From owner-freebsd-security@FreeBSD.ORG Sun Aug 28 11:13:21 2005 Return-Path: X-Original-To: freebsd-security@FreeBSD.org Delivered-To: freebsd-security@FreeBSD.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B020516A41F; Sun, 28 Aug 2005 11:13:21 +0000 (GMT) (envelope-from simon@zaphod.nitro.dk) Received: from zaphod.nitro.dk (port324.ds1-khk.adsl.cybercity.dk [212.242.113.79]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1B2E943D49; Sun, 28 Aug 2005 11:13:20 +0000 (GMT) (envelope-from simon@zaphod.nitro.dk) Received: by zaphod.nitro.dk (Postfix, from userid 3000) id 1D5B211A5F; Sun, 28 Aug 2005 13:13:18 +0200 (CEST) Date: Sun, 28 Aug 2005 13:13:18 +0200 From: "Simon L. Nielsen" To: Boris Samorodov Message-ID: <20050828111317.GC854@zaphod.nitro.dk> References: <200508281014.29868.imoore@swiftdsl.com.au> <87188868@srv.sem.ipt.ru> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="L6iaP+gRLNZHKoI4" Content-Disposition: inline In-Reply-To: <87188868@srv.sem.ipt.ru> User-Agent: Mutt/1.5.9i Cc: Ian Moore , freebsd-security@FreeBSD.org, trevor@freebsd.org, secteam@FreeBSD.org Subject: Re: Arcoread7 secutiry vulnerability X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 28 Aug 2005 11:13:21 -0000 --L6iaP+gRLNZHKoI4 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On 2005.08.28 14:56:11 +0400, Boris Samorodov wrote: > On Sun, 28 Aug 2005 10:14:21 +0930 Ian Moore wrote: >=20 > > I've just updated my acroread port to 7.0.1 & was surprised when portau= dit=20 > > still listed it as a vulnerability. It is, at least based on the information we (Security Team) have. > I think it is portaudit problem. >=20 > > According to http://www.freebsd.org/cgi/query-pr.cgi?pr=3Dports/85093,= the=20 > > upgrade to 7.0.1 is suppoed to fix the problem, but according to=20 > > http://www.freebsd.org/ports/portaudit/02bc9b7c-e019-11d9-a8bd-000cf18b= be54.html=20 > > and Adobe's web site at http://www.adobe.com/support/techdocs/331710.ht= ml,=20 > > the problem exists in 7.0.1 as well, but is fixed in 7.0.2. >=20 > > I'm just wondering who is right here, or am I missing something? >=20 > It looks like you missed the platfom to pay attention to. For Linux > and Solaris "users should upgrade to Adobe Reader 7.0.1"... You are mixing up two different vulnerabilities [1]. The vulnerability fixed by the 7.0.1 upgrade was "acroread -- plug-in buffer overflow vulnerability" [2]. The vulnerability portaudit is warning you about is "acroread -- XML External Entity vulnerability" [3]. As far as I know Adobe has not released any fix for the Linux version of Adobe Reader for [3]. [1] http://www.vuxml.org/freebsd/pkg-acroread7.html [2] http://www.vuxml.org/freebsd/f74dc01b-0e83-11da-bc08-0001020eed82.html [3] http://www.vuxml.org/freebsd/02bc9b7c-e019-11d9-a8bd-000cf18bbe54.html --=20 Simon L. Nielsen FreeBSD Security Team --L6iaP+gRLNZHKoI4 Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (FreeBSD) iD8DBQFDEZxNh9pcDSc1mlERAn4yAKCRaEoeokOmpe4fRlwlO/26hV97qACfYpWR Rqcvyo56isWYhLvg3HSR1J4= =uGn5 -----END PGP SIGNATURE----- --L6iaP+gRLNZHKoI4--