Bug 105054

Summary: VUL-0: Acrobat and Adobe Reader plug-in buffer overflow - 7.0 affected
Product: [Novell Products] SUSE Security Incidents Reporter: George Horlacher <ghorlacher>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: VERIFIED FIXED QA Contact: Security Team bot <security-team>
Severity: Critical    
Priority: P5 - None CC: security-team
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: All   
Whiteboard: qa
Found By: Other Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description George Horlacher 2005-08-16 21:28:35 UTC 
http://www.adobe.com/support/techdocs/321644.html 
 
Security Advisory: Acrobat and Adobe Reader plug-in buffer overflow 
Release Date: August 16th, 2005  
 
Products: Adobe Reader 5.1, 6.0-6.0.3, 7.0-7.0.2, Adobe Acrobat 5.0-5.0.5, 
6.0-6.0.3, 7.0-7.0.2  
 
Platform : Windows, Mac OS, Linux, Solaris  
 
Vulnerability Identifier: CVE-2005-2470  
 
Overview: Adobe has discovered a buffer overflow in Adobe Acrobat and Adobe 
Reader. This issue has been addressed and a product update is available to 
proactively mitigate potential malicious activity. Adobe always recommends 
that users keep their systems up to date, and install the latest update of 
these applications.  
 
Effect: If the vulnerability were successfully exploited, the application 
could crash with an increased risk of arbitrary code execution.  
 
Details: The identified vulnerability is a buffer overflow within a core 
application plug-in, which is part of Adobe Acrobat and Adobe Reader. If a 
malicious file were opened it could trigger a buffer overflow as the file is 
being loaded into Adobe Acrobat and Adobe Reader. A buffer overflow can cause 
the application to crash and increase the risk of malicious code execution.  
 
Recommendations:  
 
Adobe Reader on Linux or Solaris:  
 
-- For version 7.0, users should upgrade to Adobe Reader 7.0.1 from 
www.adobe.com/products/acrobat/readstep2.html .  
 
-- For versions prior to 7.0, users should upgraded to 7.0.1 from 
www.adobe.com/products/acrobat/readstep2.html .
Comment 1 George Horlacher 2005-08-16 22:08:50 UTC 
In creating a package with this update, I get an error about the PPKLite.api 
plugin being unable to load. According to this site 
http://supportforum.sun.com/sjds/index.php?rid=0&t=msg&th=1783 
openldap2-devel is needed.  Installing that along with openssl-devl and 
cyrus-sasl-devel.rpm which where required did make it work.  But this seems 
unexceptable to have to install 3 developer packages for this plugin to 
work... Other then this problem it is working on my sles9 box.
Comment 2 Marcus Meissner 2005-08-17 06:37:47 UTC 
thanks George!   
  
CAN-2005-2470   
  
Can you please provide updated packages for 9.0 - 9.3 and STABLE?   
  
As for the additional dependency what exactly does it need ? libldap.so?  
 
it should probably require libldap.so.<MAJOR> instead of the so symlink. :/
Comment 3 Ludwig Nussel 2005-08-17 14:53:57 UTC 
   6 remote non-root user 
  +1 default package 
  +1 default active 
  -1 user interaction 
  +1 command execution 
 
Total Score: 8 (Critical) 
 
RedHat has already issued an advisory.
Comment 4 George Horlacher 2005-08-17 17:00:44 UTC 
The readme has: 
 
If PPKLite still fails to load, make a link to the 
installed libldap.so.X and liblber.so.X in 
<INSTALL_PATH>/Reader/intellinux/lib with the names 'libldap.so' and 
'liblber.so'. [1132741] 
 
I am trying to figure out the best way to do this. Suggestions welcome.
Comment 5 George Horlacher 2005-08-18 03:47:14 UTC 
OK, I wasnt so smart when I was testing this..  I was using one built for 9.3 
and trying to install it on sles9 which has different ldap library versions.  
I've built for sles9 and it works just fine with no errors.  Checking it in 
for that.  I'll update 9.0  - 9.3 and Stable with this new version tonight.
Comment 6 George Horlacher 2005-08-18 04:08:12 UTC 
I submitted the update to 9.1 - 9.3 and SLES9.  I have not put it in STABLE as 
there is another fix waiting there to be checked into. I can do that tomorrow. 
Not sure if I should start the patchinfo or not.
Comment 7 George Horlacher 2005-08-18 04:09:10 UTC 
By the way, I did not test 9.1-9.3.  Hopefully someone with those 
distributions can run it through and make sure it's working alright.
Comment 8 Marcus Meissner 2005-08-18 15:35:06 UTC 
SM-Tracker-209
Comment 9 Marcus Meissner 2005-08-18 15:35:30 UTC 
SM-Tracker-2095
Comment 10 Marcus Meissner 2005-08-18 15:59:34 UTC 
patchinfos submitted.
Comment 11 Marcus Meissner 2005-08-22 11:29:43 UTC 
released + adv