Re: Acroread7 security vulnerability

From: Boris Samorodov (bsam_at_ipt.ru)
Date: 08/28/05

  • Next message: Simon L. Nielsen: "Re: Acroread7 security vulnerability"
    To: "Simon L. Nielsen" <simon@FreeBSD.org>
    Date: Sun, 28 Aug 2005 15:25:25 +0400
    
    

    On Sun, 28 Aug 2005 13:13:18 +0200 Simon L. Nielsen wrote:

    > On 2005.08.28 14:56:11 +0400, Boris Samorodov wrote:

    > > On Sun, 28 Aug 2005 10:14:21 +0930 Ian Moore wrote:
    > >
    > > > I've just updated my acroread port to 7.0.1 & was surprised when portaudit
    > > > still listed it as a vulnerability.

    > It is, at least based on the information we (Security Team) have.

    > > I think it is portaudit problem.
    > >
    > > > According to http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/85093, the
    > > > upgrade to 7.0.1 is supposed to fix the problem, but according to
    > > > http://www.freebsd.org/ports/portaudit/02bc9b7c-e019-11d9-a8bd-000cf18bbe54.html
    > > > and Adobe's web site at http://www.adobe.com/support/techdocs/331710.html,
    > > > the problem exists in 7.0.1 as well, but is fixed in 7.0.2.
    > >
    > > > I'm just wondering who is right here, or am I missing something?
    > >
    > > It looks like you missed the platform to pay attention to. For Linux
    > > and Solaris "users should upgrade to Adobe Reader 7.0.1"...

    > You are mixing up two different vulnerabilities [1]. The vulnerability
    > fixed by the 7.0.1 upgrade was "acroread -- plug-in buffer overflow
    > vulnerability" [2]. The vulnerability portaudit is warning you about
    > is "acroread -- XML External Entity vulnerability" [3]. As far as I
    > know Adobe has not released any fix for the Linux version of Adobe
    > Reader for [3].

    > [1] http://www.vuxml.org/freebsd/pkg-acroread7.html
    > [2] http://www.vuxml.org/freebsd/f74dc01b-0e83-11da-bc08-0001020eed82.html
    > [3] http://www.vuxml.org/freebsd/02bc9b7c-e019-11d9-a8bd-000cf18bbe54.html

    Well, I think that the Linux version does not suffer from CAN-2005-1306:
    http://www.adobe.com/support/techdocs/331710.html

    Platforms affected are Windows and Mac OS. Am I missing something?

    WBR

    -- 
    bsam
    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
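The disagreement above comes down to how portaudit matches an installed port against several independent VuXML entries, each carrying its own version range. The following is an added example, not code from the thread or from the portaudit/VuXML project: it models that matching with a simplified numeric version comparison and two stand-in entries named after the advisories Simon cites. The version ranges attached to those entries are assumptions chosen to reproduce what the thread reports (the plug-in overflow is fixed by 7.0.1; the XXE entry still flags 7.0.1 because no Linux fix is known), not values copied from vuxml.org.

```python
"""Model of how portaudit decides whether an installed port is affected.

Constructed example. The two entries below are stand-ins for the advisories
discussed in the thread; their version ranges are assumptions, not the
ranges published on vuxml.org.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


def version_key(version: str) -> Tuple[int, ...]:
    """Turn a dotted version such as '7.0.1' into a comparable tuple.

    Simplification (assumption): purely numeric dotted versions. Real
    FreeBSD package versions also carry _N (PORTREVISION) and ,N
    (PORTEPOCH) suffixes, which this toy comparator does not handle.
    """
    return tuple(int(part) for part in version.split("."))


@dataclass
class Range:
    """One VuXML <range>: affected when every present bound holds."""
    lt: Optional[str] = None  # affected if version <  lt
    le: Optional[str] = None  # affected if version <= le
    ge: Optional[str] = None  # affected if version >= ge
    gt: Optional[str] = None  # affected if version >  gt

    def matches(self, version: str) -> bool:
        v = version_key(version)
        if self.lt is not None and not v < version_key(self.lt):
            return False
        if self.le is not None and not v <= version_key(self.le):
            return False
        if self.ge is not None and not v >= version_key(self.ge):
            return False
        if self.gt is not None and not v > version_key(self.gt):
            return False
        return True


@dataclass
class Vuln:
    """One VuXML <vuln>: an id, a topic, and the package ranges it affects."""
    vid: str
    topic: str
    package: str
    ranges: List[Range] = field(default_factory=list)

    def affects(self, package: str, version: str) -> bool:
        return package == self.package and any(r.matches(version) for r in self.ranges)


# Stand-in entries. Ids and topics are the ones quoted in the thread;
# the ranges are ASSUMED to reproduce the behaviour the thread describes.
ENTRIES = [
    Vuln(
        vid="f74dc01b-0e83-11da-bc08-0001020eed82",
        topic="acroread -- plug-in buffer overflow vulnerability",
        package="acroread7",
        ranges=[Range(lt="7.0.1")],          # assumed: fixed by the 7.0.1 upgrade
    ),
    Vuln(
        vid="02bc9b7c-e019-11d9-a8bd-000cf18bbe54",
        topic="acroread -- XML External Entity vulnerability",
        package="acroread7",
        ranges=[Range(ge="7.0")],            # assumed: no upper bound, no Linux fix known
    ),
]


def audit(package: str, version: str, entries: List[Vuln] = ENTRIES) -> List[Vuln]:
    """Return every entry that still applies to package-version, like
    'portaudit -a' reporting each matching VuXML entry separately."""
    return [e for e in entries if e.affects(package, version)]


def report(package: str, version: str) -> str:
    """Human-readable summary of the audit result."""
    hits = audit(package, version)
    if not hits:
        return f"{package}-{version}: no known vulnerabilities"
    lines = [f"{package}-{version} is affected by {len(hits)} entr{'y' if len(hits) == 1 else 'ies'}:"]
    lines += [f"  {h.vid}  {h.topic}" for h in hits]
    return "\n".join(lines)


if __name__ == "__main__":
    for ver in ("7.0.0", "7.0.1", "7.0.2"):
        print(report("acroread7", ver))
```

Upgrading from 7.0.0 to 7.0.1 drops the buffer-overflow entry but leaves the XXE entry matching, which is exactly the "still listed as a vulnerability" result Ian saw; the model makes the point that an upgrade clears one entry at a time, not the package.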
    
