Comment 1 Robert Buchholz (RETIRED) 2008-06-08 23:26:02 UTC

I could not reproduce the issue with 
http://milw0rm.com/sploits/2008-HI2.pdf

Anyone else?

Comment 2 Timo Gurr (RETIRED) 2008-06-30 12:43:58 UTC

Not able to produce a crash on Linux, too. On Windows however it really crashes Adobe Reader as well as the full Acrobat.


There also popped up another CVE which got addressed by the "Security Update 1" published by Adobe on http://www.adobe.com/support/security/bulletins/apsb08-15.html. But afaik the update is only available for Mac and Windows.

CVE-2008-2641 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2641):
Unspecified vulnerability in Adobe Reader and Acrobat 7.0.9 and earlier, and 8.0 through 8.1.2, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via unknown vectors, related to an "input validation issue in a JavaScript method."

I guess this is worth another bug but I don't have any further information if it's perhaps related to this one, feel free to open another bug and assign it to us though.

P.S.: Adobe site also reads: "Adobe Reader 9 and Acrobat 9, expected to be available by July 2008, are also not vulnerable to this issue." regarding CVE-2008-2641. Not sure if we can do anything about this until then.

Comment 3 Stefan Behte (RETIRED) 2008-11-04 23:08:35 UTC

*** Bug 245599 has been marked as a duplicate of this bug. ***

Comment 4 Stefan Behte (RETIRED) 2008-11-04 23:21:10 UTC

It seems I'm a bit blind this night, Bug 245599 was NOT the same advisory (which I misread), but I guess we'll be handling everything here now. Sorry for my bugspam. :/

CVE-2008-0883: fixed #212367
CVE-2008-2641: fixed #233383
CVE-2008-2549: this bug, does not seem to be fixed.

Other CVEs: New.

Can we get Adobe Reader 9 in the tree?

Comment 5 Timo Gurr (RETIRED) 2008-11-05 08:47:30 UTC

(In reply to comment #4)
> Can we get Adobe Reader 9 in the tree?

Well afaik it still has to be released for linux:
ftp://ftp.adobe.com/pub/adobe/reader/unix/

But I'll put 8.1.3 in the tree today, according to 
http://www.adobe.com/support/security/bulletins/apsb08-19.html
it fixes the remaining CVE-2008-{2549,2992,4812,4813,4817,4816,4814,4815}.

Comment 6 Timo Gurr (RETIRED) 2008-11-06 01:29:50 UTC

acroread-8.1.3 is in the tree now.

Comment 7 Christian Hoffmann (RETIRED) 2008-11-06 09:16:13 UTC

Thanks.

Arches, please test and mark stable
  =app-text/acroread-8.1.3

Target keywords: amd64 x86

Comment 8 Tobias Heinlein (RETIRED) 2008-11-06 16:03:32 UTC

amd64 stable

Comment 9 Markus Meier 2008-11-08 13:36:57 UTC

x86 stable, all arches done.

Comment 10 Stefan Behte (RETIRED) 2008-11-08 14:56:37 UTC

Ready for voting, if allowed, I vote yes.

Comment 11 Robert Buchholz (RETIRED) 2008-11-26 18:53:33 UTC

B2 does not need a vote, filing request.

Comment 12 Robert Buchholz (RETIRED) 2008-11-26 20:47:38 UTC

CVE-2008-4816 is windows-only

Comment 13 Robert Buchholz (RETIRED) 2009-01-13 12:19:27 UTC

GLSA 200901-09, thanks