Bug 58788 (CVE-2004-0631)

Summary: VUL-0: CVE-2004-0631: buffer overflow and shell meta character problem in acroread
Product: [Novell Products] SUSE Security Incidents
Reporter: Johannes Meixner <jsmeix>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: VERIFIED FIXED
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P3 - Medium
CC: burnus, forgotten_OS1JNCFbCX, jsmeix, security-team
Version: unspecified   
Target Milestone: ---   
Hardware: i386   
OS: Linux   
Whiteboard: CVE-2004-0631: CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Bug Depends on: 57092    
Bug Blocks:    
Attachments: patchinfo for box
patchinfo for maintained

Description Forgotten User OS1JNCFbCX 2004-08-13 17:15:28 UTC
I assume you have already read this, but if this was not the case: 
 
http://idefense.com/application/poi/display?id=124&type=vulnerabilities 
 
http://idefense.com/application/poi/display?id=125&type=vulnerabilities
Comment 1 Ludwig Nussel 2004-08-13 17:37:38 UTC
This is CAN-2004-0630 and CAN-2004-0631. The advisories state that 'the vendor 
appears to have silently fixed this vulnerability' and that 5.09 is not 
affected. We have 5.08 on most releases. Johannes, do you know whether Adobe 
has patched 5.08 already? 
Comment 2 Johannes Meixner 2004-08-13 17:48:07 UTC
I have no information from Adobe.
I will not touch any acroread package until bug 57092 is solved.
Comment 3 Ludwig Nussel 2004-08-16 22:53:26 UTC
*** Bug 58851 has been marked as a duplicate of this bug. ***
Comment 4 Tobias Burnus 2004-08-16 23:16:42 UTC
I want to mark that one can find at
http://www.adobe.com/products/acrobat/readstep2.html 
the version 5.0.9.

HEAD /pub/adobe/acrobatreader/unix/5.x/linux-509.tar.gz HTTP/1.1
Host: ardownload.adobe.com
Last-Modified: Tue, 25 May 2004 00:13:30 GMT

And in the advisories, I find:
"iDEFENSE has tested Adobe Acrobat Reader (UNIX) 5.0.9, which appears to be
patched against this vulnerability."
Comment 5 Johannes Meixner 2004-08-16 23:46:31 UTC
We know about the newest version.
We know where to get it.
We know what iDEFENSE wrote.
Nevertheless: Read my comment #2.
Comment 6 Marcus Meissner 2004-08-16 23:50:41 UTC
Johannes wants to say that we will need to clarify the license issues before 
doing any further updates. 
Comment 7 Forgotten User OS1JNCFbCX 2004-08-16 23:54:16 UTC
Johannes, I think the problem here was that external people are not allowed 
to read bug 57092. 
Comment 8 Johannes Meixner 2004-08-17 00:04:30 UTC
Ah, yes, thanks for explaining it!
Comment 9 Johannes Meixner 2004-08-17 17:07:25 UTC
Reopened by jsmeix@suse.de at Tue Aug 17 11:07:25 2004, took initial reporter rschiele@uni-mannheim.de to cc
Comment 10 Johannes Meixner 2004-08-17 17:07:25 UTC
Especially for acroread version 5.09 the license problem is solved, see
http://bugzilla.suse.de/show_bug.cgi?id=42092#c19

Therefore I will now make security updates to version 5.09
Comment 11 Johannes Meixner 2004-08-17 20:06:30 UTC
Submitted acroread version 5.09 package to /work/src/done/
 8.1/acroread = SLES8/acroread = UL1/acroread
 8.2/acroread
 9.0/acroread
 9.1/acroread = SLES9/acroread

For me it is fixed.
I reassign it to the security-team.
Comment 12 Sebastian Krahmer 2004-08-17 20:10:51 UTC
I submitted the patchinfo files. Will append them here for
completeness.
Comment 13 Sebastian Krahmer 2004-08-17 20:11:35 UTC
Created attachment 22752
patchinfo for box

...
Comment 14 Sebastian Krahmer 2004-08-17 20:11:56 UTC
Created attachment 22753
patchinfo for maintained

...
Comment 15 Johannes Meixner 2004-08-17 20:16:54 UTC
According to
/work/src/done/PATCHINFO/acroread.patch.maintained
---------------------------------------------------------------------------
DISTRIBUTION: sles7-i386,sles8-slec-i386,sles9-i386,sles9-x86_64,ul1-i386
---------------------------------------------------------------------------
the security update should be made for SLES7 too
and according to "is_maintained acroread"
---------------------------------------------------------------------------
Package is on CD slos-1.0.i386
        Distribution: sles7-i386
        Distributionstring: SuSE-Linux-SLOS-i386
        Marketing-Name: SuSE Linux Office Server
---------------------------------------------------------------------------
it is really maintained for SLES7 but there is no directory for SLES7
under /work/src/done/
Therefore I don't know what to do regarding SLES7.
Comment 16 Sebastian Krahmer 2004-08-17 20:24:12 UTC
I think SLES7 isn't supported anymore, no?
So I will remove the sles7 entry from patchinfo.
Comment 17 Marcus Meissner 2004-08-17 21:19:30 UTC
Yes, please remove it.
Comment 18 Marcus Meissner 2004-08-26 23:23:16 UTC
Updates approved.
Comment 19 Thomas Biege 2009-10-13 20:31:35 UTC
CVE-2004-0631: CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)