Bug 612064 - VUL-0: acroread authplay.so code exec
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: General
Importance: P1 - Urgent, Critical
Assigned To: Security Team bot
Reported: 2010-06-07 08:25 UTC by Ludwig Nussel
Modified: 2019-05-01 15:22 UTC (History)
Description Ludwig Nussel 2010-06-07 08:25:53 UTC
Your friendly security team received the following report.
Please respond ASAP.
The issue is public.

Adobe reports an exploitable code execution problem that affects acrobat reader:
http://www.adobe.com/support/security/advisories/apsa10-01.html

---------------------------------------------------------------
Security Advisory for Flash Player, Adobe Reader and Acrobat

Release date: June 4, 2010

Vulnerability identifier: APSA10-01

CVE number: CVE-2010-1297

Platform: All

Summary

A critical vulnerability exists in Adobe Flash Player 10.0.45.2 and earlier
versions for Windows, Macintosh, Linux and Solaris operating systems, and the
authplay.dll component that ships with Adobe Reader and Acrobat 9.x for
Windows, Macintosh and UNIX operating systems. This vulnerability
(CVE-2010-1297) could cause a crash and potentially allow an attacker to take
control of the affected system. There are reports that this vulnerability is
being actively exploited in the wild against both Adobe Flash Player, and Adobe
Reader and Acrobat. This advisory will be updated once a schedule has been
determined for releasing a fix.

Affected software versions

Adobe Flash Player 10.0.45.2, 9.0.262, and earlier 10.0.x and 9.0.x versions
for Windows, Macintosh, Linux and Solaris
Adobe Reader and Acrobat 9.3.2 and earlier 9.x versions for Windows, Macintosh
and UNIX

Note:
The Flash Player 10.1 Release Candidate available at
http://labs.adobe.com/technologies/flashplayer10/ does not appear to be vulnerable.
Adobe Reader and Acrobat 8.x are confirmed not vulnerable.

Mitigations

Adobe Flash Player
The Flash Player 10.1 Release Candidate available at
http://labs.adobe.com/technologies/flashplayer10/ does not appear to be vulnerable.

Adobe Reader and Acrobat
Deleting, renaming, or removing access to the authplay.dll file that ships with
Adobe Reader and Acrobat 9.x mitigates the threat for those products, but users
will experience a non-exploitable crash or error message when opening a PDF
file that contains SWF content.

The authplay.dll that ships with Adobe Reader and Acrobat 9.x for Windows is
typically located at C:\Program Files\Adobe\Reader 9.0\Reader\authplay.dll for
Adobe Reader or C:\Program Files\Adobe\Acrobat 9.0\Acrobat\authplay.dll for
Acrobat.

Severity rating

Adobe categorizes this as a critical issue.

Details

A critical vulnerability exists in Adobe Flash Player 10.0.45.2 and earlier
versions for Windows, Macintosh, Linux and Solaris operating systems, and the
authplay.dll component that ships with Adobe Reader and Acrobat 9.x for
Windows, Macintosh and UNIX operating systems. This vulnerability
(CVE-2010-1297) could cause a crash and potentially allow an attacker to take
control of the affected system. There are reports that this vulnerability is
being actively exploited in the wild against both Adobe Flash Player, and Adobe
Reader and Acrobat.

The Flash Player 10.1 Release Candidate available at
http://labs.adobe.com/technologies/flashplayer10/ does not appear to be vulnerable.

Adobe Reader and Acrobat 8.x are confirmed not vulnerable. Mitigation is
available for Adobe Reader and Acrobat 9.x customers as detailed above.
Comment 1 Bin Li 2010-06-08 07:04:28 UTC
Ludwig,

 Now acroread has included 'Reader/intellinux/lib/libauthplay.so.0.0.0', but I don't know where to find the correct library for the updates.

 And I found the latest reader is still AdbeRdr9.3.2-1_i486linux_enu.tar.bz2, so we don't need to upgrade it. Now the Adobe Flash Player is just at Release Candidate 7 (Jun 2, 2010) from the provided links. And the flashplayer10_1_rc7_linux_060210.so.tar.gz just includes the libflashplayer.so file, not libauthplay.so.
 
 So what do we need to update?

 Thanks!
Comment 2 Ludwig Nussel 2010-06-08 07:19:22 UTC
For a real fix we can only wait for adobe to release a new acrobat reader. In the meantime we could release an acroread package that has libauthplay removed.
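
The "removing access" mitigation from the advisory quoted in the description, applied to the libauthplay.so* file that comment 1 found inside the acroread package. This is an added example, not part of the bug report or of any SUSE package; the directory argument is an assumption, and 'stat -c' assumes GNU coreutils or busybox.

```shell
#!/bin/sh
# Added example: apply the APSA10-01 "remove access" mitigation to the
# libauthplay library bundled with acroread on Linux.
# Usage (directory is an assumption, pass the real install prefix):
#   sh mitigate_authplay.sh /path/to/acroread/install

# list_authplay DIR: print every bundled libauthplay file or symlink under DIR.
list_authplay() {
    find "$1" \( -type f -o -type l \) -name 'libauthplay.so*' 2>/dev/null | sort
}

# count_loadable DIR: number of regular libauthplay files that still have a
# permission bit set. 0 means the mitigation is in place everywhere.
count_loadable() {
    list_authplay "$1" | while IFS= read -r lib; do
        [ -L "$lib" ] && continue
        [ "$(stat -c '%a' "$lib")" = "0" ] || echo "$lib"
    done | wc -l | tr -d ' '
}

# mitigate_authplay DIR: strip all permission bits from each regular
# libauthplay file so an unprivileged reader process can no longer load it.
# Symlinks are skipped: chmod would follow them to the target, which is
# handled on its own. Prints "path old_mode" per changed file so the change
# can be rolled back once the fixed package is installed.
mitigate_authplay() {
    list_authplay "$1" | while IFS= read -r lib; do
        [ -L "$lib" ] && continue
        old_mode=$(stat -c '%a' "$lib") || continue
        [ "$old_mode" = "0" ] && continue      # already mitigated
        chmod 000 "$lib" && printf '%s %s\n' "$lib" "$old_mode"
    done
}

if [ "$#" -gt 0 ]; then
    mitigate_authplay "$1"
    echo "still loadable: $(count_loadable "$1")"
fi
```

Processes running as root ignore the mode bits, so this only protects readers started by unprivileged users. As the advisory says, opening a PDF with SWF content will then produce a crash or error message instead of loading the library.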
Comment 3 Ludwig Nussel 2010-06-25 09:26:25 UTC
Adobe announced that they are going to release updates on June 29, 2010
Comment 4 Ludwig Nussel 2010-06-29 15:20:49 UTC
acroread is about to be released
----------------
Adobe Security Bulletin – APSB10-15:
Security updates available for Adobe Reader and Acrobat
[...]

This update resolves a memory corruption vulnerability that could lead to code
execution (CVE-2010-1297).
Note: There are reports that this issue is being actively exploited in the wild.

This update mitigates a social engineering attack that could lead to code execution
(CVE-2010-1240).

This update resolves an invalid pointer vulnerability that could lead to code execution
(CVE-2010-1285).

This update resolves a memory corruption vulnerability that could lead to code
execution (CVE-2010-1295).

This update resolves an invalid pointer vulnerability that could lead to code execution
(CVE-2010-2168).

This update resolves an invalid pointer vulnerability that could lead to code execution
(CVE-2010-2201).

This update resolves a memory corruption vulnerability that could lead to code
execution (CVE-2010-2202).

This update resolves a UNIX-only memory corruption vulnerability that could lead to
code execution (CVE-2010-2203).

This update resolves a denial of service vulnerability; arbitrary code execution has not
been demonstrated, but may be possible (CVE-2010-2204).

This update resolves an uninitialized memory vulnerability that could lead to code
execution (CVE-2010-2205).

This update resolves an array-indexing error vulnerability that could lead to code
execution (CVE-2010-2206).

This update resolves a memory corruption vulnerability that could lead to code
execution (CVE-2010-2207).

This update resolves a dereference deleted heap object vulnerability that could lead to
code execution (CVE-2010-2208).

This update resolves a memory corruption vulnerability that could lead to code
execution (CVE-2010-2209).

This update resolves a memory corruption vulnerability that could lead to code
execution (CVE-2010-2210).

This update resolves a memory corruption vulnerability that could lead to code
execution (CVE-2010-2211).

This update resolves a memory corruption vulnerability that could lead to code
execution (CVE-2010-2212).
Comment 5 Swamp Workflow Management 2010-06-30 07:45:14 UTC
The SWAMPID for this issue is 34217.
This issue was rated as critical.
Please submit fixed packages as soon as possible.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 6 Bin Li 2010-06-30 08:56:51 UTC
Still not found the new updates in downloads of Adobe website.
Just wait...
Comment 7 Ludwig Nussel 2010-06-30 09:04:09 UTC
this one?
ftp://ftp.adobe.com/pub/adobe/reader/unix/9.x/9.3.3/
Comment 8 Bin Li 2010-06-30 09:15:23 UTC
Okay, download it now, thanks! It's a little slow to download it, I'll finish it before tomorrow.
Comment 9 Bin Li 2010-07-01 08:44:34 UTC
Done for 11.0, 11.1 and 11.2.

 42354  State:new     By:BinLi        When:2010-07-01T10:40:07
        submit:       home:BinLi:branches:openSUSE:11.2:NonFree/acroread  ->  openSUSE:11.2:NonFree   
        Descr: Update to 9.3.2 for security fixes(bnc#612064, swampid#34217)

 42355  State:new     By:BinLi        When:2010-07-01T10:41:28
        submit:       home:BinLi:branches:openSUSE:11.1:NonFree/acroread  ->  openSUSE:11.1:NonFree   
        Descr: Update to 9.3.3 for security fixes(bnc#612064, swampid#34217)

 42357  State:new     By:BinLi        When:2010-07-01T10:42:46
        submit:       home:BinLi:branches:openSUSE:11.2:NonFree/acroread  ->  openSUSE:11.0:NonFree   
        Descr: Update to 9.3.3 for security fixes(bnc#612064, swampid#34217)
Comment 10 Bin Li 2010-07-01 10:14:15 UTC
Done for sle11, sle10-sp2 and sle10-sp3.

  6910  State:new     By:BinLi        When:2010-07-01T12:10:16
        submit:       home:BinLi:branches:SUSE:SLE-11:Update/acroread_ja  ->  SUSE:SLE-11:Update     
        Descr: Update to 9.3.3 for security fixes(bnc#612064, swampid#34217)

  6909  State:new     By:BinLi        When:2010-07-01T11:36:28
        submit:       home:BinLi:branches:SUSE:SLE-10-SP3:Update/acroread_ja  ->  SUSE:SLE-10-SP3:Update   
        Descr: Update to 9.3.3 for security fixes(bnc#612064, swampid#34217)

  6906  State:new     By:BinLi        When:2010-07-01T11:30:12
        submit:       home:BinLi:branches:SUSE:SLE-11:Update/acroread  ->  SUSE:SLE-11:Update     
        Descr: Update to 9.3.3 for security fixes(bnc#612064, swampid#34217)

  6907  State:new     By:BinLi        When:2010-07-01T11:32:39
        submit:       home:BinLi:branches:SUSE:SLE-10-SP3:Update/acroread  ->  SUSE:SLE-10-SP3:Update   
        Descr: Update to 9.3.3 for security fixes(bnc#612064, swampid#34217)

 6908  State:new     By:BinLi        When:2010-07-01T11:33:58
        submit:       home:BinLi:branches:SUSE:SLE-10-SP2:Update/acroread  ->  SUSE:SLE-10-SP2:Update   
        Descr: Update to 9.3.3 for security fixes(bnc#612064, swampid#34217)
Comment 11 Bin Li 2010-07-01 10:15:10 UTC
->Fixed.

Forward to security team.
Comment 12 Marcus Meissner 2010-07-01 10:58:55 UTC
your submissions are partially broken ...

1. SLE 10 SP3:
6907: home:BinLi:branches:SUSE:SLE-10-SP3:Update/acroread: remote error: 400 conflict in file acroread.spec
6909: home:BinLi:branches:SUSE:SLE-10-SP3:Update/acroread_ja: remote error: 400 conflict in file acroread_ja.spec

2. SLE 11 GA:
6906: home:BinLi:branches:SUSE:SLE-11:Update/acroread: remote error: 400 conflict in file acroread.spec
6910: home:BinLi:branches:SUSE:SLE-11:Update/acroread_ja: remote error: 400 conflict in file acroread_ja.spec


can you run "osc pull" in your branch checkouts, resolve the conflicts, and submitreq again please?


(the opensuse ones also did not arrive, I am still checking them)
Comment 13 Bin Li 2010-07-01 11:31:33 UTC
How could I do it in WebUI? And when I use 'osc pull' it prompts 'Please commit your local changes first!'

If I rdelete the branch and branch again, I'll re-download and re-upload again.
Comment 14 Ludwig Nussel 2010-07-01 11:40:48 UTC
(In reply to comment #13)
> How could I do it in WebUI? And when I use the 'osc pull' it prompt 'Please
> commit your local changes first!'
 
That happens if you e.g. run "osc pull" twice. Check "osc status". It displays
something like this:
C    acroread-cmaps.spec
C    acroread.changes
C    acroread.spec

You need to fix the conflicts in those files and then run 'osc resolved' on
them to be able to check them in again.
Comment 15 Marcus Meissner 2010-07-01 11:51:31 UTC
so

vi acroread-cmaps.spec
... fix the conflicts (marked with <<<< , === and >>>>)
osc resolved acroread-cmaps.spec

... same for the other 2 ... 

osc ci
Comment 16 Marcus Meissner 2010-07-01 11:58:03 UTC
for openSUSE ... 

the submitted packages are not incremental to the last update.
(The last update was submitted by ro@suse.de), so autobuild will most
likely reject them.


To get a good incremental change here, you need to branch from the :Update project

osc branch openSUSE:11.0:Update acroread
... 
osc co home:bili...
cd home:bili...

do the changes incrementally to the checkout
osc ci
osc submitreq -m "update to 9.3.3"

same for 11.1 and 11.2.
Comment 17 Ludwig Nussel 2010-07-01 12:03:27 UTC
see also
http://wiki.opensuse.org/openSUSE:Package_maintenance
Comment 18 Bin Li 2010-07-01 13:31:49 UTC
(In reply to comment #16)
> for openSUSE ... 
> the submitted packages are not incremental to the last update.
> (The last update was submitted by ro@suse.de), so autobuild will most
> likely reject them.
> To get a good incremental change here, you need to branch from the :Update
> project
> osc branch openSUSE:11.0:Update acroread
> ... 
> osc co home:bili...
> cd home:bili...
> do the changes incrementally to the checkout
> osc ci
> osc submitreq -m "update to 9.3.3"
> same for 11.1 and 11.2.

I know about this, I just don't wanna download and upload the big tar file (about 57M) every time; you know it takes more than half an hour every time to download or upload.
Comment 19 Bin Li 2010-07-01 15:46:12 UTC
Done for sle11. I wrote a script for the others which could run at midnight, :) , tomorrow morning I'll finish it.

  6929  State:new     By:BinLi        When:2010-07-01T17:44:10
        submit:       home:BinLi:branches:SUSE:SLE-11:Update/acroread_ja  ->  SUSE:SLE-11:Update     
        Descr: Upgrade to 9.3.3 for security fix(bnC#612064,swampid#34217).

  6925  State:new     By:BinLi        When:2010-07-01T16:57:03
        submit:       home:BinLi:branches:SUSE:SLE-11:Update/acroread  ->  SUSE:SLE-11:Update     
        Descr: Upgrade 9.3.3 for security fix(bnc#612064, swampid#34217).
Comment 20 Bin Li 2010-07-02 03:07:13 UTC
Done for sle10-sp3.

  6932  State:new     By:BinLi        When:2010-07-02T05:06:30
        submit:       home:BinLi:branches:SUSE:SLE-10-SP3:Update/acroread_ja  ->  SUSE:SLE-10-SP3:Update   
        Descr: Upgrade to 9.3.3 for security fix(bnC#612064,swampid#34217).

  6931  State:new     By:BinLi        When:2010-07-02T05:04:15
        submit:       home:BinLi:branches:SUSE:SLE-10-SP3:Update/acroread  ->  SUSE:SLE-10-SP3:Update   
        Descr: Upgrade to 9.3.3 for security fix(bnC#612064,swampid#34217).
Comment 21 Bin Li 2010-07-02 06:07:26 UTC
Done, The openSUSE's submit should be okay.

  6934  State:new     By:BinLi        When:2010-07-02T08:06:19
        submit:       home:BinLi:branches:SUSE:SLE-10-SP2:Update/acroread  ->  SUSE:SLE-10-SP2:Update   
        Descr: Upgrade to 9.3.3 for security fix(bnC#612064,swampid#34217).
Comment 22 Ludwig Nussel 2010-07-02 14:09:58 UTC
box updates got rejected due to non-linear changes file
Comment 23 Bin Li 2010-07-05 02:31:30 UTC
(In reply to comment #22)
> box updates got rejected due to non-linear changes file

You said the openSUSE's release? Or SLE release?
Comment 24 Ludwig Nussel 2010-07-05 06:59:41 UTC
openSUSE
Comment 25 Swamp Workflow Management 2010-07-05 23:08:36 UTC
Update released for: acroread_ja, acroread_ja-debuginfo
Products:
SLE-DESKTOP 11 (i386, x86_64)
Comment 26 Swamp Workflow Management 2010-07-05 23:08:56 UTC
Update released for: acroread_ja, acroread_ja-debuginfo
Products:
SLE-DESKTOP 11-SP1 (i386, x86_64)
Comment 27 Swamp Workflow Management 2010-07-05 23:09:18 UTC
Update released for: acroread_ja, acroread_ja-debuginfo
Products:
SLE-DESKTOP 10-SP3 (i386, x86_64)
Comment 28 Swamp Workflow Management 2010-07-05 23:09:38 UTC
Update released for: acroread, acroread-cmaps, acroread-debuginfo, acroread-fonts-ja, acroread-fonts-ko, acroread-fonts-zh_CN, acroread-fonts-zh_TW
Products:
SLE-DESKTOP 10-SP3 (i386, x86_64)
Comment 29 Swamp Workflow Management 2010-07-05 23:09:59 UTC
Update released for: acroread, acroread-cmaps, acroread-debuginfo, acroread-fonts-ja, acroread-fonts-ko, acroread-fonts-zh_CN, acroread-fonts-zh_TW
Products:
SLE-DESKTOP 11-SP1 (i386, x86_64)
Comment 30 Swamp Workflow Management 2010-07-05 23:10:20 UTC
Update released for: acroread, acroread-cmaps, acroread-debuginfo, acroread-fonts-ja, acroread-fonts-ko, acroread-fonts-zh_CN, acroread-fonts-zh_TW
Products:
SLE-DEBUGINFO 11 (i386, x86_64)
SLE-DESKTOP 11 (i386, x86_64)
Comment 31 Bin Li 2010-07-06 03:54:13 UTC
11.2 is okay now. But I can't branch the 11.1 for updates: when I branch from openSUSE:11.1:Update or openSUSE:11.1:NonFree, it's okay, but when I check it out, it prompts a failure, like below.
The link contains errors: linked package 'acroread' is empty
I'll try it later.

 42630  State:new     By:BinLi        When:2010-07-06T05:47:35
        submit:       home:BinLi:branches:openSUSE:11.2:Update:Test/acroread  ->  openSUSE:11.2:Update:Test   
        Descr: Upgrade 9.3.3 for security fix
Comment 32 Marcus Meissner 2010-07-06 09:35:05 UTC
11.2 submission looks good!


The setup for 11.0 and 11.1 is kinda weird there and I have to inquire why. 
Due to closed source nature of acroread the sources did not get uploaded
correctly.

What will work (tested) is branching acroread from the internal buildservice:

for 11.1:
osc -A https://api.suse.de branch SUSE:openSUSE:11.1:Update:Test acroread
... then use the osc co line quoted ... 

for 11.0 too:
osc -A https://api.suse.de branch SUSE:openSUSE:11.1:Update:Test acroread
... same as above ...
Comment 33 Bin Li 2010-07-07 03:11:36 UTC
Marcus,

 Thanks! I just submit the 11.2's update to 11.1 and 11.0 directly, is it okay?

 42669  State:new     By:BinLi        When:2010-07-07T05:08:48
        submit:       home:BinLi:branches:openSUSE:11.2:Update:Test/acroread  ->  openSUSE:11.1:Update   
        Descr: Upgrade 9.3.3 for security fix

 42670  State:new     By:BinLi        When:2010-07-07T05:09:04
        submit:       home:BinLi:branches:openSUSE:11.2:Update:Test/acroread  ->  openSUSE:11.0:Update   
        Descr: Upgrade 9.3.3 for security fix
Comment 34 Marcus Meissner 2010-07-07 09:29:12 UTC
No ... the acroread.changes need to be incremental, otherwise it will not get accepted.

Everything else is fine, but please take the .changes from 11.1 and 11.0
and just add the 9.3.3 changes blob at the beginning.
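
A pre-submit check for the rule stated in comments 16 and 34, as an added example that is not part of the bug report or of osc: it treats a .changes file as incremental when it is the previously released file, byte for byte, with new entries added at the top. The file names, dates and e-mail address are constructed sample data, and the dashed separator line is the usual .changes entry delimiter.

```shell
#!/bin/sh
# Added example: verify that a new .changes file only adds entries on top of
# the .changes file from the :Update project it will be submitted to.

# changes_is_incremental OLD NEW
# Exit 0 only if NEW = <one or more added entries> + <OLD, unmodified>.
changes_is_incremental() {
    old_size=$(wc -c < "$1" | tr -d ' ')
    new_size=$(wc -c < "$2" | tr -d ' ')
    # Something must have been added.
    [ "$new_size" -gt "$old_size" ] || return 1
    # The tail of NEW must be byte-identical to OLD (history not rewritten).
    tail -c "$old_size" "$2" | cmp -s - "$1" || return 1
    # The added part must begin with an entry separator line.
    head -c "$((new_size - old_size))" "$2" | head -n 1 | grep -q '^-\{20,\}$'
}

# Constructed sample data: write_entry FILE DATE TEXT appends one entry.
SEP=-------------------------------------------------------------------
write_entry() {
    printf '%s\n%s - packager@example.com\n\n- %s\n\n' "$SEP" "$2" "$3" >> "$1"
}

# demo: one submission that would pass the rule and one that would not.
demo() {
    dir=$(mktemp -d)
    write_entry "$dir/update.changes" 'Mon Apr 12 09:00:00 UTC 2010' \
        'previous maintenance update'

    # Good: 9.3.3 entry on top of the released history.
    write_entry "$dir/good.changes" 'Thu Jul  8 03:30:00 UTC 2010' 'Upgrade to 9.3.3'
    cat "$dir/update.changes" >> "$dir/good.changes"

    # Bad: 9.3.3 entry on top of a history taken from another branch.
    write_entry "$dir/bad.changes" 'Thu Jul  8 03:30:00 UTC 2010' 'Upgrade to 9.3.3'
    write_entry "$dir/bad.changes" 'Mon Apr 12 09:00:00 UTC 2010' \
        'entry from a different branch'

    changes_is_incremental "$dir/update.changes" "$dir/good.changes" \
        && echo "good: incremental"
    changes_is_incremental "$dir/update.changes" "$dir/bad.changes" \
        || echo "bad: not incremental"
    rm -rf "$dir"
}
```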
Comment 35 Bin Li 2010-07-08 03:42:37 UTC
Done.

  7056  State:new     By:BinLi        When:2010-07-08T05:38:39
        submit:       home:BinLi:branches:SUSE:openSUSE:11.1:Update:Test/acroread  ->  SUSE:openSUSE:11.1:Update:Test   
        Descr: Upgrade to 9.3.3 for security updates

  7057  State:new     By:BinLi        When:2010-07-08T05:41:08
        submit:       home:BinLi:branches:SUSE:openSUSE:11.0:Update:Test/acroread  ->  SUSE:openSUSE:11.0:Update:Test   
        Descr: Upgrade to 9.3.3 for security updates
Comment 36 Bin Li 2010-07-08 03:43:40 UTC
Forward to security team.
Comment 37 Marcus Meissner 2010-07-08 06:29:28 UTC
your submission was fine now, thanks!
Comment 38 Swamp Workflow Management 2010-07-08 09:50:37 UTC
Update released for: acroread, acroread-cmaps, acroread-debuginfo, acroread-fonts-ja, acroread-fonts-ko, acroread-fonts-zh_CN, acroread-fonts-zh_TW
Products:
openSUSE 11.0 (i386)
openSUSE 11.1 (i586)
openSUSE 11.2 (i586, x86_64)
Comment 39 Swamp Workflow Management 2010-07-16 14:08:26 UTC
Update released for: acroread, acroread-debuginfo
Products:
SUSE-MOBLIN 2.1 (i386)
SUSE-MOBLIN 2.1-DEBUG (i386)
Comment 40 Swamp Workflow Management 2010-07-26 20:08:33 UTC
Update released for: acroread, acroread-debuginfo
Products:
SUSE-MOBLIN 2.0 (i386)
SUSE-MOBLIN 2.0-DEBUG (i386)
Comment 41 Bernhard Wiedemann 2016-04-15 11:50:42 UTC
This is an autogenerated message for OBS integration:
This bug (612064) was mentioned in
https://build.opensuse.org/request/show/42368 Factory:NonFree / acroread
https://build.opensuse.org/request/show/42442 11.3:NonFree / acroread