| Summary: | acroread-7.0: unallowed remote communication | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Ruben Jenster <rjenster> |
| Component: | Current packages | Assignee: | Printing Team <printing> |
| Status: | RESOLVED NEEDINFO | | |
| Severity: | normal | CC: | genstef, jakub, security |
| Priority: | High | | |
| Version: | 2004.3 | | |
| Hardware: | All | | |
| OS: | All | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
| Attachments: | acroread-7.0.ebuild | | |

Description
Ruben Jenster
2005-03-31 10:58:33 UTC
Created attachment 54949
acroread-7.0.ebuild
Updated ebuild that renames the plug_ins folder to plug_ins.disabled and
informs the user about the behaviour of acroread.

I don't think this is critical. Whatever you do, please don't add a negating ("no*") use flag. We have enough of them and they all need to be changed.

I don't consider this a security issue as it is just the JavaScript in the document that does it, so it really depends on the document you are using. For now you can just disable it in the preferences if you are concerned that documents you are using might "phone back", I think disabli. However I would like to disable only the plugins causing it conditionally. Maybe we should utilize the javascript-use-flag? I am not quite sure which plugin is causing it:

ECMAScript, Escript.api: "The Adobe EScript Plug-In allows PDF documents to take advantage of JavaScript. See the Acrobat JavaScript Object Specification (AcroJS.pdf) for more details. This document can be accessed through Adobe's web site."

Internet Access Plug-in, EFS.api: "This plug-ins provides Internet Access for Acrobat."

Ideas?

PS ruben: please use diff -u old.ebuild new.ebuild for attachments

This is a "feature", not a vulnerability. A warning would be nice, and maybe this should be disabled by default... but it's really the printing team's choice.

*** Bug 89782 has been marked as a duplicate of this bug. ***

Anyone interested in "fixing" this, please provide a patch and reopen.