Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 431732

Summary: <app-text/acroread-9.5.4: Multiple vulnerabilities (CVE-2012-{1525,2049,2050,2051,4147,4148,4149,4150,4151,4152,4153,4154,4155,4156,4157,4158,4159,4160,4363})
Product: Gentoo Security Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: jer
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---

Description GLSAMaker/CVETool Bot gentoo-dev 2012-08-17 11:47:04 UTC 
CVE-2012-4160 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4160):
  Adobe Reader and Acrobat 9.x before 9.5.2 and 10.x before 10.1.4 on Windows
  and Mac OS X allow attackers to execute arbitrary code or cause a denial of
  service (memory corruption) via unspecified vectors, a different
  vulnerability than CVE-2012-2051, CVE-2012-4147, CVE-2012-4148,
  CVE-2012-4149, CVE-2012-4150, CVE-2012-4151, CVE-2012-4152, CVE-2012-4153,
  CVE-2012-4154, CVE-2012-4155, CVE-2012-4156, CVE-2012-4157, CVE-2012-4158,
  and CVE-2012-4159.

CVE-2012-4159 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4159):
  Adobe Reader and Acrobat 9.x before 9.5.2 and 10.x before 10.1.4 on Windows
  and Mac OS X allow attackers to execute arbitrary code or cause a denial of
  service (memory corruption) via unspecified vectors, a different
  vulnerability than CVE-2012-2051, CVE-2012-4147, CVE-2012-4148,
  CVE-2012-4149, CVE-2012-4150, CVE-2012-4151, CVE-2012-4152, CVE-2012-4153,
  CVE-2012-4154, CVE-2012-4155, CVE-2012-4156, CVE-2012-4157, CVE-2012-4158,
  and CVE-2012-4160.

CVE-2012-4158 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4158):
  Adobe Reader and Acrobat 9.x before 9.5.2 and 10.x before 10.1.4 on Windows
  and Mac OS X allow attackers to execute arbitrary code or cause a denial of
  service (memory corruption) via unspecified vectors, a different
  vulnerability than CVE-2012-2051, CVE-2012-4147, CVE-2012-4148,
  CVE-2012-4149, CVE-2012-4150, CVE-2012-4151, CVE-2012-4152, CVE-2012-4153,
  CVE-2012-4154, CVE-2012-4155, CVE-2012-4156, CVE-2012-4157, CVE-2012-4159,
  and CVE-2012-4160.

CVE-2012-4157 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4157):
  Adobe Reader and Acrobat 9.x before 9.5.2 and 10.x before 10.1.4 on Windows
  and Mac OS X allow attackers to execute arbitrary code or cause a denial of
  service (memory corruption) via unspecified vectors, a different
  vulnerability than CVE-2012-2051, CVE-2012-4147, CVE-2012-4148,
  CVE-2012-4149, CVE-2012-4150, CVE-2012-4151, CVE-2012-4152, CVE-2012-4153,
  CVE-2012-4154, CVE-2012-4155, CVE-2012-4156, CVE-2012-4158, CVE-2012-4159,
  and CVE-2012-4160.

CVE-2012-4156 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4156):
  Adobe Reader and Acrobat 9.x before 9.5.2 and 10.x before 10.1.4 on Windows
  and Mac OS X allow attackers to execute arbitrary code or cause a denial of
  service (memory corruption) via unspecified vectors, a different
  vulnerability than CVE-2012-2051, CVE-2012-4147, CVE-2012-4148,
  CVE-2012-4149, CVE-2012-4150, CVE-2012-4151, CVE-2012-4152, CVE-2012-4153,
  CVE-2012-4154, CVE-2012-4155, CVE-2012-4157, CVE-2012-4158, CVE-2012-4159,
  and CVE-2012-4160.

CVE-2012-4155 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4155):
  Adobe Reader and Acrobat 9.x before 9.5.2 and 10.x before 10.1.4 on Windows
  and Mac OS X allow attackers to execute arbitrary code or cause a denial of
  service (memory corruption) via unspecified vectors, a different
  vulnerability than CVE-2012-2051, CVE-2012-4147, CVE-2012-4148,
  CVE-2012-4149, CVE-2012-4150, CVE-2012-4151, CVE-2012-4152, CVE-2012-4153,
  CVE-2012-4154, CVE-2012-4156, CVE-2012-4157, CVE-2012-4158, CVE-2012-4159,
  and CVE-2012-4160.

