Arcoread7 secutiry vulnerability

[Simon L. Nielsen]

On 2005.08.28 13:43:26 +0200, Simon L. Nielsen wrote:
> On 2005.08.28 15:25:25 +0400, Boris Samorodov wrote:
> > On Sun, 28 Aug 2005 13:13:18 +0200 Simon L. Nielsen wrote:
> >
> > > You are mixing up two different vulnerabilities [1]. The vulnerability
> > > fixed by the 7.0.1 upgrade was "acroread -- plug-in buffer overflow
> > > vulnerability" [2].  The vulnerability portaudit is warning you about
> > > is "acroread -- XML External Entity vulnerability" [3].  As far as I
> > > know Adobe has not released any fix for the Linux version of Adobe
> > > Reader for [3].
> > 
> > > [1] http://www.vuxml.org/freebsd/pkg-acroread7.html
> > > [2] http://www.vuxml.org/freebsd/f74dc01b-0e83-11da-bc08-0001020eed82.html
> > > [3] http://www.vuxml.org/freebsd/02bc9b7c-e019-11d9-a8bd-000cf18bbe54.html
> > 
> > Well, I think that Linux version is not suffered from CAN-2005-1306:
> > http://www.adobe.com/support/techdocs/331710.html
> > 
> > Platforms affected are Windows and Mac OS. Am I missing something?
> 
> Adobe does not list the Linux version as affected, but the original
> reporter of the problem does list the Linux version as affected, at
> http://shh.thathost.com/secadv/adobexxe/ .  In these cases we prefer
> err on the side of caution and will rather list a package as affected,
> even if it's not, rather than not listing a package that turn out to
> be affected.
> 
> I have just written a mail to the original reporter of the problem to
> try to clarify the issue.

I just got a mail back from Sverre H. Huseby and he says that the
Linux version indeed was affected, but 7.0.1 seems to be fixed, so I
marked it as fixed in VuXML.

-- 
Simon L. Nielsen
FreeBSD Security Team
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-security/attachments/20050828/a524ef80/attachment.bin