Re[2]: Secunia Research: Adobe Reader JBIG2 Symbol Dictionary Buffer Overflow

To: "Eric C. Lukens" <eric.lukens@xxxxxxx>
Subject: Re[2]: Secunia Research: Adobe Reader JBIG2 Symbol Dictionary Buffer Overflow
From: "Vladimir '3APA3A' Dubrovin" <3APA3A@xxxxxxxxxxxxxxxx>
Date: Wed, 25 Mar 2009 22:55:32 +0300
Cc: bugtraq@xxxxxxxxxxxxxxxxx
In-reply-to: <49CA8408.8040000@xxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Organization: http://www.security.nnov.ru
References: <200903250922.n2P9M5l6016676@xxxxxxxxxxxxxx> <87myb9k10c.fsf@xxxxxxxxxxxxxxxxx> <49CA8408.8040000@xxxxxxx>
Reply-to: "Vladimir '3APA3A' Dubrovin" <3APA3A@xxxxxxxxxxxxxxxx>

Dear Eric C. Lukens,

US-CERT  note  TA09-051A  on this issue beeing exploited in-the-wild was
issued on February, 20.

http://www.us-cert.gov/cas/techalerts/TA09-051A.html

--Wednesday, March 25, 2009, 10:20:40 PM, you wrote to 
bugtraq@xxxxxxxxxxxxxxxxx:

ECL> I noticed that as well, but suspected they were notified via more then
ECL> one mechanism or had already found the bug internally. I find it funny
ECL> that they had the final code ready on the 28th, but still didn't get it
ECL> out to the public for another 2 weeks.  I suppose they ran it through
ECL> one last QA procedure, or they just don't like to deliver things early.

ECL> -Eric

ECL> -------- Original Message  --------
ECL> Subject: Re: Secunia Research: Adobe Reader JBIG2 Symbol Dictionary
ECL> Buffer Overflow
ECL> From: Florian Weimer <fw@xxxxxxxxxxxxx>
ECL> To: Secunia Research <remove-vuln@xxxxxxxxxxx>
ECL> Cc: bugtraq@xxxxxxxxxxxxxxxxx
ECL> Date: 3/25/09 11:42 AM
>> * Secunia Research:
>>
>>   
>>> ======================================================================
>>> 5) Solution 
>>>
>>> Update to version 7.1.1, 8.1.4, or 9.1.
>>>
>>> ======================================================================
>>> 6) Time Table 
>>>
>>> 06/03/2009 - Vendor notified.
>>> 07/03/2009 - Vendor response.
>>> 25/03/2009 - Public disclosure.
>>>     
>>
>> Something doesn't add up because the 9.1 binary I've got was created
>> on February 28th, according to Verisign's time stamping signature in
>> the Authenticode signature.
>>   



-- 
Skype: Vladimir.Dubrovin
~/ZARAZA http://securityvulns.com/

References:
- Secunia Research: Adobe Reader JBIG2 Symbol Dictionary Buffer Overflow
  - From: Secunia Research
- Re: Secunia Research: Adobe Reader JBIG2 Symbol Dictionary Buffer Overflow
  - From: Florian Weimer
- Re: Secunia Research: Adobe Reader JBIG2 Symbol Dictionary Buffer Overflow
  - From: Eric C. Lukens

Prev by Date: Re: Secunia Research: Adobe Reader JBIG2 Symbol Dictionary Buffer Overflow
Next by Date: [SECURITY] [DSA 1755-1] New systemtap packages fix local privilege escalation
Previous by thread: Re: Secunia Research: Adobe Reader JBIG2 Symbol Dictionary Buffer Overflow
Next by thread: [SECURITY] [DSA 1745-2] New lcms packages fix regression
Index(es):
- Date
- Thread