
Security Advisory Critical: Adobe Acrobat Reader security update

Advisory: RHSA-2007:0021-5
Type: Security Advisory
Severity: Critical
Issued on: 2007-01-22
Last updated on: 2007-01-23
Affected Products: Red Hat Enterprise Linux Extras (v. 3)
CVEs (cve.mitre.org): CVE-2006-5857, CVE-2007-0045, CVE-2007-0046

Details

Updated acroread packages that fix several security issues are now
available for Red Hat Enterprise Linux 3.

This update has been rated as having critical security impact by the Red
Hat Security Response Team.

[Updated 23 Jan 2007]
The previous acroread packages were missing dependencies on the new
libraries which could prevent acroread from starting. Replacement acroread
packages have been added to this erratum to correct this issue.

The Adobe Reader allows users to view and print documents in portable
document format (PDF).

A cross-site scripting flaw was found in the way the Adobe Reader Plugin
processes certain malformed URLs. A malicious web page could inject
arbitrary JavaScript into the browser session, which could possibly lead to
a cross-site scripting attack. (CVE-2007-0045)

Two arbitrary code execution flaws were found in the way Adobe Reader
processes malformed document files. It may be possible to execute arbitrary
code on a victim's machine if the victim opens a malicious PDF file.
(CVE-2006-5857, CVE-2007-0046)

Please note that Adobe Reader 7.0.9 requires versions of several system
libraries that were not shipped with Red Hat Enterprise Linux 3. This
update contains additional packages that provide the required system
library versions for Adobe Reader. These additional packages are only
required by Adobe Reader and do not replace or affect any other aspects of
a Red Hat Enterprise Linux 3 system.

All users of Adobe Reader are advised to upgrade to these updated packages,
which contain Adobe Reader version 7.0.9 and additional libraries to
correct these issues.


Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which are
not installed but included in the list will not be updated. Note that you
can also use wildcards (*.rpm) if your current directory *only* contains the
desired RPMs.

Please note that this update is also available via Red Hat Network. Many
people find this an easier way to apply updates. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.
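As an added example that is not part of the Red Hat advisory: a POSIX shell script that checks each downloaded package against the MD5 checksums listed under "Updated packages" and runs rpm -K (signature and digest check against the imported Red Hat key) before applying rpm -Fvh. It assumes the RPMs are in the current directory and that md5sum or openssl is available; the verify_md5 and verify_manifest helper names are my own.

```shell
# Added example, not Red Hat's code: verify checksums and signatures
# before running the rpm -Fvh step from the advisory.

# Compute the MD5 of a file with md5sum, falling back to openssl.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        openssl dgst -md5 "$1" | awk '{print $NF}'
    fi
}

# Compare one file against its expected MD5. Returns 0 on match, 1 otherwise.
verify_md5() {
    file="$1"; expected="$2"
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    actual=$(md5_of "$file")
    [ "$actual" = "$expected" ] && return 0
    echo "MD5 mismatch for $file: got $actual, expected $expected" >&2
    return 1
}

# Walk a manifest of "<file> <md5>" lines; return 0 only if every file checks out.
verify_manifest() {
    rc=0
    while read -r f sum; do
        [ -n "$f" ] || continue
        verify_md5 "$f" "$sum" || rc=1
    done <<EOF
$1
EOF
    return $rc
}

# IA-32 package checksums copied from the advisory's package list.
MANIFEST="acroread-7.0.9-1.1.1.EL3.i386.rpm 18b5fd7db955cdfec7b3af2d72a6f754
acroread-libs-atk-1.8.0-1.el3.i386.rpm bcfe0cb05b7d3194a65d2bc8c8b289f8
acroread-libs-glib2-2.4.7-1.i386.rpm 4aea6e8bfa27bf71bc7ef430e4b8076a
acroread-libs-gtk2-2.4.13-1.el3.i386.rpm 720711f3a9e0cb8dd1bb98d150ada90d
acroread-libs-gtk2-engines-2.2.0-1.el3.i386.rpm 7802f2d33784b6e5ae4a28528ba961c4
acroread-libs-pango-1.6.0-1.el3.i386.rpm cec6e37353b38494b59d523f13817abe
acroread-plugin-7.0.9-1.1.1.EL3.i386.rpm bd9a6b55071dcc8ad17c6af70c6f7cd5"

# Apply only when both the checksums and the GPG signatures are good.
# Usage: sh verify_update.sh apply   (run from the directory holding the RPMs)
if [ "${1:-}" = "apply" ]; then
    verify_manifest "$MANIFEST" || exit 1
    rpm -K acroread*.rpm || exit 1
    rpm -Fvh acroread*.rpm
fi
```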

Updated packages

Red Hat Enterprise Linux Extras (v. 3)

SRPMS:
ftp://updates.redhat.com/rhn/repository/NULL/acroread-libs-atk/1.8.0-1.el3/SRPMS/acroread-libs-atk-1.8.0-1.el3.src.rpm
    MD5: c8c681d74a7d65be04aefc9f848914d8
ftp://updates.redhat.com/rhn/repository/NULL/acroread-libs-glib2/2.4.7-1/SRPMS/acroread-libs-glib2-2.4.7-1.src.rpm
    MD5: f17da5b78ca5cd10f9e3f8f083ad38b0
ftp://updates.redhat.com/rhn/repository/NULL/acroread-libs-gtk2/2.4.13-1.el3/SRPMS/acroread-libs-gtk2-2.4.13-1.el3.src.rpm
    MD5: bfe3be45fa23625f26c9cc1aed72c8c6
ftp://updates.redhat.com/rhn/repository/NULL/acroread-libs-gtk2-engines/2.2.0-1.el3/SRPMS/acroread-libs-gtk2-engines-2.2.0-1.el3.src.rpm
    MD5: c5112e91b1edcd6cd6afbe5b4171caeb
ftp://updates.redhat.com/rhn/repository/NULL/acroread-libs-pango/1.6.0-1.el3/SRPMS/acroread-libs-pango-1.6.0-1.el3.src.rpm
    MD5: a8c4b57e277f3b3f812a901b36f3c137

IA-32:
acroread-7.0.9-1.1.1.EL3.i386.rpm
File outdated by: RHSA-2009:1499
    MD5: 18b5fd7db955cdfec7b3af2d72a6f754
ftp://updates.redhat.com/rhn/repository/NULL/acroread-libs-atk/1.8.0-1.el3/i386/acroread-libs-atk-1.8.0-1.el3.i386.rpm
    MD5: bcfe0cb05b7d3194a65d2bc8c8b289f8
ftp://updates.redhat.com/rhn/repository/NULL/acroread-libs-glib2/2.4.7-1/i386/acroread-libs-glib2-2.4.7-1.i386.rpm
    MD5: 4aea6e8bfa27bf71bc7ef430e4b8076a
ftp://updates.redhat.com/rhn/repository/NULL/acroread-libs-gtk2/2.4.13-1.el3/i386/acroread-libs-gtk2-2.4.13-1.el3.i386.rpm
    MD5: 720711f3a9e0cb8dd1bb98d150ada90d
ftp://updates.redhat.com/rhn/repository/NULL/acroread-libs-gtk2-engines/2.2.0-1.el3/i386/acroread-libs-gtk2-engines-2.2.0-1.el3.i386.rpm
    MD5: 7802f2d33784b6e5ae4a28528ba961c4
ftp://updates.redhat.com/rhn/repository/NULL/acroread-libs-pango/1.6.0-1.el3/i386/acroread-libs-pango-1.6.0-1.el3.i386.rpm
    MD5: cec6e37353b38494b59d523f13817abe
acroread-plugin-7.0.9-1.1.1.EL3.i386.rpm
File outdated by: RHSA-2009:1499
    MD5: bd9a6b55071dcc8ad17c6af70c6f7cd5

x86_64:
acroread-7.0.9-1.1.1.EL3.i386.rpm
File outdated by: RHSA-2009:1499
    MD5: 18b5fd7db955cdfec7b3af2d72a6f754
ftp://updates.redhat.com/rhn/repository/NULL/acroread-libs-atk/1.8.0-1.el3/i386/acroread-libs-atk-1.8.0-1.el3.i386.rpm
    MD5: bcfe0cb05b7d3194a65d2bc8c8b289f8
ftp://updates.redhat.com/rhn/repository/NULL/acroread-libs-glib2/2.4.7-1/i386/acroread-libs-glib2-2.4.7-1.i386.rpm
    MD5: 4aea6e8bfa27bf71bc7ef430e4b8076a
ftp://updates.redhat.com/rhn/repository/NULL/acroread-libs-gtk2/2.4.13-1.el3/i386/acroread-libs-gtk2-2.4.13-1.el3.i386.rpm
    MD5: 720711f3a9e0cb8dd1bb98d150ada90d
ftp://updates.redhat.com/rhn/repository/NULL/acroread-libs-gtk2-engines/2.2.0-1.el3/i386/acroread-libs-gtk2-engines-2.2.0-1.el3.i386.rpm
    MD5: 7802f2d33784b6e5ae4a28528ba961c4
ftp://updates.redhat.com/rhn/repository/NULL/acroread-libs-pango/1.6.0-1.el3/i386/acroread-libs-pango-1.6.0-1.el3.i386.rpm
    MD5: cec6e37353b38494b59d523f13817abe


Bugs fixed (see bugzilla for more information)

222273 - CVE-2006-5857 Multiple Acrobat vulnerabilities (CVE-2007-0045 CVE-2007-0046)
223946 - acroread package lacks proper depends on acroread-libs-*


These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/