Bug 486928 - (CVE-2009-0193, CVE-2009-0658, CVE-2009-0928, CVE-2009-1061, CVE-2009-1062) CVE-2009-0658, CVE-2009-0193, CVE-2009-0928, CVE-2009-1061, CVE-2009-1062 acroread: multiple JBIG2-related security flaws
CVE-2009-0658, CVE-2009-0193, CVE-2009-0928, CVE-2009-1061, CVE-2009-1062 acr...
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
urgent Severity urgent
: ---
: ---
Assigned To: Red Hat Product Security
http://www.adobe.com/support/security...
source=internet,reported=20090220,pub...
: Security
Depends On: 490122 490123 490124
Blocks:
  Show dependency treegraph
 
Reported: 2009-02-23 04:58 EST by Jan Lieskovsky
Modified: 2010-10-23 03:50 EDT (History)
9 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-03-25 10:28:08 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Jan Lieskovsky 2009-02-23 04:58:46 EST
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-0658 to
the following vulnerability:

Buffer overflow in Adobe Reader 9.0 and earlier and Acrobat 9.0 and
earlier allows remote attackers to execute arbitrary code via a
crafted PDF document, related to a non-JavaScript function call, as
exploited in the wild in February 2009 by Trojan.Pidief.E.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0658
http://isc.sans.org/diary.html?n&storyid=5902
http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20090219
http://www.symantec.com/security_response/writeup.jsp?docid=2009-021212-5523-99&tabid=2
http://www.adobe.com/support/security/advisories/apsa09-01.html
http://www.securityfocus.com/bid/33751
Comment 1 Vincent Danen 2009-03-11 12:37:39 EDT
Adobe's advisory:

http://www.adobe.com/support/security/bulletins/apsb09-03.html

Only Adobe Reader 9.1 is now available; for Linux 8.1.3 is still the latest version.

The advisory also indicates:

"Adobe recommends users of Adobe Reader and Acrobat 9 update to Adobe Reader 9.1 and Acrobat 9.1. Adobe is planning to make available updates for Adobe Reader 7 and 8, and Acrobat 7 and 8, by March 18. In addition, Adobe plans to make available Adobe Reader 9.1 for Unix by March 25."
Comment 4 Tomas Hoger 2009-03-19 03:57:18 EDT
Updated versions of Adobe Reader 8.x and 7.x were released for Windows and Macintosh platform:

http://www.adobe.com/support/security/bulletins/apsb09-04.html

Planned release of updated packages for Unix / Linux was moved to March 24:

"Adobe now plans to make available Adobe Reader 9.1 and Adobe Reader 8.1.4 for Unix by March 24."
Comment 5 Vincent Danen 2009-03-24 16:16:06 EDT
Updates of 8.1.4 for Linux are now available:

http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Unix
Comment 10 Vincent Danen 2009-03-24 21:28:44 EDT
In addition to the iDefense issue, there are other JBIG2-related issues that the new Adobe advisory points out.

http://www.adobe.com/support/security/bulletins/apsb09-04.html

Details

Critical vulnerabilities have been identified in Adobe Reader and Acrobat 9 and earlier versions. These vulnerabilities would cause the application to crash and could potentially allow an attacker to take control of the affected system.

Adobe recommends users of Acrobat and Adobe Reader update their product installations to versions 9.1, 8.1.4, or 7.1.1 using the instructions above to protect themselves from potential vulnerabilities.

These updates resolve the JBIG2 filter buffer overflow issue from Security Advisory APSA09-01 and Security Bulletin APSB09-03 (CVE-2009-0658)
Note: there are reports that this issue is being exploited

These updates resolve additional JBIG2 input validation issues that could potentially lead to remote code execution. (CVE-2009-0193, CVE-2009-0928, CVE-2009-1061, CVE-2009-1062)

The Adobe Reader and Acrobat 9.1 and 7.1.1 updates resolve an input validation issue in a JavaScript method that could potentially lead to remote code execution. This issue has already been resolved in Adobe Reader 8.1.3 and Acrobat 8.1.3. (CVE-2009-0927)
Comment 14 errata-xmlrpc 2009-03-25 09:48:22 EDT
This issue has been addressed in following products:

  Extras for RHEL 3
  Extras for RHEL 4
  Extras for Red Hat Enterprise Linux 5

Via RHSA-2009:0376 https://rhn.redhat.com/errata/RHSA-2009-0376.html
Comment 15 Red Hat Product Security 2009-03-25 10:28:08 EDT
This issue was addressed in:

Red Hat Enterprise Linux Extras:
  http://rhn.redhat.com/errata/RHSA-2009-0376.html

Note You need to log in before you can comment on or make changes to this bug.