Re: Acroread7 security vulnerability

From: Simon L. Nielsen (simon_at_FreeBSD.org)
Date: 08/28/05

    Date: Sun, 28 Aug 2005 13:43:26 +0200
    To: Boris Samorodov <bsam@ipt.ru>
    
    
    

    On 2005.08.28 15:25:25 +0400, Boris Samorodov wrote:
    > On Sun, 28 Aug 2005 13:13:18 +0200 Simon L. Nielsen wrote:
    >
    > > You are mixing up two different vulnerabilities [1]. The vulnerability
    > > fixed by the 7.0.1 upgrade was "acroread -- plug-in buffer overflow
    > > vulnerability" [2]. The vulnerability portaudit is warning you about
    > > is "acroread -- XML External Entity vulnerability" [3]. As far as I
    > > know Adobe has not released any fix for the Linux version of Adobe
    > > Reader for [3].
    >
    > > [1] http://www.vuxml.org/freebsd/pkg-acroread7.html
    > > [2] http://www.vuxml.org/freebsd/f74dc01b-0e83-11da-bc08-0001020eed82.html
    > > [3] http://www.vuxml.org/freebsd/02bc9b7c-e019-11d9-a8bd-000cf18bbe54.html
    >
    > Well, I think that the Linux version does not suffer from CAN-2005-1306:
    > http://www.adobe.com/support/techdocs/331710.html
    >
    > Platforms affected are Windows and Mac OS. Am I missing something?

    Adobe does not list the Linux version as affected, but the original
    reporter of the problem does list the Linux version as affected, at
    http://shh.thathost.com/secadv/adobexxe/ . In these cases we prefer to
    err on the side of caution and would rather list a package as affected,
    even if it's not, than not list a package that turns out to
    be affected.

    I have just written a mail to the original reporter of the problem to
    try to clarify the issue.

    -- 
    Simon L. Nielsen
    FreeBSD Security Team
    
    


