Bug 717724 - VUL-0: CVE-2011-2431: acroread: multiple memory issues
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: General
Version: unspecified
Hardware: Other
OS: Other
Priority: P2 - High
Severity: Major
Target Milestone: ---
Assigned To: Bin Li
QA Contact: Security Team bot
Whiteboard: maint:released:11.3:44058 maint:relea...
Reported: 2011-09-14 09:50 UTC by Matthias Weckbecker
Modified: 2015-02-18 20:46 UTC (History)
Description Matthias Weckbecker 2011-09-14 09:50:59 UTC
Adobe has released an update of acroread recently, 

  https://www.adobe.com/support/security/bulletins/apsb11-24.html

CVE-2011-1353, CVE-2011-2431, CVE-2011-2432, CVE-2011-2433, CVE-2011-2434, CVE-2011-2435, CVE-2011-2436, CVE-2011-2437, CVE-2011-2438, CVE-2011-2439, CVE-2011-2440, CVE-2011-2441, CVE-2011-2442
Comment 1 Marcus Meissner 2011-09-14 15:45:28 UTC
Please submit ASAP.
Comment 2 Marcus Meissner 2011-09-14 15:48:10 UTC
Hmm, the page reads:

Adobe Reader 9.4.6 for UNIX is currently scheduled to be released on November 7, 2011.

Nearly 2 months delay. :(
Comment 3 Bin Li 2011-09-15 06:48:27 UTC
Okay, let me know when it gets updated.
Comment 4 Tobias Burnus 2011-11-06 20:20:00 UTC
Seemingly, the binaries are now available at:
  ftp://ftp.adobe.com/pub/adobe/reader/unix/9.x/9.4.6/enu/

AdbeRdr9.4.6-1_i486linux_enu.tar.bz2    55769 KB    04.11.2011    19:57:00

The release is officially scheduled for Monday, 7 November according to http://www.adobe.com/support/security/bulletins/apsb11-24.html ("Adobe Reader 9.4.6 for UNIX is currently scheduled to be released on November 7, 2011.") -- Currently, only the English version is available (which should be sufficient).
Comment 5 Tobias Burnus 2011-11-07 17:50:24 UTC
For completeness, Adobe has now updated the Bulletin and now also officially links to the webserver. It seems as if there won't be any version but English, but I think (open)SUSE has never shipped the other languages.

Updated Security Bulletin:
   http://www.adobe.com/support/security/bulletins/apsb11-24.html
Binaries:
   ftp://ftp.adobe.com/pub/adobe/reader/unix/9.x/9.4.6/enu/
Comment 6 Swamp Workflow Management 2011-11-08 15:08:41 UTC
The SWAMPID for this issue is 44054.
This issue was rated as critical.
Please submit fixed packages until 2011-11-10.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 7 Ludwig Nussel 2011-11-08 15:09:59 UTC
Please submit packages ASAP, don't forget Factory/12.1!
Comment 9 Bin Li 2011-11-11 09:52:42 UTC
Done for 11.4.

Request #90977:

  submit:   home:BinLi:branches:openSUSE:11.4:Update:Test/acroread(r2)(cleanup) -> openSUSE:11.4:Update:Test/acroread


Message:
    upgrade to 9.4.6(bnc#717724,swampid#44054).

State:   new          2011-11-11T10:51:46 BinLi
Comment 10 Bernhard Wiedemann 2011-11-11 10:00:12 UTC
This is an autogenerated message for OBS integration:
This bug (717724) was mentioned in
https://build.opensuse.org/request/show/90977 11.4 / acroread
Comment 16 Swamp Workflow Management 2011-11-14 15:03:00 UTC
Update released for: acroread, acroread-cmaps, acroread-fonts-ja, acroread-fonts-ko, acroread-fonts-zh_CN, acroread-fonts-zh_TW
Products:
openSUSE 11.3 (i586)
openSUSE 11.4 (i586)
Comment 17 Swamp Workflow Management 2011-11-14 19:52:41 UTC
Update released for: acroread, acroread-cmaps, acroread-debuginfo, acroread-fonts-ja, acroread-fonts-ko, acroread-fonts-zh_CN, acroread-fonts-zh_TW
Products:
SLE-DESKTOP 11-SP1 (i386, x86_64)
Comment 18 Swamp Workflow Management 2011-11-14 20:00:18 UTC
Update released for: acroread, acroread-cmaps, acroread-debuginfo, acroread-fonts-ja, acroread-fonts-ko, acroread-fonts-zh_CN, acroread-fonts-zh_TW
Products:
SLE-DESKTOP 10-SP4 (i386, x86_64)
Comment 19 Bernhard Wiedemann 2011-11-15 06:00:25 UTC
This is an autogenerated message for OBS integration:
This bug (717724) was mentioned in
https://build.opensuse.org/request/show/91427 Evergreen:11.2 / acroread
Comment 20 Bernhard Wiedemann 2011-11-15 16:00:08 UTC
This is an autogenerated message for OBS integration:
This bug (717724) was mentioned in
https://build.opensuse.org/request/show/91618 Evergreen:11.1 / acroread
Comment 21 Tobias Burnus 2011-11-19 11:00:13 UTC
Could someone update Factory? I think the first step would be to review https://build.opensuse.org/request/show/91437 (request to accept it in devel:openSUSE:Factory).
Comment 22 Andreas Jaeger 2011-11-19 13:53:02 UTC
Bin Li, you're owner of the package in devel:openSUSE:Factory, please approve it yourself and push to factory.
Comment 23 Bin Li 2011-11-21 03:46:12 UTC
Andreas,

 Thanks for your reminder, just missed it. :)
Comment 24 Matthias Weckbecker 2011-11-21 10:37:13 UTC
Bin Li, there's still a running patchinfo w/o any submission for the acroread_ja package for sle11-sp1. Could you possibly submit it too, please?

