Bug 735275 - VUL-0: acroread 9.4.6 vulnerable
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: General
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium, Major
Target Milestone: ---
Assigned To: Security Team bot
maint:released:11.3:44934 maint:relea...
Depends on:
Blocks:
Reported: 2011-12-07 09:35 UTC by Ludwig Nussel
Modified: 2012-01-22 14:00 UTC (History)

Found By: Other


Description Ludwig Nussel 2011-12-07 09:35:30 UTC
Your friendly security team received the following report.
Please respond ASAP.
The issue is public.

http://www.adobe.com/support/security/advisories/apsa11-04.html

-----
A critical vulnerability has been identified in Adobe Reader X (10.1.1) and earlier versions for Windows and Macintosh, Adobe Reader 9.4.6 and earlier 9.x versions for UNIX, and Adobe Acrobat X (10.1.1) and earlier versions for Windows and Macintosh. This vulnerability (CVE-2011-2462) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that the vulnerability is being actively exploited in limited, targeted attacks in the wild against Adobe Reader 9.x on Windows. 
-----

Adobe plans to release updates on January 10th.
Comment 1 Swamp Workflow Management 2011-12-07 23:00:16 UTC
bugbot adjusting priority
Comment 2 Bin Li 2011-12-08 03:01:53 UTC
Fine, let me know if the updates are available.
Comment 3 Ludwig Nussel 2011-12-19 10:56:23 UTC
Name: CVE-2011-4369

Unspecified vulnerability in the PRC component in Adobe Reader and Acrobat 9.x before 9.4.7 on Windows, Adobe Reader and Acrobat 9.x through 9.4.6 on Mac OS X, Adobe Reader and Acrobat 10.x through 10.1.1 on Windows and Mac OS X, and Adobe Reader 9.x through 9.4.6 on UNIX allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via unknown vectors, as exploited in the wild in December 2011.
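The CVE text above gives the affected range for UNIX as 9.x before 9.4.7. The following shell snippet is an added example, not part of this bug or of the SUSE acroread package: it compares dotted version strings numerically (so 9.4.10 sorts after 9.4.7) and reports whether a given acroread version falls in that range. The `rpm` query at the end assumes an rpm-based system with a package named `acroread`; the version strings used for illustration are constructed.

```shell
#!/bin/sh
# Added example (not part of this bug or the SUSE acroread package):
# decide whether an acroread version string lies in the range the CVE text
# calls affected on UNIX, i.e. 9.x before 9.4.7.
# Version strings passed to these functions are assumed to be purely
# numeric dotted versions (9.4.6, 9.4.7, ...).

# vercmp A B: compare dotted numeric versions field by field.
# Prints -1 if A < B, 0 if equal, 1 if A > B. Missing fields count as 0,
# so 9.4 < 9.4.7, and comparison is numeric, so 9.4.10 > 9.4.7.
vercmp() {
    a=$1
    b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}
        bi=${b%%.*}
        case "$a" in *.*) a=${a#*.} ;; *) a= ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b= ;; esac
        ai=${ai:-0}
        bi=${bi:-0}
        if [ "$ai" -lt "$bi" ]; then echo -1; return 0; fi
        if [ "$ai" -gt "$bi" ]; then echo 1; return 0; fi
    done
    echo 0
}

# acroread_affected VERSION: exit 0 (true) when VERSION is a 9.x release
# older than the fixed 9.4.7, exit 1 otherwise. Only the 9.x branch is
# shipped for UNIX, so other major versions are reported as not affected.
acroread_affected() {
    case "$1" in
        9|9.*) ;;
        *) return 1 ;;
    esac
    [ "$(vercmp "$1" 9.4.7)" -lt 0 ]
}

# installed_acroread_affected: query the installed package with rpm.
# Assumption: an rpm-based system with the package named acroread;
# exits 2 if the package is not installed.
installed_acroread_affected() {
    v=$(rpm -q --qf '%{VERSION}' acroread 2>/dev/null) || return 2
    acroread_affected "$v"
}

# Usage: acroread_affected 9.4.6 && echo "affected"
```

Running `installed_acroread_affected` on a host and checking its exit status is enough to decide whether the update in this bug still needs to be applied there; the pure-string `acroread_affected` is what a package-audit script would call when it already has the version from another source.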
Comment 4 Tobias Burnus 2012-01-09 20:04:25 UTC
(In reply to comment #2)
> Fine, let me know if the updates are available.

The files have just landed at:
  ftp://ftp.adobe.com/pub/adobe/reader/unix/9.x/9.4.7/enu/
Comment 5 Swamp Workflow Management 2012-01-10 10:05:47 UTC
The SWAMPID for this issue is 44853.
This issue was rated as moderate.
Please submit fixed packages until 2012-01-24.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 6 Ludwig Nussel 2012-01-11 08:39:43 UTC
The 9.4.7 directory seems to have vanished.
Comment 7 Tobias Burnus 2012-01-11 09:02:31 UTC
(In reply to comment #6)
> The 9.4.7 directory seems to have vanished.

The link from comment 4 still works for me:
  ftp://ftp.adobe.com/pub/adobe/reader/unix/9.x/9.4.7/enu/

It is also (now) linked from
  http://www.adobe.com/support/security/bulletins/apsb11-30.html
Comment 8 Ludwig Nussel 2012-01-11 09:10:30 UTC
weird

$ ftp -a ftp.adobe.com
Connected to ftp.adobe.com.
220 Welcome message
331 Please specify the password.
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd /pub/adobe/reader/unix/9.x/9.4.7/enu/
550 Failed to change directory.
ftp> cd /pub/adobe/reader/unix/9.x/
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||30041|).
150 Here comes the directory listing.
drwxr-xr-x    3 10276    50           4096 Nov 11 09:24 9.1
drwxr-xr-x    3 10276    50           4096 Nov 11 09:22 9.4.6
226 Directory send OK.
ftp> 


Do you have packaging skills and could take care of Factory maybe?
Comment 9 Bin Li 2012-01-11 10:26:33 UTC
Done for openSUSE.

 99749  State:new     By:BinLi        When:2012-01-11T11:23:06
        submit:       home:BinLi:branches:openSUSE:11.3:Update:Test/acroread  ->  openSUSE:11.3:Update:Test   
        Descr: 'upgrade to 9.4.7(bnc#735275,swampid#44853)'

 99748  State:new     By:BinLi        When:2012-01-11T11:22:29
        submit:       home:BinLi:branches:openSUSE:11.4:Update/acroread  ->  openSUSE:11.4:Update:Test   
        Descr: 'upgrade to 9.4.7(bnc#735275,swampid#44853)'

Request #99746:
  submit:   home:BinLi:branches:openSUSE:12.1:Update/acroread(r2) -> openSUSE:12.1:Update:Test/acroread
Message:
    upgrade to 9.4.7(bnc#735275,swampid#44853)

 99745  State:new     By:BinLi        When:2012-01-11T11:20:48
        submit:       home:BinLi:branches:devel:openSUSE:Factory/acroread  ->  devel:openSUSE:Factory   
        Descr: 'upgrade to 9.4.7(bnc#735275,swampid#44853)'
Comment 10 Bin Li 2012-01-11 10:33:05 UTC
Done for SLE.

Request #17162:

  submit:   home:BinLi:branches:SUSE:SLE-10-SP4:Update:Test/acroread(r3)(cleanup) -> SUSE:SLE-10-SP4:Update:Test/acroread

Message:
    upgrade to 9.4.7(bnc#735275,swampid#44853)


Request #17161:

  submit:   home:BinLi:branches:SUSE:SLE-11-SP1:Update:Test/acroread(r3)(cleanup) -> SUSE:SLE-11-SP1:Update:Test/acroread

Message:
    upgrade to 9.4.7(bnc#735275,swampid#44853)


Request #17160:

  submit:   home:BinLi:branches:SUSE:SLE-11-SP2:GA/acroread(r2)(cleanup) -> SUSE:SLE-11-SP2:GA/acroread

Message:
    upgrade to 9.4.7(bnc#735275,swampid#44853)
Comment 11 Bin Li 2012-01-11 10:33:48 UTC
Reassign it.
Comment 12 Bernhard Wiedemann 2012-01-11 11:00:08 UTC
This is an autogenerated message for OBS integration:
This bug (735275) was mentioned in
https://build.opensuse.org/request/show/99746 12.1 / acroread
https://build.opensuse.org/request/show/99748 11.4 / acroread
https://build.opensuse.org/request/show/99749 11.3 / acroread
Comment 13 Bernhard Wiedemann 2012-01-11 23:00:09 UTC
This is an autogenerated message for OBS integration:
This bug (735275) was mentioned in
https://build.opensuse.org/request/show/99847 Factory / acroread
Comment 14 Swamp Workflow Management 2012-01-17 10:47:22 UTC
Update released for: acroread, acroread-cmaps, acroread-fonts-ja, acroread-fonts-ko, acroread-fonts-zh_CN, acroread-fonts-zh_TW
Products:
openSUSE 11.3 (i586)
openSUSE 11.4 (i586)
Comment 15 Swamp Workflow Management 2012-01-17 12:53:12 UTC
Update released for: acroread, acroread-cmaps, acroread-debuginfo, acroread-fonts-ja, acroread-fonts-ko, acroread-fonts-zh_CN, acroread-fonts-zh_TW
Products:
SLE-DESKTOP 10-SP4 (i386, x86_64)
Comment 16 Swamp Workflow Management 2012-01-17 13:00:33 UTC
Update released for: acroread, acroread-cmaps, acroread-debuginfo, acroread-fonts-ja, acroread-fonts-ko, acroread-fonts-zh_CN, acroread-fonts-zh_TW
Products:
SLE-DESKTOP 11-SP1 (i386, x86_64)
Comment 17 Sebastian Krahmer 2012-01-18 14:12:31 UTC
done
Comment 18 Bernhard Wiedemann 2012-01-18 15:00:25 UTC
This is an autogenerated message for OBS integration:
This bug (735275) was mentioned in
https://build.opensuse.org/request/show/100559 Evergreen:11.2 / acroread
Comment 19 Bernhard Wiedemann 2012-01-22 14:00:15 UTC
This is an autogenerated message for OBS integration:
This bug (735275) was mentioned in
https://build.opensuse.org/request/show/101047 Evergreen:11.1 / acroread