Packaging acrotex with TeX Live

Jim Diamond Jim.Diamond at acadiau.ca
Tue Oct 13 04:26:57 CEST 2020


On Mon, Oct 12, 2020 at 19:55 (+0200), Henri Menke via tex-live wrote:

> On 12/10/20, 13:45, Jim Diamond via tex-live wrote:
>> On Mon, Oct 12, 2020 at 17:36 (+0200), Henri Menke via tex-live wrote:

>>> On 12/10/20, 11:41, Jim Diamond via tex-live wrote:

>>>> That is not true.  I recently got Acrobat reader 9.5.5 running on
>>>> Slackware64-current (which is very up to date, unlike Slackware 14.2,
>>>> the most recent "released" version of Slackware).  To get it running
>>>> there I needed to install some 32-compatibility stuff (which, as I
>>>> understand it, many 64-bit Linux distributions install by default),
>>>> but that was about it.

>>> Even if you can run Adobe Reader 9.5.5, you definitely shouldn't.  It
>>> has tons of unfixed code execution vulnerabilities.

>>> https://www.cvedetails.com/vulnerability-list/vendor_id-53/product_id-497/version_id-124630/Adobe-Acrobat-Reader-9.5.html

>> I think one of us is not interpreting that page correctly.  (I think
>> it was you.)  (Unless my eyes deceive me) All of those vulnerabilities
>> say "***before*** 9.5.5" (or 9.5.4 or 9.5.3).  And so it would seem to
>> me they don't apply to 9.5.5.

> You're right, but all of these apply:

> https://nvd.nist.gov/vuln/search/results?adv_search=true&cpe_version=cpe:2.3:a:adobe:acrobat_reader:9.5.5:*:*:*:*:*:*:*

I looked at a few of those, and clearly there are lots of issues.
More on this in my next comment.


>>> It is also vulnerable to a whole class of information exfiltration
>>> attacks.

>>> https://www.pdf-insecurity.org/

>> That might be so.  But for someone looking at documents which are not
>> signed (or have other security features), I don't see the relevance.

> You're missing the point.  If you open a document that contains forms,
> they can be used to exfiltrate whatever you enter into those forms to a
> remote attacker.

So you seem to be saying "don't use Acroread 9.5.5 on PDF documents
with forms from untrusted sources".  This is good knowledge.  But it
is a lot different than "you definitely shouldn't use Acroread 9.5.5
at all".  For example, I'm not seeing why I shouldn't use Acroread to
look at PDF docs that I created.  Or that were created by people I
trust.


>> I realize this thread started with someone talking about PDF viewers
>> which support security features, but (at most) I think you could advise
>> "don't use PDF files for security applications", as opposed to "Don't
>> use Acroread 9.5.5".

> By that logic you could also say “don't use your computer for security
> applications” as opposed to “don't use Windows XP”.  Using outdated
> software with known vulnerabilities is *always* a bad idea.

I disagree.  I really don't see how me looking at (form free) PDF
files I created with Acroread is a bad idea.  And if I wanted to
restrict myself to using a computer system which I am 100% certain has
no vulnerabilities, I guess I'd have to audit the motherboard to see
if any components have been added by the fabricator, and also to audit
every line of code of every bit of software.  That is impractical, so
I have to accept that there is a certain risk with using any computer.
One can reduce one's risk by knowing about significant vulnerabilities
and avoiding them (and, again, knowing about the issues Acroread has
with PDFs with forms is valuable information, thanks for that), but
pretending that "non-outdated" software with no publicly known
vulnerabilities is perfectly safe is clearly not sensible.

Cheers.
                                Jim
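The practical middle ground the thread lands on is "know whether a PDF carries forms (or other active content) before opening it in a reader you don't fully trust". The script below is an added example, not code from the thread or from any TeX Live or AcroTeX project: it scans a PDF's raw bytes for the standard PDF name objects that mark interactive forms and active content (`/AcroForm`, `/SubmitForm`, `/JavaScript`, `/Launch`, `/URI`, all real keys from the PDF specification) and flags whether the scan could be incomplete because the file uses compressed object streams (`/ObjStm`), where those names would not be visible without decompression. The two sample documents, the `example.invalid` submit URL and the function names are constructed for the example.

```python
import re
import sys

# PDF name objects whose presence means the document can do more than render text.
# /AcroForm and /SubmitForm are the ones relevant to the form-exfiltration point in
# the thread; the others are further active-content markers (all real keys from the
# PDF spec, ISO 32000-1).
DESCRIPTIONS = {
    "/AcroForm": "interactive form dictionary present",
    "/SubmitForm": "submit-form action (can send field contents to a URL)",
    "/JavaScript": "embedded JavaScript action",
    "/Launch": "launch action (runs an external program)",
    "/URI": "URI action",
}

# A PDF name token ends at whitespace or a delimiter; the lookahead stops
# /AcroForm from matching inside a longer, unrelated name such as /AcroFormX.
_NAME_RE = re.compile(rb"/(AcroForm|SubmitForm|JavaScript|Launch|URI)(?![A-Za-z0-9#_.\-])")


def scan_pdf_bytes(data: bytes) -> dict:
    """Return {name: count} for every suspect name object found in the raw bytes."""
    hits = {}
    for m in _NAME_RE.finditer(data):
        name = "/" + m.group(1).decode("ascii")
        hits[name] = hits.get(name, 0) + 1
    return hits


def classify_pdf(data: bytes) -> dict:
    """Summarise a PDF: does it carry a form, and can we trust a raw scan?"""
    hits = scan_pdf_bytes(data)
    return {
        "hits": hits,
        "has_form": "/AcroForm" in hits or "/SubmitForm" in hits,
        # Objects inside object streams are Flate-compressed; a raw-byte scan
        # cannot see names stored there, so a clean result is not a guarantee.
        "scan_incomplete": b"/ObjStm" in data,
    }


# Constructed sample: a minimal single-page PDF with no interactive content.
PLAIN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample: the same document plus one text field whose action submits
# the form contents to a remote URL (placeholder host, not a real endpoint).
FORM_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /AcroForm << /Fields [4 0 R] >> >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Widget /FT /Tx /T (name) /Rect [50 700 300 720]
           /A << /S /SubmitForm /F (http://example.invalid/collect) /Flags 4 >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def report(label: str, data: bytes) -> None:
    result = classify_pdf(data)
    verdict = "HAS FORM / ACTIVE CONTENT" if result["has_form"] else "no form markers found"
    print(f"{label}: {verdict}")
    for name, count in sorted(result["hits"].items()):
        print(f"  {name} x{count}: {DESCRIPTIONS[name]}")
    if result["scan_incomplete"]:
        print("  note: object streams present, raw scan may miss names")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                report(path, fh.read())
    else:
        report("plain.pdf (constructed)", PLAIN_PDF)
        report("form.pdf (constructed)", FORM_PDF)
```

Run it with one or more PDF paths to check real files, or with no arguments to see it classify the two constructed samples. Treat a clean result as advisory only: besides object streams, names can be hex-escaped (`/Acro#46orm`) and a proper check should parse the document with a real PDF library and walk the catalog's `/AcroForm` entry.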

