Bug 505049 (CVE-2009-0198, CVE-2009-0509, CVE-2009-0510, CVE-2009-0511, CVE-2009-0512, CVE-2009-0888, CVE-2009-0889, CVE-2009-1855, CVE-2009-1856, CVE-2009-1857, CVE-2009-1858, CVE-2009-1859, CVE-2009-1861, CVE-2009-2028)

Summary: acroread: multiple security fixes in version 8.1.6 (APSB09-07)
Product: [Other] Security Response
Reporter: Tomas Hoger <thoger>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: urgent
Priority: urgent
Version: unspecified
CC: kreilly, krh, vdanen
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2009-06-17 09:24:45 UTC
Bug Depends On: 505062, 505063, 505064

Description Tomas Hoger 2009-06-10 13:56:24 UTC
Adobe has published a security bulletin APSB09-07 for security issues addressed in Adobe Reader and Acrobat products:

  http://www.adobe.com/support/security/bulletins/apsb09-07.html

Quoting Adobe bulletin APSB09-07 for the issue descriptions:

  This update resolves a stack overflow vulnerability that could
  potentially lead to code execution (CVE-2009-1855).

  This update resolves an integer overflow that leads to a Denial of
  Service (DoS); arbitrary code execution has not been demonstrated,
  but may be possible (CVE-2009-1856).

  This update resolves a memory corruption vulnerability that leads
  to a Denial of Service (DoS); arbitrary code execution has not been
  demonstrated, but may be possible (CVE-2009-1857).

  This update resolves a memory corruption vulnerability in the JBIG2
  filter that could potentially lead to code execution (CVE-2009-1858).

  This update resolves a memory corruption vulnerability that could
  potentially lead to code execution (CVE-2009-1859).

  This update resolves a memory corruption vulnerability in the JBIG2
  filter that leads to a Denial of Service (DoS); arbitrary code
  execution has not been demonstrated, but may be possible (CVE-2009-0198).

  This update resolves multiple heap overflow vulnerabilities in the
  JBIG2 filter that could potentially lead to code execution
  (CVE-2009-0509, CVE-2009-0510, CVE-2009-0511, CVE-2009-0512,
  CVE-2009-0888, CVE-2009-0889).

  This update resolves multiple heap overflow vulnerabilities that
  could potentially lead to code execution (CVE-2009-1861).

  Additionally, this update resolves Adobe internally discovered issues.

Security fixes are available in product versions 9.1.2, 8.1.6, and 7.1.3, currently only available for Windows and Macintosh platforms; updates for UNIX platforms should be released on Jun 16.

Comment 2 Tomas Hoger 2009-06-11 15:39:24 UTC
An additional CVE has been assigned by MITRE - CVE-2009-2028:

Multiple unspecified vulnerabilities in Adobe Reader 7 and Acrobat 7
before 7.1.3, Adobe Reader 8 and Acrobat 8 before 8.1.6, and Adobe
Reader 9 and Acrobat 9 before 9.1.2 have unknown impact and attack
vectors, related to "Adobe internally discovered issues."

Comment 4 errata-xmlrpc 2009-06-17 09:16:28 UTC
This issue has been addressed in the following products:

  Extras for RHEL 3
  Extras for RHEL 4
  Extras for Red Hat Enterprise Linux 5

Via RHSA-2009:1109 https://rhn.redhat.com/errata/RHSA-2009-1109.html