Bug 848183 (CVE-2012-1525, CVE-2012-2049, CVE-2012-2050, CVE-2012-2051, CVE-2012-4147, CVE-2012-4148, CVE-2012-4149, CVE-2012-4150, CVE-2012-4151, CVE-2012-4152, CVE-2012-4153, CVE-2012-4154, CVE-2012-4155, CVE-2012-4156, CVE-2012-4157, CVE-2012-4158, CVE-2012-4159, CVE-2012-4160)

Summary: acroread: multiple code execution flaw (APSB12-16)
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE
Severity: urgent
Priority: urgent
Version: unspecified
CC: mkasik
Target Milestone: ---
Target Release: ---
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2013-01-24 10:06:04 UTC
Bug Blocks: 848188

Description Vincent Danen 2012-08-14 20:36:52 UTC
Adobe security bulletin APSB12-16 describes numerous security flaws that can lead to arbitrary code execution in Adobe Reader:

These updates resolve a stack overflow vulnerability that could lead to code execution (CVE-2012-2049).

These updates resolve a buffer overflow vulnerability that could lead to code execution (CVE-2012-2050).

These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2012-2051, CVE-2012-4147, CVE-2012-4148, CVE-2012-4149, CVE-2012-4150, CVE-2012-4151, CVE-2012-4152, CVE-2012-4153, CVE-2012-4154, CVE-2012-4155, CVE-2012-4156, CVE-2012-4157, CVE-2012-4158, CVE-2012-4159, CVE-2012-4160).

These updates resolve a heap overflow vulnerability that could lead to code execution (CVE-2012-1525).

These updates resolve a memory corruption vulnerability that could lead to code execution (CVE-2012-4161) (Macintosh only).

These updates resolve a memory corruption vulnerability that could lead to code execution (CVE-2012-4162) (Macintosh only).

Two of these flaws are Mac-only; however, the bulletin does not describe whether the Linux/UNIX builds of 9.x are affected.  I've sent an email to PSIRT to confirm whether or not the Linux version is vulnerable to these issues.

External References:

http://www.adobe.com/support/security/bulletins/apsb12-16.html

Comment 2 Vincent Danen 2012-08-16 15:18:32 UTC
Adobe has indicated that the next Adobe Reader for Linux will not be available for some time yet.  As we cannot patch Reader in any way, we are constrained by the vendor's release schedule and as such will release updates as soon as they are made generally available.

Comment 3 Vincent Danen 2012-08-16 15:24:06 UTC
Also refer to:

http://blogs.adobe.com/asset/2011/06/notes-on-adobe-reader-and-acrobat-10-1.html

Specifically, the "Support Model Change for Adobe Reader for Linux" section, which describes that Adobe will only release Reader for Linux updates twice a year (or every other quarterly release).

Comment 4 Tomas Hoger 2012-08-17 08:02:10 UTC
http://gynvael.coldwind.pl/?id=483

Comment 5 Tomas Hoger 2013-01-24 10:06:04 UTC
The acroread packages in Red Hat Enterprise Linux 5 and 6 Supplementary were updated to the latest upstream version 9.5.3 via RHSA-2013:0150:

https://rhn.redhat.com/errata/RHSA-2013-0150.html

According to the Adobe blog post linked in comment #3, this update should contain fixes for all known security issues fixed in previous updates that only provided new Adobe Reader versions for Windows and Macintosh platforms.

Even though upstream bulletin APSB12-16 did not get updated by Adobe to list Linux version 9.5.3 as fixing the listed security issues, previous upstream statements indicate that this should be assumed.  Hence closing this.