Bug 749381 (CVE-2011-2431, CVE-2011-2432, CVE-2011-2433, CVE-2011-2434, CVE-2011-2435, CVE-2011-2436, CVE-2011-2437, CVE-2011-2438, CVE-2011-2439, CVE-2011-2440, CVE-2011-2442, CVE-2011-4374) - acroread: multiple code execution flaws (APSB11-24)
Summary: acroread: multiple code execution flaws (APSB11-24)
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2011-2431, CVE-2011-2432, CVE-2011-2433, CVE-2011-2434, CVE-2011-2435, CVE-2011-2436, CVE-2011-2437, CVE-2011-2438, CVE-2011-2439, CVE-2011-2440, CVE-2011-2442, CVE-2011-4374
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 737587 737588 737589
Blocks: 751852
Reported: 2011-10-26 21:11 UTC by Vincent Danen
Modified: 2019-09-29 12:48 UTC (History)

Fixed In Version: acroread 9.4.6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-01-18 23:25:55 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2011:1434 0 normal SHIPPED_LIVE Critical: acroread security update 2011-11-08 16:13:47 UTC

Description Vincent Danen 2011-10-26 21:11:06 UTC
Adobe security bulletin APSB11-24 describes multiple security flaws that can
lead to arbitrary code execution when a malicious PDF file is opened in Adobe
Reader.

http://www.adobe.com/support/security/bulletins/apsb11-24.html

These updates resolve a security bypass vulnerability that could lead to code execution (CVE-2011-2431). 

These updates resolve a buffer overflow vulnerability in the U3D TIFF Resource that could lead to code execution (CVE-2011-2432). 

These updates resolve a heap overflow vulnerability that could lead to code execution (CVE-2011-2433). 

These updates resolve a heap overflow vulnerability that could lead to code execution (CVE-2011-2434).

These updates resolve a buffer overflow vulnerability that could lead to code execution (CVE-2011-2435).

These updates resolve a heap overflow vulnerability in the Adobe image parsing library that could lead to code execution (CVE-2011-2436). 

These updates resolve a heap overflow vulnerability that could lead to code execution (CVE-2011-2437). 

These updates resolve three stack overflow vulnerabilities in the Adobe image parsing library that could lead to code execution (CVE-2011-2438). 

These updates resolve a memory leakage condition vulnerability that could lead to code execution (CVE-2011-2439). 

These updates resolve a use-after-free vulnerability that could lead to code execution (CVE-2011-2440). 

These updates resolve a logic error vulnerability that could lead to code execution (CVE-2011-2442). 

These updates also incorporate the Adobe Flash Player updates as noted in Security Bulletin APSB11-21 and Security Bulletin APSB11-26.

Comment 1 Vincent Danen 2011-10-26 21:15:49 UTC
Adobe Reader 9.4.6 for UNIX is currently scheduled to be released on November 7, 2011.

Comment 2 errata-xmlrpc 2011-11-08 11:14:09 UTC
This issue has been addressed in following products:

  Extras for RHEL 4
  Supplementary for Red Hat Enterprise Linux 5
  Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2011:1434 https://rhn.redhat.com/errata/RHSA-2011-1434.html

Comment 3 Vincent Danen 2012-01-18 23:25:08 UTC
Adobe has updated their bulletin APSB11-24 today with the following:

These updates resolve an integer overflow vulnerability that could lead to code execution (Adobe Reader 9.x on Linux only) (CVE-2011-4374).  This fix would already be in our already-released packages that provide 9.4.6.

