
Bug 87445

Summary: acroread-7.0: unallowed remote communication
Product: Gentoo Linux
Reporter: Ruben Jenster <rjenster>
Component: Current packages
Assignee: Printing Team <printing>
Status: RESOLVED NEEDINFO
Severity: normal
CC: genstef, jakub, security
Priority: High
Version: 2004.3
Hardware: All
OS: All
Whiteboard:
Package list:
Runtime testing required: ---
Attachments: acroread-7.0.ebuild

Description Ruben Jenster 2005-03-31 10:58:33 UTC
I just read an article at pro-linux.de http://www.pro-linux.de/news/2005/7974.html that acroread-7
can open a remote connection without your knowledge, to spy on you.
I recommend renaming the plugin folder as mentioned in the article, to cut off this behaviour.

Regards 

Ruben
Comment 1 Ruben Jenster 2005-03-31 10:59:48 UTC
Created attachment 54949 [details]
acroread-7.0.ebuild

Updated ebuild that renames the plug_ins folder to plug_ins.disabled and
informs the user about the behaviour of acroread.
Comment 2 Carsten Lohrke (RETIRED) gentoo-dev 2005-03-31 11:31:16 UTC
I don't think this is critical. Whatever you do, please don't add a negating ("no*") USE flag. We have enough of them and they all need to be changed.
Comment 3 Stefan Schweizer (RETIRED) gentoo-dev 2005-03-31 12:32:40 UTC
I don't consider this a security issue, as it is just the JavaScript in the document that does it, so it really depends on the document you are using.
For now you can just disable it in the preferences if you are concerned that documents you are using might "phone back", I think disabli.
However, I would like to disable only the plugins causing it, conditionally. Maybe we should utilize the javascript USE flag?

I am not quite sure which plugin is causing it:

ECMAScript, Escript.api: "The Adobe EScript Plug-In allows PDF documents to take advantage of JavaScript. See the Acrobat JavaScript Object Specification (AcroJS.pdf) for more details. This document can be accessed through Adobe's web site."

Internet Access Plug-in, EFS.api: "This plug-in provides Internet Access for Acrobat."


Ideas?

PS
ruben: please use diff -u old.ebuild new.ebuild for attachments
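Comment 3 suggests disabling only the plug-ins responsible (EScript.api and EFS.api are the two named) rather than renaming the whole plug_ins folder as the attached ebuild does. The script below is an added illustration of that finer-grained approach, not code from the bug or from the acroread ebuild; the install-directory layout, the plug-in file list and the plug_ins.disabled name are assumptions, and the demo directory it builds is constructed for the example.

```shell
#!/bin/sh
# Added example: move individual acroread plug-ins out of plug_ins/ into a
# sibling plug_ins.disabled/ directory so only the named ones are inactive.
# Layout assumption: DIR/plug_ins/<Name>.api (only plug_ins, EScript.api and
# EFS.api are mentioned on the bug; Search.api below is a constructed stand-in).

# disable_plugins DIR NAME... : move each named .api file aside, keep the rest.
disable_plugins() {
    dir="$1"; shift
    mkdir -p "$dir/plug_ins.disabled" || return 1
    for name in "$@"; do
        if [ -f "$dir/plug_ins/$name" ]; then
            mv "$dir/plug_ins/$name" "$dir/plug_ins.disabled/$name" || return 1
            echo "disabled $name"
        else
            echo "warning: $name not present in $dir/plug_ins" >&2
        fi
    done
}

# restore_plugins DIR : undo, moving every disabled plug-in back into place.
restore_plugins() {
    dir="$1"
    for f in "$dir"/plug_ins.disabled/*.api; do
        [ -e "$f" ] || continue
        mv "$f" "$dir/plug_ins/" || return 1
    done
}

# plugin_enabled DIR NAME : exit status 0 if NAME is still an active plug-in.
plugin_enabled() {
    [ -f "$1/plug_ins/$2" ]
}

# make_demo : constructed, throw-away install tree with three empty .api files.
make_demo() {
    demo=$(mktemp -d)
    mkdir -p "$demo/plug_ins"
    for p in EScript.api EFS.api Search.api; do : > "$demo/plug_ins/$p"; done
    echo "$demo"
}

# Stand-alone run: disable the two candidates from comment 3, keep Search.api.
d=$(make_demo)
disable_plugins "$d" EScript.api EFS.api
ls "$d/plug_ins" "$d/plug_ins.disabled"
rm -rf "$d"
```

Disabling EScript.api alone removes document JavaScript, which is what comment 3 says triggers the connection; EFS.api is the plug-in that actually provides the network access, so a cautious default disables both.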
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2005-04-01 03:46:55 UTC
This is a "feature", not a vulnerability. A warning would be nice, and maybe this should be disabled by default... but it's really the printing team choice.
Comment 5 Tavis Ormandy (RETIRED) gentoo-dev 2005-04-20 03:37:44 UTC
*** Bug 89782 has been marked as a duplicate of this bug. ***
Comment 6 Stefan Schweizer (RETIRED) gentoo-dev 2005-05-14 12:59:29 UTC
Anyone interested in "fixing" this, please provide a patch and reopen