Gentoo Forums
Adobe Acrobat 5.05 available for linux
jhboricua
Tux's lil' helper


Joined: 07 May 2002
Posts: 113

Posted: Wed May 29, 2002 2:53 pm    Post subject: Adobe Acrobat 5.05 available for linux

Looks like it's been available since the 27th but the Adobe site doesn't mention anything about it. The link to the Adobe FTP server that has the file is below.

ftp://ftp.adobe.com/pub/adobe/acrobatreader/unix/5.x/
474
l33t


Joined: 19 Apr 2002
Posts: 714

Posted: Sun Jun 02, 2002 8:14 pm    Post subject: Well spotted

Nice one!
Zenham
n00b


Joined: 04 Jul 2002
Posts: 13
Location: Earth

Posted: Fri Jul 19, 2002 6:19 pm    Post subject: ebuild bug

There is a bug in the past couple (5,6) versions of the Acrobat 5.05 ebuild. I did some troubleshooting and found the cause to be a path error in the wrapper script. A patch is attached to the bug report:

https://bugs.gentoo.org/show_bug.cgi?id=4046

Cheers
_________________
Quality is Job 1.0.1d (plus patches). Any deviations from your preconceived notions of 'quality' and our product you should consider to be merely the advanced delusions of an extraordinarily warped psyche, you sick bastard.
Rutger
n00b


Joined: 20 Jul 2002
Posts: 32
Location: Leiden, Netherlands

Posted: Sat Jul 20, 2002 12:44 am    Post subject:

This is a known bug. The following comes from packages.mask:

# using securityfocus's perl wrapper script. but the bug still inherently
# exists in acroread, so I will mask it. users who really really want it
# are free to unmask.
>=app-text/acroread-5.05-r5

It seems it has indeed something to do with the wrapper thingy, but I think we better wait until it's "safe" to use. Or did you really fix this problem?
Zenham
n00b


Joined: 04 Jul 2002
Posts: 13
Location: Earth

Posted: Tue Jul 23, 2002 10:25 pm    Post subject:

Quote:
It seems it has indeed something to do with the wrapper thingy, but I think we better wait until it's "safe" to use. Or did you really fix this problem?


I did not fix the bug in acroread, only Adobe can do that. What I *did* fix was to correct an error in the wrapper script. This wrapper prevents the exploit from being an issue (unless the user's home directory is world-writable, which is a whole 'nother ball of wax fish). It's a world-writable-file-in-tmp-which-follows-links exploit.

On top of that, as built by the last few (two, I think) versions of the ebuild for acroread, Acrobat would not, even when unmasked, work as a plug-in for Mozilla/Galeon. It would bomb, and lock down all browser processes to the point of requiring a kill -9. I fixed this, as well... at least, I found what problems exist with the current ebuild, and documented the problems and how to resolve them.

What I posted *is* calling acroread through the security wrapper, assuming you make the link as I mentioned in the bug report to /opt/Acrobat5/acroread and not acroread.real; this is as secure as it gets (until Adobe fixes the problem itself).

Basically, the wrapper keeps you from running the acrobat reader as a privileged account, and changes the temp directory to ${HOME}/.acrobat, in order to make acroread make its font list in the user's home directory.

More basically, what my "fix" is, is a correction in the paths, and an annotation that the current ebuild is broken due to egregious uses of strip on non-executables, and due to the lack of a proper path in the wrapper script.

I did not provide a new ebuild file because I don't have write access to the CVS tree, and beyond that, I am only glancingly familiar with ebuild. What I've done is provide the solution.

For more info on the exploit:

http://online.securityfocus.com/archive/1/278984/2002-07-20/2002-07-26/2

To summarize:

1. No, acroread still has a security hole.
2. Yes, the wrapper (with my fix) works, and avoids that security hole.
3. No, that's not the only problem with the ebuild.
4. Yes, I posted the solution to the other problem.
5. Yes, you really should read the bug posting I provided the link for :)

Cheers-
_________________
Quality is Job 1.0.1d (plus patches). Any deviations from your preconceived notions of 'quality' and our product you should consider to be merely the advanced delusions of an extraordinarily warped psyche, you sick bastard.
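
The checks the last post attributes to the wrapper (no privileged account, temp directory moved to ${HOME}/.acrobat, and the world-writable-home caveat), as an added shell example; it is not the SecurityFocus Perl wrapper or the ebuild's script. REAL_BIN is a placeholder path, and exporting TMPDIR as the way to redirect the reader's temp files is an assumption.

```shell
#!/bin/sh
# Added example, not the SecurityFocus Perl wrapper or the Gentoo ebuild's script.
# REAL_BIN is a placeholder: point it at wherever acroread.real is installed.
REAL_BIN="${REAL_BIN:-/path/to/acroread.real}"

# Refuse to run the reader from a privileged account (uid 0).
refuse_root() { [ "$1" -ne 0 ]; }

# Succeed only if $1 is a directory we own that is not world-writable.
# The ls mode string is "drwxrwxrwx"; character 9 is the "other" write bit.
is_safe_home() {
    [ -d "$1" ] && [ -O "$1" ] || return 1
    case "$(ls -ld "$1/.")" in
        ????????w*) return 1 ;;
    esac
}

# Create (or validate) the private temp directory under the given home and
# print its path. A pre-existing symlink, a non-directory, or a directory
# owned by someone else is rejected rather than followed.
prepare_private_tmp() {
    home=$1; dir="$home/.acrobat"
    is_safe_home "$home" || return 1
    if [ -L "$dir" ]; then return 1; fi
    if [ ! -e "$dir" ]; then
        (umask 077 && mkdir "$dir") || return 1
    fi
    [ -d "$dir" ] && [ -O "$dir" ] || return 1
    chmod 700 "$dir" || return 1
    printf '%s\n' "$dir"
}

main() {
    refuse_root "$(id -u)" || { echo "acroread: refusing to run as root" >&2; exit 1; }
    tmp=$(prepare_private_tmp "$HOME") || { echo "acroread: unsafe \$HOME or \$HOME/.acrobat" >&2; exit 1; }
    # Assumption: the reader honours TMPDIR for its temporary files.
    TMPDIR=$tmp; export TMPDIR
    exec "$REAL_BIN" "$@"
}

# Launch only when installed under the name the post links to (.../acroread).
case "$0" in
    */acroread|acroread) main "$@" ;;
esac
```

Because the temp files now live in a mode-700 directory that the launcher has verified is a real directory owned by the caller, another local user cannot pre-plant a link for the reader to follow.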