Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 411499 (CVE-2012-0774) - <app-text/acroread-9.5.1 : Multiple vulnerabilities (CVE-2012-{0774,0775,0776,0777})
Summary: <app-text/acroread-9.5.1 : Multiple vulnerabilities (CVE-2012-{0774,0775,0776...
Status: RESOLVED FIXED
Alias: CVE-2012-0774
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://www.adobe.com/support/securit...
Whiteboard: B2 [glsa]
Keywords:
Depends on:
Blocks: CVE-2011-4370
  Show dependency tree
 
Reported: 2012-04-10 18:25 UTC by Agostino Sarubbo
Modified: 2012-06-22 11:04 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2012-04-10 18:25:24 UTC
From upstream advisory at $URL:


SUMMARY

Adobe released security updates for Adobe Reader X (10.1.2) and earlier versions for Windows and Macintosh, Adobe Reader 9.4.6 and earlier 9.x versions for Linux, and Adobe Acrobat X (10.1.2) and earlier versions for Windows and Macintosh. These updates address vulnerabilities in the software that could cause the application to crash and potentially allow an attacker to take control of the affected system.

Adobe recommends users of Adobe Reader X (10.1.2) and earlier versions for Windows and Macintosh update to Adobe Reader X (10.1.3). For users of Adobe Reader 9.5 and earlier versions for Windows and Macintosh, who cannot update to Adobe Reader X (10.1.3), Adobe has made available the update Adobe Reader 9.5.1. Adobe recommends users of Adobe Reader 9.4.6 and earlier versions for Linux update to Adobe Reader 9.5.1. Adobe recommends users of Adobe Acrobat X (10.1.2) for Windows and Macintosh update to Adobe Acrobat X (10.1.3). Adobe recommends users of Adobe Acrobat 9.5 and earlier versions for Windows and Macintosh update to Adobe Acrobat 9.5.1.
Comment 1 Agostino Sarubbo gentoo-dev 2012-04-10 18:28:56 UTC
@printing:

the advisory says 9.4.6 and earlier for linux but is 9.4.7 not affected or you will bump 9.5.1? can you check please?
Comment 2 Andreas K. Hüttel gentoo-dev 2012-04-10 18:42:51 UTC
(In reply to comment #1)
> @printing:
> 
> the advisory says 9.4.6 and earlier for linux but is 9.4.7 not affected or
> you will bump 9.5.1? can you check please?

It's pretty much unclear from the advisory. Anyway, I've bumped to 9.5.1, and recommend you test and stabilize. Seems to work fine here.
Comment 3 Agostino Sarubbo gentoo-dev 2012-04-10 18:54:40 UTC
Ok, in any cases 9.5.1 is unaffected and as upstream recommends I'd say to stabilize it.

@security: are you ok with this choise?
Comment 4 Tim Sammut (RETIRED) gentoo-dev 2012-04-10 18:56:26 UTC
Yeah...

Arches, please test and mark stable:
=app-text/acroread-9.5.1
Target keywords : "amd64 x86"
Comment 5 Andreas Schürch gentoo-dev 2012-04-11 05:37:40 UTC
x86 stable, thanks!
Comment 6 Maurizio Camisaschi (amd64 AT) 2012-04-11 12:06:39 UTC
amd64 ok
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2012-04-12 11:38:59 UTC
CVE-2012-0777 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0777):
  The JavaScript API in Adobe Reader and Acrobat 9.x before 9.5.1 and 10.x
  before 10.1.3 on Mac OS X and Linux allows attackers to execute arbitrary
  code or cause a denial of service (memory corruption) via unspecified
  vectors.

CVE-2012-0776 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0776):
  The installer in Adobe Reader 9.x before 9.5.1 and 10.x before 10.1.3 allows
  attackers to bypass intended access restrictions and execute arbitrary code
  via unspecified vectors.

CVE-2012-0775 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0775):
  The JavaScript implementation in Adobe Reader and Acrobat 9.x before 9.5.1
  and 10.x before 10.1.3 allows attackers to execute arbitrary code or cause a
  denial of service (memory corruption) via unspecified vectors.

CVE-2012-0774 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0774):
  Integer overflow in Adobe Reader and Acrobat 9.x before 9.5.1 and 10.x
  before 10.1.3 allows attackers to execute arbitrary code via a crafted
  TrueType font.
Comment 8 Agostino Sarubbo gentoo-dev 2012-04-13 09:09:41 UTC
amd64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2012-04-13 09:12:41 UTC
glsa request filed
Comment 10 Andreas K. Hüttel gentoo-dev 2012-04-14 01:04:24 UTC
Vulnerable version removed from the tree. Thanks everyone!
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2012-06-22 11:04:04 UTC
This issue was resolved and addressed in
 GLSA 201206-14 at http://security.gentoo.org/glsa/glsa-201206-14.xml
by GLSA coordinator Sean Amoss (ackle).