Bug 60205

Summary:	app-text/acroread vulnerability in acroread
Product:	Gentoo Security	Reporter:	bin-doph <bauer>
Component:	GLSA Errors	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	normal	CC:	schaedpq
Priority:	High
Version:	unspecified
Hardware:	All
OS:	All
URL:	http://idefense.com/application/poi/display?id=125&type=vulnerabilities&flashstatus=true
Whiteboard:	B2 [glsa] jaervosz
Package list:		Runtime testing required:	---

Description bin-doph 2004-08-13 03:09:45 UTC

Hi,

acroread seems vulnerable to this security-issue. The current version in portage (5.08) is not confirmed as vulnerable, but it says 

"While it is not clear exactly when the vulnerability was patched, iDEFENSE has tested Adobe Acrobat Reader (UNIX) 5.0.9, which appears to be patched against this vulnerability."

http://idefense.com/application/poi/display?id=125&type=vulnerabilities&flashstatus=true

Comment 1 Tim Yamin (RETIRED) gentoo-dev

2004-08-13 03:23:30 UTC

I've now marked 5.09 stable on x86, security team: please vote on a GLSA.

Comment 2 Tim Yamin (RETIRED) gentoo-dev

2004-08-13 03:33:58 UTC

The README has this to say:

==
New for Acrobat Reader 5.0.9

A security patch was applied that solves a couple of problems
reported with malformed uuencoded pdf files.
==

So < 5.09 should be vulnerable.

Comment 3 schaedpq 2004-08-13 07:19:14 UTC

One of the bugs fixed in 5.09 seems to be this one: 
Shell Metacharacter Code Execution Vulnerability <http://idefense.com/application/poi/display?id=124&type=vulnerabilities>
Might be a good idea to include that vulnerability in the GLSA.

Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2004-08-14 00:57:49 UTC

I vote for a GLSA on this one and have drafted one already.

Security please review or vote nay to GLSA.

Thx Dominik

Comment 5 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2004-08-15 07:58:52 UTC

GLSA 200408-14