Critical vulnerabilities have been identified in Adobe Reader 9.4.1 and earlier versions for Windows, Macintosh and UNIX. These vulnerabilities could cause the application to crash and potentially allow an attacker to take control of the affected system.
Adobe recommends users of Adobe Reader 9.4.1 for UNIX update to Adobe Reader 9.4.2, expected to be available by the week of February 28, 2011.
Upstream release is available. Mainatiners, please bump acroread: ftp://ftp.adobe.com/pub/adobe/reader/unix/9.x/9.4.2/enu/
Thanks, in CVS.
(In reply to comment #3) > Thanks, in CVS. > Great, thank you. Arches, please test and mark stable: =app-text/acroread-9.4.2 Target keywords : "amd64 x86"
amd64 done
x86 stable, last arch done
Thanks, folks. GLSA request filed.
9.4.1 as last vulnerable version removed from the tree
CVE-2011-0606 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0606): Stack-based buffer overflow in rt3d.dll in Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6 on Windows and Mac OS X allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors related to a crafted length value, a different vulnerability than CVE-2011-0563 and CVE-2011-0589. CVE-2011-0605 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0605): Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6 on Mac OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors. CVE-2011-0604 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0604): Cross-site scripting (XSS) vulnerability in Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6 on Windows and Mac OS X allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2011-0587. CVE-2011-0603 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0603): Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6 on Windows and Mac OS X allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted image, a different vulnerability than CVE-2011-0566 and CVE-2011-0567. CVE-2011-0602 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0602): Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6 on Windows and Mac OS X allow remote attackers to execute arbitrary code via crafted JP2K record types in a JPEG2000 image in a PDF file, which causes heap corruption, a different vulnerability than CVE-2011-0596, CVE-2011-0598, and CVE-2011-0599. CVE-2011-0600 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0600): The U3D component in Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6 on Windows and Mac OS X allow remote attackers to execute arbitrary code via a 3D file with an invalid Parent Node count that triggers an incorrect size calculation and memory corruption, a different vulnerability than CVE-2011-0590, CVE-2011-0591, CVE-2011-0592, CVE-2011-0593, and CVE-2011-0595. CVE-2011-0599 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0599): The Bitmap parsing component in rt3d.dll in Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6 on Windows and Mac OS X allow remote attackers to execute arbitrary code via a crafted image that causes an invalid pointer calculation related to 4/8-bit RLE compression, a different vulnerability than CVE-2011-0596, CVE-2011-0598, and CVE-2011-0602. CVE-2011-0598 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0598): Integer overflow in ACE.dll in Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6 on Windows and Mac OS X allows remote attackers to execute arbitrary code via crafted ICC data, a different vulnerability than CVE-2011-0596, CVE-2011-0599, and CVE-2011-0602. CVE-2011-0596 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0596): The Bitmap parsing component in 2d.dll in Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6 on Windows and Mac OS X allow remote attackers to execute arbitrary code via an image with crafted (1) height and (2) width values for an RLE_8 compressed bitmap, which triggers a heap-based buffer overflow, a different vulnerability than CVE-2011-0598, CVE-2011-0599, and CVE-2011-0602. CVE-2011-0595 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0595): Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6 on Windows and Mac OS X allow remote attackers to execute arbitrary code via a crafted Universal 3D (U3D) file that triggers a buffer overflow during decompression, a different vulnerability than CVE-2011-0590, CVE-2011-0591, CVE-2011-0592, CVE-2011-0593, and CVE-2011-0600. CVE-2011-0594 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0594): Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6 on Windows and Mac OS X allow remote attackers to execute arbitrary code via a font. CVE-2011-0593 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0593): Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6 on Windows and Mac OS X allow remote attackers to execute arbitrary code via a crafted Universal 3D (U3D) file that triggers a buffer overflow during decompression, a different vulnerability than CVE-2011-0590, CVE-2011-0591, CVE-2011-0592, CVE-2011-0595, and CVE-2011-0600. CVE-2011-0592 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0592): Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6 on Windows and Mac OS X allow remote attackers to execute arbitrary code via a crafted Universal 3D (U3D) file that triggers a buffer overflow during decompression, related to "Texture bmp," a different vulnerability than CVE-2011-0590, CVE-2011-0591, CVE-2011-0593, CVE-2011-0595, and CVE-2011-0600. CVE-2011-0591 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0591): Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6 on Windows and Mac OS X allow remote attackers to execute arbitrary code via a crafted Universal 3D (U3D) file that triggers a buffer overflow during decompression, related to Texture and rgba, a different vulnerability than CVE-2011-0590, CVE-2011-0592, CVE-2011-0593, CVE-2011-0595, and CVE-2011-0600. CVE-2011-0590 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0590): Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6 on Windows and Mac OS X allow remote attackers to execute arbitrary code via a 3D file, a different vulnerability than CVE-2011-0591, CVE-2011-0592, CVE-2011-0593, CVE-2011-0595, and CVE-2011-0600. CVE-2011-0589 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0589): Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6 on Windows and Mac OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2011-0563 and CVE-2011-0606. CVE-2011-0588 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0588): Untrusted search path vulnerability in Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6 on Windows allows local users to gain privileges via a Trojan horse DLL in the current working directory, a different vulnerability than CVE-2011-0562 and CVE-2011-0570. CVE-2011-0587 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0587): Cross-site scripting (XSS) vulnerability in Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6 on Windows and Mac OS X allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2011-0604. CVE-2011-0586 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0586): Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6 on Windows and Mac OS X do not properly validate unspecified input data, which allows attackers to execute arbitrary code via unknown vectors. CVE-2011-0585 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0585): Unspecified vulnerability in Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6 on Windows and Mac OS X allows attackers to cause a denial of service or possibly execute arbitrary code via unknown vectors, a different vulnerability than CVE-2011-0565. CVE-2011-0570 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0570): Untrusted search path vulnerability in Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6 on Windows allows local users to gain privileges via a Trojan horse DLL in the current working directory, a different vulnerability than CVE-2011-0562 and CVE-2011-0588. CVE-2011-0567 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0567): AcroRd32.dll in Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6 on Windows and Mac OS X allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted image that triggers an incorrect pointer calculation, leading to heap memory corruption, a different vulnerability than CVE-2011-0566 and CVE-2011-0603. CVE-2011-0566 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0566): Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6 on Windows and Mac OS X allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted image, a different vulnerability than CVE-2011-0567 and CVE-2011-0603. CVE-2011-0565 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0565): Unspecified vulnerability in Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6 on Windows and Mac OS X allows attackers to cause a denial of service or possibly execute arbitrary code via unknown vectors, a different vulnerability than CVE-2011-0585. CVE-2011-0563 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0563): Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6 on Windows and Mac OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2011-0589 and CVE-2011-0606. CVE-2011-0562 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0562): Untrusted search path vulnerability in Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6 on Windows allows local users to gain privileges via a Trojan horse DLL in the current working directory, a different vulnerability than CVE-2011-0570 and CVE-2011-0588.
CVE-2010-4091 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4091): The EScript.api plugin in Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.1, and 8.x before 8.2.6 on Windows and Mac OS X allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted PDF document that triggers memory corruption, involving the printSeps function. NOTE: some of these details are obtained from third party information.
Nothing to do for printing anymore.
This issue was resolved and addressed in GLSA 201201-19 at http://security.gentoo.org/glsa/glsa-201201-19.xml by GLSA coordinator Alex Legler (a3li).