Bug 87445 - acroread-7.0: unallowed remote communication
Summary: acroread-7.0: unallowed remote communication
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All All
: High normal (vote)
Assignee: Printing Team
: 89782 (view as bug list)
Depends on:
Reported: 2005-03-31 10:58 UTC by Ruben Jenster
Modified: 2005-05-14 12:59 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---

acroread-7.0.ebuild (acroread-7.0.ebuild,2.69 KB, text/plain)
2005-03-31 10:59 UTC, Ruben Jenster

Description Ruben Jenster 2005-03-31 10:58:33 UTC
I just read an article at that acroread-7 
can develop a remote connection without your knowledge to spy on you. 
I recommend renaming the plugin folder, as mentioned in the article, to cut off this behaviour.  


Comment 1 Ruben Jenster 2005-03-31 10:59:48 UTC
Created attachment 54949 [details]

Updated ebuild that renames the plug_ins folder to plug_ins.disabled and
informs the user about the behaviour of acroread.
Comment 2 Carsten Lohrke (RETIRED) gentoo-dev 2005-03-31 11:31:16 UTC
I don't think this is critical. Whatever you do, please don't add a negating ("no*") use flag. We have enough of them and they all need to be changed.
Comment 3 Stefan Schweizer (RETIRED) gentoo-dev 2005-03-31 12:32:40 UTC
I don't consider this a security issue, as it is just the JavaScript in the document that does it, so it really depends on the document you are using.
For now you can just disable it in the preferences if you are concerned that documents you are using might "phone back", I think disabli.
However I would like to disable only the plugins causing it conditionally. Maybe we should utilize the javascript-use-flag?

I am not quite sure which plugin is causing it:

ECMAScript, Escript.api: "The Adobe EScript Plug-In allows PDF documents to take advantage of JavaScript. See the Acrobat JavaScript Object Specification (AcroJS.pdf) for more details. This document can be accessed through Adobe's web site."

Internet Access Plug-in, EFS.api: "This plug-ins provides Internet Access for Acrobat."


ruben: please use diff -u old.ebuild new.ebuild for attachments
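
Added example, not part of the bug thread or the attached ebuild: a sketch of the selective approach discussed in Comment 3, moving only named plug-ins from plug_ins into plug_ins.disabled instead of renaming the whole folder. The function names and the install root argument are assumptions, and which of Escript.api or EFS.api is responsible is left open in the thread.

```shell
#!/bin/sh
# Added example: selectively disable Acrobat Reader plug-ins by moving them
# out of plug_ins into a sibling plug_ins.disabled directory.
# The install root is an assumption and must be supplied by the caller.
# Usage (placeholder path): disable_plugins /path/to/reader Escript.api EFS.api

# disable_plugins ROOT NAME...
# Moves each NAME from ROOT/plug_ins to ROOT/plug_ins.disabled.
# Idempotent: a plug-in that is already disabled counts as success.
# Returns 0 if every named plug-in is disabled afterwards, 1 otherwise.
disable_plugins() {
    root=$1; shift
    src="$root/plug_ins"
    dst="$root/plug_ins.disabled"
    rc=0
    [ -d "$src" ] || { echo "no plug_ins directory under $root" >&2; return 1; }
    mkdir -p "$dst" || return 1
    for name in "$@"; do
        # Accept bare file names only, so nothing outside plug_ins is moved.
        case $name in
            */*|""|.|..) echo "refusing name: $name" >&2; rc=1; continue ;;
        esac
        if [ -e "$src/$name" ]; then
            mv -- "$src/$name" "$dst/$name" || rc=1
        elif [ -e "$dst/$name" ]; then
            :   # already disabled on an earlier run
        else
            echo "plug-in not found: $name" >&2
            rc=1
        fi
    done
    return $rc
}

# enabled_plugins ROOT
# Lists what is still present in ROOT/plug_ins, one name per line.
enabled_plugins() {
    ls -1 "$1/plug_ins" 2>/dev/null
}
```

Moving a file back from plug_ins.disabled to plug_ins reverses the change.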
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2005-04-01 03:46:55 UTC
This is a "feature", not a vulnerability. A warning would be nice, and maybe this should be disabled by default... but it's really the printing team choice.
Comment 5 Tavis Ormandy (RETIRED) gentoo-dev 2005-04-20 03:37:44 UTC
*** Bug 89782 has been marked as a duplicate of this bug. ***
Comment 6 Stefan Schweizer (RETIRED) gentoo-dev 2005-05-14 12:59:29 UTC
Anyone interested in "fixing" this, please provide a patch and reopen