Re: Acroread7 security vulnerability

From: Simon L. Nielsen (simon_at_FreeBSD.org)
Date: 08/28/05

    Date: Sun, 28 Aug 2005 13:43:26 +0200
    To: Boris Samorodov <bsam@ipt.ru>
    
    
    

    On 2005.08.28 15:25:25 +0400, Boris Samorodov wrote:
    > On Sun, 28 Aug 2005 13:13:18 +0200 Simon L. Nielsen wrote:
    >
    > > You are mixing up two different vulnerabilities [1]. The vulnerability
    > > fixed by the 7.0.1 upgrade was "acroread -- plug-in buffer overflow
    > > vulnerability" [2]. The vulnerability portaudit is warning you about
    > > is "acroread -- XML External Entity vulnerability" [3]. As far as I
    > > know Adobe has not released any fix for the Linux version of Adobe
    > > Reader for [3].
    >
    > > [1] http://www.vuxml.org/freebsd/pkg-acroread7.html
    > > [2] http://www.vuxml.org/freebsd/f74dc01b-0e83-11da-bc08-0001020eed82.html
    > > [3] http://www.vuxml.org/freebsd/02bc9b7c-e019-11d9-a8bd-000cf18bbe54.html
    >
    > Well, I think that the Linux version does not suffer from CAN-2005-1306:
    > http://www.adobe.com/support/techdocs/331710.html
    >
    > Platforms affected are Windows and Mac OS. Am I missing something?

    Adobe does not list the Linux version as affected, but the original
    reporter of the problem does list the Linux version as affected, at
    http://shh.thathost.com/secadv/adobexxe/ . In these cases we prefer
    to err on the side of caution and would rather list a package as
    affected, even if it's not, than not list a package that turns out
    to be affected.

    I have just written a mail to the original reporter of the problem to
    try to clarify the issue.

    -- 
    Simon L. Nielsen
    FreeBSD Security Team
    
    


