Bug 340527 - <app-text/acroread-9.4.7 ships bundled (and vulnerable) copies of lib{crypto,ssl}.so.0.9.8
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: x86 Linux
Importance: High normal
Assignee: Gentoo Security
Reported: 2010-10-11 13:25 UTC by Mark Davies
Modified: 2012-02-19 23:48 UTC

Description Mark Davies 2010-10-11 13:25:56 UTC
app-text/acroread has a dependency on dev-libs/openssl-0.9.8*, but as far as I can see, in the case of my currently installed acroread-9.3.4 it uses its own version

> ps -fe | grep acroread
mark     17861 12372  2 14:08 ?        00:00:01 /opt/Adobe/Reader9/Reader/intellinux/bin/acroread
mark     17914 12397  0 14:08 pts/0    00:00:00 grep --colour=auto acroread
> grep -P "libssl|libcrypto" /proc/17861/maps
b6682000-b6796000 r-xp 00000000 08:06 492243     /opt/Adobe/Reader9/Reader/intellinux/lib/libcrypto.so.0.9.8
b6796000-b67ac000 rw-p 00114000 08:06 492243     /opt/Adobe/Reader9/Reader/intellinux/lib/libcrypto.so.0.9.8
b67af000-b67ea000 r-xp 00000000 08:06 492244     /opt/Adobe/Reader9/Reader/intellinux/lib/libssl.so.0.9.8
b67ea000-b67ee000 rw-p 0003a000 08:06 492244     /opt/Adobe/Reader9/Reader/intellinux/lib/libssl.so.0.9.8

Of course, if you use ldd, as I assume the output in bug 331753 does, it will show it using the system libs

> ldd /opt/Adobe/Reader9/Reader/intellinux/bin/acroread | grep -P "libssl|libcrypto"
        libssl.so.0.9.8 => /usr/lib/libssl.so.0.9.8 (0xb772b000)
        libcrypto.so.0.9.8 => /usr/lib/libcrypto.so.0.9.8 (0xb75df000)

Reproducible: Always
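The check above is worth generalising: `ldd` resolves the binary in isolation, whereas the running process was started through a launcher that may have changed the library search path (typically by exporting LD_LIBRARY_PATH before exec), so only `/proc/PID/maps` tells you which copy actually got loaded. The script below is an added example, not from the bug report or from the acroread package; it parses text in the `/proc/PID/maps` format, keeps the mapped objects whose name matches a pattern, and drops everything under the usual system library prefixes so that bundled copies stand out. The sample maps text is constructed (addresses and inodes are made up) and the prefix list in `non_system_libs` is an assumption to adjust per distribution.

```shell
#!/bin/sh
# Added example: find shared objects a process has actually mapped that live
# outside the system library directories, i.e. bundled copies that `ldd` on
# the main binary will not show when a wrapper changed the search path.

# Print the mapped files whose path matches the awk regex in $1, read from a
# maps file (the /proc/PID/maps format) on stdin, deduplicated.
mapped_libs() {
    awk -v pat="$1" '$6 ~ pat { print $6 }' | sort -u
}

# Keep only paths outside the system library prefixes.
# Prefix list is an assumption for this example; adjust for your distro.
# `|| true` keeps the pipeline's status 0 when nothing is left, so the
# function can be used under `set -e`.
non_system_libs() {
    grep -Ev '^/(usr/|usr/local/)?lib(32|64|x32)?/' || true
}

# Report bundled libssl/libcrypto mappings of a live PID, e.g. the acroread
# PID from `ps -fe | grep acroread`.
check_pid() {
    pid="$1"
    mapped_libs 'lib(ssl|crypto)[.]so' < "/proc/$pid/maps" | non_system_libs
}

# Constructed sample in the /proc/PID/maps format (addresses and inodes are
# made up): a bundled OpenSSL under /opt next to the system libc, plus an
# anonymous mapping with no path column.
SAMPLE_MAPS='b6682000-b6796000 r-xp 00000000 08:06 492243     /opt/Adobe/Reader9/Reader/intellinux/lib/libcrypto.so.0.9.8
b6796000-b67ac000 rw-p 00114000 08:06 492243     /opt/Adobe/Reader9/Reader/intellinux/lib/libcrypto.so.0.9.8
b67af000-b67ea000 r-xp 00000000 08:06 492244     /opt/Adobe/Reader9/Reader/intellinux/lib/libssl.so.0.9.8
b67ea000-b67ee000 rw-p 0003a000 08:06 492244     /opt/Adobe/Reader9/Reader/intellinux/lib/libssl.so.0.9.8
b7800000-b7950000 r-xp 00000000 08:06 131072     /lib/libc-2.11.so
bffeb000-c0000000 rw-p 00000000 00:00 0          [stack]'

# Run the check over the constructed sample instead of a live process.
demo() {
    printf '%s\n' "$SAMPLE_MAPS" | mapped_libs 'lib(ssl|crypto)[.]so' | non_system_libs
}

# Same filter applied to libc, which lives in a system prefix and so must
# produce no output.
demo_system_only() {
    printf '%s\n' "$SAMPLE_MAPS" | mapped_libs 'libc-' | non_system_libs
}
```

On a live system, `check_pid 17861` reproduces the report's finding in one step: any path it prints is a library the process loaded from outside the distribution's library directories, which is exactly the copy that package-level OpenSSL updates will never touch.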
Comment 1 Samuli Suominen (RETIRED) gentoo-dev 2010-10-11 13:38:09 UTC
sounds like those versions that came in bundled should be removed from the package... probably vulnerable to several bugs.
Comment 2 Andreas K. Hüttel archtester gentoo-dev 2012-01-22 22:18:42 UTC
(In reply to comment #1)
> sounds like those versions that came in bundled, should be removed from the
> package... propably vulnerable to several bugs.

Right. Libraries are removed in acroread-9.4.2-r1. 

Please however give this a good testing before marking it stable, because I don't really know yet how well our system libraries act as replacement. 

(Acroread starts up normally and loads them. I'm hoping there won't be any mystery crashes.)
Comment 3 Andreas K. Hüttel archtester gentoo-dev 2012-02-19 23:11:27 UTC
Is fixed in stable acroread 9.4.7 (only version in tree). 

@security: imho this can be resolved.
Comment 4 Tim Sammut (RETIRED) gentoo-dev 2012-02-19 23:48:16 UTC
(In reply to comment #3)
> Is fixed in stable acroread 9.4.7 (only version in tree). 
> 
> @security: imho this can be resolved.

Thanks; I agree. @security, feel free to reopen if you disagree.