Note: This is an archival copy of Security Sun Alert 240106 as previously published on http://sunsolve.sun.com.
The latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1019499.1.
Solaris 10 Operating System
Date of Workaround Release
Date of Resolved Release
Multiple Security Vulnerabilities in the Adobe Reader may lead to Execution of Arbitrary Code and Overwrite Arbitrary Files
Multiple security vulnerabilities in the Adobe Reader may allow remote unprivileged users to execute arbitrary code with the permissions of the local user or create a Denial of Service (DoS) condition. In addition, Adobe Reader may give local users the ability to overwrite arbitrary files through the use of symbolic links.
These issues are described in the following documents:
APSB08-15 at http://www.adobe.com/support/security/bulletins/apsb08-15.html
CVE-2008-0883 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0883
CVE-2008-2641 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2641
2. Contributing Factors
These issues can occur in the following release:
To determine the version of Adobe Reader installed on the system, the following command can be run:
$ /usr/bin/acroread -version
To determine earlier versions of Adobe Reader installed on a system (i.e., Solaris 10 3/05), the following command can be run (depending on whichever of the following files exists):
$ cat /usr/sfw/lib/Acrobat5/Reader/AcroVersion
$ cat /usr/lib/AdobeReader/Reader/AcroVersion
$ cat /usr/lib/AdobeReader/Adobe/Reader8/Reader/AcroVersion
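The version checks above combined into one inventory function, as an added example that is not part of the original Sun Alert. The function name `acro_inventory` and its optional root-prefix argument (for checking an alternate root or a mounted system image) are assumptions made for illustration; only the paths and the `-version` option come from this advisory.

```shell
#!/bin/sh
# Added example: report every Adobe Reader version present, using the
# locations named in this advisory. acro_inventory and its root-prefix
# argument are hypothetical names, not part of any Sun or Adobe tool.
# Backticks are used so the function also works with the legacy
# Solaris 10 /bin/sh.

acro_inventory() {
    root="${1:-}"
    found=1   # exit status stays 1 until at least one installation is seen

    # Live system only: ask the launcher itself. Binaries under an
    # alternate root are never executed, only their version files are read.
    if [ -z "$root" ] && [ -x /usr/bin/acroread ]; then
        ver=`/usr/bin/acroread -version 2>/dev/null | head -n 1`
        echo "/usr/bin/acroread: ${ver:-unknown}"
        found=0
    fi

    # Earlier installs: read whichever AcroVersion files exist. More than
    # one copy can be present, so report all of them instead of stopping
    # at the first match.
    for f in \
        /usr/sfw/lib/Acrobat5/Reader/AcroVersion \
        /usr/lib/AdobeReader/Reader/AcroVersion \
        /usr/lib/AdobeReader/Adobe/Reader8/Reader/AcroVersion
    do
        if [ -r "$root$f" ]; then
            ver=`head -n 1 "$root$f" | tr -d '\r'`
            echo "$root$f: ${ver:-unknown}"
            found=0
        fi
    done

    if [ "$found" -ne 0 ]; then
        echo "no Adobe Reader installation found under ${root:-/}" >&2
    fi
    return "$found"
}

# Usage: acro_inventory             (live system)
#        acro_inventory /a          (alternate root mounted at /a)
```

Compare each reported version against the fixed versions listed in APSB08-15; any remaining older copy is still reachable by users and browser helper settings.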
There are no predictable symptoms that would indicate these issues have been exploited to execute arbitrary code.
To avoid the described issues, do not load PDF files from untrusted sources.
This can be done in Mozilla as follows:
This can be done in Firefox as follows:
This issue is addressed in the following release:
08-Aug-2008: Updated Note in Contributing Factors section for clarification
10-Sep-2008: Updated Contributing Factors and Resolution sections, re-release Resolved
This solution has no attachment