Skip site navigation (1)Skip section navigation (2) 
Date:      Sun, 28 Aug 2005 13:13:18 +0200
From:      "Simon L. Nielsen" <simon@FreeBSD.org>
To:        Boris Samorodov <bsam@ipt.ru>
Cc:        Ian Moore <imoore@swiftdsl.com.au>, freebsd-security@FreeBSD.org, trevor@freebsd.org, secteam@FreeBSD.org
Subject:   Re: Arcoread7 secutiry vulnerability
Message-ID:  <20050828111317.GC854@zaphod.nitro.dk>
In-Reply-To: <87188868@srv.sem.ipt.ru>
References:  <200508281014.29868.imoore@swiftdsl.com.au> <87188868@srv.sem.ipt.ru>
next in thread | previous in thread | raw e-mail | index | archive | help 

[-- Attachment #1 --]
On 2005.08.28 14:56:11 +0400, Boris Samorodov wrote:

> On Sun, 28 Aug 2005 10:14:21 +0930 Ian Moore wrote:
> 
> > I've just updated my acroread port to 7.0.1 & was surprised when portaudit 
> > still listed it as a vulnerability.

It is, at least based on the information we (Security Team) have.

> I think it is portaudit problem.
> 
> > According to  http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/85093, the 
> > upgrade to 7.0.1 is suppoed to fix the problem, but according to 
> > http://www.freebsd.org/ports/portaudit/02bc9b7c-e019-11d9-a8bd-000cf18bbe54.html 
> > and Adobe's web site at http://www.adobe.com/support/techdocs/331710.html, 
> > the problem exists in 7.0.1 as well, but is fixed in 7.0.2.
> 
> > I'm just wondering who is right here, or am I missing something?
> 
> It looks like you missed the platfom to pay attention to. For Linux
> and Solaris "users should upgrade to Adobe Reader 7.0.1"...

You are mixing up two different vulnerabilities [1]. The vulnerability
fixed by the 7.0.1 upgrade was "acroread -- plug-in buffer overflow
vulnerability" [2].  The vulnerability portaudit is warning you about
is "acroread -- XML External Entity vulnerability" [3].  As far as I
know Adobe has not released any fix for the Linux version of Adobe
Reader for [3].

[1] http://www.vuxml.org/freebsd/pkg-acroread7.html
[2] http://www.vuxml.org/freebsd/f74dc01b-0e83-11da-bc08-0001020eed82.html
[3] http://www.vuxml.org/freebsd/02bc9b7c-e019-11d9-a8bd-000cf18bbe54.html

-- 
Simon L. Nielsen
FreeBSD Security Team

[-- Attachment #2 --]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (FreeBSD)

iD8DBQFDEZxNh9pcDSc1mlERAn4yAKCRaEoeokOmpe4fRlwlO/26hV97qACfYpWR
Rqcvyo56isWYhLvg3HSR1J4=
=uGn5
-----END PGP SIGNATURE-----

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20050828111317.GC854>