Bug 98101 - app-text/acroread-5.10 - UnixAppOpenFilePerform() Buffer Overflow
Summary: app-text/acroread-5.10 - UnixAppOpenFilePerform() Buffer Overflow
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
Whiteboard: A2 [glsa]
Reported: 2005-07-06 03:31 UTC by Carsten Lohrke (RETIRED)
Modified: 2005-07-11 06:44 UTC
Description Carsten Lohrke (RETIRED) gentoo-dev 2005-07-06 03:31:34 UTC
CVE ID: CAN-2005-1625
Remote exploitation of a buffer overflow in Adobe Acrobat Reader for
Unix could allow an attacker to execute arbitrary code.

The vulnerability specifically exists in the function
UnixAppOpenFilePerform(). This routine is called by Acrobat Reader while
opening a document containing a /Filespec tag. Within this routine,
sprintf is used to copy user-supplied data into a fixed-sized stack
buffer. This leads to a stack based overflow and the execution of
arbitrary code. The following demonstrates what the overflow looks like
in a debugger:

#0  0x41414141 in ?? ()
(gdb) i r ebx
ebx            0xbfffef54       -1073746092
(gdb) x/x 0xbfffef54
0xbfffef54:     0x40404040
(gdb) 

As shown, EIP is easily controllable; ebx also points to the 4 bytes
before the EIP overwrite in a controlled buffer. This allows remote
exploitation without having to know stack addresses, as an attacker can
craft an exploit to return to a jmp ebx or call ebx instruction.
Successful exploitation allows an attacker to execute arbitrary code
under the privileges of the local user. Remote exploitation is possible
via e-mail attachment or link to the maliciously crafted PDF document.
The impact of this vulnerability is lessened by the fact that two error
messages appear before exploitation is successful; however, closing
these windows does not prevent exploitation from occurring.

http://www.idefense.com/application/poi/display?id=279&type=vulnerabilities&flashstatus=true
Recommendations:

Do one of the following:

-- If you use Adobe Reader 5.0.9 or 5.0.10 on Linux or Solaris, download Adobe Reader 7.0 at www.adobe.com/products/acrobat/readstep2.html.

-- If you use Adobe Reader 5.0.9 or 5.0.10 on IBM-AIX or HP-UX, download Adobe Reader 5.0.11 at www.adobe.com/products/acrobat/readstep2.html.

http://www.adobe.com/support/techdocs/329083.html
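The unsafe pattern the advisory describes (sprintf copying a /Filespec string into a fixed-size stack buffer) beside a bounded replacement that rejects over-long input, as an added illustration that is not code from Acrobat Reader or from this bug; the function names, the 256-byte buffer and the `file://` format string are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical reconstruction of the unsafe pattern the advisory describes:
 * an attacker-controlled /Filespec string is formatted into a fixed-size
 * stack buffer with sprintf, which has no idea how big the buffer is.
 * Kept only for comparison; nothing in this example calls it. */
int open_filespec_unsafe(const char *filespec)
{
    char path[256];
    sprintf(path, "file://%s", filespec);   /* overflows past path[255] */
    return (int)strlen(path);
}

/* Hardened form: snprintf is bounded by the caller's buffer size, and its
 * return value (the length that would have been written) exposes
 * truncation, which is rejected instead of silently opening a wrong path. */
int open_filespec_safe(const char *filespec, char *path, size_t path_len)
{
    int n = snprintf(path, path_len, "file://%s", filespec);
    if (n < 0 || (size_t)n >= path_len) {
        if (path_len > 0)
            path[0] = '\0';             /* refuse the Filespec; no overflow */
        return -1;
    }
    return n;                           /* bytes written, excluding NUL */
}

/* Feeds a constructed Filespec of `len` 'A' bytes through the hardened
 * routine and returns its result, so the boundary can be checked. */
int try_constructed_filespec(size_t len)
{
    char filespec[512];
    char path[256];
    if (len >= sizeof filespec)
        len = sizeof filespec - 1;
    memset(filespec, 'A', len);
    filespec[len] = '\0';
    return open_filespec_safe(filespec, path, sizeof path);
}

int main(void)
{
    /* 248 bytes still fit behind "file://"; 249 would need the NUL's slot */
    printf("len 248 -> %d\n", try_constructed_filespec(248));
    printf("len 249 -> %d\n", try_constructed_filespec(249));
    printf("len 300 -> %d\n", try_constructed_filespec(300));
    return 0;
}
```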
Comment 1 Heinrich Wendel (RETIRED) gentoo-dev 2005-07-06 04:44:28 UTC
Seems that we have to drop acroread 5 then, since there is no 5.11 for Linux.
Comment 2 Stefan Schweizer (RETIRED) gentoo-dev 2005-07-06 05:23:45 UTC
(In reply to comment #1)
> Seems that we have to drop acroread 5 then, since there is no 5.11 for Linux.

Some people need acroread-5 because it can show colors correctly; I don't know if
they will be happy with dropping the ebuild...
Acroread 7 is already stable, so I guess not many Gentooers use acroread-5 at the
moment.
Comment 3 Carsten Lohrke (RETIRED) gentoo-dev 2005-07-06 06:43:01 UTC
> Some people need acroread-5 because it can show colors correctly; I don't know if
> they will be happy with dropping the ebuild...

So what? I don't like Acroread 7 either and had it masked, but that's not a
reason to keep vulnerable software.
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2005-07-08 01:38:26 UTC
Yes, it's not like we have much choice here, since Adobe won't release 5.11 on
Linux.

I think we should mask the old Acrobat and issue a GLSA for this.
Comment 5 Stefan Schweizer (RETIRED) gentoo-dev 2005-07-08 05:01:58 UTC
I masked it, now waiting for GLSA.
Comment 6 Matthias Geerdsen (RETIRED) gentoo-dev 2005-07-11 06:44:14 UTC
GLSA 200507-09

thanks everyone