Gentoo Archives: gentoo-announce

From: Seemant Kulleen <seemant@g.o>
To: gentoo-announce@g.o, gentoo-users@g.o, gentoo-dev@g.o, gentoo-core@g.o, lwn@×××.net, gentoo-newbies@g.o, gentoo-security@g.o, gentoo-desktop@g.o, gentoo-user-es@g.o
Subject: [gentoo-announce] GLSA: acroread
Date: Sun, 07 Jul 2002 18:02:29
Message-Id: 20020707160218.6ebe5851.seemant@gentoo.org
-----------------------------------------------------------------------
GLSA: GENTOO LINUX SECURITY ANNOUNCEMENT
-----------------------------------------------------------------------
PACKAGE : acroread -- Adobe Acrobat Reader
SUMMARY : security vulnerability in acroread
DATE    : Sun Jul 7 23:02:04 UTC 2002
-----------------------------------------------------------------------

OVERVIEW

There is a temp file vulnerability that can be used to access user
accounts, and possibly gain system privileges.

DETAIL

Acroread creates or overwrites the file /tmp/AdobeFnt06.lst.UID, and
changes its permissions to wide open (mode 666); it also follows
symlinks.

http://bugs.gentoo.org/show_bug.cgi?id=4657
http://online.securityfocus.com/archive/1/278984

SOLUTION

It is recommended that all Gentoo Linux users who are running acroread
update their systems as follows.

    emerge --clean rsync
    emerge unmerge acroread
    emerge xpdf

For now, the acroread ebuild will issue a warning to users to unmerge the
package, and will proceed to emerge xpdf, for use as a pdf document
viewer.

------------------------------------------------------------------------
jago@×××××××××××.com
seemant@g.o
drobbins@g.o
------------------------------------------------------------------------

--
Seemant Kulleen
Developer and Project Co-ordinator,
Gentoo Linux http://www.gentoo.org/~seemant
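
The DETAIL section describes a file at a fixed name in /tmp that is opened through symlinks and then set to mode 666. As an added example (not part of the advisory, and not Adobe's or Gentoo's code), the C below shows a hardened way to open such a per-user cache file, plus a constructed check that a symlink at the cache path is refused; the function names and demo file names are hypothetical.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern the advisory describes, for contrast: fixed name in /tmp, symlinks
 * followed, then chmod(path, 0666). Hardened form below (hypothetical names):
 * refuse a symlink at the final component, accept only a regular file we own
 * with one link, and set mode 0600 through the descriptor, not the path. */
int open_cache_file(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0)
        return -1;                    /* errno is ELOOP for a symlink */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != geteuid() ||
        st.st_nlink != 1 || fchmod(fd, 0600) != 0 || ftruncate(fd, 0) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed check: a symlink planted at the cache path must be refused and
 * the file it points to left unmodified. Returns 1 when both hold. */
int symlink_is_refused(void)
{
    char dir[] = "/tmp/glsa-demo-XXXXXX", target[64], cache[64];
    struct stat st;
    if (!mkdtemp(dir)) return 0;      /* private 0700 scratch directory */
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(cache, sizeof cache, "%s/AdobeFnt.lst", dir);
    int t = open(target, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (t < 0 || write(t, "keep", 4) != 4 || close(t) != 0) return 0;
    if (symlink(target, cache) != 0) return 0;
    int fd = open_cache_file(cache);
    int refused = (fd < 0 && errno == ELOOP);
    if (fd >= 0) close(fd);
    int intact = stat(target, &st) == 0 && st.st_size == 4 &&
                 (st.st_mode & 0022) == 0;   /* not truncated, not made writable */
    unlink(cache); unlink(target); rmdir(dir);
    return refused && intact;
}

int main(void) { printf("symlink refused: %d\n", symlink_is_refused()); return 0; }
```

The ownership and link-count checks run on the open descriptor, so the file cannot be swapped between the check and the permission change. A private directory under the user's home avoids the shared-directory problem altogether.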