Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 393481 (CVE-2011-2462) - <app-text/acroread-9.4.7: Multiple vulnerabilities (CVE-2011-{2462,4369})
Summary: <app-text/acroread-9.4.7: Multiple vulnerabilities (CVE-2011-{2462,4369})
Status: RESOLVED FIXED
Alias: CVE-2011-2462
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://secunia.com/advisories/47133/
Whiteboard: B2 [glsa]
Keywords:
: 398303 (view as bug list)
Depends on:
Blocks: CVE-2011-1353
  Show dependency tree
 
Reported: 2011-12-07 08:47 UTC by Agostino Sarubbo
Modified: 2012-02-20 05:19 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2011-12-07 08:47:44 UTC
From secunia security advisory at $URL:

Description:
The vulnerability is caused due to an unspecified error when handling U3D data. No further information is currently available.

The vulnerability is reported in:
* Adobe Reader versions 9.4.6 and prior for Windows, Macintosh, and UNIX.

Solution:
Do not open untrusted PDF files. A fix is scheduled to be released for Adobe Reader and Acrobat 9.x for Windows in the week of December 12, 2011.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2011-12-13 00:39:58 UTC
CVE-2011-2462 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2462):
  Unspecified vulnerability in the U3D component in Adobe Reader and Acrobat
  10.1.1 and earlier on Windows and Mac OS X, and Adobe Reader 9.x through
  9.4.6 on UNIX, allows remote attackers to execute arbitrary code or cause a
  denial of service (memory corruption) via unknown vectors, as exploited in
  the wild in December 2011.
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2012-01-11 06:23:18 UTC
https://www.adobe.com/support/security/bulletins/apsb11-30.html

Adobe has released reader 9.4.7 for linux.
ftp://ftp.adobe.com/pub/adobe/reader/unix/9.x/

Please bump; thanks!
Comment 3 Agostino Sarubbo gentoo-dev 2012-01-11 15:41:46 UTC
*** Bug 398303 has been marked as a duplicate of this bug. ***
Comment 4 Andreas K. Hüttel archtester gentoo-dev 2012-01-28 21:00:48 UTC
Just bumped to app-text/acroread-9.4.7 (english only, same as 9.4.6).

It might be a good idea to fast-stabilize that (missing localization does not
really count with that list of CVE's).

Please ignore the repoman warning (there is no src_prepare, and just starting
one for the sed call does not make sense).
Comment 5 Tim Sammut (RETIRED) gentoo-dev 2012-01-28 23:10:09 UTC
Thank you.

Arches, please test and mark stable:
=app-text/acroread-9.4.7
Target keywords : "amd64 x86"
Comment 6 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2012-01-29 08:25:59 UTC
x86: is ok
Comment 7 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2012-01-29 12:22:23 UTC
x86 stable
Comment 8 Agostino Sarubbo gentoo-dev 2012-01-29 14:35:45 UTC
amd64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2012-01-29 14:38:11 UTC
added to existing glsa request
Comment 10 Andreas K. Hüttel archtester gentoo-dev 2012-01-29 15:13:36 UTC
Thanks everyone. Vulnerable version has been removed from the tree.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2012-01-30 12:46:30 UTC
This issue was resolved and addressed in
 GLSA 201201-19 at http://security.gentoo.org/glsa/glsa-201201-19.xml
by GLSA coordinator Alex Legler (a3li).
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2012-02-20 05:19:49 UTC
CVE-2011-4369 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4369):
  Unspecified vulnerability in the PRC component in Adobe Reader and Acrobat
  9.x before 9.4.7 on Windows, Adobe Reader and Acrobat 9.x through 9.4.6 on
  Mac OS X, Adobe Reader and Acrobat 10.x through 10.1.1 on Windows and Mac OS
  X, and Adobe Reader 9.x through 9.4.6 on UNIX allows remote attackers to
  execute arbitrary code or cause a denial of service (memory corruption) via
  unknown vectors, as exploited in the wild in December 2011.