Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 289016 - <app-text/acroread-9.2: Multiple vulnerabilities (APSB09-15) (CVE-2009-{2979,2980,2981,2982,2983,2985,2986,2988,2990,2991,2993,2994,2996,2997,2998,3431,3458,3459,3462})
Summary: <app-text/acroread-9.2: Multiple vulnerabilities (APSB09-15) (CVE-2009-{2979,...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL: http://www.adobe.com/support/security...
Whiteboard: B2 [glsa]
Keywords:
: 290230 (view as bug list)
Depends on:
Blocks:
 
Reported: 2009-10-14 08:19 UTC by Martin von Gagern
Modified: 2009-10-25 18:57 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Martin von Gagern 2009-10-14 08:19:07 UTC
According to http://www.adobe.com/support/security/bulletins/apsb09-15.html there are multiple vulnerabilities in acroread, and there are updates to address them:
9.1.3 -> 9.2
8.1.6 -> 8.1.7
7.1.3 -> 7.1.4

Therefore Gentoo should have ebuilds for acroread-9.2 and acroread-8.1.7 in tree, to allow for updates to those ebuilds already in tree right now.

Simply renaming the 9.1.3 ebuild to 9.2 should do the trick for 9.x versions. At least it did emerge for me, and can be executed successfully. Some security warnings from rpath_security_checks remain, but that's bug #283095.
Comment 1 Tobias Heinlein (RETIRED) gentoo-dev 2009-10-14 13:05:17 UTC
Maintainers, please bump.
Comment 2 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-10-16 20:42:24 UTC
CVE-2009-3459 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3459):
  Unspecified vulnerability in Adobe Reader and Acrobat 9.1.3 and
  earlier, and possibly 7.1.3 and 8.1.6, allows remote attackers to
  execute arbitrary code via a crafted PDF file that triggers memory
  corruption, as exploited in the wild in October 2009.  NOTE: some of
  these details are obtained from third party information.

Comment 3 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-10-20 22:04:07 UTC
CVE-2009-2979 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2979):
  Adobe Reader and Acrobat 9.x before 9.2, 8.x before 8.1.7, and
  possibly 7.x through 7.1.4 do not properly perform XMP-XML entity
  expansion, which allows remote attackers to cause a denial of service
  via a crafted document.

CVE-2009-2980 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2980):
  Integer overflow in Adobe Reader and Acrobat 7.x before 7.1.4, 8.x
  before 8.1.7, and 9.x before 9.2 allows attackers to cause a denial
  of service or possibly execute arbitrary code via unspecified vectors.

CVE-2009-2981 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2981):
  Adobe Reader and Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x
  before 9.2 do not properly validate input, which might allow
  attackers to bypass intended Trust Manager restrictions via
  unspecified vectors.

CVE-2009-2982 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2982):
  An unspecified certificate in Adobe Reader and Acrobat 9.x before
  9.2, 8.x before 8.1.7, and possibly 7.x through 7.1.4 might allow
  remote attackers to conduct a "social engineering attack" via unknown
  vectors.

CVE-2009-2983 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2983):
  Adobe Reader and Acrobat 9.x before 9.2, 8.x before 8.1.7, and
  possibly 7.x through 7.1.4 allow attackers to cause a denial of
  service (memory corruption) or possibly execute arbitrary code via
  unspecified vectors.

CVE-2009-2984 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2984):
  Unspecified vulnerability in the image decoder in Adobe Acrobat 9.x
  before 9.2, and possibly 7.x through 7.1.4 and 8.x through 8.1.7,
  allows attackers to cause a denial of service or possibly execute
  arbitrary code via unknown vectors.

CVE-2009-2985 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2985):
  Adobe Reader and Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x
  before 9.2 allow attackers to cause a denial of service (memory
  corruption) or possibly execute arbitrary code via unspecified
  vectors, a different vulnerability than CVE-2009-2996.

CVE-2009-2986 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2986):
  Multiple heap-based buffer overflows in Adobe Reader and Acrobat 7.x
  before 7.1.4, 8.x before 8.1.7, and 9.x before 9.2 might allow
  attackers to execute arbitrary code via unspecified vectors.

CVE-2009-2988 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2988):
  Adobe Reader and Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x
  before 9.2 do not properly validate input, which allows attackers to
  cause a denial of service via unspecified vectors.

CVE-2009-2989 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2989):
  Integer overflow in Adobe Acrobat 9.x before 9.2, 8.x before 8.1.7,
  and possibly 7.x through 7.1.4 might allow attackers to execute
  arbitrary code via unspecified vectors.

CVE-2009-2990 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2990):
  Array index error in Adobe Reader and Acrobat 9.x before 9.2, 8.x
  before 8.1.7, and possibly 7.x through 7.1.4 might allow attackers to
  execute arbitrary code via unspecified vectors.

CVE-2009-2991 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2991):
  Unspecified vulnerability in the Mozilla plug-in in Adobe Reader and
  Acrobat 8.x before 8.1.7, and possibly 7.x before 7.1.4 and 9.x
  before 9.2, might allow remote attackers to execute arbitrary code
  via unknown vectors.

