fail unless the referenced file is
missing, which should not happen. But Adobe will probably fix this in their
next release anyway.

What's your ETA on the libraries, i.e. call arches now or after a fix?

------- Comment #5 From Timo Gurr 2008-03-08 21:30:27 0000 -------
(In reply to comment #4)
> Unfortunately, that sed call will not fail unless the referenced file is
> missing, which should not happen. But Adobe will probably fix this in their
> next release anyway.
> 
> What's your ETA on the libraries, i.e. call arches now or after a fix?
> 

No ETA yet since not all libraries are available on amd64 in 32bit anyway, I'd
say call the arches now to get the actual security bug fixed version stable so
we have some time to look into the library situation.

------- Comment #6 From Robert Buchholz 2008-03-09 01:42:14 0000 -------
Thanks, when you open a new bug for the lib situation, please cc security@

Arches, please test and mark stable:
=app-text/acroread-8.1.2-r1
Target keywords : "amd64 release x86"

------- Comment #7 From Markus Meier 2008-03-09 12:28:00 0000 -------
x86 stable

------- Comment #8 From Markus Meier 2008-03-16 01:11:06 0000 -------
amd64 stable (last arch)

------- Comment #9 From Peter Volkov 2008-03-16 08:16:27 0000 -------
Fixed in release snapshot.

------- Comment #10 From Pierre-Yves Rofes 2008-03-16 12:26:50 0000 -------
Time for GLSA decision. I vote YES.

------- Comment #11 From Matt Fleming 2008-03-16 12:30:02 0000 -------
I vote YES, also.

------- Comment #12 From Robert Buchholz 2008-03-18 18:18:00 0000 -------
GLSA 200803-26
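
The concern raised in comments #2 and #4 (a sed-based fix exits successfully even when it changes nothing, and other language variants of the script may differ), shown as an added example that is not part of this bug report, the attached patch or the ebuild. The helper name `patch_or_fail`, the `FIX` expression, the `/tmp/certcache` name and the file contents are all constructed for illustration.

```shell
#!/bin/sh
# Added example. File contents and the /tmp/certcache name are constructed;
# they are not taken from the real acroread wrapper script.

# sed expression that swaps a predictable temp name for a mktemp call.
FIX='s|/tmp/certcache\.\$\$|$(mktemp)|'

# patch_or_fail FILE PATTERN SED_SCRIPT
# Returns 0 only when PATTERN was present before the edit and gone after it.
# Returns 1 when the fix did not take effect, 2 on a missing file or I/O error.
patch_or_fail() {
    file=$1; pattern=$2; script=$3
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    if ! grep -q -- "$pattern" "$file"; then
        echo "$file: pattern not found, nothing was fixed" >&2
        return 1
    fi
    tmp=$(mktemp "$file.XXXXXX") || return 2
    if sed -e "$script" "$file" > "$tmp" && ! grep -q -- "$pattern" "$tmp"; then
        cat "$tmp" > "$file"    # overwrite in place, keeping the file mode
        rm -f "$tmp"
        return 0
    fi
    rm -f "$tmp"
    echo "$file: pattern still present after edit" >&2
    return 1
}

# demo: two constructed per-language wrapper variants; only "en" matches FIX.
demo() {
    work=$(mktemp -d) || return 2
    printf '%s\n' '#!/bin/sh' 'out=/tmp/certcache.$$' > "$work/en"
    printf '%s\n' '#!/bin/sh' 'out=/tmp/cert_cache.$$' > "$work/de"
    for f in en de; do
        # Plain sed reports success whether or not it changed anything.
        sed -e "$FIX" "$work/$f" > /dev/null && echo "$f: plain sed exit 0"
        if patch_or_fail "$work/$f" '/tmp/certcache' "$FIX"; then
            echo "$f: fix verified"
        else
            echo "$f: fix NOT applied, build should stop here"
        fi
    done
    rm -rf "$work"
}

demo
```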