CVE-2012-4154 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4154):
  Adobe Reader and Acrobat 9.x before 9.5.2 and 10.x before 10.1.4 on Windows
  and Mac OS X allow attackers to execute arbitrary code or cause a denial of
  service (memory corruption) via unspecified vectors, a different
  vulnerability than CVE-2012-2051, CVE-2012-4147, CVE-2012-4148,
  CVE-2012-4149, CVE-2012-4150, CVE-2012-4151, CVE-2012-4152, CVE-2012-4153,
  CVE-2012-4155, CVE-2012-4156, CVE-2012-4157, CVE-2012-4158, CVE-2012-4159,
  and CVE-2012-4160.

CVE-2012-4153 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4153):
  Adobe Reader and Acrobat 9.x before 9.5.2 and 10.x before 10.1.4 on Windows
  and Mac OS X allow attackers to execute arbitrary code or cause a denial of
  service (memory corruption) via unspecified vectors, a different
  vulnerability than CVE-2012-2051, CVE-2012-4147, CVE-2012-4148,
  CVE-2012-4149, CVE-2012-4150, CVE-2012-4151, CVE-2012-4152, CVE-2012-4154,
  CVE-2012-4155, CVE-2012-4156, CVE-2012-4157, CVE-2012-4158, CVE-2012-4159,
  and CVE-2012-4160.

CVE-2012-4152 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4152):
  Adobe Reader and Acrobat 9.x before 9.5.2 and 10.x before 10.1.4 on Windows
  and Mac OS X allow attackers to execute arbitrary code or cause a denial of
  service (memory corruption) via unspecified vectors, a different
  vulnerability than CVE-2012-2051, CVE-2012-4147, CVE-2012-4148,
  CVE-2012-4149, CVE-2012-4150, CVE-2012-4151, CVE-2012-4153, CVE-2012-4154,
  CVE-2012-4155, CVE-2012-4156, CVE-2012-4157, CVE-2012-4158, CVE-2012-4159,
  and CVE-2012-4160.

CVE-2012-4151 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4151):
  Adobe Reader and Acrobat 9.x before 9.5.2 and 10.x before 10.1.4 on Windows
  and Mac OS X allow attackers to execute arbitrary code or cause a denial of
  service (memory corruption) via unspecified vectors, a different
  vulnerability than CVE-2012-2051, CVE-2012-4147, CVE-2012-4148,
  CVE-2012-4149, CVE-2012-4150, CVE-2012-4152, CVE-2012-4153, CVE-2012-4154,
  CVE-2012-4155, CVE-2012-4156, CVE-2012-4157, CVE-2012-4158, CVE-2012-4159,
  and CVE-2012-4160.

CVE-2012-4150 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4150):
  Adobe Reader and Acrobat 9.x before 9.5.2 and 10.x before 10.1.4 on Windows
  and Mac OS X allow attackers to execute arbitrary code or cause a denial of
  service (memory corruption) via unspecified vectors, a different
  vulnerability than CVE-2012-2051, CVE-2012-4147, CVE-2012-4148,
  CVE-2012-4149, CVE-2012-4151, CVE-2012-4152, CVE-2012-4153, CVE-2012-4154,
  CVE-2012-4155, CVE-2012-4156, CVE-2012-4157, CVE-2012-4158, CVE-2012-4159,
  and CVE-2012-4160.

CVE-2012-4149 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4149):
  Adobe Reader and Acrobat 9.x before 9.5.2 and 10.x before 10.1.4 on Windows
  and Mac OS X allow attackers to execute arbitrary code or cause a denial of
  service (memory corruption) via unspecified vectors, a different
  vulnerability than CVE-2012-2051, CVE-2012-4147, CVE-2012-4148,
  CVE-2012-4150, CVE-2012-4151, CVE-2012-4152, CVE-2012-4153, CVE-2012-4154,
  CVE-2012-4155, CVE-2012-4156, CVE-2012-4157, CVE-2012-4158, CVE-2012-4159,
  and CVE-2012-4160.

