-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

               ESB-2005.0359 -- APPLE-SA-2005-05-03
                     Security Update 2005-005
                            4 May 2005

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              apache
                      AppKit
                      AppleScript
                      bluetooth
                      chfn / chpass / chsh
                      finder
                      foundation framework
                      help viewer
                      LDAP client
                      libXpm
                      lukemftpd
                      Netinfo setup tool
                      Server Admin HTTP proxy service
                      sudo
                      Terminal
                      VPN server
Publisher:            Apple
Operating System:     Mac OS X 10.3.9
                      Mac OS X Server 10.3.9
Impact:               Root Compromise
                      Execute Arbitrary Code/Commands
                      Inappropriate Access
                      Denial of Service
                      Reduced Security
Access:               Remote/Unauthenticated
                      Existing Account
CVE Names:            CAN-2005-1344 CAN-2005-1343 CAN-2005-1342 CAN-2005-1341
                      CAN-2005-1340 CAN-2005-1339 CAN-2005-1338 CAN-2005-1337
                      CAN-2005-1336 CAN-2005-1335 CAN-2005-1333 CAN-2005-1332
                      CAN-2005-1331 CAN-2005-1330 CAN-2005-0594 CAN-2005-0342
                      CAN-2004-1308 CAN-2004-1307 CAN-2004-1051 CAN-2004-0688
                      CAN-2004-0687

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2005-05-03 Security Update 2005-005

Security Update 2005-005 is now available and delivers the following
security enhancements:

Apache
CVE-ID:  CAN-2005-1344
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9
Impact:  The htdigest program contains a buffer overflow, which if used
improperly in a CGI application, could allow a remote system compromise
Description:  The htdigest program could be used in a CGI application to
manage user access controls to a web server. htdigest contains a buffer
overflow. This update fixes the buffer overflow in htdigest. Apple does
not provide any CGI applications that use the htdigest program. Credit to
JxT of SNOsoft for reporting this issue.
AppKit
CVE-ID:  CAN-2004-1308, CAN-2004-1307
CERT:  VU#125598, VU#539110
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9
Impact:  An integer overflow in the handling of TIFF files could permit
arbitrary code execution
Description:  A malformed TIFF image could contain parameters that result
in image data overwriting the heap. This issue has been addressed by
adding additional tests when calculating the space needed for an image.

AppKit
CVE-ID:  CAN-2005-1330
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9
Impact:  A Cocoa application will quit through an unhandled exception
from NXSeek()
Description:  A malformed TIFF image can cause a call to NXSeek() with an
offset outside the image. This raises an exception which is not handled.
The default handler then causes the application to exit. This update
causes an error to be returned to the application. Credit to Henrik
Dalgaard of Echo One for reporting this issue.

AppleScript
CVE-ID:  CAN-2005-1331
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9
Impact:  Scripts created using the applescript: URI mechanism could
display code differently than that which would actually run
Description:  The applescript: URI mechanism is a feature that allows
AppleScript code to be distributed via a hyperlink. When an applescript:
URI is clicked, the AppleScript Editor opens and displays the code that
has been downloaded. If the code is then compiled and run, it may not
execute exactly as it is displayed. This issue has been addressed by
rejecting URIs containing characters that could be used to mislead the
user. Credit to David Remahl of www.remahl.se/david for reporting this
issue.

Bluetooth
CVE-ID:  CAN-2005-1332
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9
Impact:  Bluetooth-enabled systems may allow file exchange without
prompting users
Description:  The Bluetooth file exchange service is enabled by default
on systems with Bluetooth capability.
This could allow files to be shared without properly notifying the user.
In addition, the default directory for file sharing may be used by other
applications, leading to unintentional file sharing. Security Update
2005-005 disables Bluetooth file exchange and changes the location of the
default transfer directory on systems where the old default directory is
set. In addition, new users of a system must now enable Bluetooth file
exchange before it is allowed. Users with Bluetooth-enabled systems
should read the article at
http://docs.info.apple.com/article.html?artnum=301381 for more
information on the changes provided by this update. Credit to
kf_lists[at]digitalmunition[dot]com for reporting this issue.

Bluetooth
CVE-ID:  CAN-2005-1333
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9
Impact:  Directory traversal via Bluetooth file and object exchange
Description:  Due to insufficient input checking, the Bluetooth file and
object exchange services could be used to access files outside of the
default file exchange directory. Security Update 2005-005 addresses this
issue by adding enhanced filtering for path-delimiting characters. Credit
to kf_lists[at]digitalmunition[dot]com for reporting this issue.

Directory Services
CVE-ID:  CAN-2005-1335
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9
Impact:  chfn/chpass/chsh could be manipulated to give privileges to an
unprivileged user
Description:  chfn/chpass/chsh is a hard-linked set of SUID programs.
Certain code paths use external helper programs in an insecure manner
which could lead to a privilege escalation. This update provides secure
mechanisms for running helper programs.

Finder
CVE-ID:  CAN-2005-0342
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9
Impact:  Unsafe handling of .DS_Store files could be used by local
attackers to overwrite files and lead to privilege escalation
Description:  Finder uses .DS_Store files to store and retrieve
information used to display folders on the system.
When writing these files, Finder could follow a link resulting in the
overwrite of an arbitrary file. In addition, these files could contain
data supplied by malicious users, allowing them to gain privileges by
altering system configuration files. Security Update 2005-005 addresses
this issue by updating Finder to check that .DS_Store files are not links
before writing to them.

Foundation
CVE-ID:  CAN-2005-1336
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9
Impact:  Buffer overflow via an environment variable for applications
using the Foundation framework
Description:  The incorrect handling of an environment variable within
the Foundation framework can result in a buffer overflow that may be used
to execute arbitrary code. This issue has been addressed by improved
handling of the environment variable.

Help Viewer
CVE-ID:  CAN-2005-1337
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9
Impact:  Help Viewer could be used to run JavaScript without the
restrictions normally imposed
Description:  When JavaScript is loaded for a remote site, it is executed
in a restricted environment. The environment restrictions are not applied
for local JavaScript files loaded by the Help Viewer. Security Update
2005-005 addresses this by only allowing Help Viewer to load registered
pages. Credit to David Remahl of www.remahl.se/david for reporting this
issue.

LDAP
CVE-ID:  CAN-2005-1338
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9
Impact:  Passwords could initially be stored into LDAP in plain text when
using an LDAP server not running on Mac OS X
Description:  When a system is bound to an LDAP server that has
"ldap_extended_operation" disabled or not supported, and new accounts are
created using the Workgroup Manager, then the initial password can be
stored in the clear. If the password is modified using the Inspector it
will be correctly stored in a hashed form. This issue does not occur when
using the Apple supplied Open Directory server.
For servers not supporting "ldap_extended_operation", this update now
stores new passwords in the hashed form.

libXpm
CVE-ID:  CAN-2004-0687
CERT:  VU#882750
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9
Impact:  A vulnerability in the parsing of malformed XPM files could
allow arbitrary code execution
Description:  The xpmParseColors() function in the XFree86 libXpm library
contains a vulnerability in the parsing of malformed image files that may
lead to a stack overflow and could allow arbitrary code execution. Images
downloaded via a web browser may use the XPM format and allow remote
exploitability. libXpm is not installed by default on Mac OS X or Mac OS X
Server systems. It is an optional install item via the X11 package.
Credit to Chris Evans <chris@scary.beasts.org> for reporting this issue.

libXpm
CVE-ID:  CAN-2004-0688
CERT:  VU#537878
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9
Impact:  A vulnerability in the parsing of malformed XPM files could
allow arbitrary code execution
Description:  Multiple libXpm routines contain integer overflow
vulnerabilities that may allow an attacker to cause a denial-of-service
condition or execute arbitrary code. Images downloaded via a web browser
may use the XPM format and allow remote exploitability. libXpm is not
installed by default on Mac OS X or Mac OS X Server systems. It is an
optional install item via the X11 package. Credit to Chris Evans
<chris@scary.beasts.org> for reporting this issue.

lukemftpd
CVE-ID:  CAN-2005-1339
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9
Impact:  When using the chroot feature of ftp, users can bypass the
restriction by using their full name
Description:  The ftp server allows users to login with either their full
name or their short name. In order to restrict users to their home
directory, all permitted login names must be listed in /etc/ftpchroot.
Users are permitted to change their full name.
This issue has been addressed by mapping full names to short names before
checking the /etc/ftpchroot restriction list. Credit to Rob Griffiths of
macosxhints.com for reporting this issue.

NetInfo
CVE-ID:  CAN-2005-0594
Available for:  Mac OS X Server v10.3.9
Impact:  The Netinfo Setup Tool (NeST) contains a buffer overflow that
could permit arbitrary code execution
Description:  NeST is a SUID tool. It contains a buffer overflow that
could permit arbitrary code execution. This update prevents the buffer
overflow from occurring. Credit to iDEFENSE Labs for reporting this
issue.

Server Admin
CVE-ID:  CAN-2005-1340
Available for:  Mac OS X Server v10.3.9
Impact:  Enabling the HTTP proxy service also enables it for users not on
your network if there are no access restrictions
Description:  When the HTTP proxy service is enabled in Server Admin it
does not restrict which networks can access it. If there are no external
access controls, then users on the Internet can also use the proxy. The
HTTP proxy service is disabled by default. This update adds a user
interface component to Server Admin which allows the HTTP proxy to be
restricted to local networks.

sudo
CVE-ID:  CAN-2004-1051
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9
Impact:  Bash scripts run via sudo can be subverted
Description:  Sudo versions prior to 1.6.8p2 do not properly sanitize
their environment. A malicious local user with permission to run a bash
shell script could exploit this to run arbitrary commands. Apple does not
provide any pre-authorized bash shell scripts by default. This issue is
addressed by removing bash shell functions from the environment before
running subsequent commands.

Terminal
CVE-ID:  CAN-2005-1341
CERT:  VU#994510
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9
Impact:  Malicious input could cause data to be inserted into a user's
Terminal command line
Description:  The Terminal utility allows window titles to be read as
input via a particular escape sequence.
This could allow malicious content to inject data when it is displayed in
a Terminal session. Security Update 2005-005 addresses the issue by
removing handlers for this insecure escape sequence. Credit to David
Remahl of www.remahl.se/david for reporting this issue.

Terminal
CVE-ID:  CAN-2005-1342
CERT:  VU#356070
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9
Impact:  Escape characters embedded in x-man-path URIs could insert
commands into a user's Terminal session
Description:  The x-man-path URI scheme provides support for displaying
manual pages via the Terminal utility. Insufficient validation of these
URIs can allow data to be inserted into a Terminal session. Security
Update 2005-005 addresses this by adding escape sequence validation to
the URI handler. Credit to David Remahl of www.remahl.se/david for
reporting this issue.

VPN
CVE-ID:  CAN-2005-1343
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9
Impact:  A local user can obtain root privileges if the system is being
used as a VPN server
Description:  A buffer overflow in "vpnd" could be used by a local user
to obtain root privileges if the system is configured as a VPN server.
This problem does not occur on systems that are configured as a VPN
client. This issue cannot be exploited remotely. This update prevents the
buffer overflow from occurring. Credit to Pieter de Boer of the master
SNB at the Universiteit van Amsterdam (UvA) for reporting this issue.
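The AppKit TIFF item above (CAN-2004-1308, CAN-2004-1307) describes the classic image-decoder bug: the buffer size is computed from attacker-controlled header fields and the multiplication wraps, so the decoder allocates a small heap buffer and then writes the full image into it. The following is an added example, not Apple's or libtiff's code, showing the unchecked computation beside a checked one. The `image_hdr` fields, the 256 MiB cap and the sample headers are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical header fields a TIFF-style decoder needs to size its pixel
 * buffer. These are assumptions for the example, not AppKit's structures. */
struct image_hdr {
    uint32_t width;
    uint32_t height;
    uint32_t samples_per_pixel;
    uint32_t bits_per_sample;
};

/* Upper bound on a decoded image we are willing to hold in memory.
 * The value is an example policy, not anything the advisory specifies. */
#define MAX_IMAGE_BYTES ((uint64_t)256 * 1024 * 1024)

/* Vulnerable pattern: the product is computed in 32-bit arithmetic, so a
 * crafted header wraps it to a small number. malloc() then succeeds with a
 * buffer far smaller than the number of pixels the decoder will write. */
size_t image_bytes_unchecked(const struct image_hdr *h)
{
    uint32_t bits = h->width * h->height * h->samples_per_pixel * h->bits_per_sample;
    return (size_t)((bits + 7) / 8);
}

/* Hardened version: every factor is bounded (< 2^32), each multiplication
 * is tested for overflow before it is performed, and the final size must
 * also pass a sanity cap. Returns true and the byte count on success. */
bool image_bytes_checked(const struct image_hdr *h, size_t *out)
{
    if (h->width == 0 || h->height == 0 ||
        h->samples_per_pixel == 0 || h->bits_per_sample == 0)
        return false;                        /* degenerate dimensions */

    /* width * samples_per_pixel: two 32-bit factors always fit in 64 bits. */
    uint64_t row_bits = (uint64_t)h->width * h->samples_per_pixel;
    if (row_bits > UINT64_MAX / h->bits_per_sample)
        return false;                        /* would overflow 64 bits */
    row_bits *= h->bits_per_sample;

    uint64_t row_bytes = row_bits / 8 + (row_bits % 8 != 0);
    if (row_bytes > MAX_IMAGE_BYTES / h->height)
        return false;                        /* total would exceed the cap */
    *out = (size_t)(row_bytes * h->height);  /* <= MAX_IMAGE_BYTES, fits size_t */
    return true;
}

/* Convenience wrapper: the checked size, or 0 if the header is rejected. */
size_t image_bytes_or_zero(const struct image_hdr *h)
{
    size_t n;
    return image_bytes_checked(h, &n) ? n : 0;
}

/* Allocate a pixel buffer only after the size has been validated. */
uint8_t *alloc_image_buffer(const struct image_hdr *h)
{
    size_t n;
    if (!image_bytes_checked(h, &n))
        return NULL;
    return calloc(n, 1);
}

/* Constructed sample headers (not taken from any real file). The second one
 * has 2^32 pixels, so the 32-bit product wraps to exactly 0. */
const struct image_hdr benign_hdr   = { 640, 480, 3, 8 };
const struct image_hdr wrapping_hdr = { 65536, 65536, 1, 8 };

int main(void)
{
    printf("benign:   unchecked=%zu checked=%zu\n",
           image_bytes_unchecked(&benign_hdr), image_bytes_or_zero(&benign_hdr));
    printf("wrapping: unchecked=%zu checked=%zu (0 = rejected)\n",
           image_bytes_unchecked(&wrapping_hdr), image_bytes_or_zero(&wrapping_hdr));
    return 0;
}
```

The unchecked path returns 0 bytes for the 65536 x 65536 header, which is exactly the "image data overwriting the heap" condition: a zero-byte (or tiny) allocation followed by writes sized from the header. The checked path rejects it before any allocation happens.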
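The Finder item above (CAN-2005-0342) is a symlink-following write: a metadata file is created in a directory the attacker controls, so the attacker plants a link there and the privileged writer clobbers the link target. The example below is added here and is not Finder's code. It contrasts an `fopen()` writer with one that opens with `O_NOFOLLOW`, and builds the scenario in a temporary directory (a `victim` file and a `.DS_Store` symlink pointing at it, both constructed for the example). `O_NOFOLLOW` is this example's choice of fix; the advisory only says Finder now checks that the file is not a link.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Vulnerable pattern: fopen() follows a symbolic link at the destination,
 * so if an attacker plants ".DS_Store -> /some/privileged/file" in a
 * directory the victim browses, the victim's metadata write lands on the
 * link target. Returns 0 on success, -1 on error (errno set). */
int write_metadata_unsafe(const char *path, const char *data)
{
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fputs(data, f);
    return fclose(f) == 0 ? 0 : -1;
}

/* Hardened pattern: O_NOFOLLOW makes open() fail with ELOOP when the final
 * path component is a symlink. The kernel decides this at open time, so
 * there is no lstat()-then-open() window for the attacker to swap the file.
 * (O_NOFOLLOW does not cover symlinked parent directories; use openat()
 * against a trusted directory fd for that.) */
int write_metadata_safe(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0644);
    if (fd < 0) return -1;
    size_t len = strlen(data);
    ssize_t w = write(fd, data, len);
    int rc = (w == (ssize_t)len) ? 0 : -1;
    if (close(fd) != 0) rc = -1;
    return rc;
}

/* Read a small file into buf; returns its length or -1. */
static ssize_t read_small(const char *path, char *buf, size_t cap)
{
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, cap - 1, f);
    buf[n] = '\0';
    fclose(f);
    return (ssize_t)n;
}

/* Build the attack scenario in a temp dir: "victim" holds sensitive content
 * and ".DS_Store" is a symlink to it. Returns 1 if the unsafe writer
 * clobbers victim while the safe writer refuses with ELOOP, 0 otherwise. */
int demo_symlink_attack(void)
{
    char dir[] = "/tmp/dsstore-demo-XXXXXX";
    if (!mkdtemp(dir)) return 0;
    char victim[256], link[256], buf[64];
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/.DS_Store", dir);

    int ok = 0;
    if (write_metadata_safe(victim, "original\n") == 0 &&
        symlink(victim, link) == 0) {
        /* Safe writer: must fail with ELOOP and leave victim untouched. */
        int safe_rc = write_metadata_safe(link, "attacker data\n");
        int safe_errno = errno;
        read_small(victim, buf, sizeof buf);
        int safe_ok = (safe_rc == -1 && safe_errno == ELOOP &&
                       strcmp(buf, "original\n") == 0);
        /* Unsafe writer: silently overwrites the link target. */
        int unsafe_rc = write_metadata_unsafe(link, "attacker data\n");
        read_small(victim, buf, sizeof buf);
        int clobbered = (unsafe_rc == 0 && strcmp(buf, "attacker data\n") == 0);
        ok = safe_ok && clobbered;
    }
    unlink(link); unlink(victim); rmdir(dir);
    return ok;
}

int main(void)
{
    printf("O_NOFOLLOW blocks the symlink while fopen() follows it: %s\n",
           demo_symlink_attack() ? "yes" : "no");
    return 0;
}
```

The point of doing the check inside `open()` rather than with a separate `lstat()` is the race: a check-then-write sequence can be beaten by replacing the file between the two calls, whereas the flag is honoured atomically.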
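The two Terminal items above (CAN-2005-1341, CAN-2005-1342) are both about untrusted bytes reaching the terminal as control sequences. The advisory does not name the sequence Terminal honoured; the mechanism assumed here is the one documented for xterm-compatible terminals: OSC 0 sets the window title, and CSI 21 t asks the terminal to report the title, which it answers by writing the title into the input stream as if the user had typed it. The filter below is an added example (not Apple's fix, which removed the handler) of what a program that displays untrusted text, such as a log viewer or a URI handler, should do before writing it to a tty: strip all ESC-introduced sequences and stray C0 controls while keeping text, newlines and UTF-8 intact. The sample inputs are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Parser states for 7-bit ANSI/xterm control sequences: plain text, after
 * ESC, inside CSI (ESC [ ... final byte), inside a string control
 * (OSC/DCS/SOS/PM/APC: ESC ] ... BEL or ESC \), and inside such a string
 * after an ESC, waiting to see whether a '\' ends it. */
enum st { S_TEXT, S_ESC, S_CSI, S_STR, S_STR_ESC };

/* Copy `in` (n bytes) to `out`, dropping every escape sequence and every C0
 * control except newline, carriage return and tab. Bytes >= 0x80 (UTF-8)
 * are passed through unchanged. `out` needs room for n + 1 bytes. Returns
 * the output length. */
size_t strip_terminal_controls(const char *in, size_t n, char *out)
{
    enum st s = S_TEXT;
    size_t o = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)in[i];
        switch (s) {
        case S_TEXT:
            if (c == 0x1b)                                   s = S_ESC;
            else if (c >= 0x20 && c != 0x7f)                 out[o++] = (char)c;
            else if (c == '\n' || c == '\r' || c == '\t')    out[o++] = (char)c;
            /* any other C0 control (BEL, BS, ...) is dropped */
            break;
        case S_ESC:
            if (c == '[')                                    s = S_CSI;
            else if (c == ']' || c == 'P' || c == 'X' || c == '^' || c == '_')
                                                             s = S_STR;   /* OSC, DCS, SOS, PM, APC */
            else                                             s = S_TEXT;  /* two-byte escape: dropped */
            break;
        case S_CSI:
            /* parameter bytes 0x30-0x3F and intermediates 0x20-0x2F are
             * skipped; a final byte 0x40-0x7E ends the sequence; anything
             * else is malformed and the sequence is abandoned. */
            if (c >= 0x40 && c <= 0x7e)                      s = S_TEXT;
            else if (c < 0x20 || c > 0x7e)                   s = S_TEXT;
            break;
        case S_STR:
            if (c == 0x07)                                   s = S_TEXT;     /* BEL terminates */
            else if (c == 0x1b)                              s = S_STR_ESC;
            break;
        case S_STR_ESC:
            s = (c == '\\') ? S_TEXT : S_STR;                /* ESC \ is ST */
            break;
        }
    }
    out[o] = '\0';
    return o;
}

/* Constructed samples (not real captures). Sample 0 is the title-injection
 * pattern: OSC 0 sets the title to a command, then CSI 21 t asks the
 * terminal to type the title back. Sample 1 is ordinary SGR colouring whose
 * text a filter must preserve. */
static const char *samples[] = {
    "ls\x1b]0;rm -rf ~\x07\x1b[21t\n",
    "\x1b[1;31mERROR\x1b[0m: \x1b[4mread\x1b[0m the log\n",
};

/* Returns the filtered form of sample `which` (static buffer). */
const char *filtered_sample(int which)
{
    static char out[256];
    const char *in = samples[which];
    strip_terminal_controls(in, strlen(in), out);
    return out;
}

int main(void)
{
    for (int i = 0; i < 2; i++)
        printf("sample %d -> \"%s\"\n", i, filtered_sample(i));
    return 0;
}
```

Sample 0 comes out as just `ls` and a newline; the title-setting OSC and the title query are gone, so even a terminal that still answers CSI 21 t has nothing dangerous to echo. Sample 1 loses only its colouring. The filter deliberately handles 7-bit sequences only: the 8-bit C1 forms (0x9B, 0x9D) collide with UTF-8 continuation bytes, and a viewer that must accept both would need to know the byte encoding first.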
Security Update 2005-005 may be obtained from the Software Update pane in
System Preferences, or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/

For Mac OS X v10.3.9
The download file is named:  "SecUpd2005-005Pan.dmg"
Its SHA-1 digest is:  81c479d52830163f0992482a0b3586acf2cb1cad

For Mac OS X Server v10.3.9
The download file is named:  "SecUpdSrvr2005-005Pan.dmg"
Its SHA-1 digest is:  eb3f5300e2c6062c10e9466eb3c822952e8aba83

Information will also be posted to the Apple Product Security web site:
http://docs.info.apple.com/article.html?artnum=61798

This message is signed with Apple's Product Security PGP key, and details
are available at:
http://www.apple.com/support/security/pgp/

- -----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQEVAwUBQnf4upyw5owIz4TQAQJf3ggAk2JyzpL47gkJN1JiajlrCThvwxIDGFDT
cM2LxLQjtLlysUqi0AxovdJ/D68DWZlsHQCdWYgVXIRP0Mg9W9nJEg9eXs474zoi
foeDmGMPH4bVCnYvwp8c4IfCB8pkvON5jyh/kwYUQaYtE1Tm/ufN3fXz53kjJEFa
/i+qfKbnC2rzzGe/HQsRhMO8ngnKMXp+ROezknBKLl9/teRpQMxZRFoU+8Oe8sQz
yGp4+/VrIb05497AqMWqfHiak23a8s6c5up82cn+ggt/QCIPdeWKMn4+Aa2uTr1T
Y284kk8Y6G8yiKHu8e9NXNol+Mo/WojJWj2L58Katk8zkCxu5Buc/w==
=k6RY
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which
may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still
current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved
from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked
in any way, we encourage you to let us know by completing the secure
National IT Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBQngZ5yh9+71yA2DNAQKizQP+J6Zd7pV/hVZsAkW8SlKhezAbwBODoMij
E6DGCDM1tISTxhGzxhPe6nU4lop6kTsCDlEpGb8w+2e8ImHAoDo9FdF1RNEd2fO4
sHWu/ZVRfr6V+OY/6Kh3p1TatA+6j6DUsmVEU++ldXRUvbcCcRT2N3MARBZiZWfc
gylAJuYzIcs=
=eAJU
-----END PGP SIGNATURE-----