CVE-2009-2992 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2992):
  An unspecified ActiveX control in Adobe Reader and Acrobat 9.x before
  9.2, 8.x before 8.1.7, and possibly 7.x through 7.1.4 does not
  properly validate input, which allows attackers to cause a denial of
  service via unknown vectors.

CVE-2009-2993 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2993):
  The JavaScript for Acrobat API in Adobe Reader and Acrobat 7.x before
  7.1.4, 8.x before 8.1.7, and 9.x before 9.2 does not properly
  implement the (1) Privileged Context and (2) Safe Path restrictions
  for unspecified JavaScript methods, which allows remote attackers to
  create arbitrary files, and possibly execute arbitrary code, via the
  cPath parameter in a crafted PDF file.  NOTE: some of these details
  are obtained from third party information.

CVE-2009-2994 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2994):
  Buffer overflow in Adobe Reader and Acrobat 7.x before 7.1.4, 8.x
  before 8.1.7, and 9.x before 9.2 might allow attackers to execute
  arbitrary code via unspecified vectors.

CVE-2009-2995 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2995):
  Integer overflow in Adobe Acrobat 7.x before 7.1.4, 8.x before 8.1.7,
  and 9.x before 9.2 allows attackers to cause a denial of service via
  unspecified vectors.

CVE-2009-2996 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2996):
  Adobe Reader and Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x
  before 9.2 allow attackers to cause a denial of service (memory
  corruption) or possibly execute arbitrary code via unspecified
  vectors, a different vulnerability than CVE-2009-2985.

CVE-2009-2997 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2997):
  Heap-based buffer overflow in Adobe Reader and Acrobat 7.x before
  7.1.4, 8.x before 8.1.7, and 9.x before 9.2 might allow attackers to
  execute arbitrary code via unspecified vectors.

CVE-2009-2998 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2998):
  Adobe Reader and Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x
  before 9.2 do not properly validate input, which might allow
  attackers to execute arbitrary code via unspecified vectors, a
  different vulnerability than CVE-2009-3458.

CVE-2009-3431 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3431):
  Stack consumption vulnerability in Adobe Reader and Acrobat 9.1.3,
  9.1.2, 9.1.1, and earlier 9.x versions; 8.1.6 and earlier 8.x
  versions; and possibly 7.1.4 and earlier 7.x versions allows remote
  attackers to cause a denial of service (application crash) via a PDF
  file with a large number of [ (open square bracket) characters in the
  argument to the alert method. NOTE: some of these details are
  obtained from third party information.

CVE-2009-3458 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3458):
  Adobe Reader and Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x
  before 9.2 do not properly validate input, which might allow
  attackers to execute arbitrary code via unspecified vectors, a
  different vulnerability than CVE-2009-2998.

CVE-2009-3460 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3460):
  Adobe Acrobat 9.x before 9.2, 8.x before 8.1.7, and possibly 7.x
  through 7.1.4 allows attackers to cause a denial of service (memory
  corruption) or possibly execute arbitrary code via unspecified
  vectors.

CVE-2009-3461 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3461):
  Unspecified vulnerability in Adobe Acrobat 9.x before 9.2 allows
  attackers to bypass intended file-extension restrictions via unknown
  vectors.

CVE-2009-3462 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3462):
  Adobe Reader and Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x
  before 9.2 on Unix, when Debug mode is enabled, allow attackers to
  execute arbitrary code via unspecified vectors, related to a "format
  bug."

Comment 4 Timo Gurr (RETIRED) gentoo-dev 2009-10-21 22:40:27 UTC
I've committed Adobe Reader 9.2 to CVS.
Comment 5 Greg Hasseler 2009-10-23 11:04:22 UTC
*** Bug 290230 has been marked as a duplicate of this bug. ***
Comment 6 Tobias Heinlein (RETIRED) gentoo-dev 2009-10-23 16:52:28 UTC
Thanks.

Arches, please test and mark stable:
=app-text/acroread-9.2
Target keywords : "amd64 x86"
Comment 7 Romain Perier (RETIRED) gentoo-dev 2009-10-24 10:16:24 UTC
amd64 done
Comment 8 Christian Faulhammer (RETIRED) gentoo-dev 2009-10-24 15:23:56 UTC
x86 stable, last arch.  Vote for GLSA, please.
Comment 9 Tobias Heinlein (RETIRED) gentoo-dev 2009-10-24 18:48:49 UTC
B2 doesn't require a vote, request filed.
Comment 10 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-10-24 22:46:40 UTC
The following CVEs referenced in the upstream advisory do /not/ affect us:

Acrobat only:
CVE-2009-2984, CVE-2009-2989, CVE-2009-2995, CVE-2009-3460, CVE-2009-3461

Windows only:
CVE-2009-2564, CVE-2009-2987, CVE-2009-2992
Comment 11 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-10-25 18:57:25 UTC
GLSA 200910-03