+++ This bug was initially created as a clone of Bug #322855 +++ Quoting $URL: A critical vulnerability exists in Adobe Flash Player 10.0.45.2 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems, and the authplay.dll component that ships with Adobe Reader and Acrobat 9.x for Windows, Macintosh and UNIX operating systems. This vulnerability (CVE-2010-1297) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild against both Adobe Flash Player, and Adobe Reader and Acrobat. This advisory will be updated once a schedule has been determined for releasing a fix.
From http://blogs.adobe.com/asset/2010/06/background_on_apsa10-01_patch.html: The security update for Flash Player will be available by June 10, 2010. The security update for Adobe Reader and Acrobat will be available by June 29, 2010.
I've committed acroread-9.3.3 to CVS.
Arches, please test and mark stable: =app-text/acroread-9.3.3 Target keywords : "amd64 x86"
x86 stable.
amd64 done
glsa request filed.
printing: please remove the vulnerable version in the tree
CVE-2010-1285 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1285): Adobe Reader and Acrobat 9.x before 9.3.3, and 8.x before 8.2.3 on Windows and Mac OS X, allow attackers to execute arbitrary code via unspecified manipulations involving the newclass (0x58) operator and an "invalid pointer vulnerability" that triggers memory corruption, a different vulnerability than CVE-2010-2168 and CVE-2010-2201. CVE-2010-1295 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1295): Adobe Reader and Acrobat 9.x before 9.3.3, and 8.x before 8.2.3 on Windows and Mac OS X, allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2010-2202, CVE-2010-2207, CVE-2010-2209, CVE-2010-2210, CVE-2010-2211, and CVE-2010-2212.
CVE-2010-2168 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2168): Adobe Reader and Acrobat 9.x before 9.3.3, and 8.x before 8.2.3 on Windows and Mac OS X, allow attackers to execute arbitrary code via a PDF file with crafted Flash content, involving the newfunction (0x44) operator and an "invalid pointer vulnerability" that triggers memory corruption, a different vulnerability than CVE-2010-1285 and CVE-2010-2201. CVE-2010-2201 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2201): Adobe Reader and Acrobat 9.x before 9.3.3, and 8.x before 8.2.3 on Windows and Mac OS X, allow attackers to execute arbitrary code via a PDF file with crafted Flash content involving the (1) pushstring (0x2C) operator, (2) debugfile (0xF1) operator, and an "invalid pointer vulnerability" that triggers memory corruption, a different vulnerability than CVE-2010-1285 and CVE-2010-2168. CVE-2010-2202 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2202): Adobe Reader and Acrobat 9.x before 9.3.3, and 8.x before 8.2.3 on Windows and Mac OS X, allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2010-1295, CVE-2010-2207, CVE-2010-2209, CVE-2010-2210, CVE-2010-2211, and CVE-2010-2212. CVE-2010-2203 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2203): Adobe Reader and Acrobat 9.x before 9.3.3 on UNIX allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors. CVE-2010-2204 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2204): Unspecified vulnerability in Adobe Reader and Acrobat 9.x before 9.3.3, and 8.x before 8.2.3 on Windows and Mac OS X, allows attackers to cause a denial of service or possibly execute arbitrary code via unknown vectors. CVE-2010-2205 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2205): Adobe Reader and Acrobat 9.x before 9.3.3, and 8.x before 8.2.3 on Windows and Mac OS X, access uninitialized memory, which allows attackers to execute arbitrary code via unspecified vectors. CVE-2010-2206 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2206): Array index error in AcroForm.api in Adobe Reader and Acrobat 9.x before 9.3.3, and 8.x before 8.2.3 on Windows and Mac OS X, allows remote attackers to execute arbitrary code via a crafted GIF image in a PDF file, which bypasses a size check and triggers a heap-based buffer overflow. CVE-2010-2207 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2207): Adobe Reader and Acrobat 9.x before 9.3.3, and 8.x before 8.2.3 on Windows and Mac OS X, allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2010-1295, CVE-2010-2202, CVE-2010-2209, CVE-2010-2210, CVE-2010-2211, and CVE-2010-2212. CVE-2010-2208 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2208): Adobe Reader and Acrobat 9.x before 9.3.3, and 8.x before 8.2.3 on Windows and Mac OS X, dereference a heap object after this object's deletion, which allows attackers to execute arbitrary code via unspecified vectors. CVE-2010-2209 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2209): Adobe Reader and Acrobat 9.x before 9.3.3, and 8.x before 8.2.3 on Windows and Mac OS X, allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2010-1295, CVE-2010-2202, CVE-2010-2207, CVE-2010-2210, CVE-2010-2211, and CVE-2010-2212. CVE-2010-2210 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2210): Adobe Reader and Acrobat 9.x before 9.3.3, and 8.x before 8.2.3 on Windows and Mac OS X, allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2010-1295, CVE-2010-2202, CVE-2010-2207, CVE-2010-2209, CVE-2010-2211, and CVE-2010-2212. CVE-2010-2211 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2211): Adobe Reader and Acrobat 9.x before 9.3.3, and 8.x before 8.2.3 on Windows and Mac OS X, allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2010-1295, CVE-2010-2202, CVE-2010-2207, CVE-2010-2209, CVE-2010-2210, and CVE-2010-2212. CVE-2010-2212 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2212): Buffer overflow in Adobe Reader and Acrobat 9.x before 9.3.3, and 8.x before 8.2.3 on Windows and Mac OS X, allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via a PDF file containing Flash content with a crafted #1023 (3FFh) tag, a different vulnerability than CVE-2010-1295, CVE-2010-2202, CVE-2010-2207, CVE-2010-2209, CVE-2010-2210, and CVE-2010-2211.
Sorry for the delay, vulnerable version removed (and also bumped acroread to 9.3.4 to fix CVE-2010-2862 & CVE-2010-1240).
Arches, please test and mark stable: =app-text/acroread-9.3.4 Target keywords : "amd64 x86"
On x86 I get this: scanelf: rpath_security_checks(): Security problem with relative DT_RPATH '.' in /var/tmp/portage/app-text/acroread-9.3.4/image/opt/Adobe/Reader9/Reader/intellinux/lib/libextendscript.so scanelf: rpath_security_checks(): Security problem with relative DT_RPATH '.' in /var/tmp/portage/app-text/acroread-9.3.4/image/opt/Adobe/Reader9/Reader/intellinux/lib/libsccore.so scanelf: rpath_security_checks(): Security problem with relative DT_RPATH '.' in /var/tmp/portage/app-text/acroread-9.3.4/image/opt/Adobe/Reader9/Reader/intellinux/lib/libextendscript.so scanelf: rpath_security_checks(): Security problem with relative DT_RPATH '.' in /var/tmp/portage/app-text/acroread-9.3.4/image/opt/Adobe/Reader9/Reader/intellinux/lib/libsccore.so
stable x86, those warnings exist since the beginning of time
glsa together with all the other acroread stuff
GLSA 201009-05, thanks everyone.