Gentoo Archives: gentoo-announce

From: Daniel Ahlberg <aliz@g.o>
To: gentoo-announce@g.o
Subject: GLSA: acroread (200306-12)
Date: Wed, 25 Jun 2003 22:09:48
Message-Id: 20030625215433.B77413375F@mail1.tamperd.net
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - ---------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200306-12
- - - ---------------------------------------------------------------------

          PACKAGE : acroread
          SUMMARY : arbitrary code execution
             DATE : 2003-06-25 21:54 UTC
          EXPLOIT : remote
VERSIONS AFFECTED : <acroread-5.07
    FIXED VERSION : >=acroread-5.07
              CVE : CAN-2003-0434

- - - ---------------------------------------------------------------------

from advisory:
"Valid PDF files can contain malicious external-type hyperlinks that can
execute arbitrary shell commands underneath Unix with various PDF
viewers/readers.

The hyperlinks must be activated or followed for the malicious script
to run. The obvious case is for a user to click on one. "

Read the full advisory at
http://marc.theaimsgroup.com/?l=full-disclosure&m=105555332025253&w=2

SOLUTION

It is recommended that all Gentoo Linux users who are running
app-text/acroread upgrade to acroread-5.07 as follows

emerge sync
emerge acroread
emerge clean

- - - ---------------------------------------------------------------------
aliz@g.o - GnuPG key is available at http://cvs.gentoo.org/~aliz
- - - ---------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE++hoZfT7nyhUpoZMRAmcMAJ9Tc4AtufMn0c9qxgu0HAK2gC1+GACfYetQ
cyhhhtoepcFopVJndMoyd8E=
=fYT9
-----END PGP SIGNATURE-----
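
A triage aid for the hyperlink issue quoted above, added here as an example and not part of the Gentoo announcement or the original advisory: it lists the targets of URI link actions in a PDF and flags those containing shell-significant bytes, so a file can be inspected before it is opened in an unpatched viewer. The name `scan_pdf`, the byte set in `SHELL_META` and the sample data are assumptions made for this example; the advisory text on this page does not say which characters are involved.

```python
import re

# Assumption (not from the advisory): bytes treated as shell-significant when
# triaging a link target. '&' is left out because it is common in query strings.
SHELL_META = frozenset(b"`$;|<>'\"\\\n")

# A literal string body, allowing backslash escapes and one level of balanced
# parentheses, as PDF literal strings permit.
_LIT = rb"(?:\\.|[^\\()]|\((?:\\.|[^\\()])*\))*"
# The /URI key of a URI action, followed by a literal (...) or hex <...> string.
URI_RE = re.compile(rb"/URI\s*(?:\((" + _LIT + rb")\)|<([0-9A-Fa-f\s]*)>)", re.S)


def _decode(match):
    """Return the link target bytes for one URI_RE match."""
    if match.group(1) is not None:
        # Resolve the escapes that matter here: \( \) and \\
        return re.sub(rb"\\([()\\])", rb"\1", match.group(1))
    digits = re.sub(rb"\s", b"", match.group(2)).decode("ascii")
    # PDF pads an odd-length hex string with a trailing 0.
    return bytes.fromhex(digits + "0" * (len(digits) % 2))


def scan_pdf(data):
    """Return [(uri_bytes, suspicious)] for every URI action target found in
    the uncompressed parts of a PDF. Compressed object streams are not read."""
    results = []
    for match in URI_RE.finditer(data):
        uri = _decode(match)
        results.append((uri, any(b in SHELL_META for b in uri)))
    return results


# Constructed sample: three link annotations, not taken from any real file.
SAMPLE = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Subtype /Link /A << /S /URI /URI (http://www.gentoo.org/) >> >> endobj\n"
    b"2 0 obj << /Subtype /Link /A << /S /URI /URI (http://example.invalid/$(CONSTRUCTED)) >> >> endobj\n"
    b"3 0 obj << /Subtype /Link /A << /S /URI /URI <68747470733a2f2f6578616d706c652e696e76616c69642f> >> >> endobj\n"
)

if __name__ == "__main__":
    for uri, suspicious in scan_pdf(SAMPLE):
        print("SUSPICIOUS" if suspicious else "ok        ", uri.decode("latin-1"))
```

A clean result only covers link targets stored uncompressed in the file, so it does not replace upgrading to the fixed version.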