From: Pierre-Yves Rofes <py@g.o>
To: gentoo-announce@l.g.o
Cc: full-disclosure@××××××××××××××.uk, bugtraq@×××××××××××××.com, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200803-01 ] Adobe Acrobat Reader: Multiple vulnerabilities
Date: Sun, 02 Mar 2008 23:27:49
Message-Id: 47CB3FC3.9000602@gentoo.org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                    Gentoo Linux Security Advisory           GLSA 200803-01:04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Adobe Acrobat Reader: Multiple vulnerabilities
      Date: March 02, 2008
   Updated: March 02, 2008
      Bugs: #170177
        ID: 200803-01:04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Adobe Acrobat Reader is vulnerable to remote code execution, Denial of
Service, and cross-site request forgery attacks.

Background
==========

Adobe Acrobat Reader is a PDF reader released by Adobe.

Affected packages
=================

    -------------------------------------------------------------------
     Package                /  Vulnerable  /                 Unaffected
    -------------------------------------------------------------------
  1  app-text/acroread          < 8.1.2                       >= 8.1.2

Description
===========

Multiple vulnerabilities have been discovered in Adobe Acrobat Reader,
including:

* A file disclosure when using file:// in PDF documents
  (CVE-2007-1199)

* Multiple buffer overflows in unspecified Javascript methods
  (CVE-2007-5609)

* An unspecified vulnerability in the Escript.api plugin
  (CVE-2007-5663)

* Incorrect handling of printers (CVE-2008-0667)

* An integer overflow when passing incorrect arguments to
  "printSepsWithParams" (CVE-2008-0726)

Impact
======

A remote attacker could entice a user to open a specially crafted
document, possibly resulting in the remote execution of arbitrary code
with the privileges of the user running the application. A remote
attacker could also perform cross-site request forgery attacks, or
cause a Denial of Service.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Adobe Acrobat Reader users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-text/acroread-8.1.2"
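To decide which hosts actually need the upgrade above, an administrator has to compare each installed acroread version against the advisory's boundary (vulnerable below 8.1.2, unaffected at 8.1.2 or higher) while coping with Gentoo revision suffixes such as -r1. The following checker is an added example written for this page, not part of the GLSA or of Gentoo's tooling; it assumes the caller supplies a mapping of installed package names to version strings gathered from their own inventory.

```python
import re

# Boundary taken from the advisory's "Affected packages" table:
# app-text/acroread  < 8.1.2 is vulnerable, >= 8.1.2 is unaffected.
AFFECTED_PACKAGE = "app-text/acroread"
FIXED_VERSION = "8.1.2"


def parse_version(pv: str):
    """Split a Gentoo-style version ('8.1.2', '8.1.2-r1') into
    (numeric components, revision). A missing -rN counts as revision 0."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-r(\d+))?", pv)
    if not m:
        raise ValueError(f"unrecognised version string: {pv!r}")
    components = tuple(int(x) for x in m.group(1).split("."))
    revision = int(m.group(2) or 0)
    return components, revision


def version_less_than(a: str, b: str) -> bool:
    """True if version a sorts before version b. Shorter component
    tuples are zero-padded so '8.1' compares as '8.1.0'."""
    (ca, ra), (cb, rb) = parse_version(a), parse_version(b)
    width = max(len(ca), len(cb))
    ca += (0,) * (width - len(ca))
    cb += (0,) * (width - len(cb))
    return (ca, ra) < (cb, rb)


def is_vulnerable(installed: str) -> bool:
    """Apply the advisory's '< 8.1.2' range to one installed version."""
    return version_less_than(installed, FIXED_VERSION)


def triage(installed_packages: dict) -> dict:
    """Return the subset of {category/package: version} entries that this
    advisory says must be upgraded. Only app-text/acroread is in scope."""
    return {
        cpn: pv
        for cpn, pv in installed_packages.items()
        if cpn == AFFECTED_PACKAGE and is_vulnerable(pv)
    }


if __name__ == "__main__":
    # Constructed sample inventory, not real data from any host.
    sample = {"app-text/acroread": "8.1.1", "app-text/poppler": "0.6.4"}
    print(triage(sample))  # {'app-text/acroread': '8.1.1'}
```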

References
==========

  [ 1 ] CVE-2007-1199
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1199
  [ 2 ] CVE-2007-5659
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5659
  [ 3 ] CVE-2007-5663
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5663
  [ 4 ] CVE-2007-5666
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5666
  [ 5 ] CVE-2008-0655
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0655
  [ 6 ] CVE-2008-0667
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0667
  [ 7 ] CVE-2008-0726
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0726

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200803-01.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5