
Bug 313343 (CVE-2010-1241)

Summary: <app-text/acroread-9.3.2 arbitrary code execution (CVE-2010-{0190,0191,0192,0193,0194,0195,0196,0197,0198,0199,0201,0202,0203,0204,1241})
Product: Gentoo Security
Reporter: Stefan Behte (RETIRED) <craig>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: printing
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://www.adobe.com/support/security/bulletins/apsb10-09.html
Whiteboard: A2 [glsa]
Package list:
Runtime testing required: ---

Description Stefan Behte (RETIRED) gentoo-dev Security 2010-04-06 04:04:03 UTC
CVE-2010-1241 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1241):
  The custom heap management system in Adobe Reader 9.3.1 allows remote
  attackers to execute arbitrary code or cause a denial of service
  (heap memory corruption) via a crafted PDF document, aka FG-VD-10-005.
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2010-04-09 16:53:27 UTC
Adobe expects to make these quarterly updates available on April 13, 2010.
Comment 2 Stefan Behte (RETIRED) gentoo-dev Security 2010-04-11 14:03:08 UTC
CVE-2010-1241 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1241):
  The custom heap management system in Adobe Reader 9.3.1 allows remote
  attackers to execute arbitrary code or cause a denial of service
  (heap memory corruption) via a crafted PDF document, aka FG-VD-10-005.

Comment 3 Stefan Behte (RETIRED) gentoo-dev Security 2010-04-14 08:31:42 UTC
The new version is available, please bump ASAP!
Comment 4 Stefan Behte (RETIRED) gentoo-dev Security 2010-04-19 13:34:07 UTC
Printing, when do you plan to add an ebuild for this?
Comment 5 Timo Gurr (RETIRED) gentoo-dev 2010-04-19 14:07:33 UTC
I'm going to add it later today.
Comment 6 Timo Gurr (RETIRED) gentoo-dev 2010-04-19 20:51:48 UTC
acroread-9.3.2 in CVS now, thanks.
Comment 7 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2010-04-21 15:43:32 UTC
rerating
Comment 8 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2010-04-21 17:00:30 UTC
CVE-2010-0190 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0190):
  Cross-site scripting (XSS) vulnerability in Adobe Reader and Acrobat
  9.x before 9.3.2, and 8.x before 8.2.2 on Windows and Mac OS X,
  allows remote attackers to inject arbitrary web script or HTML via
  unspecified vectors.

CVE-2010-0191 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0191):
  Adobe Reader and Acrobat 9.x before 9.3.2, and 8.x before 8.2.2 on
  Windows and Mac OS X, allow attackers to execute arbitrary code via
  unspecified vectors, related to a "prefix protocol handler
  vulnerability."

CVE-2010-0192 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0192):
  Unspecified vulnerability in Adobe Reader and Acrobat 9.x before
  9.3.2, and 8.x before 8.2.2 on Windows and Mac OS X, allows attackers
  to cause a denial of service or possibly execute arbitrary code via
  unknown vectors, a different vulnerability than CVE-2010-0193 and
  CVE-2010-0196.

CVE-2010-0193 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0193):
  Unspecified vulnerability in Adobe Reader and Acrobat 9.x before
  9.3.2, and 8.x before 8.2.2 on Windows and Mac OS X, allows attackers
  to cause a denial of service or possibly execute arbitrary code via
  unknown vectors, a different vulnerability than CVE-2010-0192 and
  CVE-2010-0196.

CVE-2010-0194 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0194):
  Adobe Reader and Acrobat 9.x before 9.3.2, and 8.x before 8.2.2 on
  Windows and Mac OS X, allow attackers to cause a denial of service
  (memory corruption) or execute arbitrary code via unspecified
  vectors, a different vulnerability than CVE-2010-0197, CVE-2010-0201,
  and CVE-2010-0204.

