Bug 273908 (CVE-2009-0198) - <app-text/acroread-8.1.6 Heap-based buffer overflow in JBIG2 filter (CVE-2009-{0198,0509,0510,0511,0512,0888,0889,1855,1856,1857,1858,1859,1861,2028})
Status: RESOLVED FIXED
Alias: CVE-2009-0198
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://www.adobe.com/support/security...
Whiteboard: B2 [glsa]
Keywords:
Depends on:
Blocks: CVE-2009-1492
Reported: 2009-06-12 19:55 UTC by Stefan Behte (RETIRED)
Modified: 2009-07-12 17:49 UTC (History)

See Also:
Package list:
Runtime testing required: ---
Description Stefan Behte (RETIRED) gentoo-dev Security 2009-06-12 19:55:28 UTC
CVE-2009-0198 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0198):
  Heap-based buffer overflow in the JBIG2 filter in Adobe Reader 7 and
  Acrobat 7 before 7.1.3, Adobe Reader 8 and Acrobat 8 before 8.1.6,
  and Adobe Reader 9 and Acrobat 9 before 9.1.2 allows remote attackers
  to cause a denial of service (memory corruption) or possibly execute
  arbitrary code via a crafted PDF file that contains JBIG2 text region
  segments with Huffman encoding.
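An added example, not part of the bug report and not a Gentoo tool: a POSIX sh check that classifies an installed acroread version against the affected ranges quoted in the CVE text (7.x before 7.1.3, 8.x before 8.1.6, 9.x before 9.1.2). Gentoo revision (`-r1`) and `_` suffixes are stripped before the numeric comparison; the sample input lines are constructed and only assume the `category/pkg-version` form that `qlist -Iv` prints, they are not output captured from any system.

```sh
#!/bin/sh
# Added example, not from the bug or from Gentoo's tooling.
# Classifies an acroread version against the affected ranges in the CVE text:
# 7.x before 7.1.3, 8.x before 8.1.6, 9.x before 9.1.2.

# ver_lt A B: exit 0 if dotted version A is numerically lower than B,
# 1 otherwise. Missing trailing components count as 0 (9.1 equals 9.1.0).
ver_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        [ -n "$ai" ] || ai=0
        [ -n "$bi" ] || bi=0
        if [ "$ai" -lt "$bi" ]; then return 0; fi
        if [ "$ai" -gt "$bi" ]; then return 1; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1
}

# acroread_affected VERSION: exit 0 if VERSION is in an affected range,
# 1 if it is at or above the fixed release of its branch, 2 if the branch
# is not covered by this advisory. Sets FIXED to the branch's fixed release.
acroread_affected() {
    v=${1%%-r*}      # drop a Gentoo revision suffix such as 8.1.6-r1
    v=${v%%_*}       # drop _p/_rc style suffixes; only numeric parts compared
    case $v in
        7|7.*) FIXED=7.1.3 ;;
        8|8.*) FIXED=8.1.6 ;;
        9|9.*) FIXED=9.1.2 ;;
        *)     FIXED=; return 2 ;;
    esac
    ver_lt "$v" "$FIXED"
}

# acroread_status LINE: LINE is one installed-package entry of the form
# category/pkg-version (assumed to match what `qlist -Iv` prints). Prints a
# one-line verdict and always returns 0, so it is safe under set -e.
acroread_status() {
    line=$1
    v=${line##*acroread-}
    rc=0
    acroread_affected "$v" || rc=$?
    case $rc in
        0) echo "$line: AFFECTED, update to >=app-text/acroread-$FIXED" ;;
        1) echo "$line: fixed" ;;
        *) echo "$line: not covered by this advisory" ;;
    esac
    return 0
}

# Constructed sample input standing in for `qlist -Iv app-text/acroread`
# on three hypothetical systems (not real output from this bug).
SAMPLE="app-text/acroread-8.1.5
app-text/acroread-8.1.6-r1
app-text/acroread-9.1.2"

main() {
    printf '%s\n' "$SAMPLE" | while IFS= read -r line; do
        acroread_status "$line"
    done
}

main
```

On a real system replace `SAMPLE` with the output of `qlist -Iv app-text/acroread` (or `equery list app-text/acroread`); a version outside the 7/8/9 branches is reported as not covered rather than silently marked fixed.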
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2009-06-12 21:15:26 UTC
CVE-2009-1855 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1855):
  Stack-based buffer overflow in Adobe Reader 7 and Acrobat 7 before
  7.1.3, Adobe Reader 8 and Acrobat 8 before 8.1.6, and Adobe Reader 9
  and Acrobat 9 before 9.1.2 might allow attackers to execute arbitrary
  code via unspecified vectors.

CVE-2009-1856 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1856):
  Integer overflow in Adobe Reader 7 and Acrobat 7 before 7.1.3, Adobe
  Reader 8 and Acrobat 8 before 8.1.6, and Adobe Reader 9 and Acrobat 9
  before 9.1.2 allows attackers to cause a denial of service or
  possibly execute arbitrary code via unspecified vectors.

CVE-2009-1857 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1857):
  Adobe Reader 7 and Acrobat 7 before 7.1.3, Adobe Reader 8 and Acrobat
  8 before 8.1.6, and Adobe Reader 9 and Acrobat 9 before 9.1.2 allow
  attackers to cause a denial of service (memory corruption) or
  possibly execute arbitrary code via unspecified vectors.

CVE-2009-1858 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1858):
  The JBIG2 filter in Adobe Reader 7 and Acrobat 7 before 7.1.3, Adobe
  Reader 8 and Acrobat 8 before 8.1.6, and Adobe Reader 9 and Acrobat 9
  before 9.1.2 might allow remote attackers to execute arbitrary code
  via unspecified vectors that trigger memory corruption.

CVE-2009-1859 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1859):
  Adobe Reader 7 and Acrobat 7 before 7.1.3, Adobe Reader 8 and Acrobat
  8 before 8.1.6, and Adobe Reader 9 and Acrobat 9 before 9.1.2 might
  allow attackers to execute arbitrary code via unspecified vectors
  that trigger memory corruption.

CVE-2009-1861 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1861):
  Multiple heap-based buffer overflows in Adobe Reader 7 and Acrobat 7
  before 7.1.3, Adobe Reader 8 and Acrobat 8 before 8.1.6, and Adobe
  Reader 9 and Acrobat 9 before 9.1.2 might allow remote attackers to
  execute arbitrary code or cause a denial of service (application
  crash) via a crafted PDF file with a JPX (aka JPEG2000) stream that
  triggers heap memory corruption.

CVE-2009-2028 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2028):
  Multiple unspecified vulnerabilities in Adobe Reader 7 and Acrobat 7
  before 7.1.3, Adobe Reader 8 and Acrobat 8 before 8.1.6, and Adobe
  Reader 9 and Acrobat 9 before 9.1.2 have unknown impact and attack
  vectors, related to "Adobe internally discovered issues."

Comment 2 Timo Gurr (RETIRED) gentoo-dev 2009-06-17 23:45:24 UTC
Tarballs are available on the Adobe mirrors now, I've committed updated ebuilds (8.1.6/9.1.2).
Comment 3 Stefan Behte (RETIRED) gentoo-dev Security 2009-06-18 10:50:23 UTC
Arches, please test and mark stable:
=app-text/acroread-9.1.2
=app-text/acroread-8.1.6
Target keywords : "amd64 x86"
Comment 4 Christian Faulhammer (RETIRED) gentoo-dev 2009-06-18 11:22:53 UTC
(In reply to comment #3)
> Arches, please test and mark stable:
> =app-text/acroread-9.1.2
> =app-text/acroread-8.1.6
> Target keywords : "amd64 x86"

 Are you sure we should go for the 9 series of Acroread?
Comment 5 Stefan Behte (RETIRED) gentoo-dev Security 2009-06-18 14:23:00 UTC
Oh no, 9.1.x wasn't stable yet, so I should've asked printing@g.o., of course. Printing, is it ok to go stable with 9.1.2?

So please only stabilize yet:
=app-text/acroread-8.1.6

Comment 6 Christian Faulhammer (RETIRED) gentoo-dev 2009-06-18 14:54:09 UTC
(In reply to comment #5)
> Oh no, 9.1.x wasn't stable yet, so I should've asked printing@g.o., of course.
> Printing, is it ok to go stable with 9.1.2?
> 
> So please only stabilize yet:
> =app-text/acroread-8.1.6

 Done on x86.

Comment 7 Timo Gurr (RETIRED) gentoo-dev 2009-06-18 15:03:13 UTC
(In reply to comment #5)
> Oh no, 9.1.x wasn't stable yet, so I should've asked printing@g.o., of course.
> Printing, is it ok to go stable with 9.1.2?

I'm still a bit unsure about this, but on the other hand, we can't stay forever
with Adobe Reader 8.x. The "problem" is Adobe still fails to provide more
localized versions of 9.x besides english, german, french and japanese. But
then again we can't do anything about it so I'd say let's stabilize 9.1.2 too,
but keep 8.x in tree and tell users to either complain upstream and/or
downgrade to 8.x if they're missing a localized version for their language and
can't live with the english one.
Comment 8 Christian Faulhammer (RETIRED) gentoo-dev 2009-06-18 17:36:47 UTC
x86 stable
Comment 9 Tobias Heinlein (RETIRED) gentoo-dev 2009-06-21 19:10:30 UTC
amd64 stable
Comment 10 Tobias Heinlein (RETIRED) gentoo-dev 2009-06-21 19:11:10 UTC
GLSA request filed.
Comment 11 Robert Buchholz (RETIRED) gentoo-dev 2009-07-09 17:34:41 UTC
CVE-2009-0509 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0509):
  Heap-based buffer overflow in the JBIG2 filter in Adobe Reader 7 and
  Acrobat 7 before 7.1.3, Adobe Reader 8 and Acrobat 8 before 8.1.6,
  and Adobe Reader 9 and Acrobat 9 before 9.1.2 allows remote attackers
  to execute arbitrary code via a crafted file that triggers memory
  corruption.

CVE-2009-0510 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0510):
  Heap-based buffer overflow in the JBIG2 filter in Adobe Reader 7 and
  Acrobat 7 before 7.1.3, Adobe Reader 8 and Acrobat 8 before 8.1.6,
  and Adobe Reader 9 and Acrobat 9 before 9.1.2 might allow remote
  attackers to execute arbitrary code via unspecified vectors, a
  different vulnerability than CVE-2009-0511, CVE-2009-0512,
  CVE-2009-0888, and CVE-2009-0889.

CVE-2009-0511 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0511):
  Heap-based buffer overflow in the JBIG2 filter in Adobe Reader 7 and
  Acrobat 7 before 7.1.3, Adobe Reader 8 and Acrobat 8 before 8.1.6,
  and Adobe Reader 9 and Acrobat 9 before 9.1.2 might allow remote
  attackers to execute arbitrary code via unspecified vectors, a
  different vulnerability than CVE-2009-0510, CVE-2009-0512,
  CVE-2009-0888, and CVE-2009-0889.

CVE-2009-0512 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0512):
  Heap-based buffer overflow in the JBIG2 filter in Adobe Reader 7 and
  Acrobat 7 before 7.1.3, Adobe Reader 8 and Acrobat 8 before 8.1.6,
  and Adobe Reader 9 and Acrobat 9 before 9.1.2 might allow remote
  attackers to execute arbitrary code via unspecified vectors, a
  different vulnerability than CVE-2009-0510, CVE-2009-0511,
  CVE-2009-0888, and CVE-2009-0889.

CVE-2009-0888 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0888):
  Heap-based buffer overflow in the JBIG2 filter in Adobe Reader 7 and
  Acrobat 7 before 7.1.3, Adobe Reader 8 and Acrobat 8 before 8.1.6,
  and Adobe Reader 9 and Acrobat 9 before 9.1.2 might allow remote
  attackers to execute arbitrary code via unspecified vectors, a
  different vulnerability than CVE-2009-0510, CVE-2009-0511,
  CVE-2009-0512, and CVE-2009-0889.

CVE-2009-0889 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0889):
  Heap-based buffer overflow in the JBIG2 filter in Adobe Reader 7 and
  Acrobat 7 before 7.1.3, Adobe Reader 8 and Acrobat 8 before 8.1.6,
  and Adobe Reader 9 and Acrobat 9 before 9.1.2 might allow remote
  attackers to execute arbitrary code via unspecified vectors, a
  different vulnerability than CVE-2009-0510, CVE-2009-0511,
  CVE-2009-0512, and CVE-2009-0888.
Comment 12 Robert Buchholz (RETIRED) gentoo-dev 2009-07-12 17:49:04 UTC
GLSA 200907-06