
Bug 340527

Summary: <app-text/acroread-9.4.7 ships bundled (and vulnerable) copies of lib{crypto,ssl}.so.0.9.8
Product: Gentoo Security
Reporter: Mark Davies <mark>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: b.brachaczek, printing
Priority: High
Version: unspecified
Hardware: x86
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---

Description Mark Davies 2010-10-11 13:25:56 UTC
app-text/acroread had a dependency on dev-libs/openssl-0.9.8*, but as far as I can see, in the case of my currently installed acroread-9.3.4 it uses its own version:

> ps -fe | grep acroread
mark     17861 12372  2 14:08 ?        00:00:01 /opt/Adobe/Reader9/Reader/intellinux/bin/acroread
mark     17914 12397  0 14:08 pts/0    00:00:00 grep --colour=auto acroread
> grep -P "libssl|libcrypto" /proc/17861/maps
b6682000-b6796000 r-xp 00000000 08:06 492243     /opt/Adobe/Reader9/Reader/intellinux/lib/libcrypto.so.0.9.8
b6796000-b67ac000 rw-p 00114000 08:06 492243     /opt/Adobe/Reader9/Reader/intellinux/lib/libcrypto.so.0.9.8
b67af000-b67ea000 r-xp 00000000 08:06 492244     /opt/Adobe/Reader9/Reader/intellinux/lib/libssl.so.0.9.8
b67ea000-b67ee000 rw-p 0003a000 08:06 492244     /opt/Adobe/Reader9/Reader/intellinux/lib/libssl.so.0.9.8

Of course, if you use ldd, as I assume the output in bug 331753 does, it will show it using the system libs:

> ldd /opt/Adobe/Reader9/Reader/intellinux/bin/acroread | grep -P "libssl|libcrypto"
        libssl.so.0.9.8 => /usr/lib/libssl.so.0.9.8 (0xb772b000)
        libcrypto.so.0.9.8 => /usr/lib/libcrypto.so.0.9.8 (0xb75df000)

Reproducible: Always
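An added example, not part of the bug report: a shell check that automates what the reporter did by hand, parsing /proc/<pid>/maps and flagging any shared object mapped from outside the system library directories (where ldd, which only resolves the binary's DT_NEEDED entries, still reports the system copies). The sample maps content is constructed from the report's output plus made-up libc/libz lines, and the list of system library directories is an assumption.

```shell
#!/bin/bash
# Added example, not part of the bug report: automate the reporter's check.
# ldd resolves the binary's DT_NEEDED entries against the loader search path,
# so it reported the system libssl/libcrypto; /proc/<pid>/maps shows what the
# running process actually has mapped, which exposed the bundled copies.

# Constructed sample of /proc/<pid>/maps, modelled on the output in the report
# (the libc and libz lines are made up to show system libraries being accepted).
SAMPLE_MAPS='b6682000-b6796000 r-xp 00000000 08:06 492243     /opt/Adobe/Reader9/Reader/intellinux/lib/libcrypto.so.0.9.8
b6796000-b67ac000 rw-p 00114000 08:06 492243     /opt/Adobe/Reader9/Reader/intellinux/lib/libcrypto.so.0.9.8
b67af000-b67ea000 r-xp 00000000 08:06 492244     /opt/Adobe/Reader9/Reader/intellinux/lib/libssl.so.0.9.8
b7700000-b7720000 r-xp 00000000 08:06 12345      /lib/libc-2.11.so
b7730000-b7740000 r-xp 00000000 08:06 12346      /usr/lib/libz.so.1.2.5
b7750000-b7760000 rw-p 00000000 00:00 0          [heap]'

# Directories whose shared objects are managed by the package manager
# (assumed layout; adjust for multilib or merged-/usr systems).
SYSTEM_LIB_RE='^/(usr/)?(local/)?lib(32|64|x32)?/'

# Print each distinct shared object in a maps file that lives outside the
# system library directories. Field 6 of a maps line is the backing path;
# anonymous mappings have no field 6, and pseudo-paths like [heap] contain
# no ".so", so both are skipped.
bundled_libs() {
    awk '$6 ~ /\.so(\.|$)/ { print $6 }' "$1" | sort -u |
        grep -Ev "$SYSTEM_LIB_RE" || true
}

# Check a live process, e.g. check_pid "$(pgrep -n acroread)". Returns 1 and
# lists the offending paths when any non-system library is mapped, else 0.
check_pid() {
    found=$(bundled_libs "/proc/$1/maps")
    [ -z "$found" ] && return 0
    printf 'PID %s has non-system libraries mapped:\n%s\n' "$1" "$found"
    return 1
}

# Stand-alone demonstration on the constructed sample.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_MAPS" > "$tmp"
bundled_libs "$tmp"
rm -f "$tmp"
```

On the sample this prints the two /opt/Adobe paths and nothing else; the same comparison against the package's declared dependencies is what tells you a bundled copy, not the patched system library, is what actually gets loaded.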
Comment 1 Samuli Suominen (RETIRED) gentoo-dev 2010-10-11 13:38:09 UTC
Sounds like those versions that came in bundled should be removed from the package... probably vulnerable to several bugs.
Comment 2 Andreas K. Hüttel archtester gentoo-dev 2012-01-22 22:18:42 UTC
(In reply to comment #1)
> Sounds like those versions that came in bundled should be removed from the
> package... probably vulnerable to several bugs.

Right. Libraries are removed in acroread-9.4.2-r1. 

Please however give this a good testing before marking it stable, because I don't really know yet how well our system libraries act as replacement. 

(Acroread starts up normally and loads them. I'm hoping there won't be any mystery crashes.)
Comment 3 Andreas K. Hüttel archtester gentoo-dev 2012-02-19 23:11:27 UTC
Is fixed in stable acroread 9.4.7 (only version in tree). 

@security: imho this can be resolved.
Comment 4 Tim Sammut (RETIRED) gentoo-dev 2012-02-19 23:48:16 UTC
(In reply to comment #3)
> Is fixed in stable acroread 9.4.7 (only version in tree). 
> 
> @security: imho this can be resolved.

Thanks; I agree. @security, feel free to reopen if you disagree.