pkgsrc-Bugs archive


pkg/42688: old acroread packages should be removed, because of security risks



>Number:         42688
>Category:       pkg
>Synopsis:       old acroread packages should be removed, because of security risks
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    pkg-manager
>State:          open
>Class:          change-request
>Submitter-Id:   net
>Arrival-Date:   Fri Jan 29 00:05:00 +0000 2010
>Originator:     SODA Noriyuki
>Release:        NetBSD 5.0.1
>Organization:
>Environment:
System: NetBSD heab 5.0.1 NetBSD 5.0.1 (GENERIC) #0: Thu Jul 30 01:39:11 UTC 2009 builds%b8.netbsd.org@localhost:/home/builds/ab/netbsd-5-0-1-RELEASE/i386/200907292356Z-obj/home/builds/ab/netbsd-5-0-1-RELEASE/src/sys/arch/i386/compile/GENERIC i386
Architecture: i386
Machine: i386

>Description:

The acroread, acroread5, acroread7, and acroread8 packages
should be removed from pkgsrc, because:

- All of them have severe security holes.

- None of them is maintained anymore.
  from http://rhn.redhat.com/errata/RHSA-2010-0060.html
  > Adobe have discontinued support for Adobe Reader 8 for Linux.

- There are several alternative PDF readers which are usable.
  e.g. epdfview, evince, ... (acroread 9 is desirable too, though)

- The risks of continuing to use these packages are high.
  There are lots of 0-day attacks against Acrobat Reader
  (and Flash Player) these days.
  And even trustworthy web sites are not really trustworthy these days
  due to the Gumblar virus and its variants, which steal the passwords
  of web admins.
  And antivirus vendors claim that there is a threat of PDF viruses
  against Linux too:
    http://www.symantec.com/security_response/writeup.jsp?docid=2010-011922-0125-99
  Since acroread is a Linux binary, nearly all PDF viruses against
  Linux do work against NetBSD too, unless the virus relies on a
  Linux-specific kernel hole.

  If it's a TeX source file, the security risks can be practically
  avoided by knowledgeable users.  But the risks of PDF files
  cannot be avoided even by knowledgeable users these days.

- Having them in pkgsrc gives our users the false impression
  that there is a secure way to continue using them.


>How-To-Repeat:
>Fix:
cvs remove && cvs ci
