Bug 486928 (CVE-2009-0193, CVE-2009-0658, CVE-2009-0928, CVE-2009-1061, CVE-2009-1062)
| Summary: | CVE-2009-0658, CVE-2009-0193, CVE-2009-0928, CVE-2009-1061, CVE-2009-1062 acroread: multiple JBIG2-related security flaws | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Jan Lieskovsky <jlieskov> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | urgent | Docs Contact: | |
| Priority: | urgent | ||
| Version: | unspecified | CC: | huzaifas, kreilly, krh, madisonj, mjc, msanders, rmonk, tao, vdanen |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://www.adobe.com/support/security/advisories/apsa09-01.html | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2009-03-25 14:28:08 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 490122, 490123, 490124 | ||
| Bug Blocks: | |||
|
Description
Jan Lieskovsky
2009-02-23 09:58:46 UTC
Adobe's advisory: http://www.adobe.com/support/security/bulletins/apsb09-03.html Only Adobe Reader 9.1 is now available; for Linux 8.1.3 is still the latest version. The advisory also indicates: "Adobe recommends users of Adobe Reader and Acrobat 9 update to Adobe Reader 9.1 and Acrobat 9.1. Adobe is planning to make available updates for Adobe Reader 7 and 8, and Acrobat 7 and 8, by March 18. In addition, Adobe plans to make available Adobe Reader 9.1 for Unix by March 25." Updated versions of Adobe Reader 8.x and 7.x were released for Windows and Macintosh platform: http://www.adobe.com/support/security/bulletins/apsb09-04.html Planned release of updated packages for Unix / Linux was moved to March 24: "Adobe now plans to make available Adobe Reader 9.1 and Adobe Reader 8.1.4 for Unix by March 24." Updates of 8.1.4 for Linux are now available: http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Unix In addition to the iDefense issue, there are other JBIG2-related issues that the new Adobe advisory points out. http://www.adobe.com/support/security/bulletins/apsb09-04.html Details Critical vulnerabilities have been identified in Adobe Reader and Acrobat 9 and earlier versions. These vulnerabilities would cause the application to crash and could potentially allow an attacker to take control of the affected system. Adobe recommends users of Acrobat and Adobe Reader update their product installations to versions 9.1, 8.1.4, or 7.1.1 using the instructions above to protect themselves from potential vulnerabilities. These updates resolve the JBIG2 filter buffer overflow issue from Security Advisory APSA09-01 and Security Bulletin APSB09-03 (CVE-2009-0658) Note: there are reports that this issue is being exploited These updates resolve additional JBIG2 input validation issues that could potentially lead to remote code execution. (CVE-2009-0193, CVE-2009-0928, CVE-2009-1061, CVE-2009-1062) The Adobe Reader and Acrobat 9.1 and 7.1.1 updates resolve an input validation issue in a JavaScript method that could potentially lead to remote code execution. This issue has already been resolved in Adobe Reader 8.1.3 and Acrobat 8.1.3. (CVE-2009-0927) This issue has been addressed in following products: Extras for RHEL 3 Extras for RHEL 4 Extras for Red Hat Enterprise Linux 5 Via RHSA-2009:0376 https://rhn.redhat.com/errata/RHSA-2009-0376.html This issue was addressed in: Red Hat Enterprise Linux Extras: http://rhn.redhat.com/errata/RHSA-2009-0376.html |