Bug 354211 - <app-text/acroread-9.4.2: multiple vulnerabilities (CVE-2010-4091,CVE-2011-{0562,0563,0565,0566,0567,0570,0585,0586,0587,0588,0589,0590,0591,0592,0593,0594,0595,0596,0598,0599,0600,0602,0603,0604,0605,0606})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
URL: http://www.adobe.com/support/security...
Whiteboard: A2 [glsa]
Keywords:
Depends on:
Blocks:
Reported: 2011-02-09 08:50 UTC by Paweł Hajdan, Jr. (RETIRED)
Modified: 2012-01-30 12:46 UTC

See Also:
Package list:
Runtime testing required: ---


Description Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-02-09 08:50:44 UTC
Critical vulnerabilities have been identified in Adobe Reader 9.4.1 and earlier versions for Windows, Macintosh and UNIX. These vulnerabilities could cause the application to crash and potentially allow an attacker to take control of the affected system.
Comment 1 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-02-09 08:51:30 UTC
Adobe recommends users of Adobe Reader 9.4.1 for UNIX update to Adobe Reader 9.4.2, expected to be available by the week of February 28, 2011.
Comment 2 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-02-24 18:58:24 UTC
Upstream release is available. Maintainers, please bump acroread:
ftp://ftp.adobe.com/pub/adobe/reader/unix/9.x/9.4.2/enu/
Comment 3 Timo Gurr (RETIRED) gentoo-dev 2011-02-25 21:06:03 UTC
Thanks, in CVS.
Comment 4 Tim Sammut (RETIRED) gentoo-dev 2011-02-26 00:53:55 UTC
(In reply to comment #3)
> Thanks, in CVS.
> 

Great, thank you.

Arches, please test and mark stable:
=app-text/acroread-9.4.2
Target keywords: "amd64 x86"

Comment 5 Markos Chandras (RETIRED) gentoo-dev 2011-02-26 09:36:36 UTC
amd64 done
Comment 6 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-02-26 11:45:17 UTC
x86 stable, last arch done
Comment 7 Tim Sammut (RETIRED) gentoo-dev 2011-02-26 14:47:07 UTC
Thanks, folks. GLSA request filed.
Comment 8 Andreas K. Hüttel archtester gentoo-dev 2011-06-05 18:48:11 UTC
9.4.1 as last vulnerable version removed from the tree
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2011-06-13 17:06:23 UTC
CVE-2011-0606 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0606):
  Stack-based buffer overflow in rt3d.dll in Adobe Reader and Acrobat 10.x
  before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6 on Windows and Mac OS
  X allows remote attackers to execute arbitrary code or cause a denial of
  service (memory corruption) via unspecified vectors related to a crafted
  length value, a different vulnerability than CVE-2011-0563 and
  CVE-2011-0589.

CVE-2011-0605 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0605):
  Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x
  before 8.2.6 on Mac OS X allow attackers to execute arbitrary code or cause
  a denial of service (memory corruption) via unspecified vectors.

CVE-2011-0604 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0604):
  Cross-site scripting (XSS) vulnerability in Adobe Reader and Acrobat 10.x
  before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6 on Windows and Mac OS
  X allows remote attackers to inject arbitrary web script or HTML via
  unspecified vectors, a different vulnerability than CVE-2011-0587.

CVE-2011-0603 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0603):
  Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x
  before 8.2.6 on Windows and Mac OS X allow remote attackers to execute
  arbitrary code or cause a denial of service (memory corruption) via a
  crafted image, a different vulnerability than CVE-2011-0566 and
  CVE-2011-0567.

CVE-2011-0602 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0602):
  Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x
  before 8.2.6 on Windows and Mac OS X allow remote attackers to execute
  arbitrary code via crafted JP2K record types in a JPEG2000 image in a PDF
  file, which causes heap corruption, a different vulnerability than
  CVE-2011-0596, CVE-2011-0598, and CVE-2011-0599.

