Bug 848183 - (CVE-2012-1525, CVE-2012-2049, CVE-2012-2050, CVE-2012-2051, CVE-2012-4147, CVE-2012-4148, CVE-2012-4149, CVE-2012-4150, CVE-2012-4151, CVE-2012-4152, CVE-2012-4153, CVE-2012-4154, CVE-2012-4155, CVE-2012-4156, CVE-2012-4157, CVE-2012-4158, CVE-2012-4159, CVE-2012-4160) acroread: multiple code execution flaw (APSB12-16)
Status: CLOSED CURRENTRELEASE
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: urgent
Severity: urgent
Assigned To: Red Hat Product Security
Whiteboard: impact=critical,public=20120814,repor...
Keywords: Security
Blocks: 848188

Reported: 2012-08-14 16:36 EDT by Vincent Danen
Modified: 2013-01-24 05:06 EST (History)
Doc Type: Bug Fix
Last Closed: 2013-01-24 05:06:04 EST

Description Vincent Danen 2012-08-14 16:36:52 EDT
Adobe security bulletin APSB12-16 describes numerous security flaws that can lead to arbitrary code execution in Adobe Reader:

These updates resolve a stack overflow vulnerability that could lead to code execution (CVE-2012-2049).

These updates resolve a buffer overflow vulnerability that could lead to code execution (CVE-2012-2050).

These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2012-2051, CVE-2012-4147, CVE-2012-4148, CVE-2012-4149, CVE-2012-4150, CVE-2012-4151, CVE-2012-4152, CVE-2012-4153, CVE-2012-4154, CVE-2012-4155, CVE-2012-4156, CVE-2012-4157, CVE-2012-4158, CVE-2012-4159, CVE-2012-4160).

These updates resolve a heap overflow vulnerability that could lead to code execution (CVE-2012-1525).

These updates resolve a memory corruption vulnerability that could lead to code execution (CVE-2012-4161) (Macintosh only).

These updates resolve a memory corruption vulnerability that could lead to code execution (CVE-2012-4162) (Macintosh only).

Two of these flaws are Mac-only; however, the bulletin does not describe whether the Linux/UNIX builds of 9.x are affected.  I've sent an email to PSIRT to confirm whether or not the Linux version is vulnerable to these issues.

External References:

http://www.adobe.com/support/security/bulletins/apsb12-16.html
Comment 2 Vincent Danen 2012-08-16 11:18:32 EDT
Adobe has indicated that the next Adobe Reader for Linux will not be available for some time yet.  As we cannot patch Reader in any way, we are constrained by the vendor's release schedule and as such will release updates as soon as they are made generally available.
Comment 3 Vincent Danen 2012-08-16 11:24:06 EDT
Also refer to:

http://blogs.adobe.com/asset/2011/06/notes-on-adobe-reader-and-acrobat-10-1.html

Specifically the "Support Model Change for Adobe Reader for Linux" which describes that Adobe will only release Reader for Linux updates twice a year (or every other quarterly release).
Comment 4 Tomas Hoger 2012-08-17 04:02:10 EDT
http://gynvael.coldwind.pl/?id=483
Comment 5 Tomas Hoger 2013-01-24 05:06:04 EST
The acroread packages in Red Hat Enterprise Linux 5 and 6 Supplementary were updated to the latest upstream version 9.5.3 via RHSA-2013:0150:

https://rhn.redhat.com/errata/RHSA-2013-0150.html

According to the Adobe blog post linked in comment #3, this update should contain fixes for all known security issues fixed in previous updates that only provided new Adobe Reader versions for Windows and Macintosh platforms.

Even though upstream bulletin APSB12-16 did not get updated by Adobe to list Linux version 9.5.3 as fixing listed security issues, previous upstream statements indicate that should be assumed.  Hence closing this.
