Date:      Sun, 28 Aug 2005 13:43:26 +0200
From:      "Simon L. Nielsen" <simon@FreeBSD.org>
To:        Boris Samorodov <bsam@ipt.ru>
Cc:        Ian Moore <imoore@swiftdsl.com.au>, freebsd-security@FreeBSD.org, trevor@freebsd.org, secteam@FreeBSD.org
Subject:   Re: Acroread7 security vulnerability
Message-ID:  <20050828114326.GE854@zaphod.nitro.dk>
In-Reply-To: <21107114@srv.sem.ipt.ru>
References:  <200508281014.29868.imoore@swiftdsl.com.au> <87188868@srv.sem.ipt.ru> <20050828111317.GC854@zaphod.nitro.dk> <21107114@srv.sem.ipt.ru>

On 2005.08.28 15:25:25 +0400, Boris Samorodov wrote:
> On Sun, 28 Aug 2005 13:13:18 +0200 Simon L. Nielsen wrote:
>
> > You are mixing up two different vulnerabilities [1]. The vulnerability
> > fixed by the 7.0.1 upgrade was "acroread -- plug-in buffer overflow
> > vulnerability" [2].  The vulnerability portaudit is warning you about
> > is "acroread -- XML External Entity vulnerability" [3].  As far as I
> > know Adobe has not released any fix for the Linux version of Adobe
> > Reader for [3].
>
> > [1] http://www.vuxml.org/freebsd/pkg-acroread7.html
> > [2] http://www.vuxml.org/freebsd/f74dc01b-0e83-11da-bc08-0001020eed82.html
> > [3] http://www.vuxml.org/freebsd/02bc9b7c-e019-11d9-a8bd-000cf18bbe54.html
>
> Well, I think that the Linux version does not suffer from CAN-2005-1306:
> http://www.adobe.com/support/techdocs/331710.html
>
> Platforms affected are Windows and Mac OS. Am I missing something?

Adobe does not list the Linux version as affected, but the original
reporter of the problem does list the Linux version as affected, at
http://shh.thathost.com/secadv/adobexxe/ .  In these cases we prefer to
err on the side of caution and would rather list a package as affected,
even if it's not, than fail to list a package that turns out to
be affected.

I have just written a mail to the original reporter of the problem to
try to clarify the issue.

-- 
Simon L. Nielsen
FreeBSD Security Team

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20050828114326.GE854>