Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
First Last Prev Next    This bug is not in your last search results.
Bug 651133 - (CVE-2010-4091) CVE-2010-4091 acroread: remote DoS or possible arbitrary code execution via EScript.api plugin
CVE-2010-4091 acroread: remote DoS or possible arbitrary code execution via E...
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
urgent Severity urgent
: ---
: ---
Assigned To: Red Hat Product Security
public=20101104,reported=20101107,sou...
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2010-11-08 16:18 EST by Vincent Danen
Modified: 2018-03-01 11:30 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-06-04 10:32:00 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2010:0934 normal SHIPPED_LIVE Critical: acroread security update 2010-12-07 08:55:48 EST

  None (edit)
Description Vincent Danen 2010-11-08 16:18:28 EST 
Common Vulnerabilities and Exposures assigned an identifier CVE-2010-4091 to
the following vulnerability:

Name: CVE-2010-4091
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4091
Assigned: 20101025
Reference: EXPLOIT-DB:15419
Reference: URL: http://www.exploit-db.com/exploits/15419
Reference: FULLDISC:20101103 [0dayz] Acrobat Reader Memory Corruption Remote Arbitrary Code Execution
Reference: URL: http://archives.neohapsis.com/archives/fulldisclosure/2010-11/0024.html
Reference: MISC: http://blogs.adobe.com/psirt/2010/11/potential-issue-in-adobe-reader.html
Reference: BID:44638
Reference: URL: http://www.securityfocus.com/bid/44638
Reference: SECUNIA:42095
Reference: URL: http://secunia.com/advisories/42095
Reference: VUPEN:ADV-2010-2890
Reference: URL: http://www.vupen.com/english/advisories/2010/2890
Reference: XF:adobe-reader-pdf-file-ce(62996)
Reference: URL: http://xforce.iss.net/xforce/xfdb/62996

The EScript.api plugin in Adobe Acrobat Reader 9.4.0, 8.1.7, and
probably other versions allows remote attackers to cause a denial of
service (crash) and possibly execute arbitrary code via a crafted PDF
document that triggers memory corruption, involving the printSeps
function.  NOTE: some of these details are obtained from third party
information.

Note: the linked Adobe blog posting provides some mitigation steps by utilizing the JavaScript Blacklist Framework, the steps for which are reproduced below:

1. Go to the Global Prefs file at:
    /Reader/GlobalPrefs/reader_prefs
2. Add the following line to the file:
    /JavaScriptPerms [/c << /BlackList [/t (Doc.printSeps) ] >> ]
Comment 1 errata-xmlrpc 2010-12-01 16:18:24 EST 
This issue has been addressed in following products:

  Extras for RHEL 4
  Extras for Red Hat Enterprise Linux 5
  Extras for Red Hat Enterprise Linux 6

Via RHSA-2010:0934 https://rhn.redhat.com/errata/RHSA-2010-0934.html
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.