Bug 676157 (CVE-2011-0562, CVE-2011-0563, CVE-2011-0565, CVE-2011-0566, CVE-2011-0567, CVE-2011-0585, CVE-2011-0586, CVE-2011-0589, CVE-2011-0590, CVE-2011-0591, CVE-2011-0592, CVE-2011-0593, CVE-2011-0594, CVE-2011-0595, CVE-2011-0596, CVE-2011-0598, CVE-2011-0599, CVE-2011-0600, CVE-2011-0602, CVE-2011-0603, CVE-2011-0606) - CVE-2011-0562 CVE-2011-0563 CVE-2011-0565 CVE-2011-0566 CVE-2011-0567 CVE-2011-0585 CVE-2011-0586 CVE-2011-0589 CVE-2011-0590 CVE-2011-0591 CVE-2011-0592 CVE-2011-0593 CVE-2011-0594 CVE-2011-0595 acroread: critical APSB11-03
Summary: CVE-2011-0562 CVE-2011-0563 CVE-2011-0565 CVE-2011-0566 CVE-2011-0567 CVE-201...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2011-0562, CVE-2011-0563, CVE-2011-0565, CVE-2011-0566, CVE-2011-0567, CVE-2011-0585, CVE-2011-0586, CVE-2011-0589, CVE-2011-0590, CVE-2011-0591, CVE-2011-0592, CVE-2011-0593, CVE-2011-0594, CVE-2011-0595, CVE-2011-0596, CVE-2011-0598, CVE-2011-0599, CVE-2011-0600, CVE-2011-0602, CVE-2011-0603, CVE-2011-0606
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 676161 676162 676163
Blocks:
Reported: 2011-02-08 23:16 UTC by Vincent Danen
Modified: 2019-09-29 12:42 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-06-04 14:32:39 UTC
Embargoed:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2011:0301 | 0 | normal | SHIPPED_LIVE | Critical: acroread security update | 2011-02-23 21:17:46 UTC

Description Vincent Danen 2011-02-08 23:16:13 UTC
Adobe security bulletin APSB11-03 describes multiple security flaws that can lead to arbitrary code execution when a malicious PDF file is opened in Adobe Reader.

http://www.adobe.com/support/security/bulletins/apsb11-03.html

These updates resolve a library-loading vulnerability that could lead to code execution (CVE-2011-0562).

These updates resolve a memory corruption vulnerability that could lead to code execution (CVE-2011-0563).

These updates resolve a denial of service vulnerability; arbitrary code execution has not been demonstrated, but may be possible (CVE-2011-0565).

These updates resolve an image-parsing memory corruption vulnerability that could lead to code execution (CVE-2011-0566).

These updates resolve an image-parsing memory corruption vulnerability that could lead to code execution (CVE-2011-0567).

These updates resolve a library-loading vulnerability that could lead to code execution (CVE-2011-0570).

These updates resolve a denial of service vulnerability; arbitrary code execution has not been demonstrated, but may be possible (CVE-2011-0585).

These updates resolve an input validation vulnerability that could lead to code execution (CVE-2011-0586).

These updates resolve a library-loading vulnerability that could lead to code execution (CVE-2011-0588).

These updates resolve a memory corruption vulnerability that could lead to code execution (CVE-2011-0589).

These updates resolve a 3D file parsing input validation vulnerability that could lead to code execution (CVE-2011-0590).

These updates resolve a 3D file parsing input validation vulnerability that could lead to code execution (CVE-2011-0591).

These updates resolve a 3D file parsing input validation vulnerability that could lead to code execution (CVE-2011-0592).

These updates resolve a 3D file parsing input validation vulnerability that could lead to code execution (CVE-2011-0593).

These updates resolve a font parsing input validation vulnerability that could lead to code execution (CVE-2011-0594).

These updates resolve a 3D file parsing input validation vulnerability that could lead to code execution (CVE-2011-0595).

These updates resolve an image parsing input validation vulnerability that could lead to code execution (CVE-2011-0596).

These updates resolve an image parsing input validation vulnerability that could lead to code execution (CVE-2011-0598).

These updates resolve an image parsing input validation vulnerability that could lead to code execution (CVE-2011-0599).

These updates resolve a 3D file parsing input validation vulnerability that could lead to code execution (CVE-2011-0600).

These updates resolve an image parsing input validation vulnerability that could lead to code execution (CVE-2011-0602).

These updates resolve an image-parsing memory corruption vulnerability that could lead to code execution (CVE-2011-0603).

These updates resolve a memory corruption vulnerability that could lead to code execution (CVE-2011-0606).

These flaws were corrected in Adobe Reader 9.4.2.  The UNIX packages for Adobe Reader are expected the week of February 28th.


In addition, APSB11-03 also notes a flaw that was reported to have been fixed in APSB10-28 (where it was noted as a memory corruption vulnerability):

These updates resolve an input validation vulnerability that could lead to code execution (CVE-2010-4091).

Comment 2 Vincent Danen 2011-02-09 01:21:18 UTC
Upstream responded and indicated that CVE-2010-4091 was resolved in Adobe Reader 9.4.1 (APSB10-28), and that APSB11-03 fully resolves the issue in 8.2.6 and 10.0.1.

Comment 4 Vincent Danen 2011-02-11 04:10:46 UTC
CVE-2011-0570 and CVE-2011-0588 are Windows-specific and do not affect the UNIX platform.

Comment 5 Tomas Hoger 2011-02-23 07:58:22 UTC
Updated version 9.4.2 is now available on Adobe FTP:
  ftp://ftp.adobe.com/pub/adobe/reader/unix/9.x/9.4.2/

Comment 6 errata-xmlrpc 2011-02-23 21:17:51 UTC
This issue has been addressed in the following products:

  Extras for RHEL 4
  Supplementary for Red Hat Enterprise Linux 5
  Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2011:0301 https://rhn.redhat.com/errata/RHSA-2011-0301.html

