According to http://www.adobe.com/support/security/bulletins/apsb09-15.html there are multiple vulnerabilities in acroread, and there are updates to address them:

9.1.3 -> 9.2
8.1.6 -> 8.1.7
7.1.3 -> 7.1.4

Therefore Gentoo should have ebuilds for acroread-9.2 and acroread-8.1.7 in tree, to allow for updates to those ebuilds already in tree right now. Simply renaming the 9.1.3 ebuild to 9.2 should do the trick for 9.x versions. At least it did emerge for me, and can be executed successfully. Some security warnings from rpath_security_checks remain, but that's bug #283095.
Maintainers, please bump.
CVE-2009-3459 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3459): Unspecified vulnerability in Adobe Reader and Acrobat 9.1.3 and earlier, and possibly 7.1.3 and 8.1.6, allows remote attackers to execute arbitrary code via a crafted PDF file that triggers memory corruption, as exploited in the wild in October 2009. NOTE: some of these details are obtained from third party information.

CVE-2009-2979 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2979): Adobe Reader and Acrobat 9.x before 9.2, 8.x before 8.1.7, and possibly 7.x through 7.1.4 do not properly perform XMP-XML entity expansion, which allows remote attackers to cause a denial of service via a crafted document.

CVE-2009-2980 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2980): Integer overflow in Adobe Reader and Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x before 9.2 allows attackers to cause a denial of service or possibly execute arbitrary code via unspecified vectors.

CVE-2009-2981 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2981): Adobe Reader and Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x before 9.2 do not properly validate input, which might allow attackers to bypass intended Trust Manager restrictions via unspecified vectors.

CVE-2009-2982 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2982): An unspecified certificate in Adobe Reader and Acrobat 9.x before 9.2, 8.x before 8.1.7, and possibly 7.x through 7.1.4 might allow remote attackers to conduct a "social engineering attack" via unknown vectors.

CVE-2009-2983 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2983): Adobe Reader and Acrobat 9.x before 9.2, 8.x before 8.1.7, and possibly 7.x through 7.1.4 allow attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via unspecified vectors.

CVE-2009-2984 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2984): Unspecified vulnerability in the image decoder in Adobe Acrobat 9.x before 9.2, and possibly 7.x through 7.1.4 and 8.x through 8.1.7, allows attackers to cause a denial of service or possibly execute arbitrary code via unknown vectors.

CVE-2009-2985 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2985): Adobe Reader and Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x before 9.2 allow attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2009-2996.

CVE-2009-2986 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2986): Multiple heap-based buffer overflows in Adobe Reader and Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x before 9.2 might allow attackers to execute arbitrary code via unspecified vectors.

CVE-2009-2988 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2988): Adobe Reader and Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x before 9.2 do not properly validate input, which allows attackers to cause a denial of service via unspecified vectors.

CVE-2009-2989 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2989): Integer overflow in Adobe Acrobat 9.x before 9.2, 8.x before 8.1.7, and possibly 7.x through 7.1.4 might allow attackers to execute arbitrary code via unspecified vectors.

CVE-2009-2990 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2990): Array index error in Adobe Reader and Acrobat 9.x before 9.2, 8.x before 8.1.7, and possibly 7.x through 7.1.4 might allow attackers to execute arbitrary code via unspecified vectors.

CVE-2009-2991 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2991): Unspecified vulnerability in the Mozilla plug-in in Adobe Reader and Acrobat 8.x before 8.1.7, and possibly 7.x before 7.1.4 and 9.x before 9.2, might allow remote attackers to execute arbitrary code via unknown vectors.

CVE-2009-2992 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2992): An unspecified ActiveX control in Adobe Reader and Acrobat 9.x before 9.2, 8.x before 8.1.7, and possibly 7.x through 7.1.4 does not properly validate input, which allows attackers to cause a denial of service via unknown vectors.

CVE-2009-2993 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2993): The JavaScript for Acrobat API in Adobe Reader and Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x before 9.2 does not properly implement the (1) Privileged Context and (2) Safe Path restrictions for unspecified JavaScript methods, which allows remote attackers to create arbitrary files, and possibly execute arbitrary code, via the cPath parameter in a crafted PDF file. NOTE: some of these details are obtained from third party information.

CVE-2009-2994 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2994): Buffer overflow in Adobe Reader and Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x before 9.2 might allow attackers to execute arbitrary code via unspecified vectors.

CVE-2009-2995 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2995): Integer overflow in Adobe Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x before 9.2 allows attackers to cause a denial of service via unspecified vectors.

CVE-2009-2996 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2996): Adobe Reader and Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x before 9.2 allow attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2009-2985.

CVE-2009-2997 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2997): Heap-based buffer overflow in Adobe Reader and Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x before 9.2 might allow attackers to execute arbitrary code via unspecified vectors.

CVE-2009-2998 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2998): Adobe Reader and Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x before 9.2 do not properly validate input, which might allow attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2009-3458.

CVE-2009-3431 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3431): Stack consumption vulnerability in Adobe Reader and Acrobat 9.1.3, 9.1.2, 9.1.1, and earlier 9.x versions; 8.1.6 and earlier 8.x versions; and possibly 7.1.4 and earlier 7.x versions allows remote attackers to cause a denial of service (application crash) via a PDF file with a large number of [ (open square bracket) characters in the argument to the alert method. NOTE: some of these details are obtained from third party information.

CVE-2009-3458 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3458): Adobe Reader and Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x before 9.2 do not properly validate input, which might allow attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2009-2998.

CVE-2009-3460 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3460): Adobe Acrobat 9.x before 9.2, 8.x before 8.1.7, and possibly 7.x through 7.1.4 allows attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via unspecified vectors.

CVE-2009-3461 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3461): Unspecified vulnerability in Adobe Acrobat 9.x before 9.2 allows attackers to bypass intended file-extension restrictions via unknown vectors.

CVE-2009-3462 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3462): Adobe Reader and Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x before 9.2 on Unix, when Debug mode is enabled, allow attackers to execute arbitrary code via unspecified vectors, related to a "format bug."
I've committed Adobe Reader 9.2 to CVS.
*** Bug 290230 has been marked as a duplicate of this bug. ***
Thanks. Arches, please test and mark stable:
=app-text/acroread-9.2
Target keywords: "amd64 x86"
amd64 done
x86 stable, last arch. Vote for GLSA, please.
B2 doesn't require a vote, request filed.
The following CVEs referenced in the upstream advisory do /not/ affect us:
Acrobat only: CVE-2009-2984, CVE-2009-2989, CVE-2009-2995, CVE-2009-3460, CVE-2009-3461
Windows only: CVE-2009-2564, CVE-2009-2987, CVE-2009-2992
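Added example (not code from this bug or from Gentoo): a small checker that turns the version thresholds from the APSB09-15 summary at the top of this bug (9.x before 9.2, 8.x before 8.1.7, 7.x before 7.1.4) and the "does not affect us" list above into a reusable decision for an installed app-text/acroread version. The CVE sets are taken from the descriptions quoted in this bug; the function names, the sample versions and the assumption that app-text/acroread is the Linux Reader build (so the Acrobat-only and Windows-only entries are excluded) are this example's own.

```python
"""Check an installed acroread version against the APSB09-15 fixed versions.

Example code written for this bug; the version thresholds and CVE lists are
taken from the advisory text quoted in the bug, everything else is assumed.
"""
import re

# Fixed version per major branch, as listed in the advisory summary.
FIXED_VERSIONS = {
    9: (9, 2),
    8: (8, 1, 7),
    7: (7, 1, 4),
}

# CVEs whose descriptions are quoted in this bug.
ADVISORY_CVES = frozenset({
    "CVE-2009-2979", "CVE-2009-2980", "CVE-2009-2981", "CVE-2009-2982",
    "CVE-2009-2983", "CVE-2009-2984", "CVE-2009-2985", "CVE-2009-2986",
    "CVE-2009-2988", "CVE-2009-2989", "CVE-2009-2990", "CVE-2009-2991",
    "CVE-2009-2992", "CVE-2009-2993", "CVE-2009-2994", "CVE-2009-2995",
    "CVE-2009-2996", "CVE-2009-2997", "CVE-2009-2998", "CVE-2009-3431",
    "CVE-2009-3458", "CVE-2009-3459", "CVE-2009-3460", "CVE-2009-3461",
    "CVE-2009-3462",
})

# Per the security team's comment: not applicable to the Linux Reader build.
ACROBAT_ONLY = frozenset({
    "CVE-2009-2984", "CVE-2009-2989", "CVE-2009-2995",
    "CVE-2009-3460", "CVE-2009-3461",
})
WINDOWS_ONLY = frozenset({"CVE-2009-2564", "CVE-2009-2987", "CVE-2009-2992"})


def parse_version(text):
    """Turn '9.1.3' into (9, 1, 3); reject anything that is not dotted digits."""
    if not re.fullmatch(r"\d+(?:\.\d+)*", text):
        raise ValueError(f"not a dotted version: {text!r}")
    return tuple(int(part) for part in text.split("."))


def is_vulnerable(version):
    """True when the version is below the fixed release of its own branch.

    Tuple comparison gives the advisory semantics directly: (9, 1, 3) < (9, 2)
    because 1 < 2 in the second position, and (8, 1, 7) is not < (8, 1, 7).
    """
    parsed = parse_version(version)
    major = parsed[0]
    if major not in FIXED_VERSIONS:
        raise ValueError(f"branch {major}.x is not covered by APSB09-15")
    return parsed < FIXED_VERSIONS[major]


def applicable_cves(version):
    """CVEs from this bug that apply to the Linux Reader build at `version`.

    Returns an empty set once the version is at or above the branch's fix.
    """
    if not is_vulnerable(version):
        return frozenset()
    return ADVISORY_CVES - ACROBAT_ONLY - WINDOWS_ONLY


if __name__ == "__main__":
    # Constructed sample versions: the three vulnerable and three fixed
    # releases named in the advisory summary.
    for sample in ("9.1.3", "9.2", "8.1.6", "8.1.7", "7.1.3", "7.1.4"):
        cves = applicable_cves(sample)
        state = f"vulnerable ({len(cves)} CVEs)" if cves else "fixed"
        print(f"acroread-{sample}: {state}")
```

The check deliberately refuses versions from a branch the advisory does not name rather than guessing, since a version outside 7.x, 8.x or 9.x would need a different bulletin to judge it.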
GLSA 200910-03