-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2008.0560
          [OSX] Security Update 2008-003 and Mac OS X v10.5.3
                               29 May 2008

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              AFP Server
                      Apache
                      AppKit
                      Apple Pixlet Video
                      ATS
                      CFNetwork
                      CoreFoundation
                      CoreGraphics
                      CoreTypes
                      CUPS
                      Flash Player Plug-in
                      Help Viewer
                      iCal
                      International Components for Unicode
                      Image Capture
                      ImageIO
                      Kernel
                      LoginWindow
                      Mail
                      ruby
                      Single Sign-On
                      Wiki Server
Publisher:            Apple
Operating System:     Mac OS X
Impact:               Execute Arbitrary Code/Commands
                      Root Compromise
                      Denial of Service
                      Cross-site Scripting
                      Provide Misleading Information
                      Inappropriate Access
Access:               Remote/Unauthenticated
CVE Names:            CVE-2008-1655 CVE-2008-1654 CVE-2008-1580 CVE-2008-1579
                      CVE-2008-1578 CVE-2008-1577 CVE-2008-1576 CVE-2008-1575
                      CVE-2008-1574 CVE-2008-1573 CVE-2008-1572 CVE-2008-1571
                      CVE-2008-1036 CVE-2008-1035 CVE-2008-1034 CVE-2008-1033
                      CVE-2008-1032 CVE-2008-1031 CVE-2008-1030 CVE-2008-1028
                      CVE-2008-1027 CVE-2008-0177 CVE-2007-6612 CVE-2007-6388
                      CVE-2007-6359 CVE-2007-6019 CVE-2007-5275 CVE-2007-5269
                      CVE-2007-5268 CVE-2007-5266 CVE-2007-5000 CVE-2007-4465
                      CVE-2007-3847 CVE-2007-1863 CVE-2007-0071 CVE-2006-3747
                      CVE-2005-3357 CVE-2005-3352
Ref:                  ESB-2008.0361 ESB-2008.0521 ESB-2008.0131 AA-2008.0009
                      AL-2007.0131 AA-2007.0086 ESB-2008.0056 AA-2007.0078
                      AL-2006.0061 ESB-2006.0006

Original Bulletin:
  http://support.apple.com/kb/HT1897

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

APPLE-SA-2008-05-28 Security Update 2008-003 and Mac OS X v10.5.3

Security Update 2008-003 and Mac OS X v10.5.3 are now available and address the following issues:

AFP Server
CVE-ID: CVE-2008-1027
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5 through v10.5.2, Mac OS X Server v10.5 through v10.5.2
Impact: Files that are not designated for sharing may be accessed remotely
Description: AFP Server did not check that a file or directory to be served was inside a folder designated for sharing. A connected user or guest may access any files or folders for which they have permission, even if not contained in folders designated for sharing. This update addresses the issue by denying access to files and folders that are not inside a folder designated for sharing. Credit to Alex deVries and Robert Rich for reporting this issue.

Apache
CVE-ID: CVE-2005-3352, CVE-2005-3357, CVE-2006-3747, CVE-2007-1863,
CVE-2007-3847, CVE-2007-4465, CVE-2007-5000, CVE-2007-6388
Available for: Mac OS X Server v10.4.11
Impact: Multiple vulnerabilities in Apache 2.0.55
Description: Apache is updated to version 2.0.63 to address several vulnerabilities, the most serious of which may lead to cross-site scripting. Further information is available via the Apache web site at http://httpd.apache.org. Apache 2.0.x is only shipped with Mac OS X Server v10.4.x systems. Mac OS X v10.5.x and Mac OS X Server v10.5.x ship with Apache 2.2.x. The issues that affected Apache 2.2.x were addressed in Security Update 2008-002 for Mac OS X v10.5.2 and Mac OS X Server v10.5.2.

AppKit
CVE-ID: CVE-2008-1028
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11
Impact: Opening a maliciously crafted file may lead to an unexpected application termination or arbitrary code execution
Description: An implementation issue exists in AppKit's processing of document files. Opening a maliciously crafted file in an editor that uses AppKit, such as TextEdit, may cause an unexpected application termination or arbitrary code execution. This update addresses the issue through improved validation of document files. This issue does not affect systems running Mac OS X 10.5 or later. Credit to Rosyna of Unsanity for reporting this issue.
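The AFP Server fix above is a share-root containment check: every requested path must still lie inside the designated share after ".." segments and symlinks have been resolved, and anything else is denied. The Image Capture embedded web server and the Mongrel DirHandler entries later in this bulletin are the same missing check reached over HTTP, so one added example serves all three. This is illustrative code written for this page, not Apple's, Image Capture's or Mongrel's implementation; the share layout it builds is a constructed fixture in a temporary directory and the function names are my own.

```python
"""Share-root containment check (added example, not Apple's AFP code)."""
import os
import tempfile
from typing import Dict, Optional
from urllib.parse import unquote


def resolve_in_share(share_root: str, requested: str) -> Optional[str]:
    """Map a client-supplied path onto the share and return the real path
    only if it stays inside share_root once '..' and symlinks are resolved.
    Returns None to deny; the caller should then answer exactly as it would
    for a file that does not exist, so the check itself leaks nothing."""
    root = os.path.realpath(share_root)
    # Always interpret the request relative to the share, even if the
    # client sent an absolute path.
    candidate = os.path.realpath(os.path.join(root, requested.lstrip("/")))
    # commonpath compares whole path components, so /srv/share-private is
    # not accepted as being under /srv/share the way startswith() would.
    if os.path.commonpath([root, candidate]) == root:
        return candidate
    return None


def resolve_url_path(share_root: str, url_path: str) -> Optional[str]:
    """Same check for an HTTP request path (the Image Capture / Mongrel
    case): percent-decode first so %2e%2e is checked as '..' and not as a
    harmless literal that the filesystem later interprets differently."""
    return resolve_in_share(share_root, unquote(url_path))


def demo() -> Dict[str, bool]:
    """Build a throwaway layout (constructed fixture) and report which
    requests the check lets through."""
    base = tempfile.mkdtemp()
    share = os.path.join(base, "share")
    os.makedirs(os.path.join(share, "docs"))
    with open(os.path.join(share, "docs", "report.txt"), "w") as f:
        f.write("shared\n")
    with open(os.path.join(base, "secret.txt"), "w") as f:
        f.write("not shared\n")
    # A symlink inside the share that points back out of it: the classic
    # way a containment check that only normalises '..' gets defeated.
    os.symlink(base, os.path.join(share, "escape"))

    requests = {
        "docs/report.txt": resolve_in_share,
        "/docs/report.txt": resolve_in_share,
        "../secret.txt": resolve_in_share,
        "escape/secret.txt": resolve_in_share,
        "docs/%2e%2e/%2e%2e/secret.txt": resolve_url_path,
    }
    return {req: fn(share, req) is not None for req, fn in requests.items()}


if __name__ == "__main__":
    for req, allowed in demo().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {req}")
```

The check has to run on every operation that takes a client path (open, enumerate, rename, stat), not only on open, and it has to run after the final resolution step; resolving once at mount time and trusting later relative paths is how the original AFP behaviour arose.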
Apple Pixlet Video
CVE-ID: CVE-2008-1577
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5 through v10.5.2, Mac OS X Server v10.5 through v10.5.2
Impact: Opening a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues exist in the handling of files using the Pixlet codec. Opening a maliciously crafted movie file may cause an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking.

ATS
CVE-ID: CVE-2008-1575
Available for: Mac OS X v10.5 through v10.5.2, Mac OS X Server v10.5 through v10.5.2
Impact: Printing a PDF document containing a maliciously crafted embedded font may lead to arbitrary code execution
Description: A memory corruption issue exists in the Apple Type Services server's handling of embedded fonts in PDF files. Printing a PDF document containing a maliciously crafted font may lead to arbitrary code execution. This update addresses the issue by performing additional validation of embedded fonts. This issue does not affect systems prior to Mac OS X v10.5. Credit to Melissa O'Neill of Harvey Mudd College for reporting this issue.

CFNetwork
CVE-ID: CVE-2008-1580
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5 through v10.5.2, Mac OS X Server v10.5 through v10.5.2
Impact: Visiting a maliciously crafted website may lead to the disclosure of sensitive information
Description: An information disclosure issue exists in Safari's SSL client certificate handling. When a web server issues a client certificate request, the first client certificate found in the keychain is automatically sent, which may lead to the disclosure of the information contained in the certificate. This update addresses the issue by prompting the user before sending the certificate.
CoreFoundation
CVE-ID: CVE-2008-1030
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5 through v10.5.2, Mac OS X Server v10.5 through v10.5.2
Impact: Applications' use of the CFData API in certain ways may lead to an unexpected application termination or arbitrary code execution
Description: An integer overflow in CoreFoundation's handling of CFData objects may result in a heap buffer overflow. An application calling CFDataReplaceBytes with an invalid length argument may unexpectedly terminate or lead to arbitrary code execution. This update addresses the issue by performing additional validation of length parameters.

CoreGraphics
CVE-ID: CVE-2008-1031
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5 through v10.5.2, Mac OS X Server v10.5 through v10.5.2
Impact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution
Description: An uninitialized variable issue exists in CoreGraphics' handling of PDF files. Opening a maliciously crafted PDF file may cause an unexpected application termination or arbitrary code execution. This update addresses the issue through proper initialization of pointers.

CoreTypes
CVE-ID: CVE-2008-1032
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5 through v10.5.2, Mac OS X Server v10.5 through v10.5.2
Impact: Users are not warned before opening certain potentially unsafe content types
Description: This update extends the system's list of content types that will be flagged as potentially unsafe under certain circumstances, such as when they are downloaded from a web page. While these content types are not automatically launched, if manually opened they could lead to the execution of a malicious payload. This update improves the system's ability to notify users before handling content types used by Automator, Help, Safari, and Terminal.
On Mac OS X v10.4 this functionality is provided by the Download Validation feature. On Mac OS X v10.5 this functionality is provided by the Quarantine feature. Credit to Brian Mastenbrook for reporting this issue.

CUPS
CVE-ID: CVE-2008-1033
Available for: Mac OS X v10.5 through v10.5.2, Mac OS X Server v10.5 through v10.5.2
Impact: Printing to password-protected printers with debug logging enabled may lead to the disclosure of sensitive information
Description: An issue exists in the CUPS scheduler's check of the authentication environment variables when debug logging is enabled. This may lead to the disclosure of the username, domain, and password when printing to a password-protected printer. This update addresses the issue by properly validating environment variables. This issue does not affect systems prior to Mac OS X v10.5 with Security Update 2008-002 installed.

Flash Player Plug-in
CVE-ID: CVE-2007-5275, CVE-2007-6243, CVE-2007-6637, CVE-2007-6019,
CVE-2007-0071, CVE-2008-1655, CVE-2008-1654
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5 through v10.5.2, Mac OS X Server v10.5 through v10.5.2
Impact: Opening maliciously crafted Flash content may lead to arbitrary code execution
Description: Multiple issues exist in Adobe Flash Player Plug-in, the most serious of which may lead to arbitrary code execution. This update addresses the issue by updating to version 9.0.124.0. Further information is available via the Adobe web site at http://www.adobe.com/support/security/bulletins/apsb08-11.html

Help Viewer
CVE-ID: CVE-2008-1034
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11
Impact: A malicious help:topic URL may cause an unexpected application termination or arbitrary code execution
Description: An integer underflow in Help Viewer's handling of help:topic URLs may result in a buffer overflow. Accessing a malicious help:topic URL may lead to an unexpected application termination or arbitrary code execution.
This update addresses the issue through improved bounds checking. This issue does not affect systems running Mac OS X 10.5 or later. Credit to Paul Haddad of PTH Consulting for reporting this issue.

iCal
CVE-ID: CVE-2008-1035
Available for: Mac OS X v10.5 through v10.5.2, Mac OS X Server v10.5 through v10.5.2
Impact: Opening a maliciously crafted iCalendar file in iCal may lead to an unexpected application termination or arbitrary code execution
Description: A use-after-free issue exists in the iCal application's handling of iCalendar (usually ".ics") files. Opening a maliciously crafted iCalendar file in iCal may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by improving reference counting in the affected code. This issue does not affect systems prior to Mac OS X v10.5. Credit to Rodrigo Carvalho of Core Security Technologies for reporting this issue.

International Components for Unicode
CVE-ID: CVE-2008-1036
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5 through v10.5.2, Mac OS X Server v10.5 through v10.5.2
Impact: Visiting certain web sites may result in the disclosure of sensitive information
Description: A conversion issue exists in ICU's handling of certain character encodings. Particular invalid character sequences may not appear in the converted output, and this can affect content filters. Visiting a maliciously crafted web site may lead to cross site scripting and the disclosure of sensitive information. This update addresses the issue by replacing invalid character sequences with a fallback character.

Image Capture
CVE-ID: CVE-2008-1571
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11
Impact: Accessing a maliciously crafted URL may lead to information disclosure
Description: A path traversal issue exists in Image Capture's embedded web server. This may lead to the disclosure of local files on the server system.
This update addresses the issue through improved URL handling. This issue does not affect systems running Mac OS X v10.5 or later.

Image Capture
CVE-ID: CVE-2008-1572
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11
Impact: A local user may manipulate files with the privileges of another user running Image Capture
Description: An insecure file operation exists in Image Capture's handling of temporary files. This could allow a local user to overwrite files with the privileges of another user running Image Capture, or to access the contents of images being resized. This update addresses the issue through improved handling of temporary files. This issue does not affect systems running Mac OS X v10.5 or later.

ImageIO
CVE-ID: CVE-2008-1573
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5 through v10.5.2, Mac OS X Server v10.5 through v10.5.2
Impact: Viewing a maliciously crafted BMP or GIF image may lead to information disclosure
Description: An out-of-bounds memory read may occur in the BMP and GIF image decoding engine, which may lead to the disclosure of content in memory. This update addresses the issue by performing additional validation of BMP and GIF images. Credit to Gynvael Coldwind of Hispasec for reporting this issue.

ImageIO
CVE-ID: CVE-2007-5266, CVE-2007-5268, CVE-2007-5269
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5 through v10.5.2, Mac OS X Server v10.5 through v10.5.2
Impact: Multiple vulnerabilities in libpng version 1.2.18
Description: Multiple vulnerabilities exist in libpng version 1.2.18, the most serious of which may lead to a remote denial of service. This update addresses the issue by updating to version 1.2.24.
Further information is available via the libpng website at http://www.libpng.org/pub/png/libpng.html

ImageIO
CVE-ID: CVE-2008-1574
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5 through v10.5.2, Mac OS X Server v10.5 through v10.5.2
Impact: Viewing a maliciously crafted JPEG2000 image file may lead to an unexpected application termination or arbitrary code execution
Description: An integer overflow in the handling of JPEG2000 image files may result in a heap buffer overflow. Viewing a maliciously crafted JPEG2000 image file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through additional validation of JPEG2000 images.

Kernel
CVE-ID: CVE-2008-0177
Available for: Mac OS X v10.5 through v10.5.2, Mac OS X Server v10.5 through v10.5.2
Impact: A remote attacker may be able to cause an unexpected system shutdown
Description: An undetected failure condition exists in the handling of packets with an IPComp header. By sending a maliciously crafted packet to a system configured to use IPSec or IPv6, an attacker may cause an unexpected system shutdown. This update addresses the issue by properly detecting the failure condition.

Kernel
CVE-ID: CVE-2007-6359
Available for: Mac OS X v10.5 through v10.5.2, Mac OS X Server v10.5 through v10.5.2
Impact: A local user may be able to cause an unexpected system shutdown
Description: A null pointer dereference exists in the kernel's handling of code signatures in the cs_validate_page function. This may allow a local user to cause an unexpected system shutdown. This update addresses the issue by performing additional validation of code signatures. This issue does not affect systems prior to Mac OS X v10.5.

LoginWindow
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11
Impact: Managed Client preferences may not be applied
Description: This update addresses a non-security issue introduced in Security Update 2007-004.
Due to a race condition, LoginWindow may fail to apply certain preferences on systems managed by Managed Client for Mac OS X (MCX). This update addresses the issue by eliminating the race condition in the handling of managed preferences. This issue does not affect systems running Mac OS X v10.5.

Mail
CVE-ID: CVE-2008-1576
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11
Impact: Sending mail through an SMTP server over IPv6 may lead to an unexpected application termination, information disclosure, or arbitrary code execution
Description: An uninitialized buffer issue exists in Mail. When sending mail through an SMTP server over IPv6, Mail may use a buffer containing partially uninitialized memory, which could result in the disclosure of sensitive information to message recipients and mail server administrators. This could also potentially lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by properly initializing the variable. This issue does not affect systems running Mac OS X v10.5 or later. Credit to Derek Morr of The Pennsylvania State University for reporting this issue.

ruby
CVE-ID: CVE-2007-6612
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5 through v10.5.2, Mac OS X Server v10.5 through v10.5.2
Impact: A remote attacker may be able to read arbitrary files
Description: Mongrel is updated to version 1.1.4 to address a directory traversal issue in DirHandler which may lead to the disclosure of sensitive information.
Further information is available via the Mongrel web site at http://mongrel.rubyforge.org

Single Sign-On
CVE-ID: CVE-2008-1578
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5 through v10.5.2, Mac OS X Server v10.5 through v10.5.2
Impact: Passwords supplied to sso_util are exposed to other local users
Description: The sso_util command-line tool required that passwords be passed to it in its arguments, potentially exposing the passwords to other local users. Passwords exposed include those for users, administrators, and the KDC administration password. This update makes the password parameter optional, and sso_util will prompt for the password if needed. Credit to Geoff Franks of Hauptman Woodward Institute for reporting this issue.

Wiki Server
CVE-ID: CVE-2008-1579
Available for: Mac OS X Server v10.5 through v10.5.2
Impact: A remote attacker may determine valid user names on servers with the Wiki Server enabled
Description: An information disclosure issue exists in Wiki Server when a nonexistent blog is accessed. Using the information in the error message, an attacker may deduce the existence of local user names. This update addresses the issue through improved handling of error messages. This issue does not affect systems prior to Mac OS X v10.5. Credit to Don Rainwater of the University of Cincinnati for reporting this issue.

Security Update 2008-003 and Mac OS X v10.5.3 may be obtained from the Software Update pane in System Preferences, or Apple's Software Downloads web site: http://www.apple.com/support/downloads/

The Software Update utility will present the update that applies to your system configuration. Only one is needed, either Security Update 2008-003 or Mac OS X v10.5.3.
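The International Components for Unicode entry above is worth seeing concretely, because the bug is not in the filter and not in the converter alone but in their ordering: a filter that inspects the raw bytes never sees the string "<script", yet a converter that silently drops invalid sequences hands the browser exactly that. This added example (my own code, not ICU's, with constructed sample inputs) reproduces the pre-fix behaviour with Python's "ignore" error handler, the fixed behaviour with a U+FFFD fallback as the advisory describes, and the robust ordering of decoding first and filtering what the consumer will actually see.

```python
"""Invalid-sequence handling versus content filters (added example)."""

# Constructed attacker inputs.  0xFF can never occur in valid UTF-8, and
# 0xC0 0xAF is an over-long (hence invalid) encoding of '/'.
SAMPLES = {
    "stray 0xff inside tag": b"<sc\xffript>alert(1)</script>",
    "over-long sequence inside tag": b"<sc\xc0\xafript>alert(1)</script>",
    "plain script tag": b"<script>alert(1)</script>",
    "harmless text": "caf\u00e9 <b>ok</b>".encode("utf-8"),
}


def naive_filter(raw: bytes) -> bool:
    """A filter that inspects the bytes *before* conversion, as a proxy or a
    server-side sanitiser might.  Returns True when it considers them safe."""
    return b"<script" not in raw.lower()


def convert_dropping(raw: bytes) -> str:
    """The pre-fix behaviour the advisory describes: invalid sequences do
    not appear in the converted output at all."""
    return raw.decode("utf-8", errors="ignore")


def convert_with_fallback(raw: bytes) -> str:
    """The fixed behaviour: every invalid sequence becomes the fallback
    character U+FFFD, so it can no longer splice two innocent fragments
    into a tag the filter never saw."""
    return raw.decode("utf-8", errors="replace")


def filter_bypassed(raw: bytes, convert) -> bool:
    """True when the raw-byte filter accepted the input but the text the
    browser ends up with still contains a script tag."""
    return naive_filter(raw) and "<script" in convert(raw).lower()


def safe_filter(raw: bytes) -> bool:
    """The robust ordering: canonicalise (decode with fallback) first, then
    filter the text the consumer will actually see."""
    return "<script" not in convert_with_fallback(raw).lower()


def report() -> dict:
    """Per sample: is the naive filter bypassed under the dropping converter,
    under the fallback converter, and what does the fixed-order filter say."""
    return {
        name: {
            "bypass_dropping": filter_bypassed(raw, convert_dropping),
            "bypass_fallback": filter_bypassed(raw, convert_with_fallback),
            "safe_filter_accepts": safe_filter(raw),
        }
        for name, raw in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, r in report().items():
        print(f"{name:32} {r}")
```

The fallback converter defuses both crafted samples on its own (the tag comes out as "<sc\ufffdript>"), which is why the advisory's fix is sufficient for ICU; the `safe_filter` ordering is the defence an application should apply regardless of which converter sits underneath it, and it is the reason it still accepts the defused samples while rejecting a genuine "<script>".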
For Mac OS X v10.5.2
The download file is named: "MacOSXUpd10.5.3.dmg"
Its SHA-1 digest is: 017ef905e5653b04e2455da261e804a72bf40139

For Mac OS X v10.5 - v10.5.1
The download file is named: "MacOSXUpdCombo10.5.3.dmg"
Its SHA-1 digest is: 69acd7399de25f1548675d660fdf24eb401e3de3

For Mac OS X Server v10.5.2
The download file is named: "MacOSXServerUpd10.5.3.dmg"
Its SHA-1 digest is: 336c9dceca724eab0b8c9db3943be3f9ecf244a4

For Mac OS X Server v10.5 - v10.5.1
The download file is named: "MacOSXServerUpdCombo10.5.3.dmg"
Its SHA-1 digest is: fdb2187d19ce21caecd3c3ba6b6fa6f65c9c3a4f

For Mac OS X v10.4.11 (Intel)
The download file is named: "SecUpd2008-003Intel.dmg"
Its SHA-1 digest is: 8f84d2f757c2fb277b139f72ef501dc894620e97

For Mac OS X v10.4.11 (PowerPC)
The download file is named: "SecUpd2008-003PPC.dmg"
Its SHA-1 digest is: 51e98d988c5bb09d4b1052199d90a9d65af7c8e7

For Mac OS X Server v10.4.11 (Universal)
The download file is named: "SecUpdSrvr2008-003Univ.dmg"
Its SHA-1 digest is: 337a05956b5a6e962b286a91beee9eb217a0175c

For Mac OS X Server v10.4.11 (PowerPC)
The download file is named: "SecUpdSrvr2008-003PPC.dmg"
Its SHA-1 digest is: 94cab2b4e5d26a284c5d91d0fe4dc20b4e9cfc97

Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key, and details are available at: http://www.apple.com/support/security/pgp/

- -----BEGIN PGP SIGNATURE-----
Version: 9.7.0.1012

wsBVAwUBSD3jX3kodeiKZIkBAQhb6AgAwkjFq67NbZHBAE6dPYWZA6znZu5cv4wg
0lV0S2/BJ+lWwzwOcPrpEXAvVtv0TM4r4/vudd0QrFrpav0gAJotYJj/Ge8utevx
8TSqp7oOpSF4e4k67P61wY6N3f4/mSlBan0iL+UT1hUwK4ADJPRy3UI17hrN+eYW
+4JioCK71ILL8ndnjdmPnbDjZZr6ayvBCMlgopQZWWthWSNOj5saUGGw/8oQOlt8
hAkD+9RgFu4KdsVuK14O3WQ6Rou+PAgWOq9wel9S16UHjPa3ruy4zbYbiHDY6Owe
RR24opLOW5xhg9JwuFEuCqdnIBG4asb79wJ59y0VV4ninijEJElWpA==
=erRU
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBSD3voih9+71yA2DNAQJHSAP/e2w+pUEjsidNCVwvGtdfB9wpHrKakmoN
Y/bWUdDdSGdnA3uNmTzaoxQbZJchVRQQ16JlHYKGk+ODRRV1z9ullVMOaT1OGHvQ
EWr6W74fXxvRw7plOwzcFDH+gO2lY2PBrZKCIrXcs3zY4gsprMjGuzvQetEblJ9M
UsHXgZo+l94=
=DIWF
-----END PGP SIGNATURE-----
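The Apple text above publishes a SHA-1 digest for each download image. The practical check is to hash the file you actually received and compare it with the value for that filename, failing closed for any filename the signed list does not mention. This added example is my own tooling, not Apple's or AusCERT's; the digest table is copied from the bulletin, and since the real images are not on this page the demonstration hashes a constructed stand-in file and checks it against the standard SHA-1("abc") test vector.

```python
"""Verify a downloaded update image against the digests published in the
signed advisory (added example; not Apple's or AusCERT's tooling)."""
import hashlib
import os
import tempfile
from typing import Optional

# Copied from the advisory above.  These values are only as trustworthy as
# the PGP signature on the message that carried them, so check that first.
PUBLISHED_SHA1 = {
    "MacOSXUpd10.5.3.dmg": "017ef905e5653b04e2455da261e804a72bf40139",
    "MacOSXUpdCombo10.5.3.dmg": "69acd7399de25f1548675d660fdf24eb401e3de3",
    "MacOSXServerUpd10.5.3.dmg": "336c9dceca724eab0b8c9db3943be3f9ecf244a4",
    "MacOSXServerUpdCombo10.5.3.dmg": "fdb2187d19ce21caecd3c3ba6b6fa6f65c9c3a4f",
    "SecUpd2008-003Intel.dmg": "8f84d2f757c2fb277b139f72ef501dc894620e97",
    "SecUpd2008-003PPC.dmg": "51e98d988c5bb09d4b1052199d90a9d65af7c8e7",
    "SecUpdSrvr2008-003Univ.dmg": "337a05956b5a6e962b286a91beee9eb217a0175c",
    "SecUpdSrvr2008-003PPC.dmg": "94cab2b4e5d26a284c5d91d0fe4dc20b4e9cfc97",
}


def sha1_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-1 so a multi-hundred-megabyte image is
    never read into memory at once."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path: str, expected_hex: Optional[str] = None) -> bool:
    """Return True only if the file's digest matches.  The expected value is
    looked up in PUBLISHED_SHA1 by filename unless given explicitly; a file
    whose name is not in the table fails closed rather than being trusted."""
    expected = expected_hex or PUBLISHED_SHA1.get(os.path.basename(path))
    if expected is None:
        return False
    return sha1_of_file(path).lower() == expected.lower()


def make_sample(content: bytes = b"abc") -> str:
    """Write a constructed stand-in for a download (the real images are not
    on this page) and return its path."""
    fd, path = tempfile.mkstemp(suffix=".dmg")
    with os.fdopen(fd, "wb") as f:
        f.write(content)
    return path


if __name__ == "__main__":
    # FIPS 180-1 test vector: SHA-1("abc") = a9993e36...
    sample = make_sample(b"abc")
    print(verify_download(sample, "a9993e364706816aba3e25717850c26c9cd0d89d"))
    print(verify_download(sample))  # random temp name, not in the table: False
```

On the Mac itself `openssl sha1 <file>` yields the same hex value. Two caveats a practitioner should keep in mind: a digest taken from an unsigned web page or an unverified copy of this bulletin proves nothing, and SHA-1 is no longer collision resistant, so the digest is an integrity check for a download from a channel you already trust, not a substitute for verifying the PGP signature on the message.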