CVE-2010-0195 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0195):
  Adobe Reader and Acrobat 9.x before 9.3.2, and 8.x before 8.2.2 on
  Windows and Mac OS X, do not properly handle fonts, which allows
  attackers to execute arbitrary code via unspecified vectors.

CVE-2010-0196 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0196):
  Unspecified vulnerability in Adobe Reader and Acrobat 9.x before
  9.3.2, and 8.x before 8.2.2 on Windows and Mac OS X, allows attackers
  to cause a denial of service or possibly execute arbitrary code via
  unknown vectors, a different vulnerability than CVE-2010-0192 and
  CVE-2010-0193.

CVE-2010-0197 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0197):
  Adobe Reader and Acrobat 9.x before 9.3.2, and 8.x before 8.2.2 on
  Windows and Mac OS X, allow attackers to cause a denial of service
  (memory corruption) or execute arbitrary code via unspecified
  vectors, a different vulnerability than CVE-2010-0194, CVE-2010-0201,
  and CVE-2010-0204.

CVE-2010-0198 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0198):
  Buffer overflow in Adobe Reader and Acrobat 9.x before 9.3.2, and 8.x
  before 8.2.2 on Windows and Mac OS X, allows attackers to execute
  arbitrary code via unspecified vectors, a different vulnerability
  than CVE-2010-0199, CVE-2010-0202, and CVE-2010-0203.

CVE-2010-0199 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0199):
  Buffer overflow in Adobe Reader and Acrobat 9.x before 9.3.2, and 8.x
  before 8.2.2 on Windows and Mac OS X, allows attackers to execute
  arbitrary code via unspecified vectors, a different vulnerability
  than CVE-2010-0198, CVE-2010-0202, and CVE-2010-0203.

CVE-2010-0201 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0201):
  Adobe Reader and Acrobat 9.x before 9.3.2, and 8.x before 8.2.2 on
  Windows and Mac OS X, allow attackers to cause a denial of service
  (memory corruption) or execute arbitrary code via unspecified
  vectors, a different vulnerability than CVE-2010-0194, CVE-2010-0197,
  and CVE-2010-0204.

CVE-2010-0202 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0202):
  Buffer overflow in Adobe Reader and Acrobat 9.x before 9.3.2, and 8.x
  before 8.2.2 on Windows and Mac OS X, allows attackers to execute
  arbitrary code via unspecified vectors, a different vulnerability
  than CVE-2010-0198, CVE-2010-0199, and CVE-2010-0203.

CVE-2010-0203 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0203):
  Buffer overflow in Adobe Reader and Acrobat 9.x before 9.3.2, and 8.x
  before 8.2.2 on Windows and Mac OS X, allows attackers to execute
  arbitrary code via unspecified vectors, a different vulnerability
  than CVE-2010-0198, CVE-2010-0199, and CVE-2010-0202.

CVE-2010-0204 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0204):
  Adobe Reader and Acrobat 9.x before 9.3.2, and 8.x before 8.2.2 on
  Windows and Mac OS X, allow attackers to cause a denial of service
  (memory corruption) or execute arbitrary code via unspecified
  vectors, a different vulnerability than CVE-2010-0194, CVE-2010-0197,
  and CVE-2010-0201.

Comment 9 Tobias Heinlein (RETIRED) gentoo-dev 2010-05-31 11:03:55 UTC
Arches, please test and mark stable:
=app-text/acroread-9.3.2
Target keywords : "amd64 x86"
Comment 10 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2010-05-31 13:44:27 UTC
x86 stable
Comment 11 Markus Meier gentoo-dev 2010-05-31 19:46:06 UTC
amd64 stable, all arches done.
Comment 12 Stefan Behte (RETIRED) gentoo-dev Security 2010-06-01 21:58:34 UTC
Thanks everyone, GLSA request filed.
Comment 13 Tim Sammut (RETIRED) gentoo-dev 2011-01-15 16:27:35 UTC
This was GLSA 201009-05.