Bug 170177 (CVE-2007-1199) - app-text/acroread < 8.1.2 Multiple vulnerabilities (CVE-2007-{1199,5659,5663,5666},CVE-2008-{0726,0655,0667})
Status: RESOLVED FIXED
Alias: CVE-2007-1199
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://secunia.com/advisories/24408/
Whiteboard: B2 [glsa] Falco
Reported: 2007-03-09 21:00 UTC by Raphael Marichez (Falco) (RETIRED)
Modified: 2008-03-03 00:11 UTC
Description Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-03-09 21:00:52 UTC
Hello,

That's a weak vulnerability but that's a security issue.

quoting Secunia:
"The problem is that it is possible to launch "file://" URLs from within PDF files. This can be exploited to e.g. read arbitrary files on the system and send them to the attacker."

Credits: pdp

There is no known fixed version yet
Comment 1 Kevin F. Quinn (RETIRED) gentoo-dev 2007-03-27 12:56:05 UTC
Since this is a binary-only package, there's nothing we can do until Adobe release a new version.
Comment 2 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-08-24 11:54:31 UTC
upstream takes way too long... printing/security, since we can't fix this and we can't let a vulnerable package in the tree, what do you think of pmasking, at least until this is fixed, or even for removal? please comment.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2007-09-14 10:26:28 UTC
acroread 8.1.1 for linux is out. I don't know if it fixes this.
Comment 4 Kevin F. Quinn (RETIRED) gentoo-dev 2007-09-27 22:26:01 UTC
8.1.1 issues a pop-up warning box using the PoCs I could find, asking the user to confirm the access request - so I guess that sorts this issue out.

However 8.1.1 is only available in English; I'm reluctant to remove the old version until Adobe have released all the language variants (doesn't usually take them too long, once they've released the US English version).  I don't think the issue is critical enough to remove stuff before replacements are available.
Comment 5 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-10-17 18:37:24 UTC
Any news on this one?
Comment 6 Kevin F. Quinn (RETIRED) gentoo-dev 2007-10-21 15:47:15 UTC
Sorry, none yet.  Still waiting for Adobe to release it in other languages.

I presume they've gotten delayed, having to deal with http://www.adobe.com/support/security/advisories/apsa07-04.html
which looks like a Windows-only issue, to do with the way mailto: URIs are handled by IE 7.  A PoC available here: 

http://security.fedora-hosting.com/0day/pdf/pdf_poc.txt

discussion here:

http://www.gnucitizen.org/blog/0day-pdf-pwns-windows

It does trigger Firefox on Gentoo, although it doesn't achieve anything here (not least because my Firefox isn't configured to handle mailto: URLs).
Either way it doesn't change the situation for us - we're still waiting for the translated 8.1.1 to appear (perhaps it'll be an 8.1.2 when the new issue is dealt with).
Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2008-01-08 01:17:51 UTC
printing, please bump.
Comment 10 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-01-30 10:53:58 UTC
(In reply to comment #9)
> printing, please bump.
> 

*ping*
Comment 11 Timo Gurr (RETIRED) gentoo-dev 2008-01-30 20:52:44 UTC
Sorry for the huge delay, an updated version of the ebuild is in CVS now:
acroread-8.1.1-r2.ebuild

It should also work on 64bit, by depending on seamonkey-bin to provide a working gtkembedmoz.so. That is not optimal but currently there's no other way since firefox-bin doesn't ship with a gtkembedmoz.so anymore. Though the mozilla herd is so kind and considers putting a xulrunner-bin into the tree for us.

Language support is again as complete as it was in acroread7.

The only known remaining problem so far are a few
scanelf: rpath_security_checks(): Security problem with relative DT_RPATH '.'
warnings while emerging the ebuild. If that doesn't hurt, I'd like to unmask acroread asap to get some further testing and finally getting it stable if no serious problems arise.
Comment 12 Timo Gurr (RETIRED) gentoo-dev 2008-02-07 21:53:14 UTC
acroread-8.1.2 is in the tree and unmasked now, should be fine to go stable in a few days.
Comment 13 Carsten Lohrke (RETIRED) gentoo-dev 2008-02-09 15:58:18 UTC
[...] the update includes several important security fixes, among them a few of critical severity that could be remotely exploitable. [...]

http://www.adobe.com/support/security/advisories/apsa08-01.html


I'd say 8.1.2 should go stable asap.
Comment 14 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2008-02-10 14:38:00 UTC
amd64 and x86 please test and mark stable.
Comment 15 Olivier Crete (RETIRED) gentoo-dev 2008-02-10 22:30:34 UTC
amd64 done
Comment 16 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-02-10 22:37:42 UTC
...
Comment 17 Dawid Węgliński (RETIRED) gentoo-dev 2008-02-10 23:06:29 UTC
x86 stable
Comment 18 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2008-02-11 20:49:13 UTC
This one is ready for GLSA vote. I vote YES.
Comment 19 Robert Buchholz (RETIRED) gentoo-dev 2008-02-12 00:02:31 UTC
Rerating B2, filed.
Comment 20 Robert Buchholz (RETIRED) gentoo-dev 2008-02-12 17:49:25 UTC
See also http://secunia.com/advisories/28802

Comment 21 Lars Hartmann 2008-02-16 15:55:43 UTC
Please add CVE-2008-0726 - I could not add it because I don't have the proper permissions.
Comment 22 Peter Volkov (RETIRED) gentoo-dev 2008-02-23 18:43:45 UTC
Fixed in release snapshot.
Comment 23 Robert Buchholz (RETIRED) gentoo-dev 2008-03-03 00:11:17 UTC
GLSA 200803-01