Date: Sun, 28 Aug 2005 23:02:21 +0200 From: "Simon L. Nielsen" <simon@FreeBSD.org> To: Boris Samorodov <bsam@ipt.ru> Cc: Ian Moore <imoore@swiftdsl.com.au>, freebsd-security@FreeBSD.org, trevor@freebsd.org, secteam@FreeBSD.org Subject: Re: Arcoread7 secutiry vulnerability Message-ID: <20050828210221.GB857@zaphod.nitro.dk> In-Reply-To: <20050828114326.GE854@zaphod.nitro.dk> References: <200508281014.29868.imoore@swiftdsl.com.au> <87188868@srv.sem.ipt.ru> <20050828111317.GC854@zaphod.nitro.dk> <21107114@srv.sem.ipt.ru> <20050828114326.GE854@zaphod.nitro.dk>
next in thread | previous in thread | raw e-mail | index | archive | help
--R3G7APHDIzY6R/pk Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On 2005.08.28 13:43:26 +0200, Simon L. Nielsen wrote: > On 2005.08.28 15:25:25 +0400, Boris Samorodov wrote: > > On Sun, 28 Aug 2005 13:13:18 +0200 Simon L. Nielsen wrote: > > > > > You are mixing up two different vulnerabilities [1]. The vulnerability > > > fixed by the 7.0.1 upgrade was "acroread -- plug-in buffer overflow > > > vulnerability" [2]. The vulnerability portaudit is warning you about > > > is "acroread -- XML External Entity vulnerability" [3]. As far as I > > > know Adobe has not released any fix for the Linux version of Adobe > > > Reader for [3]. > >=20 > > > [1] http://www.vuxml.org/freebsd/pkg-acroread7.html > > > [2] http://www.vuxml.org/freebsd/f74dc01b-0e83-11da-bc08-0001020eed82= =2Ehtml > > > [3] http://www.vuxml.org/freebsd/02bc9b7c-e019-11d9-a8bd-000cf18bbe54= =2Ehtml > >=20 > > Well, I think that Linux version is not suffered from CAN-2005-1306: > > http://www.adobe.com/support/techdocs/331710.html > >=20 > > Platforms affected are Windows and Mac OS. Am I missing something? >=20 > Adobe does not list the Linux version as affected, but the original > reporter of the problem does list the Linux version as affected, at > http://shh.thathost.com/secadv/adobexxe/ . In these cases we prefer > err on the side of caution and will rather list a package as affected, > even if it's not, rather than not listing a package that turn out to > be affected. >=20 > I have just written a mail to the original reporter of the problem to > try to clarify the issue. I just got a mail back from Sverre H. Huseby and he says that the Linux version indeed was affected, but 7.0.1 seems to be fixed, so I marked it as fixed in VuXML. --=20 Simon L. Nielsen FreeBSD Security Team --R3G7APHDIzY6R/pk Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (FreeBSD) iD8DBQFDEiZdh9pcDSc1mlERAnNxAJ9oluhQsLxHQRYbd+ZlzGx9c5DlRQCdELec SaxkNYu0lnni8Nb00j0j55c= =dhbW -----END PGP SIGNATURE----- --R3G7APHDIzY6R/pk--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20050828210221.GB857>