Bug 676157 (CVE-2011-0562, CVE-2011-0563, CVE-2011-0565, CVE-2011-0566, CVE-2011-0567, CVE-2011-0585, CVE-2011-0586, CVE-2011-0589, CVE-2011-0590, CVE-2011-0591, CVE-2011-0592, CVE-2011-0593, CVE-2011-0594, CVE-2011-0595, CVE-2011-0596, CVE-2011-0598, CVE-2011-0599, CVE-2011-0600, CVE-2011-0602, CVE-2011-0603, CVE-2011-0606)

Summary: CVE-2011-0562 CVE-2011-0563 CVE-2011-0565 CVE-2011-0566 CVE-2011-0567 CVE-2011-0585 CVE-2011-0586 CVE-2011-0589 CVE-2011-0590 CVE-2011-0591 CVE-2011-0592 CVE-2011-0593 CVE-2011-0594 CVE-2011-0595 acroread: critical APSB11-03
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: urgent
Priority: urgent
Version: unspecified
CC: mkasik
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2015-06-04 14:32:39 UTC
Bug Depends On: 676161, 676162, 676163

Description Vincent Danen 2011-02-08 23:16:13 UTC
Adobe security bulletin APSB11-03 describes multiple security flaws that can lead to arbitrary code execution when a malicious PDF file is opened in Adobe Reader.

http://www.adobe.com/support/security/bulletins/apsb11-03.html

These updates resolve a library-loading vulnerability that could lead to code execution (CVE-2011-0562).

These updates resolve a memory corruption vulnerability that could lead to code execution (CVE-2011-0563).

These updates resolve a denial of service vulnerability; arbitrary code execution has not been demonstrated, but may be possible (CVE-2011-0565).

These updates resolve an image-parsing memory corruption vulnerability that could lead to code execution (CVE-2011-0566).

These updates resolve an image-parsing memory corruption vulnerability that could lead to code execution (CVE-2011-0567).

These updates resolve a library-loading vulnerability that could lead to code execution (CVE-2011-0570).

These updates resolve a denial of service vulnerability; arbitrary code execution has not been demonstrated, but may be possible (CVE-2011-0585).

These updates resolve an input validation vulnerability that could lead to code execution (CVE-2011-0586).

These updates resolve a library-loading vulnerability that could lead to code execution (CVE-2011-0588).

These updates resolve a memory corruption vulnerability that could lead to code execution (CVE-2011-0589).

These updates resolve a 3D file parsing input validation vulnerability that could lead to code execution (CVE-2011-0590).

These updates resolve a 3D file parsing input validation vulnerability that could lead to code execution (CVE-2011-0591).

These updates resolve a 3D file parsing input validation vulnerability that could lead to code execution (CVE-2011-0592).

These updates resolve a 3D file parsing input validation vulnerability that could lead to code execution (CVE-2011-0593).

These updates resolve a font parsing input validation vulnerability that could lead to code execution (CVE-2011-0594).

These updates resolve a 3D file parsing input validation vulnerability that could lead to code execution (CVE-2011-0595).

These updates resolve an image parsing input validation vulnerability that could lead to code execution (CVE-2011-0596).

These updates resolve an image parsing input validation vulnerability that could lead to code execution (CVE-2011-0598).

These updates resolve an image parsing input validation vulnerability that could lead to code execution (CVE-2011-0599).

These updates resolve a 3D file parsing input validation vulnerability that could lead to code execution (CVE-2011-0600).

These updates resolve an image parsing input validation vulnerability that could lead to code execution (CVE-2011-0602).

These updates resolve an image-parsing memory corruption vulnerability that could lead to code execution (CVE-2011-0603).

These updates resolve a memory corruption vulnerability that could lead to code execution (CVE-2011-0606).

These flaws were corrected in Adobe Reader 9.4.2. The UNIX packages for Adobe Reader are expected the week of February 28th.


In addition, APSB11-03 also notes a flaw that was reported to have been fixed in APSB10-28 (where it was noted as a memory corruption vulnerability):

These updates resolve an input validation vulnerability that could lead to code execution (CVE-2010-4091).

Comment 2 Vincent Danen 2011-02-09 01:21:18 UTC
Upstream responded and indicated that CVE-2010-4091 was resolved in Adobe Reader 9.4.1 (APSB10-28), and that APSB11-03 fully resolves the issue in 8.2.6 and 10.0.1.

Comment 4 Vincent Danen 2011-02-11 04:10:46 UTC
CVE-2011-0570 and CVE-2011-0588 are Windows-specific and do not affect the UNIX platform.

Comment 5 Tomas Hoger 2011-02-23 07:58:22 UTC
Updated version 9.4.2 is now available on Adobe FTP:
  ftp://ftp.adobe.com/pub/adobe/reader/unix/9.x/9.4.2/

Comment 6 errata-xmlrpc 2011-02-23 21:17:51 UTC
This issue has been addressed in the following products:

  Extras for RHEL 4
  Supplementary for Red Hat Enterprise Linux 5
  Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2011:0301 https://rhn.redhat.com/errata/RHSA-2011-0301.html