Bug 170177 - app-text/acroread < 8.1.2 Multiple vulnerabilities (CVE-2007-{1199,5659,5663,5666},CVE-2008-{0726,0655,0667})
Bug#: 170177 (CVE-2007-1199)
Product: Gentoo Security
Version: unspecified
Platform: All
OS/Version: Linux
Status: RESOLVED
Severity: normal
Priority: P2
Resolution: FIXED
Assigned To: security@gentoo.org
Reported By: falco@gentoo.org
Component: Vulnerabilities
URL: http://secunia.com/advisories/24408/
Summary: app-text/acroread < 8.1.2 Multiple vulnerabilities (CVE-2007-{1199,5659,5663,5666},CVE-2008-{0726,0655,0667})
Keywords:
Status Whiteboard: B2 [glsa] Falco
Opened: 2007-03-09 21:00 0000
Hello,
That's a weak vulnerability but that's a security issue.
Quoting Secunia:
"The problem is that it is possible to launch "file://" URLs from within PDF
files. This can be exploited to e.g. read arbitrary files on the system and
send them to the attacker."
Credits: pdp
There is no known fixed version yet.
Since this is a binary-only package, there's nothing we can do until Adobe
release a new version.
Upstream takes way too long... printing/security, since we can't fix this and
we can't let a vulnerable package in the tree, what do you think of pmasking,
at least until this is fixed, or even for removal? Please comment.
acroread 8.1.1 for Linux is out. I don't know if it fixes this.
8.1.1 issues a pop-up warning box using the PoCs I could find, asking the user
to confirm the access request - so I guess that sorts this issue out.
However 8.1.1 is only available in English; I'm reluctant to remove the old
version until Adobe have released all the language variants (doesn't usually
take them too long, once they've released the US English version). I don't
think the issue is critical enough to remove stuff before replacements are
available.
(In reply to comment #9)
> printing, please bump.
>
*ping*
Sorry for the huge delay, an updated version of the ebuild is in CVS now:
acroread-8.1.1-r2.ebuild
It should also work on 64-bit, by depending on seamonkey-bin to provide a
working gtkembedmoz.so. That is not optimal but currently there's no other way
since firefox-bin doesn't ship with a gtkembedmoz.so anymore. Though the
mozilla herd is so kind and considers putting a xulrunner-bin into the tree for
us.
Language support is again as complete as it was in acroread7.
The only known remaining problems so far are a few
scanelf: rpath_security_checks(): Security problem with relative DT_RPATH '.'
warnings while emerging the ebuild. If that doesn't hurt, I'd like to unmask
acroread asap to get some further testing and finally get it stable if no
serious problems arise.
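The scanelf warning quoted above comes from its rpath_security_checks(): a DT_RPATH (or DT_RUNPATH) entry such as '.' or an empty entry makes the dynamic loader search the current working directory for shared objects, so whoever controls that directory when the binary starts controls which libraries get loaded. The following is an added example that re-implements that check stand-alone in Python; it is not scanelf's code, it assumes ELF64 little-endian binaries (x86-64 as shipped in the ebuild), and the ELF it builds for testing is constructed input, not a real acroread file.

```python
"""Flag relative DT_RPATH / DT_RUNPATH entries in an ELF64 little-endian binary.

Added example re-implementing the idea behind scanelf's rpath_security_checks();
it is not scanelf's own code. Assumption: ELF64, little-endian only.
"""
import struct

# ELF constants from the ELF specification
PT_LOAD, PT_DYNAMIC = 1, 2
DT_NULL, DT_STRTAB, DT_STRSZ, DT_RPATH, DT_RUNPATH = 0, 5, 10, 15, 29
ELF_HEADER = "<16sHHIQQQIHHHHHH"   # 64 bytes
PROGRAM_HEADER = "<IIQQQQQQ"        # 56 bytes
DYN_ENTRY = "<qQ"                   # 16 bytes: d_tag, d_val


def _vaddr_to_offset(loads, vaddr):
    """Translate a virtual address to a file offset using the PT_LOAD segments."""
    for p_vaddr, p_offset, p_filesz in loads:
        if p_vaddr <= vaddr < p_vaddr + p_filesz:
            return vaddr - p_vaddr + p_offset
    raise ValueError("address 0x%x not backed by any PT_LOAD" % vaddr)


def _cstring(data, offset):
    """Read a NUL-terminated string starting at offset."""
    end = data.index(b"\0", offset)
    return data[offset:end].decode("utf-8", "replace")


def find_rpaths(elf):
    """Return {"DT_RPATH": str, "DT_RUNPATH": str} for whichever tags are present."""
    hdr = struct.unpack_from(ELF_HEADER, elf, 0)
    ident, phoff, phentsize, phnum = hdr[0], hdr[5], hdr[9], hdr[10]
    if ident[:4] != b"\x7fELF" or ident[4] != 2 or ident[5] != 1:
        raise ValueError("only ELF64 little-endian files are handled here")
    loads, dynamic = [], None
    for i in range(phnum):
        p_type, _, p_offset, p_vaddr, _, p_filesz, _, _ = struct.unpack_from(
            PROGRAM_HEADER, elf, phoff + i * phentsize)
        if p_type == PT_LOAD:
            loads.append((p_vaddr, p_offset, p_filesz))
        elif p_type == PT_DYNAMIC:
            dynamic = (p_offset, p_filesz)
    if dynamic is None:
        return {}  # static binary: no dynamic section, hence no rpath
    dyn_off, dyn_size = dynamic
    tags = {}
    for off in range(dyn_off, dyn_off + dyn_size, 16):
        d_tag, d_val = struct.unpack_from(DYN_ENTRY, elf, off)
        if d_tag == DT_NULL:
            break
        tags[d_tag] = d_val
    if DT_STRTAB not in tags:
        return {}
    strtab = _vaddr_to_offset(loads, tags[DT_STRTAB])
    return {name: _cstring(elf, strtab + tags[tag])
            for tag, name in ((DT_RPATH, "DT_RPATH"), (DT_RUNPATH, "DT_RUNPATH"))
            if tag in tags}


def insecure_entries(rpath):
    """Entries of a colon-separated rpath that resolve against the current working
    directory: empty entries and relative paths. $ORIGIN-prefixed entries are expanded
    by the loader to the binary's own directory, so they are not treated as relative."""
    bad = []
    for entry in rpath.split(":"):
        if entry == "":
            bad.append("(empty)")
        elif not entry.startswith("/") and not entry.startswith(("$ORIGIN", "${ORIGIN}")):
            bad.append(entry)
    return bad


def check_elf(elf):
    """Map each rpath tag found to the list of its insecure entries (possibly empty)."""
    return {name: insecure_entries(value) for name, value in find_rpaths(elf).items()}


def build_minimal_elf(rpath, tag=DT_RPATH):
    """Constructed test input: a tiny well-formed ELF64 (x86-64, ET_DYN) whose only
    content is a dynamic section carrying the given rpath. Not a real binary."""
    phnum, ph_off = 2, 64
    strtab_off = ph_off + phnum * 56                  # string table right after the headers
    strtab = b"\0" + rpath.encode() + b"\0"           # rpath lives at index 1
    dyn_off = (strtab_off + len(strtab) + 7) & ~7     # 8-byte align the dynamic section
    entries = [(DT_STRTAB, strtab_off), (DT_STRSZ, len(strtab)), (tag, 1), (DT_NULL, 0)]
    dynamic = b"".join(struct.pack(DYN_ENTRY, t, v) for t, v in entries)
    total = dyn_off + len(dynamic)
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)  # ELFCLASS64, little-endian, version 1
    header = struct.pack(ELF_HEADER, ident, 3, 62, 1, 0, ph_off, 0, 0, 64, 56, phnum, 64, 0, 0)
    # One PT_LOAD mapping the whole file at vaddr 0 (vaddr == file offset), plus PT_DYNAMIC.
    ph_load = struct.pack(PROGRAM_HEADER, PT_LOAD, 5, 0, 0, 0, total, total, 0x1000)
    ph_dyn = struct.pack(PROGRAM_HEADER, PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off,
                         len(dynamic), len(dynamic), 8)
    body = header + ph_load + ph_dyn + strtab
    body += b"\0" * (dyn_off - len(body))
    return body + dynamic


if __name__ == "__main__":
    for rp in (".", "/usr/lib:.", "$ORIGIN/../lib", "/opt/acroread/lib"):
        print(repr(rp), "->", check_elf(build_minimal_elf(rp)))
```

To run it against a real file, pass `open(path, "rb").read()` to `check_elf`; a non-empty list for any tag is the condition scanelf reports as a relative DT_RPATH, and the ebuild-level fix is to rewrite or strip that tag rather than to ignore the warning.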
acroread-8.1.2 is in the tree and unmasked now, should be fine to go stable in
a few days.
amd64 and x86 please test and mark stable.
This one is ready for GLSA vote. I vote YES.
Please add CVE-2008-0726 - I could not add it because I don't have the proper
permissions.
Fixed in release snapshot.