Bug 629134 - VUL-0: acroread integer overflow
Status: RESOLVED FIXED
Duplicates: 632230 633159
Classification: Novell Products
Product: SUSE Security Incidents
Component: General
Version: unspecified
Hardware: Other
OS: Other
Priority: P2 - High
Severity: Major
Assigned To: Security Team bot
QA Contact: Security Team bot
Whiteboard: maint:released:11.1:35332 maint:relea...
Depends on:
Blocks:
Reported: 2010-08-06 14:27 UTC by Ludwig Nussel
Modified: 2016-04-15 12:56 UTC
See Also:
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Description Ludwig Nussel 2010-08-06 14:27:52 UTC
The issue is public.

Adobe has announced an update of acroread to fix an integer overflow (CVE-2010-2862):
http://www.adobe.com/support/security/bulletins/apsb10-17.html

Security Advisory for Adobe Reader and Acrobat

Release date: August 5, 2010

Vulnerability identifier: APSB10-17

Platform: Platforms
Summary

Adobe is planning to release updates for Adobe Reader 9.3.3 for Windows, Macintosh and UNIX, Adobe Acrobat 9.3.3 for Windows and Macintosh, and Adobe Reader 8.2.3 and Acrobat 8.2.3 for Windows and Macintosh to resolve critical security issues, including CVE-2010-2862 which was discussed at the Black Hat USA 2010 security conference on Wednesday, July 28, 2010. Adobe expects to make these updates available during the week of August 16, 2010.

Note that these updates represent an out-of-band release. Adobe is currently scheduled to release the next quarterly security update for Adobe Reader and Acrobat on October 12, 2010.

Users may monitor the latest information on the Adobe Product Security Incident Response Team blog at http://blogs.adobe.com/psirt or by subscribing to the RSS feed here: http://blogs.adobe.com/psirt/atom.xml.

(Note: This Security Advisory will be replaced with the final Security Bulletin upon release of the updates during the week of August 16, 2010.)
Affected software versions

Adobe Reader 9.3.3 and earlier versions for Windows, Macintosh, and UNIX
Adobe Acrobat 9.3.3 and earlier versions for Windows and Macintosh
Severity rating

Adobe categorizes these as critical updates.
Comment 1 Bin Li 2010-08-09 06:55:10 UTC
Okay, wait for the updates link for download.
Comment 4 Ludwig Nussel 2010-08-19 14:15:28 UTC
9.3.4 appeared at their ftp server:
ftp://ftp.adobe.com/pub/adobe/reader/unix/9.x/9.3.4/
Comment 5 Ludwig Nussel 2010-08-20 14:11:16 UTC
http://www.adobe.com/support/security/bulletins/apsb10-17.html

These updates resolve an integer overflow vulnerability that could lead to code
execution (CVE-2010-2862).

These updates further mitigate a social engineering attack that could lead to
code execution (CVE-2010-1240).
Comment 7 Ludwig Nussel 2010-08-20 14:33:01 UTC
*** Bug 633159 has been marked as a duplicate of this bug. ***
Comment 12 Bin Li 2010-08-26 10:47:25 UTC
Done, for 11.1, 11.2 and 11.3.

 46314  State:new     By:BinLi        When:2010-08-26T12:45:56
        submit:       home:BinLi:branches:openSUSE:11.2:Update:Test/acroread  ->  openSUSE:11.2:Update:Test   
        Descr: 'Update to 9.3.4 for integer overflow(bnc#629134, swampid#35325)'

 46313  State:new     By:BinLi        When:2010-08-26T12:45:35
        submit:       home:BinLi:branches:openSUSE:11.3:NonFree/acroread  ->  openSUSE:11.3:NonFree   
        Descr: 'Update to 9.3.4 for integer overflow(bnc#629134, swampid#35325)'

