APPLE-SA-2008-09-15 Mac OS X v10.5.5 and Security Update 2008-006

Mac OS X v10.5.5 and Security Update 2008-006 are now available and address the following issues:

ATS
CVE-ID: CVE-2008-2305
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.4, Mac OS X Server v10.5 through v10.5.4
Impact: Viewing a document containing a maliciously crafted font may lead to arbitrary code execution
Description: A heap buffer overflow exists in Apple Type Services' handling of PostScript font names. Viewing a document containing a maliciously crafted font may lead to arbitrary code execution. This update addresses the issue by performing additional validation of font names. Credit to Chris Ries of Carnegie Mellon University Computing Services for reporting this issue.

BIND
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.4, Mac OS X Server v10.5 through v10.5.4
Impact: BIND is updated to address performance issues
Description: BIND is updated to version 9.4.2-P2 to address performance issues. For Mac OS X v10.4.11 systems, BIND is updated to version 9.3.5-P2. For Mac OS X v10.5.4 systems, BIND is updated to version 9.4.2-P2. Further information is available via the ISC web site at http://www.isc.org/index.pl?/sw/bind/

ClamAV
CVE-ID: CVE-2008-1100, CVE-2008-1387, CVE-2008-0314, CVE-2008-1833, CVE-2008-1835, CVE-2008-1836, CVE-2008-1837, CVE-2008-2713, CVE-2008-3215
Available for: Mac OS X Server v10.4.11, Mac OS X Server v10.5 through v10.5.4
Impact: Multiple vulnerabilities in ClamAV 0.92.1
Description: Multiple vulnerabilities exist in ClamAV 0.92.1, the most serious of which may lead to arbitrary code execution. This update addresses the issues by updating to ClamAV 0.93.3.
Further information is available via the ClamAV website at http://www.clamav.net/

Directory Services
CVE-ID: CVE-2008-2329
Available for: Mac OS X v10.5 through v10.5.4, Mac OS X Server v10.5 through v10.5.4
Impact: A person with access to the login screen may be able to list user names
Description: An information disclosure issue exists in Login Window when it is configured to authenticate users with Active Directory. By supplying wildcard characters in the user name field, a list of user names from Active Directory may be displayed. This update addresses the issue through improved processing of user names in Directory Services. Credit to IT Department of the West Seneca Central School District for reporting this issue.

Directory Services
CVE-ID: CVE-2008-2330
Available for: Mac OS X Server v10.4.11, Mac OS X Server v10.5 through v10.5.4
Impact: A local user may obtain the server password if an OpenLDAP system administrator runs slapconfig
Description: An insecure file operation issue exists in the slapconfig tool used for configuring OpenLDAP. A local user can cause the password entered by a system administrator running slapconfig to be written to a file controlled by the user. This update addresses the issue by checking the return value of the mkfifo function.

Finder
CVE-ID: CVE-2008-2331
Available for: Mac OS X v10.5 through v10.5.4, Mac OS X Server v10.5 through v10.5.4
Impact: The Get Info window may not display the actual privileges for a file
Description: Finder does not update the displayed permissions under some circumstances in a Get Info window. After clicking the lock button, changes to the filesystem Sharing & Permissions will take effect, but will not be displayed. This update addresses the issue by properly updating the displayed permissions when access privileges on a file are changed. This issue does not affect systems prior to Mac OS X v10.5. Credit to Michel Colman for reporting this issue.
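
The Directory Services entry for CVE-2008-2330 above says the slapconfig fix was to check the return value of mkfifo. The following is an added example, not Apple's code and not part of the advisory, showing why an ignored mkfifo() result lets a pre-existing file be used in place of the FIFO, next to a checked form. The function names, the "pw" file name and the scratch directory are assumptions made for the illustration.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Flawed pattern: mkfifo()'s result is dropped, so when `path` already
 * exists the caller goes on to open an object it did not create. */
int open_fifo_unchecked(const char *path)
{
    (void)mkfifo(path, 0600);                  /* failure goes unnoticed */
    return open(path, O_RDONLY | O_NONBLOCK);
}

/* Hardened pattern: stop if mkfifo() fails, then confirm on the open
 * descriptor that this is a FIFO we own with no group/other access. */
int open_fifo_checked(const char *path)
{
    struct stat st;
    int fd;

    if (mkfifo(path, 0600) != 0)
        return -1;                             /* e.g. EEXIST: pre-created */
    fd = open(path, O_RDONLY | O_NONBLOCK | O_NOFOLLOW);
    if (fd >= 0 && fstat(fd, &st) == 0 && S_ISFIFO(st.st_mode) &&
        st.st_uid == geteuid() && (st.st_mode & (S_IRWXG | S_IRWXO)) == 0)
        return fd;
    if (fd >= 0)
        close(fd);
    unlink(path);                              /* remove the FIFO we made */
    return -1;
}

int main(void)
{
    char dir[] = "/tmp/fifo_demo_XXXXXX";      /* constructed scratch dir */
    int fd;

    if (mkdtemp(dir) == NULL || chdir(dir) != 0)
        return 1;
    /* Constructed stand-in for a file another local user created first. */
    close(open("pw", O_CREAT | O_EXCL | O_WRONLY, 0644));
    fd = open_fifo_unchecked("pw");
    printf("unchecked: fd=%d (opened the pre-existing file)\n", fd);
    if (fd >= 0)
        close(fd);
    fd = open_fifo_checked("pw");
    printf("checked:   fd=%d (%s)\n", fd, fd < 0 ? strerror(errno) : "ok");
    unlink("pw");
    rmdir(dir);
    return 0;
}
```

Creating the FIFO inside a directory that only the administrator can write to removes the pre-creation window altogether.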

Finder
CVE-ID: CVE-2008-3613
Available for: Mac OS X v10.5 through v10.5.4, Mac OS X Server v10.5 through v10.5.4
Impact: An attacker with access to the local network may cause a denial of service
Description: A null pointer dereference issue exists in the Finder when it searches for a remote disc. An attacker with access to the local network can cause Finder to exit immediately after it starts, making the system unusable. This update addresses the issue by adding a check for a null pointer. This issue only affects these configurations: any product running Mac OS X v10.5.2, MacBook Air running Mac OS X v10.5.3, and MacBook Air running Mac OS X v10.5.4. Credit to Yuxuan Wang of Sogou for reporting this issue.

ImageIO
CVE-ID: CVE-2008-2327
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.4, Mac OS X Server v10.5 through v10.5.4
Impact: Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution
Description: Multiple uninitialized memory access issues exist in libTIFF's handling of LZW-encoded TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through proper memory initialization and additional validation of TIFF images.

ImageIO
CVE-ID: CVE-2008-2332
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.4, Mac OS X Server v10.5 through v10.5.4
Impact: Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in ImageIO's handling of TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved processing of TIFF images. Credit to Robert Swiecki of Google Security Team for reporting this issue.

ImageIO
CVE-ID: CVE-2008-3608
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.4, Mac OS X Server v10.5 through v10.5.4
Impact: Viewing a large maliciously crafted JPEG image may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in ImageIO's handling of embedded ICC profiles in JPEG images. Viewing a large maliciously crafted JPEG image may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved processing of JPEG images.

ImageIO
CVE-ID: CVE-2008-1382
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.4, Mac OS X Server v10.5 through v10.5.4
Impact: libpng in ImageIO is updated to version 1.2.29
Description: libpng in ImageIO is updated to version 1.2.29. CVE-2008-1382 is not known to affect the use of libpng in ImageIO, and this update is applied as a precautionary measure.

Kernel
CVE-ID: CVE-2008-3609
Available for: Mac OS X v10.5 through v10.5.4, Mac OS X Server v10.5 through v10.5.4
Impact: Files may be accessed by a local user who does not have the proper permissions
Description: Cached credentials are not always flushed when a vnode is recycled. This may allow a local user to read or write to a file where the permissions would not allow it. This update addresses the issue through improved handling of purged vnodes. Credit to Nevin ":-)" Liber, Thomas Pelaia of Oak Ridge National Lab, Thomas Tempelmann, and Ram Kolli for reporting this issue.

libresolv
CVE-ID: CVE-2008-1447
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.4, Mac OS X Server v10.5 through v10.5.4
Impact: libresolv is susceptible to DNS cache poisoning and may return forged information
Description: libresolv provides translation between host names and IP addresses for applications that use its unicast DNS resolution API.
A weakness in the DNS protocol may allow remote attackers to perform DNS cache poisoning attacks. As a result, applications that rely on libresolv for DNS may receive forged information. This update addresses the issue by implementing source port randomization to improve resilience against cache poisoning attacks. Note that the BIND tools, dig, host, and nslookup use their own resolver library and are not addressed by this update. Credit to Dan Kaminsky of IOActive for reporting this issue.

Login Window
CVE-ID: CVE-2008-3610
Available for: Mac OS X v10.5 through v10.5.4, Mac OS X Server v10.5 through v10.5.4
Impact: A user may log in without providing a password
Description: A race condition exists in Login Window. To trigger this issue, the system must have the Guest account enabled or another account with no password. In a small proportion of attempts, an attempt to log in to such an account will not complete. The user list would then be presented again, and the person would be able to log in as any user without providing a password. If the original account were the Guest account, the contents of the new account will be deleted on logout. This update addresses the issue by properly clearing Login Window state when the login does not complete. This issue does not affect systems prior to Mac OS X v10.5.

Login Window
CVE-ID: CVE-2008-3611
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11
Impact: A person with access to the login screen may be able to change a user's password
Description: When a system has been configured to enforce policies on login passwords, users may be required to change their password in the login screen. If a password change fails, an error message is displayed, but the current password is not cleared. This may not be obvious to the user. If the user leaves the system unattended with this error message displayed, a person with access to the login screen may be able to reset that user's password.
This update addresses the issue by clearing the current password when returning to the login screen. This issue does not affect systems running Mac OS X v10.5 or later. Credit to Christopher A. Grande of Middlesex Community College for reporting this issue.

mDNSResponder
CVE-ID: CVE-2008-1447
Available for: Mac OS X v10.5 through v10.5.4, Mac OS X Server v10.5 through v10.5.4
Impact: mDNSResponder is susceptible to DNS cache poisoning and may return forged information
Description: mDNSResponder provides translation between host names and IP addresses for applications that use its unicast DNS resolution API. A weakness in the DNS protocol may allow a remote attacker to perform DNS cache poisoning attacks. As a result, applications that rely on mDNSResponder for DNS may receive forged information. This update addresses the issue by implementing source port and transaction ID randomization to improve resilience against cache poisoning attacks. Credit to Dan Kaminsky of IOActive for reporting this issue.

OpenSSH
CVE-ID: CVE-2008-1483, CVE-2008-1657
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.4, Mac OS X Server v10.5 through v10.5.4
Impact: Multiple vulnerabilities in OpenSSH, the most serious of which is local X11 session control
Description: Multiple vulnerabilities exist in OpenSSH versions provided with Mac OS X v10.4.11 and Mac OS X v10.5.4, the most serious of which allows a local user to control another user's X11 session. This update addresses the issues by updating to OpenSSH 5.1p1.
Further information is available via the OpenSSH web site at http://www.openssh.com/security.html

QuickDraw Manager
CVE-ID: CVE-2008-3614
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.4, Mac OS X Server v10.5 through v10.5.4
Impact: Opening a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution
Description: An integer overflow exists in QuickDraw's handling of PICT images. Opening a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of PICT images. Credit to an anonymous researcher working with the iDefense VCP for reporting this issue.

Ruby
CVE-ID: CVE-2008-2376
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.4, Mac OS X Server v10.5 through v10.5.4
Impact: Running a Ruby script that uses untrusted input as the arguments to the Array#fill method may lead to an unexpected application termination or arbitrary code execution
Description: An integer overflow exists in rb_ary_fill(), which implements the Ruby Array#fill method. Running a Ruby script that uses untrusted input as the arguments to the Array#fill method may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of the arguments to rb_ary_fill().

SearchKit
CVE-ID: CVE-2008-3616
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.4, Mac OS X Server v10.5 through v10.5.4
Impact: Applications passing untrusted input to the SearchKit API may lead to an unexpected application termination or arbitrary code execution
Description: Integer overflow issues exist in functions within the SearchKit framework.
Passing untrusted input to SearchKit via an application may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking.

System Configuration
CVE-ID: CVE-2008-2312
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11
Impact: A local user may obtain the PPP password
Description: Network Preferences stores PPP passwords unencrypted in a world readable file, accessible to any local user. This update addresses the issue by storing PPP passwords in the system keychain when the password is changed. This issue does not affect systems running Mac OS X v10.5 or later. Credit to Hernan Ochoa of Core Security Technologies, Tore Halset of pvv.org, and Matt Johnston of the University Computer Club for reporting this issue.

System Preferences
CVE-ID: CVE-2008-3617
Available for: Mac OS X v10.5 through v10.5.4, Mac OS X Server v10.5 through v10.5.4
Impact: Users may be misled into believing their passwords are stronger than they are
Description: Remote Management and Screen Sharing can be configured to require a password for VNC viewers. The maximum length for VNC viewer passwords is eight characters. The password field can display more than eight characters, implying that the additional characters are used in the password. This update addresses the issue by limiting VNC viewer passwords to eight characters in the user interface. Credit to Michal Fresel of hi competence e.U. for reporting this issue.

System Preferences
CVE-ID: CVE-2008-3618
Available for: Mac OS X v10.5 through v10.5.4
Impact: Authenticated users may have unexpected remote access to files and directories
Description: The File Sharing pane in the Sharing preference pane does not fully convey the actual access privileges. A user may infer that only the folders listed under 'Shared Folders' are accessible. However, authenticated users may also access their home directories, and administrators may access all disks on the system.
This update provides additional text to help explain the actual access permissions. Systems prior to Mac OS X v10.5 did not display a list of shared folders in the File Sharing pane. This issue does not affect Mac OS X Server systems.

Time Machine
CVE-ID: CVE-2008-3619
Available for: Mac OS X v10.5 through v10.5.4, Mac OS X Server v10.5 through v10.5.4
Impact: Backing up a system with Time Machine may lead to the disclosure of sensitive information
Description: During the Time Machine Backup, several log files are saved to the backup drive with read permission allowed to other users. This may lead to the disclosure of sensitive information. This update addresses the issue by applying more restrictive permissions to saved log files. This issue does not affect systems prior to Mac OS X v10.5. Credit to Edwin McKenzie for reporting this issue.

VideoConference
CVE-ID: CVE-2008-3621
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.4, Mac OS X Server v10.5 through v10.5.4
Impact: Videoconferencing with a malicious user may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in the VideoConference framework's handling of H.264 encoded media. Videoconferencing with a malicious user may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking.

Wiki Server
CVE-ID: CVE-2008-3622
Available for: Mac OS X v10.5 through v10.5.4, Mac OS X Server v10.5 through v10.5.4
Impact: A remote attacker may cause persistent JavaScript injection on a Wiki server
Description: The Wiki Server mailing list archive will execute JavaScript code embedded in messages. A remote person may send an email containing JavaScript code to a mailing list hosted on a Wiki server.
Viewing the message from the Wiki Server mailing list archive will trigger the execution of the embedded JavaScript code on the system of the person viewing the message. This update addresses the issue by performing additional validation of emails. This issue does not affect systems prior to Mac OS X v10.5. Credit to Leon von Tippelskirch, and Matthias Wieczorek of the Chair for Applied Software Engineering, TU Munich for reporting this issue.

Mac OS X v10.5.5 and Security Update 2008-006 may be obtained from the Software Update pane in System Preferences, or Apple's Software Downloads web site: http://www.apple.com/support/downloads/

The Software Update utility will present the update that applies to your system configuration. Only one is needed, either Mac OS X v10.5.5 or Security Update 2008-006.

For Mac OS X v10.5.4
The download file is named: "MacOSXUpd10.5.5.dmg"
Its SHA-1 digest is: bd9bf9304a5b3162f391233fe74fc64f6dbc2bf5

For Mac OS X v10.5 - v10.5.3
The download file is named: "MacOSXUpdCombo10.5.5.dmg"
Its SHA-1 digest is: 91ac9b720ba3b4166e5dc1dd518b1651d77c0f46

For Mac OS X Server v10.5.4
The download file is named: "MacOSXServerUpd10.5.5.dmg"
Its SHA-1 digest is: 00264fd6990b568b5017f1244820d1eeebda8ab2

For Mac OS X Server v10.5 - v10.5.3
The download file is named: "MacOSXServerUpdCombo10.5.5.dmg"
Its SHA-1 digest is: cc463a4f2b2d2079fca56704057f407f86b96661

For Mac OS X v10.4.11 (Intel)
The download file is named: "SecUpd2008-006Intel.dmg"
Its SHA-1 digest is: c64a7aa8b13377b2066110fa86b4f879e0ca746b

For Mac OS X v10.4.11 (PowerPC)
The download file is named: "SecUpd2008-006PPC.dmg"
Its SHA-1 digest is: 61898bf315d04958aaf487bb92ba257d059a33ce

For Mac OS X Server v10.4.11 (Universal)
The download file is named: "SecUpdSrvr2008-006Univ.dmg"
Its SHA-1 digest is: 0309967cb7e6ae990bd3726e8af4abfeca776b63

For Mac OS X Server v10.4.11 (PowerPC)
The download file is named: "SecUpdSrvr2008-006PPC.dmg"
Its SHA-1 digest is:
61898bf315d04958aaf487bb92ba257d059a33ce

Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key, and details are available at: http://www.apple.com/support/security/pgp/