Re: Acroread7 security vulnerability

From: Simon L. Nielsen (simon_at_FreeBSD.org)
Date: Sun, 28 Aug 2005 13:13:18 +0200
To: Boris Samorodov <bsam@ipt.ru>

  • Next message: Boris Samorodov: "Re: Acroread7 security vulnerability"

    On 2005.08.28 14:56:11 +0400, Boris Samorodov wrote:

    > On Sun, 28 Aug 2005 10:14:21 +0930 Ian Moore wrote:
    >
    > > I've just updated my acroread port to 7.0.1 & was surprised when portaudit
    > > still listed it as a vulnerability.

    It is, at least based on the information we (Security Team) have.

    > I think it is portaudit problem.
    >
    > > According to http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/85093, the
    > > upgrade to 7.0.1 is supposed to fix the problem, but according to
    > > http://www.freebsd.org/ports/portaudit/02bc9b7c-e019-11d9-a8bd-000cf18bbe54.html
    > > and Adobe's web site at http://www.adobe.com/support/techdocs/331710.html,
    > > the problem exists in 7.0.1 as well, but is fixed in 7.0.2.
    >
    > > I'm just wondering who is right here, or am I missing something?
    >
    > It looks like you missed the platform to pay attention to. For Linux
    > and Solaris "users should upgrade to Adobe Reader 7.0.1"...

    You are mixing up two different vulnerabilities [1]. The vulnerability
    fixed by the 7.0.1 upgrade was "acroread -- plug-in buffer overflow
    vulnerability" [2]. The vulnerability portaudit is warning you about
    is "acroread -- XML External Entity vulnerability" [3]. As far as I
    know Adobe has not released any fix for the Linux version of Adobe
    Reader for [3].

    [1] http://www.vuxml.org/freebsd/pkg-acroread7.html
    [2] http://www.vuxml.org/freebsd/f74dc01b-0e83-11da-bc08-0001020eed82.html
    [3] http://www.vuxml.org/freebsd/02bc9b7c-e019-11d9-a8bd-000cf18bbe54.html

    -- 
    Simon L. Nielsen
    FreeBSD Security Team
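The reason the 7.0.1 upgrade does not silence the warning is that portaudit matches the installed package name and version against every VuXML entry, not against a single "is it fixed" flag. The following is an added example (Python, written for this page; it is not the portaudit or VuXML code and is not from the message above) that models that check: it implements a simplified version comparison in the style of pkg_version(1) and matches a package against two constructed entries. The entry ids and topics are the ones cited in the message, but the version ranges in ENTRIES are assumptions for illustration, not the real advisories' data; in particular, the XXE entry is given no upper bound to represent "no fixed version known", which is the situation the message describes.

```python
"""Simplified model of how portaudit decides a package is affected.

Added example for this page. Not FreeBSD's portaudit or VuXML code.
Entry ids/topics are those cited in the message; the version ranges
are CONSTRUCTED assumptions for illustration only.
"""
from typing import List, NamedTuple, Optional


class Entry(NamedTuple):
    vid: str                # VuXML entry id
    topic: str
    package: str            # package name the range applies to
    ge: Optional[str]       # affected if version >= ge (None: no lower bound)
    lt: Optional[str]       # affected if version <  lt (None: no upper bound)


# Constructed stand-ins for the two entries referenced as [2] and [3].
ENTRIES = [
    Entry("f74dc01b-0e83-11da-bc08-0001020eed82",
          "acroread -- plug-in buffer overflow vulnerability",
          "acroread7", None, "7.0.1"),          # assumed: fixed in 7.0.1
    Entry("02bc9b7c-e019-11d9-a8bd-000cf18bbe54",
          "acroread -- XML External Entity vulnerability",
          "acroread7", None, None),             # assumed: no fixed version
]


def parse_version(v: str):
    """Turn a ports version 'version[_revision][,epoch]' into a sortable key.

    Simplified from pkg_version(1): epoch dominates, then the dotted
    version (numeric components as integers, alphabetic ones as strings,
    and 7.0 sorts before 7.0.1), then PORTREVISION.
    """
    epoch = 0
    if "," in v:
        v, e = v.rsplit(",", 1)
        epoch = int(e)
    rev = 0
    if "_" in v:
        v, r = v.rsplit("_", 1)
        rev = int(r)
    comps = tuple((0, int(c), "") if c.isdigit() else (1, 0, c)
                  for c in v.split("."))
    return (epoch, comps, rev)


def cmp_version(a: str, b: str) -> int:
    """-1, 0 or 1, like pkg_version -t."""
    ka, kb = parse_version(a), parse_version(b)
    return (ka > kb) - (ka < kb)


def affected(entry: Entry, pkg: str, version: str) -> bool:
    """True if pkg-version falls inside the entry's affected range."""
    if pkg != entry.package:
        return False
    if entry.ge is not None and cmp_version(version, entry.ge) < 0:
        return False
    if entry.lt is not None and cmp_version(version, entry.lt) >= 0:
        return False
    return True


def audit(pkg: str, version: str, entries=ENTRIES) -> List[str]:
    """Ids of every entry that still covers the installed pkg-version."""
    return [e.vid for e in entries if affected(e, pkg, version)]


if __name__ == "__main__":
    for ver in ("7.0", "7.0.1"):
        hits = audit("acroread7", ver)
        print(f"acroread7-{ver}: {len(hits)} open entr{'y' if len(hits) == 1 else 'ies'}")
        for e in ENTRIES:
            if e.vid in hits:
                print(f"  {e.vid}  {e.topic}")
```

With the constructed ranges, acroread7-7.0 matches both entries, while acroread7-7.0.1 falls outside the buffer-overflow range but is still inside the open-ended XXE range, which is exactly why portaudit keeps reporting it: an upgrade clears only the entries whose upper bound it passes.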