Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 382969 (CVE-2011-1353) - <app-text/acroread-9.4.7 : Multiple Vulnerabilities (CVE-2011-{2130,2134,2135,2136,2137,2138,2139,2140,2414,2415,2416,2417,2424,2425,2431,2432,2433,2434,2435,2436,2437,2438,2439,2440,2441,2442})
Summary: <app-text/acroread-9.4.7 : Multiple Vulnerabilities (CVE-2011-{2130,2134,2135...
Status: RESOLVED FIXED
Alias: CVE-2011-1353
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://www.adobe.com/support/security...
Whiteboard: B2 [glsa]
Keywords:
Depends on: CVE-2011-2462
Blocks:
  Show dependency tree
 
Reported: 2011-09-14 15:50 UTC by Agostino Sarubbo
Modified: 2012-02-20 05:21 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2011-09-14 15:50:16 UTC
From secunia security advisor at $URL:

Description:
Multiple vulnerabilities have been reported in Adobe Reader / Acrobat, which can be exploited by malicious, local users to gain escalated privileges and by malicious people to disclose potentially sensitive information, bypass certain security restrictions, and compromise a user's system.

1) An unspecified error can be exploited to gain escalated privileges.

This vulnerability affects Adobe Reader X for Windows only.

2) An unspecified error can be exploited to bypass certain security restrictions.

3) An unspecified error related to a U3D TIFF Resource can be exploited to cause a buffer overflow.

4) An unspecified error can be exploited to cause a heap-based buffer overflow.

5) An unspecified error can be exploited to cause a heap-based buffer overflow.

6) An unspecified error can be exploited to cause a buffer overflow.

7) An unspecified error in the image parsing library can be exploited to cause a heap-based buffer overflow.

8) An unspecified error can be exploited to cause a heap-based buffer overflow.

9) Three unspecified errors in the image parsing library can be exploited to cause stack-based buffer overflows.

10) An unspecified error can be exploited to disclose the contents of memory.

11) A user-after-free error can be exploited to dereference already freed memory.

12) Two unspecified errors in the CoolType.dll library can be exploited to cause stack-based buffer overflows.

13) A logic error can be exploited to corrupt memory.

14) The application bundles a vulnerable version of Adobe Flash Player.


The vulnerabilities are reported in:
* Adobe Reader 9.4.5 and earlier for Windows, Macintosh, and UNIX.
Comment 1 Agostino Sarubbo gentoo-dev 2011-09-14 15:54:57 UTC
Note:

Adobe Reader 9.4.6 for UNIX is currently scheduled to be released on November 7, 2011.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2011-10-08 00:50:58 UTC
CVE-2011-2442 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2442):
  Adobe Reader and Acrobat 8.x before 8.3.1, 9.x before 9.4.6, and 10.x before
  10.1.1 allow attackers to execute arbitrary code via unspecified vectors,
  related to a "logic error vulnerability."

CVE-2011-2441 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2441):
  Multiple stack-based buffer overflows in CoolType.dll in Adobe Reader and
  Acrobat 8.x before 8.3.1, 9.x before 9.4.6, and 10.x before 10.1.1 allow
  attackers to execute arbitrary code via unspecified vectors.

CVE-2011-2440 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2440):
  Use-after-free vulnerability in Adobe Reader and Acrobat 8.x before 8.3.1,
  9.x before 9.4.6, and 10.x before 10.1.1 allows attackers to execute
  arbitrary code via unspecified vectors.

CVE-2011-2439 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2439):
  Adobe Reader and Acrobat 8.x before 8.3.1, 9.x before 9.4.6, and 10.x before
  10.1.1 allow attackers to execute arbitrary code via unspecified vectors,
  related to a "memory leakage condition vulnerability."

CVE-2011-2438 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2438):
  Multiple stack-based buffer overflows in the image-parsing library in Adobe
  Reader and Acrobat 8.x before 8.3.1, 9.x before 9.4.6, and 10.x before
  10.1.1 allow attackers to execute arbitrary code via unspecified vectors.

