Gentoo Archives: gentoo-announce

From: Seemant Kulleen <seemant@g.o>
To: gentoo-announce@g.o, gentoo-users@g.o, gentoo-dev@g.o, gentoo-core@g.o, lwn@×××.net, gentoo-newbies@g.o, gentoo-security@g.o, gentoo-desktop@g.o, gentoo-user-es@g.o
Subject: [gentoo-announce] GLSA: acroread
Date: Sun, 07 Jul 2002 18:02:29
Message-Id: 20020707160218.6ebe5851.seemant@gentoo.org
- -----------------------------------------------------------------------
GLSA: GENTOO LINUX SECURITY ANNOUNCEMENT
- -----------------------------------------------------------------------
PACKAGE         : acroread  -- Adobe Acrobat Reader
SUMMARY         : security vulnerability in acroread
DATE            : Sun Jul  7 23:02:04 UTC 2002
- -----------------------------------------------------------------------

OVERVIEW

There is a temp file vulnerability that can be used to access user
accounts, and possibly gain system priveleges.

DETAIL


Acroread creates or overwrites the file /tmp/AdobeFnt06.lst.UID, and
changes its permissions to wide open (mode 666); it also follows
symlinks.

http://bugs.gentoo.org/show_bug.cgi?id=4657
http://online.securityfocus.com/archive/1/278984

SOLUTION

It is recommended that all Gentoo Linux users who are running acroread
update their systems as follows.

emerge --clean rsync
emerge unmerge acroread
emerge xpdf

For now, the acroread ebuild will issue a warning to users to unmerge the
package, and will proceed to emerge xpdf, for use as a pdf document
viewer.

- ------------------------------------------------------------------------
jago@×××××××××××.com
seemant@g.o
drobbins@g.o
- ------------------------------------------------------------------------

-- 
Seemant Kulleen
Developer and Project Co-ordinator,
Gentoo Linux					http://www.gentoo.org/~seemant