jhboricua Tux's lil' helper
Joined: 07 May 2002 Posts: 113
Posted: Wed May 29, 2002 2:53 pm Post subject: Adobe Acrobat 5.05 available for linux
Looks like it's been available since the 27th, but the Adobe site doesn't mention anything about it. The link to the Adobe FTP server that has the file is below.
ftp://ftp.adobe.com/pub/adobe/acrobatreader/unix/5.x/
474 l33t
Joined: 19 Apr 2002 Posts: 714
Posted: Sun Jun 02, 2002 8:14 pm Post subject: Well spotted
Nice one!
Zenham n00b
Joined: 04 Jul 2002 Posts: 13 Location: Earth
Posted: Fri Jul 19, 2002 6:19 pm Post subject: ebuild bug
There is a bug in the past couple (5, 6) versions of the Acrobat 5.05 ebuild. I did some troubleshooting and found the cause to be a path error in the wrapper script. A patch is attached to the bug report:
https://bugs.gentoo.org/show_bug.cgi?id=4046
Cheers _________________ Quality is Job 1.0.1d (plus patches). Any deviations from your preconceived notions of 'quality' and our product you should consider to be merely the advanced delusions of an extraordinarily warped psyche, you sick bastard.
Rutger n00b
Joined: 20 Jul 2002 Posts: 32 Location: Leiden, Netherlands
Posted: Sat Jul 20, 2002 12:44 am Post subject:
This is a known bug. The following comes from packages.mask:
# using securityfocus's perl wrapper script. but the bug still inherently
# exists in acroread, so I will mask it. users who really really want it
# are free to unmask.
>=app-text/acroread-5.05-r5
It seems it has indeed something to do with the wrapper thingy, but I think we had better wait until it's "safe" to use. Or did you really fix this problem?
Zenham n00b
Joined: 04 Jul 2002 Posts: 13 Location: Earth
Posted: Tue Jul 23, 2002 10:25 pm Post subject:
Quote: It seems it has indeed something to do with the wrapper thingy, but I think we had better wait until it's "safe" to use. Or did you really fix this problem?
I did not fix the bug in acroread; only Adobe can do that. What I *did* fix was to correct an error in the wrapper script. This wrapper prevents the exploit from being an issue (unless the user's home directory is world-writable, which is a whole 'nother ball of wax fish). It's a world-writable-file-in-tmp-which-follows-links exploit.
On top of that, as built by the last few (two, I think) versions of the ebuild for acroread, Acrobat would not, even when unmasked, work as a plug-in for Mozilla/Galeon. It would bomb, and lock down all browser processes to the point of requiring a kill -9. I fixed this as well... at least, I found what problems exist with the current ebuild, and documented the problems and how to resolve them.
What I posted *is* calling acroread through the security wrapper, assuming you make the link as I mentioned in the bug report to /opt/Acrobat5/acroread and not acroread.real; this is as secure as it gets (until Adobe fixes the problem itself).
Basically, the wrapper keeps you from running the Acrobat Reader as a privileged account, and changes the temp directory to ${HOME}/.acrobat, in order to make acroread make its font list in the user's home directory.
More basically, what my "fix" is, is a correction in the paths, and an annotation that the current ebuild is broken due to egregious uses of strip on non-executables, and due to the lack of a proper path in the wrapper script.
I did not provide a new ebuild file because I don't have write access to the CVS tree, and beyond that, I am only glancingly familiar with ebuild. What I've done is provide the solution.
For more info on the exploit:
http://online.securityfocus.com/archive/1/278984/2002-07-20/2002-07-26/2
To summarize:
1. No, acroread still has a security hole.
2. Yes, the wrapper (with my fix) works, and avoids that security hole.
3. No, that's not the only problem with the ebuild.
4. Yes, I posted the solution to the other problem.
5. Yes, you really should read the bug posting I provided the link for.
Cheers- _________________ Quality is Job 1.0.1d (plus patches). Any deviations from your preconceived notions of 'quality' and our product you should consider to be merely the advanced delusions of an extraordinarily warped psyche, you sick bastard.
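The wrapper behaviour described in the post above (refuse to run as a privileged account, and point acroread's temp files at ${HOME}/.acrobat instead of a shared /tmp) as an added illustrative POSIX sh script. This is not the securityfocus perl wrapper or the Gentoo ebuild's script; the acroread.real path and the ACROREAD_REAL override are assumptions.

```shell
#!/bin/sh
# Illustrative acroread wrapper (not the securityfocus script or the Gentoo
# ebuild's): refuse to run privileged, hand acroread a private per-user temp
# directory instead of the shared /tmp, then exec the real binary.
REAL_BIN="${ACROREAD_REAL:-/opt/Acrobat5/acroread.real}"   # assumed location

# Succeeds only when the effective uid is not 0.
not_privileged() {
    [ "$(id -u)" -ne 0 ]
}

# Create or validate a private directory for temp files. Fails if the path is
# a symlink, not a directory, or not owned by us, so a pre-planted link cannot
# redirect acroread's temp files (its font list) somewhere else.
prepare_private_tmp() {
    dir="$1"
    if [ -L "$dir" ]; then
        echo "refusing: $dir is a symlink" >&2; return 1
    fi
    # If a link appears between the check above and mkdir, mkdir fails (EEXIST).
    if [ ! -e "$dir" ]; then
        mkdir -m 0700 "$dir" || return 1
    fi
    [ -d "$dir" ] || { echo "refusing: $dir is not a directory" >&2; return 1; }
    [ -O "$dir" ] || { echo "refusing: $dir is not owned by uid $(id -u)" >&2; return 1; }
    chmod 0700 "$dir"     # tighten a pre-existing directory with a looser mode
}

run_acroread() {
    not_privileged || { echo "refusing to run acroread as root" >&2; return 1; }
    tmp="${HOME:?HOME is not set}/.acrobat"
    prepare_private_tmp "$tmp" || return 1
    TMPDIR="$tmp"; export TMPDIR
    exec "$REAL_BIN" "$@"
}

# Dispatch only when installed and invoked as the acroread wrapper itself.
case "$0" in
    */acroread|acroread) run_acroread "$@" ;;
esac
```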