Bugzilla – Bug 105054
VUL-0: Acrobat and Adobe Reader plug-in buffer overflow - 7.0 affected
Last modified: 2021-11-10 14:50:09 UTC
http://www.adobe.com/support/techdocs/321644.html

Security Advisory: Acrobat and Adobe Reader plug-in buffer overflow
Release Date: August 16th, 2005
Products: Adobe Reader 5.1, 6.0-6.0.3, 7.0-7.0.2, Adobe Acrobat 5.0-5.0.5, 6.0-6.0.3, 7.0-7.0.2
Platform: Windows, Mac OS, Linux, Solaris
Vulnerability Identifier: CVE-2005-2470

Overview: Adobe has discovered a buffer overflow in Adobe Acrobat and Adobe Reader. This issue has been addressed and a product update is available to proactively mitigate potential malicious activity. Adobe always recommends that users keep their systems up to date, and install the latest update of these applications.

Effect: If the vulnerability were successfully exploited, the application could crash with an increased risk of arbitrary code execution.

Details: The identified vulnerability is a buffer overflow within a core application plug-in, which is part of Adobe Acrobat and Adobe Reader. If a malicious file were opened it could trigger a buffer overflow as the file is being loaded into Adobe Acrobat and Adobe Reader. A buffer overflow can cause the application to crash and increase the risk of malicious code execution.

Recommendations:
Adobe Reader on Linux or Solaris:
-- For version 7.0, users should upgrade to Adobe Reader 7.0.1 from www.adobe.com/products/acrobat/readstep2.html .
-- For versions prior to 7.0, users should upgrade to 7.0.1 from www.adobe.com/products/acrobat/readstep2.html .
In creating a package with this update, I get an error about the PPKLite.api plugin being unable to load. According to this site http://supportforum.sun.com/sjds/index.php?rid=0&t=msg&th=1783 openldap2-devel is needed. Installing that along with openssl-devel and cyrus-sasl-devel, which were required, did make it work. But this seems unacceptable, to have to install 3 developer packages for this plugin to work... Other than this problem it is working on my sles9 box.
thanks George! CAN-2005-2470 Can you please provide updated packages for 9.0 - 9.3 and STABLE? As for the additional dependency, what exactly does it need? libldap.so? It should probably require libldap.so.<MAJOR> instead of the .so symlink. :/
6 remote non-root user
+1 default package
+1 default active
-1 user interaction
+1 command execution
Total Score: 8 (Critical)

RedHat has already issued an advisory.
The readme has: If PPKLite still fails to load, make a link to the installed libldap.so.X and liblber.so.X in <INSTALL_PATH>/Reader/intellinux/lib with the names 'libldap.so' and 'liblber.so'. [1132741] I am trying to figure out the best way to do this. Suggestions welcome.
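The readme's workaround above (link the system's versioned libldap.so.X and liblber.so.X into <INSTALL_PATH>/Reader/intellinux/lib under the unversioned names) can be scripted so the link targets are discovered rather than hard-coded. The following is an added example, not part of this bug report, Adobe's readme, or the SUSE package: the function names `link_ldap_libs` and `resolve_link`, the default system library directory /usr/lib, and the choice of the lexically highest versioned file are all assumptions.

```shell
#!/bin/sh
# Added example (not from the bug or Adobe's readme): create the
# 'libldap.so' / 'liblber.so' links that PPKLite.api expects inside
# <INSTALL_PATH>/Reader/intellinux/lib, pointing at the versioned
# libraries the system actually ships (libldap.so.X, liblber.so.X).
# Assumptions: POSIX sh; the directory passed as $2 holds the versioned
# libraries (default /usr/lib is a guess, not taken from the bug).

# link_ldap_libs INSTALL_PATH [SYSLIBDIR]
# Returns 0 when both links were created, 1 on any failure.
link_ldap_libs() {
    install_path=$1
    syslib=${2:-/usr/lib}
    plugdir="$install_path/Reader/intellinux/lib"

    mkdir -p "$plugdir" || return 1

    for base in libldap liblber; do
        # Candidate targets: libldap.so.2, libldap.so.2.0.130, ...
        # Plain sort is lexical, so with several major versions present
        # the pick is arbitrary; adjust if more than one major is installed.
        target=$(ls "$syslib"/"$base".so.[0-9]* 2>/dev/null | sort | tail -n 1)
        if [ -z "$target" ]; then
            echo "no $base.so.X found in $syslib" >&2
            return 1
        fi
        # Never clobber a real file; only (re)create a symlink.
        if [ -e "$plugdir/$base.so" ] && [ ! -L "$plugdir/$base.so" ]; then
            echo "$plugdir/$base.so exists and is not a symlink; leaving it" >&2
            return 1
        fi
        ln -sf "$target" "$plugdir/$base.so" || return 1
    done
    return 0
}

# resolve_link LINK
# Prints the link's target if it is a symlink whose target exists;
# returns 1 otherwise (dangling link, missing, or a regular file).
resolve_link() {
    link=$1
    [ -L "$link" ] || return 1
    target=$(readlink "$link") || return 1
    [ -e "$target" ] || return 1
    printf '%s\n' "$target"
}

# Usage: link_ldap_libs /opt/Adobe/Acrobat7.0 /usr/lib
#        resolve_link /opt/Adobe/Acrobat7.0/Reader/intellinux/lib/libldap.so
```

Because the links carry the absolute path of the versioned library, they go stale if that library is removed or its major version changes; re-run the function after an openldap2 upgrade, or, as suggested in the thread, have the package depend on the versioned soname rather than the unversioned .so.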
OK, I wasn't so smart when I was testing this.. I was using one built for 9.3 and trying to install it on sles9, which has different ldap library versions. I've built for sles9 and it works just fine with no errors. Checking it in for that. I'll update 9.0 - 9.3 and Stable with this new version tonight.
I submitted the update to 9.1 - 9.3 and SLES9. I have not put it in STABLE as there is another fix waiting there to be checked in. I can do that tomorrow. Not sure if I should start the patchinfo or not.
By the way, I did not test 9.1-9.3. Hopefully someone with those distributions can run it through and make sure it's working alright.
SM-Tracker-209
SM-Tracker-2095
patchinfos submitted.
released + adv