[RHSA-2008:0641-02] Critical: acroread security update

news · July 21, 2008

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

=====================================================================

Red Hat Security Advisory

Synopsis: Critical: acroread security update

Advisory ID: RHSA-2008:0641-02

Product: Red Hat Enterprise Linux Extras

Advisory URL: https://rhn.redhat.com/errata/RHSA-2008-0641.html

Issue date: 2008-07-21

CVE Names: CVE-2008-0883 CVE-2008-2641

=====================================================================

1. Summary:

Updated acroread packages that fix various security issues are now

available for Red Hat Enterprise Linux 3 Extras, 4 Extras, and 5 Supplementary.

This update has been rated as having critical security impact by the Red

Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 3 Extras - i386, x86_64

Red Hat Desktop version 3 Extras - i386, x86_64

Red Hat Enterprise Linux ES version 3 Extras - i386, x86_64

Red Hat Enterprise Linux WS version 3 Extras - i386, x86_64

Red Hat Enterprise Linux AS version 4 Extras - i386, x86_64

Red Hat Desktop version 4 Extras - i386, x86_64

Red Hat Enterprise Linux ES version 4 Extras - i386, x86_64

Red Hat Enterprise Linux WS version 4 Extras - i386, x86_64

RHEL Desktop Supplementary (v. 5 client) - i386, x86_64

RHEL Supplementary (v. 5 server) - i386, x86_64

3. Description:

Adobe Acrobat Reader allows users to view and print documents in Portable

Document Format (PDF).

An input validation flaw was discovered in a JavaScript engine used by

Acrobat Reader. A malicious PDF file could cause Acrobat Reader to crash

or, potentially, execute arbitrary code as the user running Acrobat Reader.

(CVE-2008-2641)

An insecure temporary file usage issue was discovered in the Acrobat Reader

"acroread" startup script. A local attacker could potentially overwrite

arbitrary files that were writable by the user running Acrobat Reader, if

the victim ran "acroread" with certain command line arguments.

(CVE-2008-0883)

All acroread users are advised to upgrade to these updated packages, that

contain Acrobat Reader version 8.1.2 Security Update 1, and are not

vulnerable to these issues.

4. Solution:

Before applying this update, make sure that all previously-released

errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use

the Red Hat Network to apply this update are available at

http://kbase.redhat.com/faq/FAQ_58_10188

5. Bugs fixed (http://bugzilla.redhat.com/):

436263 - CVE-2008-0883 acroread: insecure handling of temporary files

452632 - CVE-2008-2641 acroread: input validation issue in a JavaScript method

6. Package List:

Red Hat Enterprise Linux AS version 3 Extras:

i386:

acroread-8.1.2.SU1-2.i386.rpm

acroread-plugin-8.1.2.SU1-2.i386.rpm

x86_64:

acroread-8.1.2.SU1-2.i386.rpm

Red Hat Desktop version 3 Extras:

i386:

acroread-8.1.2.SU1-2.i386.rpm

acroread-plugin-8.1.2.SU1-2.i386.rpm

x86_64:

acroread-8.1.2.SU1-2.i386.rpm

Red Hat Enterprise Linux ES version 3 Extras:

i386:

acroread-8.1.2.SU1-2.i386.rpm

acroread-plugin-8.1.2.SU1-2.i386.rpm

x86_64:

acroread-8.1.2.SU1-2.i386.rpm

Red Hat Enterprise Linux WS version 3 Extras:

i386:

acroread-8.1.2.SU1-2.i386.rpm

acroread-plugin-8.1.2.SU1-2.i386.rpm

x86_64:

acroread-8.1.2.SU1-2.i386.rpm

Red Hat Enterprise Linux AS version 4 Extras:

i386: