Red Hat Bugzilla – Bug 848183
acroread: multiple code execution flaw (APSB12-16)
Last modified: 2013-01-24 05:06:04 EST
Adobe security bulletin APSB12-16 describes numerous security flaws that can lead to arbitrary code execution in Adobe Reader:
These updates resolve a stack overflow vulnerability that could lead to code execution (CVE-2012-2049).
These updates resolve a buffer overflow vulnerability that could lead to code execution (CVE-2012-2050).
These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2012-2051, CVE-2012-4147, CVE-2012-4148, CVE-2012-4149, CVE-2012-4150, CVE-2012-4151, CVE-2012-4152, CVE-2012-4153, CVE-2012-4154, CVE-2012-4155, CVE-2012-4156, CVE-2012-4157, CVE-2012-4158, CVE-2012-4159, CVE-2012-4160).
These updates resolve a heap overflow vulnerability that could lead to code execution (CVE-2012-1525).
These updates resolve a memory corruption vulnerability that could lead to code execution (CVE-2012-4161) (Macintosh only).
These updates resolve a memory corruption vulnerability that could lead to code execution (CVE-2012-4162) (Macintosh only).
Two of these flaws are Mac-only; however, the bulletin does not state whether the Linux/UNIX builds of 9.x are affected. I've sent an email to PSIRT to confirm whether or not the Linux version is vulnerable to these issues.
Adobe has indicated that the next Adobe Reader for Linux will not be available for some time yet. As we cannot patch Reader in any way, we are constrained by the vendor's release schedule and as such will release updates as soon as they are made generally available.
Also refer to:
Specifically the "Support Model Change for Adobe Reader for Linux" which describes that Adobe will only release Reader for Linux updates twice a year (or every other quarterly release).
The acroread packages in Red Hat Enterprise Linux 5 and 6 Supplementary were updated to the latest upstream version 9.5.3 via RHSA-2013:0150:
According to the Adobe blog post linked in comment #3, this update should contain fixes for all known security issues fixed in previous updates that only provided new Adobe Reader versions for Windows and Macintosh platforms.
Even though upstream bulletin APSB12-16 did not get updated by Adobe to list Linux version 9.5.3 as fixing the listed security issues, previous upstream statements indicate that it should be assumed. Hence closing this.