Bugzilla – Bug 42666
VUL-0: CVE-2003-0508: buffer overflow in acroread
Last modified: 2021-09-27 10:17:26 UTC
Hi, unfortunately another security problem was found in acrobat reader. http://www.securityfocus.com/archive/1/327335 A buffer overflow can be exploited via malformed pdf files to compromise a system.
<!-- SBZ_reproduce --> http://www.securityfocus.com/archive/1/327335 Proof-of-Concept code is attached to this posting too.
Ok, the problem is that we have to wait for an update from Adobe. I think we should release the current package that fix' the URL handling problem and later, when the buffer overflow ist fixed, release a new one. Is this ok?
Yes. Thomas, A question regarding bug 42583/27584: Must I submit the package again together with the patchinfo and putonftp file or is it o.k. if I do nothing (i.e. you would release the new acroread package by yourself)?
As soon as it's build by autobuild (I dindt saw a patchinfo/putonftp so far) and it's tested I will release the new acroread for fixing the url issue. In a few minutes I'll send you the p&p files for the buffer overflow
Created attachment 13012 [details] patchinfo
Created attachment 13013 [details] putonftp
More info: http://www.securityfocus.com/archive/1/328649
As IBM is measuring our bug processing time and as I cannot do anything else than wait for an update package from Adobe I resolve this bug as "REMIND" to keep the bug processing time low. (For the meaning of "REMIND" see http://bugzilla.suse.de/bug_status.html) Of course as soon as there is an update package from Adobe at ftp://ftp.adobe.com/pub/adobe/acrobatreader/unix/5.x/ (i.e. /mirror/server/ftp.adobe.com/pub/adobe/acrobatreader/unix/5.x/) I will make a new acrobat security update package.
<!-- SBZ_reopen -->Reopened by jsmeix@suse.de at Mon Aug 11 12:12:59 2003, took initial reporter thomas@suse.de to cc
ftp://ftp.adobe.com/pub/adobe/acrobatreader/unix/5.x/linux-508.tar.gz available now. The README in this arcive reads: ------------------------------------------------------------- A security patch was applied that solves a problem reported with long URLs in weblinks which can cause a buffer overrun. ------------------------------------------------------------- Building new acroread packages - please wait.
See bug 43717 for possible problems with version 5.08
For testing acroread version 5.08 for 8.2 and STABLE is available here: http://w3.suse.de/~jsmeix/acroread-5.08-0.i586.82.rpm http://w3.suse.de/~jsmeix/acroread-5.08-0.i586.STABLE.rpm
Johannes, an update results in a version upgrade. Can we please have a summary which versions of SuSE Linux are affected by this problem? Roman.
ALL :-( Reason: http://www.securityfocus.com/archive/1/327335 reads: Buffer overflow vulnerability in Adobe Acrobat Reader 5.0.7 and earlier "and earlier" => ALL Roman, please tell me down to which version I should make acroread update packages. Is it all versions shown here: http://www.suse.de/de/private/download/updates/index.html i.e. 7.2, 7.2, 8.0, 8.1, 8.2
For SuSE Linux 9.0 Adobe Acrobat Reader 5.0.8 is in STABLE. I would be grateful if updating 7.2, 7.3, 8.0, 8.1, SLES8 and 8.2 could be postponed until the 9.0 master was finished. Furthermore this way we know the 9.0 beta test results. O.k.?
Yes. Leaving the bug open...
Done for 8.2-i386 and 8.1/SLES8/UL-i386. This was a minor version update from version 5.07 to 5.08 To be done for 8.0-i386, 7.3-i386, 7.2/SLES7-i386: This requires major changes in spec files and detailed testing because this will be a major version update from version 4.05 to 5.08 Regarding detailed testing: According to a customer feedback acroread version 4.05 accepts German umlauts to fill in forms but version 5.7 (and 5.8) don't - see http://bugzilla.suse.de/show_bug.cgi?id=28718 Should I really make the major version update for 8.0, 7.3 and 7.2/SLES7 ?
Question: What about having acroread version 5.08 on SP3 for SLES8 ? Added Ralf to Cc.
No answer from Ralf. Ralf, please reassign the bug back to security-team@suse.de once you're done with it. Next in chain: cs@suse.de. Background: It would be desireable to have the updates for 7.3 and 8.0, too.
We will just pick up for SP3 just any security update that was released until our deadline. So no need to ask me for security updates. Just do and release them and we will automatically pick them up if they are ready in time for SP3.
SP3 released, box packages approved
CVE-2003-0508
CVE-2003-0508: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)