CVE-2011-0600 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0600):
  The U3D component in Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before
  9.4.2, and 8.x before 8.2.6 on Windows and Mac OS X allows remote attackers
  to execute arbitrary code via a 3D file with an invalid Parent Node count
  that triggers an incorrect size calculation and memory corruption, a
  different vulnerability than CVE-2011-0590, CVE-2011-0591, CVE-2011-0592,
  CVE-2011-0593, and CVE-2011-0595.

CVE-2011-0599 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0599):
  The Bitmap parsing component in rt3d.dll in Adobe Reader and Acrobat 10.x
  before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6 on Windows and Mac OS
  X allows remote attackers to execute arbitrary code via a crafted image that
  causes an invalid pointer calculation related to 4/8-bit RLE compression, a
  different vulnerability than CVE-2011-0596, CVE-2011-0598, and
  CVE-2011-0602.

CVE-2011-0598 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0598):
  Integer overflow in ACE.dll in Adobe Reader and Acrobat 10.x before 10.0.1,
  9.x before 9.4.2, and 8.x before 8.2.6 on Windows and Mac OS X allows remote
  attackers to execute arbitrary code via crafted ICC data, a different
  vulnerability than CVE-2011-0596, CVE-2011-0599, and CVE-2011-0602.

CVE-2011-0596 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0596):
  The Bitmap parsing component in 2d.dll in Adobe Reader and Acrobat 10.x
  before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6 on Windows and Mac OS
  X allows remote attackers to execute arbitrary code via an image with crafted
  (1) height and (2) width values for an RLE_8 compressed bitmap, which
  triggers a heap-based buffer overflow, a different vulnerability than
  CVE-2011-0598, CVE-2011-0599, and CVE-2011-0602.

CVE-2011-0595 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0595):
  Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x
  before 8.2.6 on Windows and Mac OS X allow remote attackers to execute
  arbitrary code via a crafted Universal 3D (U3D) file that triggers a buffer
  overflow during decompression, a different vulnerability than CVE-2011-0590,
  CVE-2011-0591, CVE-2011-0592, CVE-2011-0593, and CVE-2011-0600.

CVE-2011-0594 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0594):
  Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x
  before 8.2.6 on Windows and Mac OS X allow remote attackers to execute
  arbitrary code via a font.

CVE-2011-0593 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0593):
  Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x
  before 8.2.6 on Windows and Mac OS X allow remote attackers to execute
  arbitrary code via a crafted Universal 3D (U3D) file that triggers a buffer
  overflow during decompression, a different vulnerability than CVE-2011-0590,
  CVE-2011-0591, CVE-2011-0592, CVE-2011-0595, and CVE-2011-0600.

CVE-2011-0592 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0592):
  Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x
  before 8.2.6 on Windows and Mac OS X allow remote attackers to execute
  arbitrary code via a crafted Universal 3D (U3D) file that triggers a buffer
  overflow during decompression, related to "Texture bmp," a different
  vulnerability than CVE-2011-0590, CVE-2011-0591, CVE-2011-0593,
  CVE-2011-0595, and CVE-2011-0600.

CVE-2011-0591 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0591):
  Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x
  before 8.2.6 on Windows and Mac OS X allow remote attackers to execute
  arbitrary code via a crafted Universal 3D (U3D) file that triggers a buffer
  overflow during decompression, related to Texture and rgba, a different
  vulnerability than CVE-2011-0590, CVE-2011-0592, CVE-2011-0593,
  CVE-2011-0595, and CVE-2011-0600.

CVE-2011-0590 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0590):
  Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x
  before 8.2.6 on Windows and Mac OS X allow remote attackers to execute
  arbitrary code via a 3D file, a different vulnerability than CVE-2011-0591,
  CVE-2011-0592, CVE-2011-0593, CVE-2011-0595, and CVE-2011-0600.

CVE-2011-0589 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0589):
  Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x
  before 8.2.6 on Windows and Mac OS X allow attackers to execute arbitrary
  code or cause a denial of service (memory corruption) via unspecified
  vectors, a different vulnerability than CVE-2011-0563 and CVE-2011-0606.