  7870  State:new     By:BinLi        When:2010-08-26T12:45:15
        submit:       home:BinLi:branches:SUSE:openSUSE:11.1:Update:Test/acroread  ->  SUSE:openSUSE:11.1:Update:Test   
        Descr: 'Update to 9.3.4 for integer overflow(bnc#629134, swampid#35325)'
Comment 13 Bin Li 2010-08-26 10:58:41 UTC
Forward to security team.
Comment 14 Tobias Burnus 2010-08-27 08:05:19 UTC
For Factory, one can find the package at:
  http://download.opensuse.org/factory/repo/non-oss/suse/i586/

For the others, comment 13 applies:
> Forward to security team.
Comment 15 Ludwig Nussel 2010-08-27 08:43:24 UTC
Packages are currently in the update-test repo (comment #12 was accidentally private):
https://build.opensuse.org/maintenance/qa_11.3#anker-35332

reopen for tracking
Comment 16 Swamp Workflow Management 2010-09-01 08:43:30 UTC
Update released for: acroread, acroread-cmaps, acroread-debuginfo, acroread-fonts-ja, acroread-fonts-ko, acroread-fonts-zh_CN, acroread-fonts-zh_TW
Products:
openSUSE 11.1 (i586)
openSUSE 11.2 (i586, x86_64)
openSUSE 11.3 (i586)
Comment 17 Ludwig Nussel 2010-09-01 08:49:39 UTC
released
Comment 18 Swamp Workflow Management 2010-09-01 10:49:08 UTC
Update released for: acroread_ja, acroread_ja-debuginfo
Products:
SLE-DESKTOP 11 (i386, x86_64)
Comment 19 Swamp Workflow Management 2010-09-01 10:54:57 UTC
Update released for: acroread, acroread-cmaps, acroread-debuginfo, acroread-fonts-ja, acroread-fonts-ko, acroread-fonts-zh_CN, acroread-fonts-zh_TW
Products:
SLE-DESKTOP 10-SP3 (i386, x86_64)
Comment 20 Swamp Workflow Management 2010-09-01 10:58:35 UTC
Update released for: acroread_ja, acroread_ja-debuginfo
Products:
SLE-DESKTOP 11-SP1 (i386, x86_64)
Comment 21 Swamp Workflow Management 2010-09-01 11:10:01 UTC
Update released for: acroread_ja, acroread_ja-debuginfo
Products:
SLE-DESKTOP 10-SP3 (i386, x86_64)
Comment 22 Swamp Workflow Management 2010-09-01 11:40:20 UTC
Update released for: acroread, acroread-cmaps, acroread-debuginfo, acroread-fonts-ja, acroread-fonts-ko, acroread-fonts-zh_CN, acroread-fonts-zh_TW
Products:
SLE-DEBUGINFO 11 (i386, x86_64)
SLE-DESKTOP 11 (i386, x86_64)
Comment 23 Swamp Workflow Management 2010-09-01 11:45:29 UTC
Update released for: acroread, acroread-cmaps, acroread-debuginfo, acroread-fonts-ja, acroread-fonts-ko, acroread-fonts-zh_CN, acroread-fonts-zh_TW
Products:
SLE-DESKTOP 11-SP1 (i386, x86_64)
Comment 24 Swamp Workflow Management 2010-09-30 20:55:21 UTC
Update released for: acroread, acroread-cmaps, acroread-debuginfo, acroread-fonts-ja, acroread-fonts-ko, acroread-fonts-zh_CN, acroread-fonts-zh_TW
Products:
SUSE-MOBLIN 2.0 (i386)
SUSE-MOBLIN 2.0-DEBUG (i386)
Comment 25 Bernhard Wiedemann 2016-04-15 12:56:10 UTC
This is an autogenerated message for OBS integration:
This bug (629134) was mentioned in
https://build.opensuse.org/request/show/46336 11.3:NonFree / acroread
https://build.opensuse.org/request/show/46337 11.2:Test / acroread