-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                          ESB-2008.0959 -- [OSX]
               APPLE-SA-2008-10-09 Security Update 2008-007
                              10 October 2008

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Apache
                      Certificates
                      ClamAV
                      ColorSync
                      CUPS
                      Finder
                      launchd
                      libxslt
                      MySQL Server
                      Networking
                      PHP
                      Postfix
                      PSNormalizer
                      QuickLook
                      rlogin
                      Script Editor
                      Single Sign-On
                      Tomcat
                      vim
                      Weblog
Publisher:            Apple
Operating System:     Mac OS X
Impact:               Root Compromise
                      Execute Arbitrary Code/Commands
                      Increased Privileges
                      Overwrite Arbitrary Files
                      Cross-site Scripting
                      Denial of Service
                      Inappropriate Access
Access:               Remote/Unauthenticated
CVE Names:            CVE-2008-4215 CVE-2008-4214 CVE-2008-4212
                      CVE-2008-4211 CVE-2008-4101 CVE-2008-3914
                      CVE-2008-3913 CVE-2008-3912 CVE-2008-3647
                      CVE-2008-3646 CVE-2008-3645 CVE-2008-3643
                      CVE-2008-3642 CVE-2008-3641 CVE-2008-3432
                      CVE-2008-3294 CVE-2008-2938 CVE-2008-2712
                      CVE-2008-2371 CVE-2008-2370 CVE-2008-2364
                      CVE-2008-2079 CVE-2008-1947 CVE-2008-1767
                      CVE-2008-1678 CVE-2008-1389 CVE-2008-1232
                      CVE-2008-0674 CVE-2008-0227 CVE-2008-0226
                      CVE-2008-0002 CVE-2007-6420 CVE-2007-6286
                      CVE-2007-5969 CVE-2007-5461 CVE-2007-5342
                      CVE-2007-5333 CVE-2007-4850 CVE-2007-2691

Ref:                  AA-2008.0131
                      AA-2008.0185
                      ESB-2008.0524
                      AA-2008.0106
                      ESB-2008.0838

Original Bulletin:    http://support.apple.com/kb/HT3216

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2008-10-09 Security Update 2008-007

Security Update 2008-007 is now available and addresses the following
issues:

Apache
CVE-ID:  CVE-2007-6420, CVE-2008-1678, CVE-2008-2364
Available for:  Mac OS X v10.5.5, Mac OS X Server v10.5.5
Impact:  Multiple vulnerabilities in Apache 2.2.8
Description:  Apache is updated to version 2.2.9 to address several
vulnerabilities, the most serious of which may lead to cross site
request forgery. Apache version 2 is not bundled with Mac OS X Client
systems prior to version 10.5. Apache version 2 is bundled with Mac
OS X Server v10.4.x systems, but is not active by default. Further
information is available via the Apache web site at
http://httpd.apache.org/

Certificates
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.5, Mac OS X Server v10.5.5
Impact:  Root certificates have been updated
Description:  Several trusted certificates were added to the list of
system roots. Several existing certificates were updated to their
most recent version. The complete list of recognized system roots may
be viewed via the Keychain Access application.

ClamAV
CVE-ID:  CVE-2008-1389, CVE-2008-3912, CVE-2008-3913, CVE-2008-3914
Available for:  Mac OS X Server v10.4.11, Mac OS X Server v10.5.5
Impact:  Multiple vulnerabilities in ClamAV 0.93.3
Description:  Multiple vulnerabilities exist in ClamAV 0.93.3, the
most serious of which may lead to arbitrary code execution. This
update addresses the issues by updating to ClamAV 0.94. ClamAV is not
bundled on Mac OS X Client systems. Further information is available
via the ClamAV website at http://www.clamav.net/

ColorSync
CVE-ID:  CVE-2008-3642
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.5, Mac OS X Server v10.5.5
Impact:  Viewing a maliciously crafted image may lead to an
unexpected application termination or arbitrary code execution
Description:  A buffer overflow exists in the handling of images with
an embedded ICC profile. Opening a maliciously crafted image with an
embedded ICC profile may lead to an unexpected application
termination or arbitrary code execution. This update addresses the
issue by performing additional validation of ICC profiles in images.
Credit: Apple.

