[RHSA-2010:0037-01] Critical: acroread security and bug fix update

[news 28]

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

 

=====================================================================

Red Hat Security Advisory

 

Synopsis: Critical: acroread security and bug fix update

Advisory ID: RHSA-2010:0037-01

Product: Red Hat Enterprise Linux Extras

Advisory URL: https://rhn.redhat.com/errata/RHSA-2010-0037.html

Issue date: 2010-01-13

CVE Names: CVE-2009-3953 CVE-2009-3954 CVE-2009-3955

CVE-2009-3956 CVE-2009-3959 CVE-2009-4324

=====================================================================

 

1. Summary:

 

Updated acroread packages that fix multiple security issues and three bugs

are now available for Red Hat Enterprise Linux 5 Supplementary.

 

This update has been rated as having critical security impact by the Red

Hat Security Response Team.

 

2. Relevant releases/architectures:

 

RHEL Desktop Supplementary (v. 5 client) - i386, x86_64

RHEL Supplementary (v. 5 server) - i386, x86_64

 

3. Description:

 

Adobe Reader allows users to view and print documents in Portable Document

Format (PDF).

 

This update fixes several vulnerabilities in Adobe Reader. These

vulnerabilities are summarized on the Adobe Security Advisory APSB10-02

page listed in the References section. A specially-crafted PDF file could

cause Adobe Reader to crash or, potentially, execute arbitrary code as the

user running Adobe Reader when opened. (CVE-2009-4324, CVE-2009-3953,

CVE-2009-3954, CVE-2009-3955, CVE-2009-3959, CVE-2009-3956)

 

This update also fixes the following bugs:

 

* the acroread process continued to run even after closing a PDF file. If

multiple PDF files were opened and then closed, the acroread processes

continued to run and consume system resources (up to 100% CPU usage). With

this update, the acroread process correctly exits, which resolves this

issue. (BZ#473217)

 

* the PPKLite.api plug-in was missing, causing Adobe Reader to crash when

attempting to open signed PDF files. For such files, if an immediate crash

was not observed, clicking on the Signature Panel could trigger one. With

this update, the PPKLite.api plug-in is included, which resolves this

issue. (BZ#472975)

 

* Adobe Reader has been upgraded to version 9.3. (BZ#497957)

 

Adobe have discontinued support for Adobe Reader 8 for Linux. All users of

Adobe Reader are advised to install these updated packages, which contain

Adobe Reader version 9.3, which is not vulnerable to these issues and fixes

these bugs. All running instances of Adobe Reader must be restarted for the

update to take effect.

 

4. Solution:

 

Before applying this update, make sure that all previously-released

errata relevant to your system have been applied.

 

This update is available via Red Hat Network. Details on how to use

the Red Hat Network to apply this update are available at

http://kbase.redhat.com/faq/docs/DOC-11259

 

5. Bugs fixed (http://bugzilla.redhat.com/):

 

472975 - acroread missing PPKLite.api and crashes on signed PDFs

473217 - acroread takes 100% cpu and does not die when killed

547799 - CVE-2009-4324 acroread: media.newplayer JavaScript API code execution vulnerability (APSB10-02)

554293 - CVE-2009-3953 CVE-2009-3954 CVE-2009-3955 CVE-2009-3959 acroread: multiple code execution flaws (APSB10-02)

554296 - CVE-2009-3956 acroread: script injection vulnerability (APSB10-02)

 

6. Package List:

 

RHEL Desktop Supplementary (v. 5 client):

 

i386:

acroread-9.3-1.el5.i386.rpm

acroread-plugin-9.3-1.el5.i386.rpm

 

x86_64:

acroread-9.3-1.el5.i386.rpm

acroread-plugin-9.3-1.el5.i386.rpm

 

RHEL Supplementary (v. 5 server):

 

i386:

acroread-9.3-1.el5.i386.rpm

acroread-plugin-9.3-1.el5.i386.rpm

 

x86_64:

acroread-9.3-1.el5.i386.rpm

acroread-plugin-9.3-1.el5.i386.rpm

 

These packages are GPG signed by Red Hat for security. Our key and

details on how to verify the signature are available from

https://www.redhat.com/security/team/key/#package

 

7. References:

 

https://www.redhat.com/security/data/cve/CVE-2009-3953.html

https://www.redhat.com/security/data/cve/CVE-2009-3954.html

https://www.redhat.com/security/data/cve/CVE-2009-3955.html

https://www.redhat.com/security/data/cve/CVE-2009-3956.html

https://www.redhat.com/security/data/cve/CVE-2009-3959.html

https://www.redhat.com/security/data/cve/CVE-2009-4324.html

http://www.redhat.com/security/updates/classification/#critical

http://www.adobe.com/support/security/bulletins/apsb10-02.html

 

8. Contact:

 

The Red Hat security contact is . More contact

details at https://www.redhat.com/security/team/contact/

 

Copyright 2010 Red Hat, Inc.

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1.4.4 (GNU/Linux)

 

iD8DBQFLTfktXlSAg2UNWIIRAtxHAJ9WKDp5rvHdg6iaKnXZ6NCZPRdiIACgmsfz

BO8XjHIZODRu7ZK0nPM3FaE=

=983N

-----END PGP SIGNATURE-----

 

 

--