Gentoo: GLSA-200408-14: acroread: UUDecode filename buffer overflow...

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200408-14
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: acroread: UUDecode filename buffer overflow
      Date: August 15, 2004
      Bugs: #60205
        ID: 200408-14

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
=======
acroread contains two errors in the handling of UUEncoded filenames
that may lead to execution of arbitrary code or programs.

Background
=========
acroread is Adobe's Acrobat PDF reader for Linux.

Affected packages
================
    -------------------------------------------------------------------
     Package            /  Vulnerable  /                    Unaffected
    -------------------------------------------------------------------
  1  app-text/acroread       <= 5.08                           >= 5.09

Description
==========
acroread contains two errors in the handling of UUEncoded filenames.
First, it fails to check the length of a filename before copying it
into a fixed size buffer and, secondly, it fails to check for the
backtick shell metacharacter in the filename before executing a command
with a shell.

Impact
=====
By enticing a user to open a PDF with a specially crafted filename, an
attacker could execute arbitrary code or programs with the permissions
of the user running acroread.

Workaround
=========
There is no known workaround at this time. All users are encouraged to
upgrade to the latest available version of acroread.

Resolution
=========
All acroread users should upgrade to the latest version:

    # emerge sync

    # emerge -pv ">=app-text/acroread-5.09"
    # emerge ">=app-text/acroread-5.09"

References
=========
  [ 1 ] iDEFENSE Advisory 125
        ;type=vulnerabilities
  [ 2 ] iDEFENSE Advisory 126
        ;type=vulnerabilities

Availability
===========
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

    https://security.gentoo.org/glsa/200408-14

Concerns?
========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org/.

License
======
Copyright 2004 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/1.0/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBH3efzKC5hMHO6rkRAqOrAJ9AvnKDxSb+Wwx9PDE1PrMdRJPR2gCgi8Eg
IqibOXjRcG0lw4PJhSUSC3E=xfgU
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Gentoo Linux Security Advisory GLSA 200408-14 https://security.gentoo.org/
Severity: Normal Title: acroread: UUDecode filename buffer overflow Date: August 15, 2004 Bugs: #60205 ID: 200408-14

Synopsis ======= acroread contains two errors in the handling of UUEncoded filenames that may lead to execution of arbitrary code or programs.
Background ========= acroread is Adobe's Acrobat PDF reader for Linux.
Affected packages ================ ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 app-text/acroread <= 5.08 >= 5.09
========== acroread contains two errors in the handling of UUEncoded filenames. First, it fails to check the length of a ...

Read the Full Advisory

Get the Latest News & Insights