FreeBSD : acroread uudecoder input validation error (78348ea2-ec91-11d8-b913-000c41e2cdad)

critical Nessus Plugin ID 14266

Synopsis

The remote FreeBSD host is missing one or more security-related updates.

Description

An iDEFENSE security advisory reports:

Remote exploitation of an input validation error in the uudecoding feature of Adobe Acrobat Reader (Unix) 5.0 allows an attacker to execute arbitrary code.

The Unix and Linux versions of Adobe Acrobat Reader 5.0 automatically attempt to convert uuencoded documents back into their original format. The vulnerability specifically exists in the failure of Acrobat Reader to check for the backtick shell metacharacter in the filename before executing a command with a shell. This allows a maliciously constructed filename to execute arbitrary programs.

Solution

Update the affected packages.

See Also

http://www.nessus.org/u?09112fc9

http://www.nessus.org/u?3843030f

Plugin Details

Severity: Critical

ID: 14266

File Name: freebsd_acroread_509.nasl

Version: 1.15

Type: local

Published: 8/12/2004

Updated: 11/10/2018

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.8

CVSS v2

Risk Factor: Critical

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:acroread, p-cpe:/a:freebsd:freebsd:acroread4, p-cpe:/a:freebsd:freebsd:acroread5, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Patch Publication Date: 8/12/2004

Vulnerability Publication Date: 8/12/2004

Reference Information

CVE: CVE-2004-0630