NetBSD Problem Report #42688

From soda@NetBSD.org  Fri Jan 29 00:01:01 2010
Return-Path: <soda@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
	by www.NetBSD.org (Postfix) with ESMTP id 1BFA763C2BC
	for <gnats-bugs@gnats.NetBSD.org>; Fri, 29 Jan 2010 00:01:01 +0000 (UTC)
Message-Id: <19298.9530.712858.798881@gargle.gargle.HOWL>
Date: Fri, 29 Jan 2010 09:00:58 +0900
From: soda@NetBSD.org
Reply-To: soda@NetBSD.org
To: gnats-bugs@gnats.NetBSD.org
Subject: old acroread packages should be removed, because of security risks
X-Send-Pr-Version: 3.95

>Number:         42688
>Category:       pkg
>Synopsis:       old acroread packages should be removed, because of security risks
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    joerg
>State:          open
>Class:          change-request
>Submitter-Id:   net
>Arrival-Date:   Fri Jan 29 00:05:00 +0000 2010
>Last-Modified:  Fri Jan 29 18:48:31 +0000 2010
>Originator:     SODA Noriyuki
>Release:        NetBSD 5.0.1
>Organization:
>Environment:
System: NetBSD heab 5.0.1 NetBSD 5.0.1 (GENERIC) #0: Thu Jul 30 01:39:11 UTC 2009 builds@b8.netbsd.org:/home/builds/ab/netbsd-5-0-1-RELEASE/i386/200907292356Z-obj/home/builds/ab/netbsd-5-0-1-RELEASE/src/sys/arch/i386/compile/GENERIC i386
Architecture: i386
Machine: i386

>Description:

acroread, acroread5, acroread7, and acroread8 packages
should be removed from pkgsrc, because:

- All of them have severe security holes.

- None of them are maintained anymore.
  from http://rhn.redhat.com/errata/RHSA-2010-0060.html
  > Adobe have discontinued support for Adobe Reader 8 for Linux.

- There are several alternative PDF readers which are usable.
  e.g. epdfview, evince, ... (acroread 9 is desirable too, though)

- The risks of continuing to use these packages are high.
  There are lots of 0-day attacks against Acrobat Reader
  (and Flash Player) these days.
  And even trustworthy web sites are not really trustworthy these days
  due to the Gumblar virus and its variants which steal passwords
  of web admins.
  And antivirus vendors claim that there is a threat of PDF viruses
  against linux too:
    http://www.symantec.com/security_response/writeup.jsp?docid=2010-011922-0125-99
  Since acroread is a linux binary, nearly all PDF viruses against
  linux do work against NetBSD too, unless the virus relies on a
  linux-specific kernel hole.

  If it's a TeX source file, security risks could be practically
  avoided by knowledgeable users.  But the risks about PDF files
  cannot be avoided even by knowledgeable users these days.

- Having them in pkgsrc gives a false impression to our users
  that there is a secure way to continue to use them.


>How-To-Repeat:
>Fix:
cvs remove && cvs ci

>Release-Note:

>Audit-Trail:

Responsible-Changed-From-To: pkg-manager->joerg
Responsible-Changed-By: asau@NetBSD.org
Responsible-Changed-When: Fri, 29 Jan 2010 18:48:31 +0000
Responsible-Changed-Why:
Assign to proponent of the move.


>Unformatted:
