
Bug 212367 (CVE-2008-0883)

Summary: app-text/acroread <8.1.2-r1 Tempfile race condition (CVE-2008-0883)
Product: Gentoo Security
Reporter: Robert Buchholz (RETIRED) <rbu>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: printing
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://thread.gmane.org/gmane.comp.security.oss.general/61
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---
Attachments:
acroread-CVE-2008-0883.patch (Flags: none)

Description Robert Buchholz (RETIRED) gentoo-dev 2008-03-05 11:06:34 UTC
Suse: http://support.novell.com/techcenter/psdb/d8c48c63359fc807624182696d3d149c.html

Adobe Acrobat Reader 8.1.2 contained a /tmp race in its "acroread" wrapper script in the SSL certificate handling. (CVE-2008-0883)
Furthermore, it contained several duplicated copies of system libraries, which have been removed for this update to make sure they are up-to-date security-wise by using the system-provided ones.
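The /tmp race the description refers to is the predictable-temp-file problem in a shell wrapper: the script writes to a guessable path in a world-writable directory, so another local user can place something there first. The following is an added example written for this page, not Adobe's acroread script or the attached patch; the helper names, the template name `acroread-cert.XXXXXXXX` and the certificate payload are constructed.

```shell
#!/bin/sh
# Hardened temp-file handling for a shell wrapper, added example for this
# page: not Adobe's acroread script and not the attached patch. The
# file names, helper names and certificate payload are constructed.

# Vulnerable pattern (the bug class behind CVE-2008-0883): a fixed,
# guessable path under /tmp that any local user can pre-create or point
# at another file before the wrapper writes to it.
#   CERT_TMP=/tmp/acroread-cert.$$      # predictable name, shared dir
#   cat "$1" > "$CERT_TMP"              # follows whatever is already there

# Safe pattern: mktemp creates a fresh, randomly named file atomically,
# and a restrictive umask keeps it private to the caller.
make_private_tmp() {
    old_umask=$(umask)
    umask 077
    tmp=$(mktemp "${TMPDIR:-/tmp}/acroread-cert.XXXXXXXX")
    rc=$?
    umask "$old_umask"
    [ "$rc" -eq 0 ] || return 1
    printf '%s\n' "$tmp"
}

# Check a wrapper can run before trusting a temp file: regular file,
# not a symlink, owned by the caller, mode 0600. Returns 0 if all hold.
tmp_is_private() {
    f=$1
    [ -f "$f" ] && [ ! -L "$f" ] || return 1
    [ -O "$f" ] || return 1
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f") || return 1
    [ "$mode" = "600" ]
}

# Copy the certificate into a private temp file; on success the path is
# left in STAGED_CERT (a global, so no subshell swallows the trap) and the
# file is removed when the script exits.
stage_cert() {
    STAGED_CERT=$(make_private_tmp) || return 1
    trap 'rm -f "$STAGED_CERT"' EXIT
    cat "$1" > "$STAGED_CERT" || { rm -f "$STAGED_CERT"; return 1; }
    tmp_is_private "$STAGED_CERT" || { rm -f "$STAGED_CERT"; return 1; }
}

# Usage from a wrapper:  stage_cert /path/to/ca-bundle.pem && use "$STAGED_CERT"
```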
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-03-05 11:07:07 UTC
Created attachment 145339 [details, diff]
acroread-CVE-2008-0883.patch
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-03-05 11:08:16 UTC
This patch only applies to the "en" variant of the script, depending on linguas, other files might need to be patched.

Printing, can you please also advise on the library situation?
Comment 3 Timo Gurr (RETIRED) gentoo-dev 2008-03-07 21:02:19 UTC
(In reply to comment #2)
> This patch only applies to the "en" variant of the script, depending on
> linguas, other files might need to be patched.

Fixed this in acroread-8.1.2-r1 via sed command in the ebuild.

> Printing, can you please also advise on the library situation?

Not fixed yet, I will open a new bug about this.
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2008-03-08 17:23:01 UTC
Unfortunately, that sed call will not fail unless the referenced file is missing, which should not happen. But Adobe will probably fix this in their next release anyway.

What's your ETA on the libraries, i.e. call arches now or after a fix?
Comment 5 Timo Gurr (RETIRED) gentoo-dev 2008-03-08 21:30:27 UTC
(In reply to comment #4)
> Unfortunately, that sed call will not fail unless the referenced file is
> missing, which should not happen. But Adobe will probably fix this in their
> next release anyway.
> 
> What's your ETA on the libraries, i.e. call arches now or after a fix?
No ETA yet since not all libraries are available on amd64 in 32bit anyway, I'd say call the arches now to get the actual security bug fixed version stable so we have some time to look into the library situation.
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2008-03-09 01:42:14 UTC
Thanks, when you open a new bug for the lib situation, please cc security@

Arches, please test and mark stable:
=app-text/acroread-8.1.2-r1
Target keywords: "amd64 release x86"
Comment 7 Markus Meier gentoo-dev 2008-03-09 12:28:00 UTC
x86 stable
Comment 8 Markus Meier gentoo-dev 2008-03-16 01:11:06 UTC
amd64 stable (last arch)
Comment 9 Peter Volkov (RETIRED) gentoo-dev 2008-03-16 08:16:27 UTC
Fixed in release snapshot.
Comment 10 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-03-16 12:26:50 UTC
Time for GLSA decision. I vote YES.
Comment 11 Matt Fleming (RETIRED) gentoo-dev 2008-03-16 12:30:02 UTC
I vote YES, also.
Comment 12 Robert Buchholz (RETIRED) gentoo-dev 2008-03-18 18:18:00 UTC
GLSA 200803-26