From owner-freebsd-security@FreeBSD.ORG Mon Aug 29 10:53:17 2005
From: Ian Moore
To: "Simon L. Nielsen"
Cc: Boris Samorodov, freebsd-security@freebsd.org, trevor@freebsd.org, secteam@freebsd.org
Date: Mon, 29 Aug 2005 20:23:01 +0930
Subject: Re: Acroread7 security vulnerability
Message-Id: <200508292023.11924.imoore@swiftdsl.com.au>
In-Reply-To: <20050828210221.GB857@zaphod.nitro.dk>
References: <200508281014.29868.imoore@swiftdsl.com.au> <20050828114326.GE854@zaphod.nitro.dk> <20050828210221.GB857@zaphod.nitro.dk>
User-Agent: KMail/1.8.2
List-Id: "Security issues [members-only posting]"

On Monday 29 August 2005 06:32, Simon L. Nielsen wrote:
> On 2005.08.28 13:43:26 +0200, Simon L. Nielsen wrote:
> > On 2005.08.28 15:25:25 +0400, Boris Samorodov wrote:
> > > On Sun, 28 Aug 2005 13:13:18 +0200 Simon L. Nielsen wrote:
> > > > You are mixing up two different vulnerabilities [1]. The
> > > > vulnerability fixed by the 7.0.1 upgrade was "acroread -- plug-in
> > > > buffer overflow vulnerability" [2]. The vulnerability portaudit is
> > > > warning you about is "acroread -- XML External Entity vulnerability"
> > > > [3]. As far as I know Adobe has not released any fix for the Linux
> > > > version of Adobe Reader for [3].
> > > >
> > > > [1] http://www.vuxml.org/freebsd/pkg-acroread7.html
> > > > [2] http://www.vuxml.org/freebsd/f74dc01b-0e83-11da-bc08-0001020eed82.html
> > > > [3] http://www.vuxml.org/freebsd/02bc9b7c-e019-11d9-a8bd-000cf18bbe54.html
> > >
> > > Well, I think that the Linux version does not suffer from CAN-2005-1306:
> > > http://www.adobe.com/support/techdocs/331710.html
> > >
> > > Platforms affected are Windows and Mac OS. Am I missing something?
> >
> > Adobe does not list the Linux version as affected, but the original
> > reporter of the problem does list the Linux version as affected, at
> > http://shh.thathost.com/secadv/adobexxe/ . In these cases we prefer to
> > err on the side of caution and would rather list a package as affected,
> > even if it's not, than not list a package that turns out to
> > be affected.
> >
> > I have just written a mail to the original reporter of the problem to
> > try to clarify the issue.
>
> I just got a mail back from Sverre H. Huseby and he says that the
> Linux version indeed was affected, but 7.0.1 seems to be fixed, so I
> marked it as fixed in VuXML.

Thanks for clearing that up!

Cheers,
-- 
Ian Moore
GPG Key: http://home.swiftdsl.com.au/~imoore/imoore-swift.asc
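The thread above names the vulnerability class portaudit was warning about (XML External Entity) but never shows what it looks like. The block below is an added example, not code from the thread, from Adobe Reader or from the FreeBSD ports tree: it recreates the class with Python's standard-library xml.sax, parsing the same attacker-controlled document once with external general entities enabled (the vulnerable configuration; xml.sax has disabled it by default since 3.7.1) and once with them disabled and any DOCTYPE rejected outright, which is where entity declarations live. The document, the "secret" file and its contents are constructed for the demo; nothing here reflects how Adobe's product parsed XML.

```python
"""XXE: a vulnerable XML parser configuration beside a hardened one.

Added example (not from the FreeBSD thread or from Adobe). The secret
file and the attacker document are constructed inline so the demo runs
offline; the class of bug is generic, not Adobe Reader's code path.
"""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import (ContentHandler, feature_external_ges,
                             property_lexical_handler)


class TextCollector(ContentHandler):
    """Collects character data so we can see what an entity expanded to."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


class DoctypeRejected(Exception):
    """Raised by the hardened parser when the input carries a DTD."""


class NoDoctype:
    """Lexical handler that refuses any DOCTYPE (the place entities are declared).

    xml.sax's expat reader calls startDTD/endDTD/startCDATA/endCDATA/comment
    on the object registered as property_lexical_handler, so all five exist.
    """

    def startDTD(self, name, public_id, system_id):
        raise DoctypeRejected("DOCTYPE not allowed: %s" % name)

    def endDTD(self):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass

    def comment(self, content):
        pass


def build_xxe_document(target_path):
    """Constructed attacker document: an external entity pointing at a local file."""
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE form [ <!ENTITY leak SYSTEM "%s"> ]>\n'
        '<form><field>&leak;</field></form>\n' % target_path
    ).encode()


def parse_vulnerable(xml_bytes):
    """Vulnerable configuration: the parser fetches external general entities."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, True)   # the dangerous switch
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.parts)


def parse_hardened(xml_bytes):
    """Hardened: external entities off, and any DOCTYPE at all is rejected."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)
    parser.setProperty(property_lexical_handler, NoDoctype())
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.parts)


def demo():
    """Returns (text leaked by the vulnerable parser, hardened parser outcome)."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = os.path.join(tmp, "secret.txt")   # stands in for /etc/passwd
        with open(secret, "w") as fh:
            fh.write("s3cr3t-token")               # constructed secret
        doc = build_xxe_document(secret)
        leaked = parse_vulnerable(doc)             # file contents end up in the tree
        try:
            parse_hardened(doc)
            hardened = "parsed"
        except DoctypeRejected:
            hardened = "rejected"
    return leaked, hardened


if __name__ == "__main__":
    print(demo())
```

Running the block prints `('s3cr3t-token', 'rejected')`: the vulnerable configuration hands the attacker the file's contents as ordinary character data, while the hardened parser never gets as far as the entity reference. Rejecting the DOCTYPE rather than only switching off external entities also closes off internal entity expansion attacks, which is the same policy defusedxml applies.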