Bug 155313

Summary: Acroread security updates not made available?
Product: [openSUSE] SUSE LINUX 10.0 Reporter: John Hillier <imaginebox>
Component: Update ProblemsAssignee: E-mail List <yast2-maintainers>
Status: RESOLVED WONTFIX QA Contact: Klaus Kämpf <kkaempf>
Severity: Normal    
Priority: P5 - None CC: security-team, suse-beta
Version: Final   
Target Milestone: ---   
Hardware: x86   
OS: SuSE Linux 10.0   
Whiteboard: CVE-2005-2470: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Found By: Customer Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description John Hillier 2006-03-05 05:45:47 UTC 
Acroread version 7.0.1 is included with SUSE Linux 10 but the security update from Adobe to version 7.0.5 is only availabe via YAST Source Mirrors for SUSE Linux 10.1, not for SUSE Linux 10 or via YOU (YAST Online Update). Even though this is technically third party software I believe since Acroread is packaged with the non-OSS version of SUSE Linux 10 then Novell should either provide the security update or at least contact the package maintainer. 

Also clarification would be appreciated regarding the difference between Acroread 7.0.5 and the file "AdobeReader 7.0.5" listed on Adobe's site. YAST views the package as a seperate installation instead of an update.

Additional information for the bugzilla team. It was attempted to use Acroread 7.0.5 from the SUSE Linux 10.1 YAST Source Mirrors but this caused compatibility issues with Firefox 1.5.0.1 (another application not available via YOU) and with third party software used such as Apple Shake 4.0.
Comment 1 Marcus Meissner 2006-03-06 07:14:56 UTC 
acroread 7.0.5 does not have Linux specific security problems we know of, so there is no upgrade.
Comment 2 John Hillier 2006-03-07 03:44:52 UTC 
(In reply to comment #1)
> acroread 7.0.5 does not have Linux specific security problems we know of, so
> there is no upgrade.
> 

As I stated in my post this is not in reference to a security vulnerability with Acroread 7.0.5 but that an update from Acroread 7.0.1 was not provided for SUSE Linux 10 customers. As indicated here http://www.securityfocus.com/bid/14603 "Adobe Acrobat and Adobe Reader Remote Buffer Overflow Vulnerability" was detected with version 7.0.1 and reason for my request for Novell to supply an update to version 7.0.5 via YOU. I would download this update from a YAST Source Mirror but unfortunately the Acroread 7.0.5 is only available on SUSE Linux 10.1 YAST Source Mirrors. I find this surprizing considering SUSE Linux 10.1 is still in Beta stage of developement and that preference should be on securing the current release.
Comment 3 Marcus Meissner 2006-03-07 06:58:25 UTC 
Your assumption is wrong, you need to read the article more carefully:

"Not Vulnerable:    Adobe Acrobat Reader (UNIX) 7.0.1"
which is the current released version by us.

Also, check the CAN number via: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2470

Than you will see that we released an update for this BID, and that the fixed
version is 7.0.1.

http://lists.suse.com/archive/suse-security-announce/2005-Aug/0005.html
Comment 4 Thomas Biege 2009-10-13 20:50:08 UTC 
CVE-2005-2470: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)