Date:      Sun, 28 Aug 2005 15:25:25 +0400
From:      Boris Samorodov <bsam@ipt.ru>
To:        "Simon L. Nielsen" <simon@FreeBSD.org>
Cc:        Ian Moore <imoore@swiftdsl.com.au>, freebsd-security@FreeBSD.org, trevor@freebsd.org, secteam@FreeBSD.org
Subject:   Re: Acroread7 security vulnerability
Message-ID:  <21107114@srv.sem.ipt.ru>
In-Reply-To: <20050828111317.GC854@zaphod.nitro.dk> (Simon L. Nielsen's message of "Sun, 28 Aug 2005 13:13:18 +0200")
References:  <200508281014.29868.imoore@swiftdsl.com.au> <87188868@srv.sem.ipt.ru> <20050828111317.GC854@zaphod.nitro.dk>

On Sun, 28 Aug 2005 13:13:18 +0200 Simon L. Nielsen wrote:

> On 2005.08.28 14:56:11 +0400, Boris Samorodov wrote:

> > On Sun, 28 Aug 2005 10:14:21 +0930 Ian Moore wrote:
> > 
> > > I've just updated my acroread port to 7.0.1 & was surprised when portaudit 
> > > still listed it as a vulnerability.

> It is, at least based on the information we (Security Team) have.

> > I think it is portaudit problem.
> > 
> > > According to  http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/85093, the 
> > > upgrade to 7.0.1 is supposed to fix the problem, but according to 
> > > http://www.freebsd.org/ports/portaudit/02bc9b7c-e019-11d9-a8bd-000cf18bbe54.html 
> > > and Adobe's web site at http://www.adobe.com/support/techdocs/331710.html, 
> > > the problem exists in 7.0.1 as well, but is fixed in 7.0.2.
> > 
> > > I'm just wondering who is right here, or am I missing something?
> > 
> > It looks like you missed the platform to pay attention to. For Linux
> > and Solaris "users should upgrade to Adobe Reader 7.0.1"...

> You are mixing up two different vulnerabilities [1]. The vulnerability
> fixed by the 7.0.1 upgrade was "acroread -- plug-in buffer overflow
> vulnerability" [2].  The vulnerability portaudit is warning you about
> is "acroread -- XML External Entity vulnerability" [3].  As far as I
> know Adobe has not released any fix for the Linux version of Adobe
> Reader for [3].

> [1] http://www.vuxml.org/freebsd/pkg-acroread7.html
> [2] http://www.vuxml.org/freebsd/f74dc01b-0e83-11da-bc08-0001020eed82.html
> [3] http://www.vuxml.org/freebsd/02bc9b7c-e019-11d9-a8bd-000cf18bbe54.html

Well, I think that the Linux version does not suffer from CAN-2005-1306:
http://www.adobe.com/support/techdocs/331710.html

Platforms affected are Windows and Mac OS. Am I missing something?


WBR
-- 
bsam
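The entry portaudit is flagging is an XML External Entity (XXE) issue. As an added illustration of that vulnerability class (example code written for this page; it is not from the thread, from Adobe Reader or from the FreeBSD ports tree), the block below uses Python's standard-library `xml.sax` to parse a constructed document that declares an external entity pointing at a constructed temporary file. The `fetch_external_entities` switch maps onto `xml.sax.handler.feature_external_ges`: with it on, the parser inlines the file's contents into the element text; with it off (the hardened configuration) the reference expands to nothing. `declares_external_entity` is an additional pre-parse check a defender can apply to reject such documents outright.

```python
"""Added example, not code from the mailing-list thread or from Adobe:
an XXE-exposed parser configuration next to the hardened one, using the
standard library xml.sax, a constructed XML document and a constructed
temporary file standing in for a local file the parser must never read."""
import io
import os
import re
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges

# Constructed sample content standing in for a sensitive local file.
SAMPLE_SECRET = "constructed-secret-token\n"

# Pre-parse check: does the internal DTD subset declare any external
# (SYSTEM/PUBLIC) entity at all? Ordinary data documents never need one.
EXTERNAL_ENTITY_DECL = re.compile(r"<!ENTITY\s+\S+\s+(?:SYSTEM|PUBLIC)\b")


def build_document(path):
    """Constructed hostile document: the DTD declares entity 'ext' as the
    file at `path` and the body references it, so an expanding parser
    inlines that file into the element's text."""
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE doc [<!ENTITY ext SYSTEM "%s">]>\n'
        '<doc>&ext;</doc>\n' % path
    )


def declares_external_entity(document):
    """True when the document declares an external entity (reject it)."""
    return EXTERNAL_ENTITY_DECL.search(document) is not None


class TextCollector(ContentHandler):
    """Collects character data so we can see what the parser expanded."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)


def parse_text(document, fetch_external_entities):
    """Parse `document` and return the text content of its root element.
    feature_external_ges is the xml.sax switch deciding whether general
    external entities are fetched; the hardened setting is False, under
    which an external entity reference simply expands to nothing."""
    parser = xml.sax.make_parser()
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.setFeature(feature_external_ges, fetch_external_entities)
    parser.parse(io.BytesIO(document.encode("utf-8")))
    return "".join(collector.chunks)


def run_demo(fetch_external_entities):
    """Write the constructed secret to a temporary file, parse a document
    that references it, remove the file, and return what was expanded."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(SAMPLE_SECRET)
        return parse_text(build_document(path), fetch_external_entities)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    sample = build_document("/path/to/some/local/file")  # placeholder path
    print("document declares an external entity:",
          declares_external_entity(sample))
    print("exposed parser expanded:  %r" % run_demo(True))
    print("hardened parser expanded: %r" % run_demo(False))
```

Run it once with each setting: the exposed parser returns the temporary file's contents as element text, the hardened parser returns an empty string. Turning `feature_external_ges` off is the parser-side fix; refusing documents for which `declares_external_entity` is true stops the document before any parsing happens.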


