Summary: | <app-text/acroread-8.1.5 Multiple code execution vulnerabilities (CVE-2009-{1492,1493}) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Alex Legler (RETIRED) <a3li> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | printing |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://secunia.com/advisories/34924/2/ | ||
Whiteboard: | B2 [glsa] | ||
Package list: | Runtime testing required: | --- | |
Bug Depends on: | 273908 | ||
Bug Blocks: |
Description
Alex Legler (RETIRED)
2009-04-29 08:33:26 UTC
CVE-2009-1492 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1492): The getAnnots Doc method in the JavaScript API in Adobe Reader and Acrobat 9.1, 8.1.4, 7.1.1, and earlier allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a PDF file that contains an annotation, and has an OpenAction entry with JavaScript code that calls this method with crafted integer arguments. CVE-2009-1493 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1493): The customDictionaryOpen spell method in the JavaScript API in Adobe Reader 8.1.4 and 9.1 on Linux allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a PDF file that triggers a call to this method with a long string in the second argument. "We are in the process of fixing the issue, and expect to make available product updates for the relevant supported Adobe Reader and Acrobat versions and platforms by May 12th, 2009." (http://blogs.adobe.com/psirt/2009/05/adobe_reader_issue_update.html) They have been released: http://www.adobe.com/support/security/bulletins/apsb09-06.html Please bump There are several new security issues: http://www.adobe.com/support/security/bulletins/apsb09-07.html Adobe states that updates for Linux will be available on 16th June, I'll take care of the bumps then (8.1.6/9.1.2). Tarballs are available on the Adobe mirrors now, I've committed updated ebuilds (8.1.6/9.1.2). GLSA 200907-06 |