Packaging acrotex with TeX Live

Henri Menke henri at henrimenke.de
Mon Oct 12 19:55:42 CEST 2020


On 12/10/20, 13:45, Jim Diamond via tex-live wrote:
> On Mon, Oct 12, 2020 at 17:36 (+0200), Henri Menke via tex-live wrote:
> 
> > On 12/10/20, 11:41, Jim Diamond via tex-live wrote:
> 
> >> That is not true.  I recently got Acrobat reader 9.5.5 running on
> >> Slackware64-current (which is very up to date, unlike Slackware 14.2,
> >> the most recent "released" version of Slackware).  To get it running
> >> there I needed to install some 32-compatibility stuff (which, as I
> >> understand it, many 64-bit Linux distributions install by default),
> >> but that was about it.
> 
> > Even if you can run Adobe Reader 9.5.5, you definitely shouldn't.  It
> > has tons of unfixed code execution vulnerabilities.
> 
> > https://www.cvedetails.com/vulnerability-list/vendor_id-53/product_id-497/version_id-124630/Adobe-Acrobat-Reader-9.5.html
> 
> I think one of us is not interpreting that page correctly.  (I think
> it was you.)  (Unless my eyes deceive me) All of those vulnerabilities
> say "***before*** 9.5.5" (or 9.5.4 or 9.5.3).  And so it would seem to
> me they don't apply to 9.5.5.

You're right, but all of these apply:

https://nvd.nist.gov/vuln/search/results?adv_search=true&cpe_version=cpe:2.3:a:adobe:acrobat_reader:9.5.5:*:*:*:*:*:*:*

> 
> > It is also vulnerable to a whole class of information exfiltration
> > attacks.
> 
> > https://www.pdf-insecurity.org/
> 
> That might be so.  But for someone looking at documents which are not
> signed (or have other security features), I don't see the relevance.

You're missing the point.  If you open a document that contains forms,
they can be used to exfiltrate whatever you enter into those forms to a
remote attacker.

> 
> I realize this thread started with someone talking about PDF viewers
> which support security features, but (at most) I think you could advise
> "don't use PDF files for security applications", as opposed to "Don't
> use Acroread 9.5.5".

By that logic you could also say “don't use your computer for security
applications” as opposed to “don't use Windows XP”.  Using outdated
software with known vulnerabilities is *always* a bad idea.

Cheers, Henri

> 
> Cheers.
>                                 Jim

