Gentoo Archives: gentoo-announce

From: Pierre-Yves Rofes <py@g.o>
To: gentoo-announce@l.g.o
Cc: full-disclosure@××××××××××××××.uk, bugtraq@×××××××××××××.com, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200803-01 ] Adobe Acrobat Reader: Multiple vulnerabilities
Date: Sun, 02 Mar 2008 23:27:49
Message-Id: 47CB3FC3.9000602@gentoo.org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200803-01:04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Adobe Acrobat Reader: Multiple vulnerabilities
Date: March 02, 2008
Updated: March 02, 2008
Bugs: #170177
ID: 200803-01:04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Adobe Acrobat Reader is vulnerable to remote code execution, Denial of
Service, and cross-site request forgery attacks.

Background
==========

Adobe Acrobat Reader is a PDF reader released by Adobe.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 app-text/acroread < 8.1.2 >= 8.1.2

Description
===========

Multiple vulnerabilities have been discovered in Adobe Acrobat Reader,
including:

* A file disclosure when using file:// in PDF documents
  (CVE-2007-1199)

* Multiple buffer overflows in unspecified Javascript methods
  (CVE-2007-5609)

* An unspecified vulnerability in the Escript.api plugin
  (CVE-2007-5663)

* Incorrect handling of printers (CVE-2008-0667)

* An integer overflow when passing incorrect arguments to
  "printSepsWithParams" (CVE-2008-0726)

Impact
======

A remote attacker could entice a user to open a specially crafted
document, possibly resulting in the remote execution of arbitrary code
with the privileges of the user running the application. A remote
attacker could also perform cross-site request forgery attacks, or
cause a Denial of Service.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Adobe Acrobat Reader users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-text/acroread-8.1.2"
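
The following POSIX shell check is an added example and is not part of the advisory or of Gentoo's tooling. It compares an app-text/acroread version string against the 8.1.2 fix version from the "Affected packages" table and reports whether that version falls in the vulnerable range. It assumes plain dotted-numeric versions with an optional Gentoo "-rN" revision suffix (which it strips) and uses a simplified component-wise comparison rather than Portage's full version algorithm; the function that looks under /var/db/pkg and the sample version strings in the loop are constructed for demonstration.

```shell
#!/bin/sh
# Added example (not part of GLSA 200803-01): flag app-text/acroread
# versions below the fixed version 8.1.2 named in the advisory.
# Assumption: versions are plain X.Y.Z strings, optionally with a
# Gentoo "-rN" revision suffix; comparison is component-wise numeric,
# not Portage's full version algorithm.

FIXED_VERSION="8.1.2"

# version_lt A B: return 0 if A < B, 1 otherwise, comparing each
# dot-separated component numerically (missing components count as 0).
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ac="${a%%.*}"; bc="${b%%.*}"
        ac="${ac:-0}"; bc="${bc:-0}"
        if [ "$ac" -lt "$bc" ]; then return 0; fi
        if [ "$ac" -gt "$bc" ]; then return 1; fi
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    done
    return 1
}

# is_vulnerable VERSION: return 0 if VERSION is in the "< 8.1.2" range
# from the advisory's table (affected), 1 if it is ">= 8.1.2".
is_vulnerable() {
    v="${1%%-r*}"          # drop a Gentoo revision suffix such as -r1
    version_lt "$v" "$FIXED_VERSION"
}

# installed_acroread_version: print the version of each installed
# app-text/acroread slot by reading the Portage database directory
# names (constructed helper; prints nothing if the package is absent).
installed_acroread_version() {
    for d in /var/db/pkg/app-text/acroread-*; do
        [ -d "$d" ] || continue
        echo "${d##*/acroread-}"
    done
}

# Constructed sample versions; on a real host replace this list with
# the output of installed_acroread_version.
for v in 7.0.9 8.1.1 8.1.1-r1 8.1.2 8.1.3; do
    if is_vulnerable "$v"; then
        echo "app-text/acroread-$v: AFFECTED, upgrade to >=$FIXED_VERSION"
    else
        echo "app-text/acroread-$v: unaffected"
    fi
done
```

The check reproduces only the version-range logic of the table; it does not replace the emerge commands above, which are the actual fix.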

References
==========

[ 1 ] CVE-2007-1199
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1199
[ 2 ] CVE-2007-5659
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5659
[ 3 ] CVE-2007-5663
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5663
[ 4 ] CVE-2007-5666
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5666
[ 5 ] CVE-2008-0655
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0655
[ 6 ] CVE-2008-0667
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0667
[ 7 ] CVE-2008-0726
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0726

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200803-01.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHyz/DuhJ+ozIKI5gRAqdDAJ9qQ1nTjVNSIAE9nl72BK6encvr8wCff7g7
Dyk4SPbdcGg9xD5qADtVEkQ=
=Ju/e
-----END PGP SIGNATURE-----
--
gentoo-announce@l.g.o mailing list