170177 CVE-2007-1199 2007-03-09 21:00 0000 app-text/acroread < 8.1.2 Multiple vulnerabilities (CVE-2007-{1199,5659,5663,5666},CVE-2008-{0726,0655,0667}) 2008-03-03 00:11:17 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED http://secunia.com/advisories/24408/ B2 [glsa] Falco P2 normal --- 1 falco@gentoo.org security@gentoo.org kevquinn@gentoo.org printing@gentoo.org falco@gentoo.org 2007-03-09 21:00:52 0000 Hello, That's a weak vulnerability but that's a security issue. quoting Secunia: "The problem is that it is possible to launch "file://" URLs from within PDF files. This can be exploited to e.g. read arbitrary files on the system and send them to the attacker." Credits: pdp There is no known fixed version yet kevquinn@gentoo.org 2007-03-27 12:56:05 0000 Since this is a binary-only package, there's nothing we can do until Adobe release a new version. py@gentoo.org 2007-08-24 11:54:31 0000 upstream takes way too long... printing/security, since we can't fix this and we can't let a vulnerable package in the tree, what do you think of pmasking, at least until this is fixed, or even for removal? please comment. rbu@gentoo.org 2007-09-14 10:26:28 0000 acroread 8.1.1 for linux is out. I don't know if it fixes this. kevquinn@gentoo.org 2007-09-27 22:26:01 0000 8.1.1 issues a pop-up warning box using the PoCs I could find, asking the user to confirm the access request - so I guess that sorts ths issue out. However 8.1.1 is only available in English; I'm reluctant to remove the old version until Adobe have released all the language variants (doesn't usually take them too long, once they've released the US English version). I don't think the issue is critical enough to remove stuff before replacements are available. jaervosz@gentoo.org 2007-10-17 18:37:24 0000 Any news on this one? kevquinn@gentoo.org 2007-10-21 15:47:15 0000 Sorry, none yet. Still waiting for Adobe to release it in other languages. I presume they've gotten delayed, having to deal with http://www.adobe.com/support/security/advisories/apsa07-04.html which looks like a Windows-only issue, to do with the way mailto: URIs are handled by IE 7. A PoC available here: http://security.fedora-hosting.com/0day/pdf/pdf_poc.txt discussion here: http://www.gnucitizen.org/blog/0day-pdf-pwns-windows It does trigger Firefox on Gentoo, although it doesn't achieve anything here (not least because my FireFox isn't configured to handle mailto: URLs). Either way it doesn't change the situation for us - we're still waiting for the translated 8.1.1 to appear (perhaps it'll be an 8.1.2 when the new issue is dealt with). martin@pcalpha.com 2007-12-12 07:32:09 0000 Seems like the multilingual versions of the next acroread are out so this package could be updated. http://ardownload.adobe.com/pub/adobe/reader/unix/8.x/8.1.1/enu/AdobeReader_enu-8.1.1-1.i486.tar.gz http://ardownload.adobe.com/pub/adobe/reader/unix/8.x/8.1.1/fra/AdobeReader_fra-8.1.1-1.i486.tar.gz http://ardownload.adobe.com/pub/adobe/reader/unix/8.x/8.1.1/deu/AdobeReader_deu-8.1.1-1.i486.tar.gz http://ardownload.adobe.com/pub/adobe/reader/unix/8.x/8.1.1/esp/AdobeReader_esp-8.1.1-1.i486.tar.gz [...] http://www.adobe.com/products/acrobat/readstep2_allversions.html py@gentoo.org 2007-12-14 15:32:51 0000 (In reply to comment #7) > Seems like the multilingual versions of the next acroread are out so this > package could be updated. > > http://ardownload.adobe.com/pub/adobe/reader/unix/8.x/8.1.1/enu/AdobeReader_enu-8.1.1-1.i486.tar.gz > http://ardownload.adobe.com/pub/adobe/reader/unix/8.x/8.1.1/fra/AdobeReader_fra-8.1.1-1.i486.tar.gz > http://ardownload.adobe.com/pub/adobe/reader/unix/8.x/8.1.1/deu/AdobeReader_deu-8.1.1-1.i486.tar.gz > http://ardownload.adobe.com/pub/adobe/reader/unix/8.x/8.1.1/esp/AdobeReader_esp-8.1.1-1.i486.tar.gz > [...] > http://www.adobe.com/products/acrobat/readstep2_allversions.html > Thanks for the notification. printing, please provide updated ebuilds. rbu@gentoo.org 2008-01-08 01:17:51 0000 printing, please bump. py@gentoo.org 2008-01-30 10:53:58 0000 (In reply to comment #9) > printing, please bump. > *ping* tgurr@gentoo.org 2008-01-30 20:52:44 0000 Sorry for the huge delay, an updated version of the ebuild is in CVS now: acroread-8.1.1-r2.ebuild It should also work on 64bit, by depending on seamonkey-bin to provide a working gtkembedmoz.so. That is not optimal but currently there's no other way since firefox-bin doesn't ship with a gtkembedmoz.so anymore. Though the mozilla herd is so kind and considers putting a xulrunner-bin into the tree for us. Language support is again as complete as it was in acroread7. The only known remaining problem so far are a few scanelf: rpath_security_checks(): Security problem with relative DT_RPATH '.' warnings while emerging the ebuild. If that doesn't hurt, I'd like to unmask acroread asap to get some further testing and finally getting it stable if no serious problems arise. tgurr@gentoo.org 2008-02-07 21:53:14 0000 acroread-8.1.2 is in the tree and unmasked now, should be fine to go stable in a few days. carlo@gentoo.org 2008-02-09 15:58:18 0000 ...] the update includes several important security fixes, among them a few of critical severity that could be remotely exploitable. [... http://www.adobe.com/support/security/advisories/apsa08-01.html I'd say 8.1.2 should go stable asap. jaervosz@gentoo.org 2008-02-10 14:38:00 0000 amd64 and x86 please test and mark stable. tester@gentoo.org 2008-02-10 22:30:34 0000 amd64 done py@gentoo.org 2008-02-10 22:37:42 0000 ... cla@gentoo.org 2008-02-10 23:06:29 0000 x86 stable jaervosz@gentoo.org 2008-02-11 20:49:13 0000 This one is ready for GLSA vote. I vote YES. rbu@gentoo.org 2008-02-12 00:02:31 0000 Rerating B2, filed. rbu@gentoo.org 2008-02-12 17:49:25 0000 See also http://secunia.com/advisories/28802 lars@chaotika.org 2008-02-16 15:55:43 0000 please add CVE-2008-0726 - i could not add it cause i dont have the propper permissions pva@gentoo.org 2008-02-23 18:43:45 0000 Fixed in release snapshot. rbu@gentoo.org 2008-03-03 00:11:17 0000 GLSA 200803-01