Bug 760908 (CVE-2011-2462)

Summary: CVE-2011-2462 acroread: U3D memory corruption vulnerability (APSB11-30)
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: urgent
Priority: urgent
Version: unspecified
CC: mkasik
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: acroread 9.4.7
Doc Type: Bug Fix
Last Closed: 2012-01-10 22:59:39 UTC
Bug Depends On: 772826, 772827, 772828
Bug Blocks: 760915

Description Jan Lieskovsky 2011-12-07 10:39:49 UTC
Adobe has published an advisory describing the presence of a critical vulnerability:

> This U3D memory corruption vulnerability (CVE-2011-2462) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that the vulnerability is being actively exploited in the wild in limited, targeted attacks against Adobe Reader 9.x on Windows. Adobe Reader X Protected Mode and Acrobat X Protected View mitigations would prevent an exploit of this kind from executing.

in Adobe Reader v9.4.6 and earlier versions for UNIX operating systems.

According to the advisory [1], the Adobe Reader 9.x update for UNIX operating systems is planned for January 10, 2012.

References:
[1] http://www.adobe.com/support/security/advisories/apsa11-04.html

Comment 3 Vincent Danen 2012-01-10 21:50:39 UTC
Updated 9.4.7 packages are now available for Linux:

http://www.adobe.com/support/security/bulletins/apsb11-30.html

Comment 4 errata-xmlrpc 2012-01-10 22:57:21 UTC
This issue has been addressed in the following products:

  Extras for RHEL 4
  Supplementary for Red Hat Enterprise Linux 6
  Supplementary for Red Hat Enterprise Linux 5

Via RHSA-2012:0011 https://rhn.redhat.com/errata/RHSA-2012-0011.html