Bug 259992 (CVE-2009-0658)

Summary: <app-text/acroread-8.1.4 remote code execution (CVE-2009-{0193,0658,0927,0928,1061,1062})
Product: Gentoo Security
Reporter: Stefan Behte (RETIRED) <craig>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: andrea.rizzolo, jdaluz, matsuu, phceac, printing
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://www.adobe.com/support/security/advisories/apsa09-01.html
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---

Description Stefan Behte (RETIRED) gentoo-dev Security 2009-02-23 11:34:01 UTC
CVE-2009-0658 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0658):
  Buffer overflow in Adobe Reader 9.0 and earlier and Acrobat 9.0 and
  earlier allows remote attackers to execute arbitrary code via a
  crafted PDF document, related to a non-JavaScript function call, as
  exploited in the wild in February 2009 by Trojan.Pidief.E.
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2009-02-23 11:35:15 UTC
NOTE: The vendor is in the process of fixing this issue and will release first fixes by March 11, 2009.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2009-03-21 22:31:12 UTC
Updates are available for Windows now:
http://www.adobe.com/support/security/bulletins/apsb09-04.html

"Adobe now plans to make available Adobe Reader 9.1 and Adobe Reader 8.1.4 for Unix by March 24."
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2009-03-21 22:32:43 UTC
CVE-2009-0927 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0927):
  Unspecified vulnerability in Adobe Reader and Adobe Acrobat 9.1 and
  7.1.1 allows remote attackers to execute arbitrary code via unknown
  vectors related to a JavaScript method and input validation, a
  different vulnerability than CVE-2009-0658.

Comment 4 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-03-25 10:36:06 UTC
CVE-2009-0193 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0193):
  Unspecified vulnerability in Adobe Acrobat Reader 9 before 9.1, 8
  before 8.1.4, and 7 before 7.1.1 might allow remote attackers to
  execute arbitrary code via unknown attack vectors related to JBIG2
  and "input validation," a different vulnerability than CVE-2009-1061
  and CVE-2009-1062.

CVE-2009-0928 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0928):
  Heap-based buffer overflow in Adobe Acrobat Reader and Acrobat
  Professional 7.1.0, 8.1.3, 9.0.0, and other versions allows remote
  attackers to execute arbitrary code via a PDF file containing a JBIG2
  stream with a size inconsistency related to an unspecified table.

CVE-2009-1061 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1061):
  Unspecified vulnerability in Adobe Acrobat Reader 9 before 9.1, 8
  before 8.1.4, and 7 before 7.1.1 might allow remote attackers to
  execute arbitrary code via unknown attack vectors related to JBIG2
  and "input validation," a different vulnerability than CVE-2009-0193
  and CVE-2009-1062.

CVE-2009-1062 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1062):
  Unspecified vulnerability in Adobe Acrobat Reader 9 before 9.1, 8
  before 8.1.4, and 7 before 7.1.1 might allow remote attackers to
  execute arbitrary code via unknown attack vectors related to JBIG2
  and "input validation," a different vulnerability than CVE-2009-0193
  and CVE-2009-1061.

Comment 5 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-03-25 10:39:53 UTC
Updates are released:
http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Unix
Comment 6 Timo Gurr (RETIRED) gentoo-dev 2009-04-06 22:27:22 UTC
app-text/acroread-{8.1.4, 9.1} are in CVS now. I'd suggest stabilizing 8.1.4 first, since Adobe hasn't released 9.1 for all languages yet.
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2009-04-06 23:04:37 UTC
Arches, please test and mark stable:
=app-text/acroread-8.1.4
Target keywords : "amd64 x86"
Comment 8 Tobias Heinlein (RETIRED) gentoo-dev 2009-04-08 19:15:22 UTC
amd64 stable
Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2009-04-12 17:33:56 UTC
x86, ping
Comment 10 Raúl Porcel (RETIRED) gentoo-dev 2009-04-14 10:25:13 UTC
pong, x86 stable
Comment 11 Tobias Heinlein (RETIRED) gentoo-dev 2009-04-14 12:26:07 UTC
GLSA request filed.
Comment 12 Robert Buchholz (RETIRED) gentoo-dev 2009-04-18 11:12:22 UTC
GLSA 200904-17.