Suse: http://support.novell.com/techcenter/psdb/d8c48c63359fc807624182696d3d149c.html Adobe Acrobat Reader 8.1.2 contained a /tmp race in its "acroread" wrapper script in the SSL certificate handling. (CVE-2008-0883) Furthermore it contained several duplicated copies of system libraries, which have been removed for this update to make sure they are up-to-date security wise by using the system provided ones.
Created attachment 145339 [details, diff] acroread-CVE-2008-0883.patch
This patch only applies to the "en" variant of the script, depending on linguas, other files might need to be patched. Printing, can you please also advise on the library situation?
(In reply to comment #2) > This patch only applies to the "en" variant of the script, depending on > linguas, other files might need to be patched. Fixed this in acroread-8.1.2-r1 via sed command in the ebuild. > Printing, can you please also advise on the library situation? Not fixed yet, I will open a new bug about this.
Unfortunately, that sed call will not fail unless the referenced file is missing, which should not happen. But Adobe will probably fix this in their next release anyway. What's your ETA on the libraries, i.e. call arches now or after a fix?
(In reply to comment #4) > Unfortunately, that sed call will not fail unless the referenced file is > missing, which should not happen. But Adobe will probably fix this in their > next release anyway. > > What's your ETA on the libraries, i.e. call arches now or after a fix? > No ETA yet since not all libraries are available on amd64 in 32bit anyway, I'd say call the arches now to get the actual security bug fixed version stable so we have some time to look into the library situation.
Thanks, when you open a new bug for the lib situation, please cc security@ Arches, please test and mark stable: =app-text/acroread-8.1.2-r1 Target keywords : "amd64 release x86"
x86 stable
amd64 stable (last arch)
Fixed in release snapshot.
time for glsa decision. I vote YES.
I vote YES, also.
GLSA 200803-26
