| Summary: | app-text/acroread < 8.1.3: Buffer Overflows (CVE-2008-{0883,2549,2641,2992,4812,4813,4817,4814,4815}) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Robert Buchholz (RETIRED) <rbu> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | printing |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://www.milw0rm.com/exploits/5687 | | |
| Whiteboard: | B2 [glsa] | | |
| Package list: | | Runtime testing required: | --- |
Description
Robert Buchholz (RETIRED)
2008-06-08 23:24:40 UTC
I could not reproduce the issue with http://milw0rm.com/sploits/2008-HI2.pdf Anyone else?

Not able to produce a crash on Linux either. On Windows however it really crashes Adobe Reader as well as the full Acrobat.

There also popped up another CVE which got addressed by the "Security Update 1" published by Adobe on http://www.adobe.com/support/security/bulletins/apsb08-15.html. But afaik the update is only available for Mac and Windows.

CVE-2008-2641 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2641): Unspecified vulnerability in Adobe Reader and Acrobat 7.0.9 and earlier, and 8.0 through 8.1.2, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via unknown vectors, related to an "input validation issue in a JavaScript method."

I guess this is worth another bug but I don't have any further information if it's perhaps related to this one, feel free to open another bug and assign it to us though.

P.S.: Adobe site also reads: "Adobe Reader 9 and Acrobat 9, expected to be available by July 2008, are also not vulnerable to this issue." regarding CVE-2008-2641. Not sure if we can do anything about this until then.

*** Bug 245599 has been marked as a duplicate of this bug. ***

It seems I'm a bit blind this night, Bug 245599 was NOT the same advisory (which I misread), but I guess we'll be handling everything here now. Sorry for my bugspam. :/

- CVE-2008-0883: fixed #212367
- CVE-2008-2641: fixed #233383
- CVE-2008-2549: this bug, does not seem to be fixed.
- Other CVEs: New.

Can we get Adobe Reader 9 in the tree?

(In reply to comment #4)
> Can we get Adobe Reader 9 in the tree?

Well afaik it still has to be released for Linux: ftp://ftp.adobe.com/pub/adobe/reader/unix/ But I'll put 8.1.3 in the tree today, according to http://www.adobe.com/support/security/bulletins/apsb08-19.html it fixes the remaining CVE-2008-{2549,2992,4812,4813,4817,4816,4814,4815}.

acroread-8.1.3 is in the tree now.

Thanks.

Arches, please test and mark stable =app-text/acroread-8.1.3 Target keywords: amd64 x86

amd64 stable

x86 stable, all arches done.

Ready for voting, if allowed, I vote yes.

B2 does not need a vote, filing request.

CVE-2008-4816 is windows-only

GLSA 200901-09, thanks