From Secunia security advisory at $URL:

Description:
Multiple vulnerabilities have been reported in Adobe Reader / Acrobat, which can be exploited by malicious, local users to gain escalated privileges and by malicious people to disclose potentially sensitive information, bypass certain security restrictions, and compromise a user's system.

1) An unspecified error can be exploited to gain escalated privileges. This vulnerability affects Adobe Reader X for Windows only.
2) An unspecified error can be exploited to bypass certain security restrictions.
3) An unspecified error related to a U3D TIFF Resource can be exploited to cause a buffer overflow.
4) An unspecified error can be exploited to cause a heap-based buffer overflow.
5) An unspecified error can be exploited to cause a heap-based buffer overflow.
6) An unspecified error can be exploited to cause a buffer overflow.
7) An unspecified error in the image parsing library can be exploited to cause a heap-based buffer overflow.
8) An unspecified error can be exploited to cause a heap-based buffer overflow.
9) Three unspecified errors in the image parsing library can be exploited to cause stack-based buffer overflows.
10) An unspecified error can be exploited to disclose the contents of memory.
11) A use-after-free error can be exploited to dereference already freed memory.
12) Two unspecified errors in the CoolType.dll library can be exploited to cause stack-based buffer overflows.
13) A logic error can be exploited to corrupt memory.
14) The application bundles a vulnerable version of Adobe Flash Player.

The vulnerabilities are reported in:
* Adobe Reader 9.4.5 and earlier for Windows, Macintosh, and UNIX.
Note: Adobe Reader 9.4.6 for UNIX is currently scheduled to be released on November 7, 2011.
CVE-2011-2442 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2442): Adobe Reader and Acrobat 8.x before 8.3.1, 9.x before 9.4.6, and 10.x before 10.1.1 allow attackers to execute arbitrary code via unspecified vectors, related to a "logic error vulnerability."

CVE-2011-2441 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2441): Multiple stack-based buffer overflows in CoolType.dll in Adobe Reader and Acrobat 8.x before 8.3.1, 9.x before 9.4.6, and 10.x before 10.1.1 allow attackers to execute arbitrary code via unspecified vectors.

CVE-2011-2440 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2440): Use-after-free vulnerability in Adobe Reader and Acrobat 8.x before 8.3.1, 9.x before 9.4.6, and 10.x before 10.1.1 allows attackers to execute arbitrary code via unspecified vectors.

CVE-2011-2439 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2439): Adobe Reader and Acrobat 8.x before 8.3.1, 9.x before 9.4.6, and 10.x before 10.1.1 allow attackers to execute arbitrary code via unspecified vectors, related to a "memory leakage condition vulnerability."

CVE-2011-2438 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2438): Multiple stack-based buffer overflows in the image-parsing library in Adobe Reader and Acrobat 8.x before 8.3.1, 9.x before 9.4.6, and 10.x before 10.1.1 allow attackers to execute arbitrary code via unspecified vectors.

CVE-2011-2437 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2437): Heap-based buffer overflow in Adobe Reader and Acrobat 8.x before 8.3.1, 9.x before 9.4.6, and 10.x before 10.1.1 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2011-2433 and CVE-2011-2434.

CVE-2011-2436 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2436): Heap-based buffer overflow in the image-parsing library in Adobe Reader and Acrobat 8.x before 8.3.1, 9.x before 9.4.6, and 10.x before 10.1.1 allows attackers to execute arbitrary code via unspecified vectors.

CVE-2011-2435 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2435): Buffer overflow in Adobe Reader and Acrobat 8.x before 8.3.1, 9.x before 9.4.6, and 10.x before 10.1.1 allows attackers to execute arbitrary code via unspecified vectors.

CVE-2011-2434 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2434): Heap-based buffer overflow in Adobe Reader and Acrobat 8.x before 8.3.1, 9.x before 9.4.6, and 10.x before 10.1.1 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2011-2433 and CVE-2011-2437.

CVE-2011-2433 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2433): Heap-based buffer overflow in Adobe Reader and Acrobat 8.x before 8.3.1, 9.x before 9.4.6, and 10.x before 10.1.1 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2011-2434 and CVE-2011-2437.

CVE-2011-2432 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2432): Buffer overflow in the U3D TIFF Resource in Adobe Reader and Acrobat 8.x before 8.3.1, 9.x before 9.4.6, and 10.x before 10.1.1 allows attackers to execute arbitrary code via unspecified vectors.

CVE-2011-2431 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2431): Adobe Reader and Acrobat 8.x before 8.3.1, 9.x before 9.4.6, and 10.x before 10.1.1 allow attackers to execute arbitrary code via unspecified vectors, related to a "security bypass vulnerability."
-1353 is Windows only
Adobe has released 9.4.6 for UNIX. ftp://ftp.adobe.com/pub/adobe/reader/unix/9.x/ Please bump. Thanks!
For anyone interested, I put a 9.4.6 ebuild in the dberkholz overlay. Looks like they've only released English for now.
Just bumped to app-text/acroread-9.4.7 (English only, same as 9.4.6). It might be a good idea to fast-stabilize that (missing localization does not really count with that list of CVEs). Please ignore the repoman warning (there is no src_prepare, and just starting one for the sed call does not make sense).
Thank you. We will do stabilization in 393481.
added to existing glsa request
Thanks everyone. Vulnerable version has been removed from the tree.
This issue was resolved and addressed in GLSA 201201-19 at http://security.gentoo.org/glsa/glsa-201201-19.xml by GLSA coordinator Alex Legler (a3li).
CVE-2011-4374 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4374): Integer overflow in Adobe Reader 9.x before 9.4.6 on Linux allows attackers to execute arbitrary code via unspecified vectors.