Re: Arcoread7 secutiry vulnerability

From: Boris Samorodov (bsam_at_ipt.ru)
Date: 08/28/05

    To: "Simon L. Nielsen" <simon@FreeBSD.org>
    Date: Sun, 28 Aug 2005 15:25:25 +0400
    
    

    On Sun, 28 Aug 2005 13:13:18 +0200 Simon L. Nielsen wrote:

    > On 2005.08.28 14:56:11 +0400, Boris Samorodov wrote:

    > > On Sun, 28 Aug 2005 10:14:21 +0930 Ian Moore wrote:
    > >
    > > > I've just updated my acroread port to 7.0.1 & was surprised when portaudit
    > > > still listed it as a vulnerability.

    > It is, at least based on the information we (Security Team) have.

    > > I think it is portaudit problem.
    > >
    > > > According to http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/85093, the
    > > > upgrade to 7.0.1 is supposed to fix the problem, but according to
    > > > http://www.freebsd.org/ports/portaudit/02bc9b7c-e019-11d9-a8bd-000cf18bbe54.html
    > > > and Adobe's web site at http://www.adobe.com/support/techdocs/331710.html,
    > > > the problem exists in 7.0.1 as well, but is fixed in 7.0.2.
    > >
    > > > I'm just wondering who is right here, or am I missing something?
    > >
    > > It looks like you missed the platform to pay attention to. For Linux
    > > and Solaris "users should upgrade to Adobe Reader 7.0.1"...

    > You are mixing up two different vulnerabilities [1]. The vulnerability
    > fixed by the 7.0.1 upgrade was "acroread -- plug-in buffer overflow
    > vulnerability" [2]. The vulnerability portaudit is warning you about
    > is "acroread -- XML External Entity vulnerability" [3]. As far as I
    > know Adobe has not released any fix for the Linux version of Adobe
    > Reader for [3].

    > [1] http://www.vuxml.org/freebsd/pkg-acroread7.html
    > [2] http://www.vuxml.org/freebsd/f74dc01b-0e83-11da-bc08-0001020eed82.html
    > [3] http://www.vuxml.org/freebsd/02bc9b7c-e019-11d9-a8bd-000cf18bbe54.html

    Well, I think that the Linux version does not suffer from CAN-2005-1306:
    http://www.adobe.com/support/techdocs/331710.html

    Platforms affected are Windows and Mac OS. Am I missing something?

    WBR

    -- 
    bsam
    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
    
