Bug 480800 (CVE-2008-5331)
| Summary: | CVE-2008-5331 acroread: more efficient password encryption | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Josh Bressers <bressers> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED CANTFIX | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | jrb, vdanen |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5331 | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2010-12-24 03:34:14 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Josh Bressers
2009-01-20 16:58:54 UTC
I'm not sure I buy into this. Sounds like the people making the claims that it's easier to brute-force passwords in Acrobat 9 are selling a product to do that. Marketing gimmick? Maybe. Anyways, upstream does not consider this to be a vulnerability as noted in the blog post above, it's up to the user to use a decent password or it doesn't matter what kind of encryption is used. If you use the password "cat" you've pretty much sunk your own ship. Encryption strength, or lack thereof, really doesn't have much to do when you're brute-forcing a password and Acrobat 9 is using 256-bit AES vs 128-bit AES in previous versions. Ultimately, if Adobe doesn't think this is an issue to fix, we certainly can't fix it due to the closed-source nature of the product. So I am closing this bug in light of this. |