Bug 231055 (CVE-2007-1199)

Summary: CVE-2007-1199 acroread arbitrary file:// URL execution
Product: [Other] Security Response
Reporter: Josh Bressers <bressers>
Component: vulnerability
Assignee: Jonathan Blandford <jrb>
Status: CLOSED UPSTREAM
Severity: low
Priority: low
Version: unspecified
CC: ddumas, vdanen
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2011-01-05 16:26:05 UTC

Description Josh Bressers 2007-03-05 20:28:38 UTC
Adobe Acrobat Reader suffers from a flaw where a PDF file containing a file://
URL can allow a malicious PDF file to open that URL without user interaction. 
In order for this flaw to be exploited, a user will need to have a file
containing the payload at a known location.

Comment 3 Kristian Høgsberg 2007-03-05 21:18:48 UTC
Is there a new acroread version that fixes this?


Comment 4 Josh Bressers 2007-03-05 23:46:05 UTC
No update yet.  This bug is simply a placeholder for us so we can check for the
fix in the future.

Comment 6 Vincent Danen 2010-12-22 21:09:31 UTC
Hints on Gentoo's bugzilla indicate that this should have been fixed in 8.1.2:

http://www.adobe.com/support/security/advisories/apsa08-01.html

However, searching for this CVE name on Adobe's web site does not return any results, so if it has been fixed they've not named it or given it a duplicate name (looking at various reports, this may have been assigned CVE-2007-5020 (http://www.adobe.com/support/security/advisories/apsa07-04.html), but hard to verify; I've emailed Adobe asking for further info).

At this point, it's been nearly four years so I suspect that it has been corrected in our currently-shipping acroread packages (9.4.1).

And if this is not corrected, there isn't much we can do about it due to the closed-source nature of acroread.  Since there is no proof that this CVE has been addressed, this should probably be closed as CANTFIX, but will wait a bit to see if Adobe responds.

Comment 7 Vincent Danen 2011-01-05 16:26:05 UTC
I received notification back from Adobe that "confirmed this issue has been fixed for Adobe Reader for UNIX with Reader 9.4.1 on Ubuntu 9.04 and Open Solaris x86, as well as the 8.x release too".  So the latest version from upstream that we ship has the fix; however, they didn't pinpoint exactly which version provided the fix.

As a result, I am going to close this as UPSTREAM as we cannot know for certain which version fixed the flaw.