[NT] Adobe PageMaker PMD File Processing Buffer Overflows



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com





SUMMARY

"Adobe PageMaker 7.0 <http://www.adobe.com/products/pagemaker/index.html>
software is the ideal page layout program for business, education, and
small- and home-office professionals who want to create high-quality
publications such as brochures and newsletters. Get started quickly with
templates, graphics, and intuitive design tools; work productively across
Adobe applications; and easily leverage existing content to create
customized communications."

Secunia Research has discovered two vulnerabilities in Adobe PageMaker,
which can be exploited by malicious people to compromise a user's system.

DETAILS

Vulnerable Systems:
* Adobe PageMaker version 7.0.1

The vulnerabilities are caused by boundary errors when processing
certain structures in a .PMD file. These can be exploited to cause
stack-based and heap-based buffer overflows, for example via a .PMD file
with a specially crafted font structure.

Successful exploitation allows execution of arbitrary code.
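
The class of boundary error described above, shown from the parser's side as an added example (not code from Secunia, Adobe, or PageMaker). The record layout, FONT_NAME_MAX, and all function and sample names are hypothetical and do not reflect the real .PMD format; the point is that every length field read from the file is checked against both the destination buffer and the bytes actually present.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define FONT_NAME_MAX 32  /* assumed limit; not taken from the PMD format */

/* Hypothetical little-endian record, NOT the real PMD layout:
   u16 name_len | name bytes | u16 count | count * u32 widths */
typedef struct {
    char      name[FONT_NAME_MAX + 1];
    uint16_t  count;
    uint32_t *widths;            /* heap array; caller frees */
} font_rec;

static int rd16(const uint8_t *p, size_t len, size_t off, uint16_t *v) {
    if (off > len || len - off < 2) return -1;   /* field must lie in the file */
    *v = (uint16_t)(p[off] | (p[off + 1] << 8));
    return 0;
}

/* Returns 0 on success, -1 when a length field disagrees with the input. */
int parse_font_rec(const uint8_t *buf, size_t len, font_rec *out) {
    uint16_t name_len, count;
    size_t off = 0;
    out->widths = NULL;
    if (rd16(buf, len, off, &name_len)) return -1;
    off += 2;
    /* Stack case: declared length must fit the fixed buffer and the file. */
    if (name_len > FONT_NAME_MAX || len - off < name_len) return -1;
    memcpy(out->name, buf + off, name_len);
    out->name[name_len] = '\0';
    off += name_len;
    if (rd16(buf, len, off, &count)) return -1;
    off += 2;
    /* Heap case: the count must be backed by bytes present in the input. */
    if ((len - off) / 4 < count) return -1;
    out->widths = calloc(count ? count : 1u, sizeof *out->widths);
    if (!out->widths) return -1;
    for (size_t i = 0; i < count; i++, off += 4)
        out->widths[i] = (uint32_t)buf[off] | (uint32_t)buf[off + 1] << 8 |
                         (uint32_t)buf[off + 2] << 16 | (uint32_t)buf[off + 3] << 24;
    out->count = count;
    return 0;
}

/* Constructed samples: well-formed, oversized name_len, oversized count. */
static const uint8_t SAMPLE_OK[]   = {3,0,'A','b','c', 2,0, 1,0,0,0, 2,0,0,0};
static const uint8_t SAMPLE_NAME[] = {0xff,0x00,'A'};
static const uint8_t SAMPLE_CNT[]  = {1,0,'A', 0xff,0xff, 1,0,0,0};
```

Both malformed samples are rejected before any copy takes place, which is the check a boundary error of this kind omits.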

Solution:
The vendor will be releasing a fix for the stack-based buffer overflow
shortly and is working on a fix for the heap-based buffer overflow.

Time Table:
23/10/2007 - Vendor notified.
24/10/2007 - Vendor response.
26/10/2007 - Additional vulnerability reported to vendor.
26/10/2007 - Vendor response.
13/11/2007 - Vendor acknowledges vulnerabilities.
05/12/2007 - Status update requested.
06/12/2007 - Vendor response (working on getting resources for development
and testing).
21/01/2008 - Status update requested.
10/03/2008 - Status update requested.
12/03/2008 - Vendor response (new developer currently getting familiar
with the code).
30/05/2008 - Vendor provides fix for testing and informs of expected
release date on 10th June 2008.
02/06/2008 - Vendor asks for CVE identifier.
03/06/2008 - Vendor provided with CVE identifier and informed that only
one of the vulnerabilities has been fixed in the supplied patch.
04/06/2008 - Vendor response (more time needed to address second
vulnerability).
04/07/2008 - Status update requested. Informed vendor that release date
now is set to end of October.
08/07/2008 - Vendor response (still trying to find resources to resolve
the vulnerabilities).
30/09/2008 - Vendor provides status update.
01/10/2008 - Vendor informed of fixed disclosure date (29/10/2008).
27/10/2008 - Vendor provides status update and requests CVE identifier for
the unpatched vulnerability.
28/10/2008 - Vendor provided with additional CVE identifier.
29/10/2008 - Public disclosure.

CVE Information:
CVE-2007-5394: <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5394>
CVE-2007-6021: <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6021>


ADDITIONAL INFORMATION

The information has been provided by Secunia Research.
The original article can be found at:
http://secunia.com/secunia_research/2007-80/


