CVE-2008-2549 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2549): Adobe Acrobat Reader 8.1.2 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a malformed PDF document, as demonstrated by 2008-HI2.pdf.
I could not reproduce the issue with http://milw0rm.com/sploits/2008-HI2.pdf. Anyone else?
Not able to produce a crash on Linux either. On Windows, however, it really crashes Adobe Reader as well as the full Acrobat.
Another CVE also popped up, which got addressed by the "Security Update 1" published by Adobe on http://www.adobe.com/support/security/bulletins/apsb08-15.html. But afaik the update is only available for Mac and Windows.
CVE-2008-2641 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2641): Unspecified vulnerability in Adobe Reader and Acrobat 7.0.9 and earlier, and 8.0 through 8.1.2, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via unknown vectors, related to an "input validation issue in a JavaScript method."
I guess this is worth another bug, but I don't have any further information on whether it's perhaps related to this one; feel free to open another bug and assign it to us though.
P.S.: Adobe site also reads: "Adobe Reader 9 and Acrobat 9, expected to be available by July 2008, are also not vulnerable to this issue." regarding CVE-2008-2641. Not sure if we can do anything about this until then.
*** Bug 245599 has been marked as a duplicate of this bug. ***
It seems I'm a bit blind this night, Bug 245599 was NOT the same advisory (which I misread), but I guess we'll be handling everything here now. Sorry for my bugspam. :/
CVE-2008-0883: fixed #212367
CVE-2008-2641: fixed #233383
CVE-2008-2549: this bug, does not seem to be fixed.
Other CVEs: New.
Can we get Adobe Reader 9 in the tree?
(In reply to comment #4)
> Can we get Adobe Reader 9 in the tree?
Well, afaik it still has to be released for Linux: ftp://ftp.adobe.com/pub/adobe/reader/unix/ But I'll put 8.1.3 in the tree today; according to http://www.adobe.com/support/security/bulletins/apsb08-19.html it fixes the remaining CVE-2008-{2549,2992,4812,4813,4817,4816,4814,4815}.
acroread-8.1.3 is in the tree now.
Thanks. Arches, please test and mark stable
=app-text/acroread-8.1.3
Target keywords: amd64 x86
amd64 stable
x86 stable, all arches done.
Ready for voting. If allowed, I vote yes.
B2 does not need a vote, filing request.
CVE-2008-4816 is Windows-only.
GLSA 200901-09, thanks