Thanks in advance
Comment 25 Tobias Burnus 2011-11-21 10:49:39 UTC
(In reply to comment #22)
> Bin Li, you're owner of the package in devel:openSUSE:Factory, please approve
> it yourself and push to factory.

Factory: It does not build without the tar.bz2 and hence fails. (I don't know whether _service should do the download automatically or not.)
Cf. https://build.opensuse.org/package/show?package=acroread&project=devel%3AopenSUSE%3AFactory


(In reply to comment #24)
> Bin Li, there's still a running patchinfo w/o any submission for the
> acroread_ja package for sle11-sp1. Could, you possibly submit it too, please? 

I am not sure whether that's possible. As written in comment 4, Adobe only provides English (enu), while with 9.4.2 it had enu, deu, jpn and fra. Cf. ftp://ftp.adobe.com/pub/adobe/reader/unix/9.x
[I don't know whether it does, but "acroread" should probably obsolete "acroread_ja".]

(If you (or anyone at SUSE) has an Adobe contact, maybe you could change this. Adobe also seems to have no interest in providing version X of the reader for Unix/Linux.)
Comment 26 Matthias Weckbecker 2011-11-21 15:28:51 UTC
(In reply to comment #25)
> (In reply to comment #22)
> I am not sure whether that's possible. [...]

You were right. It's not. Canceled the patchinfo.
Comment 27 Bin Li 2011-11-22 03:40:07 UTC
Close it.
Comment 28 Tobias Burnus 2011-11-22 07:15:35 UTC
(In reply to comment #27)
> Close it.

Well, Factory is not yet updated. In particular, the build at devel:openSUSE:Factory still fails with:

----- building acroread.spec (user abuild)
error: File /home/abuild/rpmbuild/SOURCES/AdbeRdr9.4.6-1_i486linux_enu.tar.bz2: No such file or directory
Comment 29 Tobias Burnus 2011-11-23 10:27:28 UTC
Reopen: Factory is not fixed.

Step 1: The build at devel:openSUSE:Factory needs to be fixed
        - it currently fails because AdbeRdr9.4.6-1_i486linux_enu.tar.bz2
        is not in the src.rpm
Comment 30 Bin Li 2011-11-24 06:23:27 UTC
(In reply to comment #29)
> Reopen: Factory is not fixed.
> 
> Step 1: The build at devel:openSUSE:Factory needs to be fixed
>         - it currently fails because AdbeRdr9.4.6-1_i486linux_enu.tar.bz2
>         is not in the src.rpm

Yes, we use the _service to download the tar file when building the rpm.
Comment 31 Tobias Burnus 2011-11-29 11:24:01 UTC
(In reply to comment #30)
> > Step 1: The build at devel:openSUSE:Factory needs to be fixed
> >         - it currently fails because AdbeRdr9.4.6-1_i486linux_enu.tar.bz2
> >         is not in the src.rpm
> 
> yes, we use the _service to download the tar file when build the rpm.

Which obviously does not work at:

https://build.opensuse.org/package/show?package=acroread&project=devel%3AopenSUSE%3AFactory

Can you give a status update? The latest change I could find was the creation of home:BinLi:branches:devel:openSUSE:Factory five days ago with disabled builds and seemingly no code change.


Would a pull request be acceptable where I (re)add a tar.bz2? If so, I will branch devel:openSUSE:Factory, add it, and do an "obs sr".
Comment 32 Bernhard Wiedemann 2011-12-04 18:00:09 UTC
This is an autogenerated message for OBS integration:
This bug (717724) was mentioned in
https://build.opensuse.org/request/show/95350 Factory / acroread
Comment 33 Bin Li 2011-12-05 05:04:36 UTC
The reason was that the package was linked and contained a project.diff that patched the _service file.

It is already fixed. Closing it now.
Comment 34 Bin Li 2011-12-05 05:37:04 UTC
And again, submitted it into 12.1, because 12.1 still uses the old one.

submit:   home:BinLi:branches:openSUSE:12.1:NonFree/acroread(r2) -> openSUSE:12.1:Update:Test/acroread


Message:
    Update to 9.4.6 for bnc#717724(swampid#44054).
Comment 35 Bin Li 2011-12-05 05:39:39 UTC
Reopening it again for 12.1.
Comment 36 Bin Li 2011-12-05 05:40:18 UTC
Security team,

 Could we let it in 12.1? Thanks!
Comment 37 Bernhard Wiedemann 2011-12-05 06:00:13 UTC
This is an autogenerated message for OBS integration:
This bug (717724) was mentioned in
https://build.opensuse.org/request/show/95387 12.1 / acroread
Comment 38 Bin Li 2011-12-05 10:04:26 UTC
Accepted by 12.1. Close it.
Comment 39 Tobias Burnus 2011-12-07 13:06:38 UTC
REOPEN.

Factory is still not fixed, more than 1 month after Adobe released the new package. The build is now working at devel:openSUSE:Factory (thanks to Adrian Schröter for fixing the tar.gz downloading).

However, the package is not yet in openSUSE:Factory:NonFree. I tried to request the inclusion of the devel:openSUSE:Factory package (which has been updated by Bin Li and Adrian Schröter) into openSUSE:Factory:NonFree, but the request is still pending: https://build.opensuse.org/request/show/95350
Comment 40 Ludwig Nussel 2011-12-07 13:29:53 UTC
It's still pending legal review but otherwise on the way.