CVE-2012-4148 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4148):
  Adobe Reader and Acrobat 9.x before 9.5.2 and 10.x before 10.1.4 on Windows
  and Mac OS X allow attackers to execute arbitrary code or cause a denial of
  service (memory corruption) via unspecified vectors, a different
  vulnerability than CVE-2012-2051, CVE-2012-4147, CVE-2012-4149,
  CVE-2012-4150, CVE-2012-4151, CVE-2012-4152, CVE-2012-4153, CVE-2012-4154,
  CVE-2012-4155, CVE-2012-4156, CVE-2012-4157, CVE-2012-4158, CVE-2012-4159,
  and CVE-2012-4160.

CVE-2012-4147 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4147):
  Adobe Reader and Acrobat 9.x before 9.5.2 and 10.x before 10.1.4 on Windows
  and Mac OS X allow attackers to execute arbitrary code or cause a denial of
  service (memory corruption) via unspecified vectors, a different
  vulnerability than CVE-2012-2051, CVE-2012-4148, CVE-2012-4149,
  CVE-2012-4150, CVE-2012-4151, CVE-2012-4152, CVE-2012-4153, CVE-2012-4154,
  CVE-2012-4155, CVE-2012-4156, CVE-2012-4157, CVE-2012-4158, CVE-2012-4159,
  and CVE-2012-4160.

CVE-2012-2051 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2051):
  Adobe Reader and Acrobat 9.x before 9.5.2 and 10.x before 10.1.4 on Windows
  and Mac OS X allow attackers to execute arbitrary code or cause a denial of
  service (memory corruption) via unspecified vectors, a different
  vulnerability than CVE-2012-4147, CVE-2012-4148, CVE-2012-4149,
  CVE-2012-4150, CVE-2012-4151, CVE-2012-4152, CVE-2012-4153, CVE-2012-4154,
  CVE-2012-4155, CVE-2012-4156, CVE-2012-4157, CVE-2012-4158, CVE-2012-4159,
  and CVE-2012-4160.

CVE-2012-2050 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2050):
  Buffer overflow in Adobe Reader and Acrobat 9.x before 9.5.2 and 10.x before
  10.1.4 on Windows and Mac OS X allows attackers to execute arbitrary code
  via unspecified vectors.

CVE-2012-2049 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2049):
  Stack-based buffer overflow in Adobe Reader and Acrobat 9.x before 9.5.2 and
  10.x before 10.1.4 on Windows and Mac OS X allows attackers to execute
  arbitrary code via unspecified vectors.

CVE-2012-1525 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1525):
  Heap-based buffer overflow in Adobe Reader and Acrobat 9.x before 9.5.2 and
  10.x before 10.1.4 on Windows and Mac OS X allows attackers to execute
  arbitrary code via unspecified vectors.


An important blog post from the folks at Google regarding these issues:
http://gynvael.coldwind.pl/?id=483
Comment 1 Agostino Sarubbo gentoo-dev 2012-08-17 12:18:37 UTC 
Upstream in its advisory ( https://www.adobe.com/support/security/bulletins/apsb12-16.html ) does not mention Linux. Are you sure it is affected?
Comment 2 taaroa 2012-08-18 07:22:13 UTC 
Today, on 14th of August 2012, Adobe has released a new version of Reader for Windows and Mac OS X platforms, addressing around 25 of the reported critical crashes, see the APSB12-16 security bulletin. 

To summarize:

Adobe Reader for Linux users are exposed to all critical vulnerabilities discussed here, until the patched Linux version is released.

Adobe Reader for Windows are currently vulnerable to up to 6 unpatched issues.

Adobe Reader for Mac OS X are currently vulnerable to up to 10 unpatched issues.

http://j00ru.vexillium.org/?p=1175
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2012-08-24 21:48:22 UTC 
CVE-2012-4363 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4363):
  Multiple unspecified vulnerabilities in Adobe Reader through 10.1.4 allow
  remote attackers to cause a denial of service (application crash) or
  possibly execute arbitrary code via a crafted PDF document, related to
  "sixteen more crashes affecting Windows, OS X, or both systems."
Comment 4 Andreas K. Hüttel archtester gentoo-dev 2013-07-13 13:50:16 UTC 
all versions <9.5.5 removed from the tree
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2013-08-22 22:48:47 UTC 
This issue was resolved and addressed in
 GLSA 201308-03 at http://security.gentoo.org/glsa/glsa-201308-03.xml
by GLSA coordinator Chris Reffett (creffett).