CVE-2011-0588 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0588):
  Untrusted search path vulnerability in Adobe Reader and Acrobat 10.x before
  10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6 on Windows allows local users
  to gain privileges via a Trojan horse DLL in the current working directory,
  a different vulnerability than CVE-2011-0562 and CVE-2011-0570.

CVE-2011-0587 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0587):
  Cross-site scripting (XSS) vulnerability in Adobe Reader and Acrobat 10.x
  before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6 on Windows and Mac OS
  X allows remote attackers to inject arbitrary web script or HTML via
  unspecified vectors, a different vulnerability than CVE-2011-0604.

CVE-2011-0586 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0586):
  Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x
  before 8.2.6 on Windows and Mac OS X do not properly validate unspecified
  input data, which allows attackers to execute arbitrary code via unknown
  vectors.

CVE-2011-0585 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0585):
  Unspecified vulnerability in Adobe Reader and Acrobat 10.x before 10.0.1,
  9.x before 9.4.2, and 8.x before 8.2.6 on Windows and Mac OS X allows
  attackers to cause a denial of service or possibly execute arbitrary code
  via unknown vectors, a different vulnerability than CVE-2011-0565.

CVE-2011-0570 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0570):
  Untrusted search path vulnerability in Adobe Reader and Acrobat 10.x before
  10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6 on Windows allows local users
  to gain privileges via a Trojan horse DLL in the current working directory,
  a different vulnerability than CVE-2011-0562 and CVE-2011-0588.

CVE-2011-0567 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0567):
  AcroRd32.dll in Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before
  9.4.2, and 8.x before 8.2.6 on Windows and Mac OS X allows remote attackers
  to execute arbitrary code or cause a denial of service (memory corruption)
  via a crafted image that triggers an incorrect pointer calculation, leading
  to heap memory corruption, a different vulnerability than CVE-2011-0566 and
  CVE-2011-0603.

CVE-2011-0566 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0566):
  Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x
  before 8.2.6 on Windows and Mac OS X allow remote attackers to execute
  arbitrary code or cause a denial of service (memory corruption) via a
  crafted image, a different vulnerability than CVE-2011-0567 and
  CVE-2011-0603.

CVE-2011-0565 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0565):
  Unspecified vulnerability in Adobe Reader and Acrobat 10.x before 10.0.1,
  9.x before 9.4.2, and 8.x before 8.2.6 on Windows and Mac OS X allows
  attackers to cause a denial of service or possibly execute arbitrary code
  via unknown vectors, a different vulnerability than CVE-2011-0585.

CVE-2011-0563 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0563):
  Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x
  before 8.2.6 on Windows and Mac OS X allow attackers to execute arbitrary
  code or cause a denial of service (memory corruption) via unspecified
  vectors, a different vulnerability than CVE-2011-0589 and CVE-2011-0606.

CVE-2011-0562 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0562):
  Untrusted search path vulnerability in Adobe Reader and Acrobat 10.x before
  10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6 on Windows allows local users
  to gain privileges via a Trojan horse DLL in the current working directory,
  a different vulnerability than CVE-2011-0570 and CVE-2011-0588.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2011-06-24 20:00:23 UTC
CVE-2010-4091 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4091):
  The EScript.api plugin in Adobe Reader and Acrobat 10.x before 10.0.1, 9.x
  before 9.4.1, and 8.x before 8.2.6 on Windows and Mac OS X allows remote
  attackers to execute arbitrary code or cause a denial of service
  (application crash) via a crafted PDF document that triggers memory
  corruption, involving the printSeps function. NOTE: some of these details
  are obtained from third party information.
Comment 11 Andreas K. Hüttel archtester gentoo-dev 2011-06-24 20:06:12 UTC
Nothing to do for printing anymore.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2012-01-30 12:46:19 UTC
This issue was resolved and addressed in GLSA 201201-19 at http://security.gentoo.org/glsa/glsa-201201-19.xml by GLSA coordinator Alex Legler (a3li).