发布时间 :2005-01-10 00:00:00
修订时间 :2008-09-10 15:29:21

[原文]Buffer overflow in the mailListIsPdf function in Adobe Acrobat Reader 5.09 for Unix allows remote attackers to execute arbitrary code via an e-mail message with a crafted PDF attachment.

[CNNVD]Adobe AcrobatReader mailListIsPdf 缓冲区溢出漏洞(CNNVD-200501-104)

        Adobe Acrobat Reader是用于查看PDF文档的软件。
        Unix下的Adobe Acrobat Reader5.09版本中的mailListIsPdf函数存在缓冲区溢出漏洞。

- CVSS (基础分值)

CVSS分值: 10 [严重(HIGH)]
机密性影响: COMPLETE [完全的信息泄露导致所有系统文件暴露]
完整性影响: COMPLETE [系统完整性可被完全破坏]
可用性影响: COMPLETE [可能导致系统完全宕机]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)


- OVAL (用于检测的技术细节)


- 官方数据库链接
(官方数据源) MITRE
(官方数据源) NVD
(官方数据源) CNNVD

- 其它链接及资源
(VENDOR_ADVISORY)  IDEFENSE  20041214 Adobe Acrobat Reader 5.0.9 mailListIsPdf() Buffer Overflow Vulnerability
(UNKNOWN)  XF  adobe-acrobat-maillistlspdf-bo(18477)

- 漏洞信息

Adobe AcrobatReader mailListIsPdf 缓冲区溢出漏洞
危急 缓冲区溢出
2005-01-10 00:00:00 2005-10-20 00:00:00
        Adobe Acrobat Reader是用于查看PDF文档的软件。
        Unix下的Adobe Acrobat Reader5.09版本中的mailListIsPdf函数存在缓冲区溢出漏洞。

- 公告与补丁


- 漏洞信息 (F35336)

iDEFENSE Security Advisory 2004-12-14.t (PacketStormID:F35336)
2004-12-30 00:00:00
iDefense Labs,Greg MacManus

iDEFENSE Security Advisory 12.14.2004 - Remote exploitation of a buffer overflow in version 5.09 of Adobe Acrobat Reader for Unix could allow for execution of arbitrary code.

Adobe Acrobat Reader 5.0.9 mailListIsPdf() Buffer Overflow Vulnerability

iDEFENSE Security Advisory 12.14.04
December 14, 2004


Adobe Acrobat Reader is a program for viewing Portable Document Format
(PDF) documents. More information is available at the following site:


Remote exploitation of a buffer overflow in version 5.09 of Adobe 
Acrobat Reader for Unix could allow for execution of arbitrary code.

The vulnerability specifically exists in a the function mailListIsPdf().

This function checks if the input file is an email message containing 
a PDF. It unsafely copies user supplied data using strcat into a fixed 
sized buffer.


Successful exploitation allows an attacker to execute arbitrary code 
under the privileges of the local user. Remote exploitation is possible 
by sending a specially crafted e-mail and attaching either the 
maliciously crafted PDF document or a link to it.


iDEFENSE has confirmed the existence of this vulnerability in Adobe 
Acrobat Reader version 5.0.9 for Unix. Previous versions of Adobe 
Acrobat Reader 5 for Unix are suspected also to be vulnerable.


User awareness is the best defense against this class of attack. 
Users should be aware of the existence of such attacks and proceed with 
caution when following links from suspicious and/or unsolicited e-mail.

Additionally, you may wish to apply the following unofficial patch from 
iDEFENSE Labs to the acroread shell script. The acroread shell script 
calls the appropriate binary for the platform. The patch adds a check
that ensures that files passed as arguments to acroread are in fact PDF 
documents. This patch will not protect against files opened from within
the Acrobat Reader GUI.

The bin/ directory of the application contains an 'acroread' shell
script while the Reader/ directory contains a binary with the same name.
The command 'file acroread', when executed in the same directory as the
shell script, should return the line:

acroread: a /bin/sh script text executable

This result indicates the existence of the appropriate file that the
patch below can be applied to.


