Bugzilla – Bug 155313
Acroread security updates not made available?
Last modified: 2009-10-13 20:50:08 UTC
Acroread version 7.0.1 is included with SUSE Linux 10 but the security update from Adobe to version 7.0.5 is only available via YAST Source Mirrors for SUSE Linux 10.1, not for SUSE Linux 10 or via YOU (YAST Online Update). Even though this is technically third party software, I believe that since Acroread is packaged with the non-OSS version of SUSE Linux 10, Novell should either provide the security update or at least contact the package maintainer. Also, clarification would be appreciated regarding the difference between Acroread 7.0.5 and the file "AdobeReader 7.0.5" listed on Adobe's site. YAST views the package as a separate installation instead of an update.

Additional information for the Bugzilla team: it was attempted to use Acroread 7.0.5 from the SUSE Linux 10.1 YAST Source Mirrors, but this caused compatibility issues with Firefox 1.5.0.1 (another application not available via YOU) and with third party software used, such as Apple Shake 4.0.
acroread 7.0.5 does not have Linux specific security problems we know of, so there is no upgrade.
(In reply to comment #1)
> acroread 7.0.5 does not have Linux specific security problems we know of, so
> there is no upgrade.
>

As I stated in my post, this is not in reference to a security vulnerability with Acroread 7.0.5 but that an update from Acroread 7.0.1 was not provided for SUSE Linux 10 customers. As indicated here http://www.securityfocus.com/bid/14603 "Adobe Acrobat and Adobe Reader Remote Buffer Overflow Vulnerability" was detected with version 7.0.1, and that is the reason for my request for Novell to supply an update to version 7.0.5 via YOU. I would download this update from a YAST Source Mirror but unfortunately Acroread 7.0.5 is only available on SUSE Linux 10.1 YAST Source Mirrors. I find this surprising considering SUSE Linux 10.1 is still in the Beta stage of development and that preference should be on securing the current release.
Your assumption is wrong, you need to read the article more carefully: "Not Vulnerable: Adobe Acrobat Reader (UNIX) 7.0.1", which is the current released version by us. Also, check the CAN number via: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2470 Then you will see that we released an update for this BID, and that the fixed version is 7.0.1. http://lists.suse.com/archive/suse-security-announce/2005-Aug/0005.html
CVE-2005-2470: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)