CVE-2011-2437 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2437):
  Heap-based buffer overflow in Adobe Reader and Acrobat 8.x before 8.3.1, 9.x
  before 9.4.6, and 10.x before 10.1.1 allows attackers to execute arbitrary
  code via unspecified vectors, a different vulnerability than CVE-2011-2433
  and CVE-2011-2434.

CVE-2011-2436 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2436):
  Heap-based buffer overflow in the image-parsing library in Adobe Reader and
  Acrobat 8.x before 8.3.1, 9.x before 9.4.6, and 10.x before 10.1.1 allows
  attackers to execute arbitrary code via unspecified vectors.

CVE-2011-2435 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2435):
  Buffer overflow in Adobe Reader and Acrobat 8.x before 8.3.1, 9.x before
  9.4.6, and 10.x before 10.1.1 allows attackers to execute arbitrary code via
  unspecified vectors.

CVE-2011-2434 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2434):
  Heap-based buffer overflow in Adobe Reader and Acrobat 8.x before 8.3.1, 9.x
  before 9.4.6, and 10.x before 10.1.1 allows attackers to execute arbitrary
  code via unspecified vectors, a different vulnerability than CVE-2011-2433
  and CVE-2011-2437.

CVE-2011-2433 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2433):
  Heap-based buffer overflow in Adobe Reader and Acrobat 8.x before 8.3.1, 9.x
  before 9.4.6, and 10.x before 10.1.1 allows attackers to execute arbitrary
  code via unspecified vectors, a different vulnerability than CVE-2011-2434
  and CVE-2011-2437.

CVE-2011-2432 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2432):
  Buffer overflow in the U3D TIFF Resource in Adobe Reader and Acrobat 8.x
  before 8.3.1, 9.x before 9.4.6, and 10.x before 10.1.1 allows attackers to
  execute arbitrary code via unspecified vectors.

CVE-2011-2431 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2431):
  Adobe Reader and Acrobat 8.x before 8.3.1, 9.x before 9.4.6, and 10.x before
  10.1.1 allow attackers to execute arbitrary code via unspecified vectors,
  related to a "security bypass vulnerability."
Comment 3 Alex Legler (RETIRED) archtester gentoo-dev Security 2011-10-26 22:00:23 UTC
-1353 is Windows only
Comment 4 Tim Sammut (RETIRED) gentoo-dev 2011-11-07 20:30:13 UTC
Adobe has released 9.4.6 for UNIX.

ftp://ftp.adobe.com/pub/adobe/reader/unix/9.x/ 

Please bump. Thanks!
Comment 5 Donnie Berkholz (RETIRED) gentoo-dev 2011-11-14 19:43:23 UTC
For anyone interested, I put a 9.4.6 ebuild in the dberkholz overlay. Looks like they've only released English for now.
Comment 6 Andreas K. Hüttel archtester gentoo-dev 2012-01-28 20:09:48 UTC
Just bumped to app-text/acroread-9.4.7 (english only, same as 9.4.6).

It might be a good idea to fast-stabilize that (missing localization does not really count with that list of CVE's).

Please ignore the repoman warning (there is no src_prepare, and just starting one for the sed call does not make sense).
Comment 7 Tim Sammut (RETIRED) gentoo-dev 2012-01-28 23:11:05 UTC
Thank you. We will do stabilization in 393481.
Comment 8 Agostino Sarubbo gentoo-dev 2012-01-29 14:39:35 UTC
added to existing glsa request
Comment 9 Andreas K. Hüttel archtester gentoo-dev 2012-01-29 15:12:54 UTC
Thanks everyone. Vulnerable version has been removed from the tree.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2012-01-30 12:46:25 UTC
This issue was resolved and addressed in
 GLSA 201201-19 at http://security.gentoo.org/glsa/glsa-201201-19.xml
by GLSA coordinator Alex Legler (a3li).
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2012-02-20 05:21:25 UTC
CVE-2011-4374 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4374):
  Integer overflow in Adobe Reader 9.x before 9.4.6 on Linux allows attackers
  to execute arbitrary code via unspecified vectors.