[gentoo-dev] GLSA: acroread

[gentoo-dev] GLSA: acroread

[Seemant Kulleen]

- -----------------------------------------------------------------------
GLSA: GENTOO LINUX SECURITY ANNOUNCEMENT
- -----------------------------------------------------------------------
PACKAGE         : acroread  -- Adobe Acrobat Reader
SUMMARY         : security vulnerability in acroread
DATE            : Sun Jul  7 23:02:04 UTC 2002
- -----------------------------------------------------------------------

OVERVIEW

There is a temp file vulnerability that can be used to access user
accounts, and possibly gain system priveleges.

DETAIL


Acroread creates or overwrites the file /tmp/AdobeFnt06.lst.UID, and
changes its permissions to wide open (mode 666); it also follows
symlinks.

http://bugs.gentoo.org/show_bug.cgi?id=4657
http://online.securityfocus.com/archive/1/278984

SOLUTION

It is recommended that all Gentoo Linux users who are running acroread
update their systems as follows.

emerge --clean rsync
emerge unmerge acroread
emerge xpdf

For now, the acroread ebuild will issue a warning to users to unmerge the
package, and will proceed to emerge xpdf, for use as a pdf document
viewer.

- ------------------------------------------------------------------------
jago@telefragged.com
seemant@gentoo.org
drobbins@gentoo.org
- ------------------------------------------------------------------------

-- 
Seemant Kulleen
Developer and Project Co-ordinator,
Gentoo Linux					http://www.gentoo.org/~seemant