--- acroread.orig 2004-10-13 17:25:57.000000000 -0400
+++ acroread 2004-10-13 17:55:43.000000000 -0400
@@ -309,6 +309,16 @@
 if [ -f "$ACRO_EXEC_CMD" ] ; then
+  for CHECK in ${1+"$@"};
+  do
+   [ -f "$CHECK" ] && {
+    file "$CHECK" | grep "PDF document" || \
+    {
+     echo "$CHECK" exists, but is not a PDF document. 
+     exit 1;
+    }
+   }
+   done
   exec "$ACRO_EXEC_CMD" ${1+"$@"}
   echo "ERROR: Cannot find $ACRO_EXEC_CMD"


This vulnerability is fixed in Adobe Acrobat Reader 5.0.10 for Unix.
Further details of the vulnerability are available in the following
knowledgebase article:


The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2004-1152 to this issue. This is a candidate for inclusion
in the CVE list (, which standardizes names for
security problems.


10/14/2004  Initial vendor notification
10/15/2004  Initial vendor response
12/14/2004  Coordinated public disclosure


This vulnerability was discovered by Greg MacManus, iDEFENSE Labs.

Get paid for vulnerability research


Copyright (c) 2004 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.

- 漏洞信息

Adobe Acrobat Reader mailListIsPdf() Function Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity Third-Party Solution
Exploit Unknown

- 漏洞描述

A remote overflow exists in Adobe Acrobat Reader. The Adobe Acrobat Reader fails to validate the mailListIsPdf() function resulting in a buffer overflow. With a specially crafted request, an attacker can cause execute arbitrary code resulting in a loss of integrity.

- 时间线

2004-12-14 2004-10-14
Unknow Unknow

- 解决方案

Upgrade to version 5.0.10 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- 相关参考

- 漏洞作者

Unknown or Incomplete

- 漏洞信息

Adobe Acrobat Reader Email Message Remote Buffer Overflow Vulnerability
Boundary Condition Error 11923
Yes No
2004-12-14 12:00:00 2009-07-12 09:26:00
Greg MacManus of iDEFENSE Labs is credited with the discovery of this issue.

- 受影响的程序版本

Adobe Acrobat Reader (UNIX) 5.0.9
+ Gentoo Linux
+ S.u.S.E. Linux 8.1
+ S.u.S.E. Linux 8.0 i386
+ S.u.S.E. Linux 8.0
+ S.u.S.E. Linux Connectivity Server
+ S.u.S.E. Linux Database Server 0
+ S.u.S.E. Linux Desktop 1.0
+ S.u.S.E. Linux Enterprise Server 9
+ S.u.S.E. Linux Personal 9.2
+ S.u.S.E. Linux Personal 9.1
+ S.u.S.E. Linux Personal 9.0 x86_64
+ S.u.S.E. Linux Personal 9.0
+ S.u.S.E. Linux Personal 8.2
+ SuSE SUSE Linux Enterprise Server 8
+ SuSE SUSE Linux Enterprise Server 7
Adobe Acrobat Reader (UNIX) 5.0.10
+ Gentoo Linux

- 不受影响的程序版本

Adobe Acrobat Reader (UNIX) 5.0.10
+ Gentoo Linux

- 漏洞讨论

A remote buffer overflow vulnerability reportedly affects the email message checking functionality in Adobe Acrobat Reader for Unix. This issue is due to a failure of the application to properly validate the length of user-supplied strings prior to copying them into static process buffers.

An attacker may exploit this issue to execute arbitrary code with the privileges of the user that activated the vulnerable application. This may facilitate unauthorized access or privilege escalation.

It should be noted that this issue only affects Adobe Acrobat Reader for the Unix platform.

- 漏洞利用

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: <>.

- 解决方案

The vendor has released an upgrade dealing with this issue. Please see the referenced vendor knowledgebase article.

Gentoo Linux has released an advisory (GLSA 200412-12) resolving this issue. All Adobe Acrobat Reader users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-text/acroread-5.10"

For more information, please see the referenced Gentoo Linux advisory.

Red Hat has released advisory RHSA-2004:674-07 to address this issue in Red Hat Enterprise Linux. Please see the advisory in Web references for more information.

SuSE Linux has released a summary report (SUSE-SR:2005:001) advising that this as well as other issues have been resolved. Please see the referenced advisory for more information.

Adobe Acrobat Reader (UNIX) 5.0.9

- 相关参考