CUPS
CVE-ID:  CVE-2008-3641
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.5, Mac OS X Server v10.5.5
Impact:  A remote attacker may be able to cause arbitrary code
execution with the privileges of the 'lp' user
Description:  A range checking issue exists in the Hewlett-Packard
Graphics Language (HPGL) filter, which may cause arbitrary memory to
be overwritten with controlled data. If Printer Sharing is enabled, a
remote attacker may be able to cause arbitrary code execution with
the privileges of the 'lp' user. If Printer Sharing is not enabled, a
local user may be able to obtain elevated privileges. This update
addresses the issue by performing additional bounds checking. Credit
to regenrecht working with TippingPoint's Zero Day Initiative for
reporting this issue.

Finder
CVE-ID:  CVE-2008-3643
Available for:  Mac OS X v10.5.5, Mac OS X Server v10.5.5
Impact:  A file on the Desktop may lead to a denial of service
Description:  An error recovery issue exists in Finder. A maliciously
crafted file on the Desktop which causes Finder to unexpectedly
terminate when generating its icon will cause Finder to continually
terminate and restart. Until the file is removed, the user account is
not accessible via Finder's user interface. This update addresses the
issue by generating icons in a separate process. This issue does not
affect systems prior to Mac OS X v10.5. Credit to Sergio 'shadown'
Alvarez of n.runs AG for reporting this issue.

launchd
Available for:  Mac OS X v10.5.5, Mac OS X Server v10.5.5
Impact:  Applications may fail to enter a sandbox when requested
Description:  This update addresses an issue introduced in Mac OS X
v10.5.5. An implementation issue in launchd may cause an
application's request to enter a sandbox to fail. This issue does not
affect programs that use the documented sandbox_init API. This update
addresses the issue by providing an updated version of launchd. This
issue does not affect systems prior to Mac OS X v10.5.5.

libxslt
CVE-ID:  CVE-2008-1767
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.5, Mac OS X Server v10.5.5
Impact:  Processing an XML document may lead to an unexpected
application termination or arbitrary code execution
Description:  A heap buffer overflow issue exists in the libxslt
library. Viewing a maliciously crafted HTML page may lead to an
unexpected application termination or arbitrary code execution.
Further information on the patch applied is available via
http://xmlsoft.org/XSLT/ Credit to Anthony de Almeida Lopes of
Outpost24 AB, and Chris Evans of Google Security Team for reporting
this issue.

MySQL Server
CVE-ID:  CVE-2007-2691, CVE-2007-5969, CVE-2008-0226, CVE-2008-0227,
CVE-2008-2079
Available for:  Mac OS X Server v10.5.5
Impact:  Multiple vulnerabilities in MySQL 5.0.45
Description:  MySQL is updated to version 5.0.67 to address several
vulnerabilities, the most serious of which may lead to arbitrary code
execution. These issues only affect Mac OS X Server systems. Further
information is available via the MySQL web site at
http://dev.mysql.com/doc/refman/5.0/en/releasenotes-cs-5-0-67.html

Networking
CVE-ID:  CVE-2008-3645
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.5, Mac OS X Server v10.5.5
Impact:  A local user may obtain system privileges
Description:  A heap buffer overflow exists in the local IPC
component of configd's EAPOLController plugin, which may allow a
local user to obtain system privileges. This update addresses the
issue through improved bounds checking. Credit: Apple.

PHP
CVE-ID:  CVE-2007-4850, CVE-2008-0674, CVE-2008-2371
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X Server v10.5.5
Impact:  Multiple vulnerabilities in PHP 4.4.8
Description:  PHP is updated to version 4.4.9 to address multiple
vulnerabilities, the most serious of which may lead to arbitrary code
execution. Further information is available via the PHP website at
http://www.php.net/ These issues only affect systems running Mac OS X
v10.4.x, Mac OS X Server v10.4.x, or Mac OS X Server v10.5.x.

Postfix
CVE-ID:  CVE-2008-3646
Available for:  Mac OS X v10.5.5
Impact:  A remote attacker may be able to send mail directly to local
users
Description:  An issue exists in the Postfix configuration files. For
a period of one minute after a local command-line tool sends mail,
postfix is accessible from the network. During this time, a remote
entity who could connect to the SMTP port may send mail to local
users and otherwise use the SMTP protocol. This issue does not cause
the system to be an open mail relay. This issue is addressed by
modifying the Postfix configuration to prevent SMTP connections from
remote machines. This issue does not affect systems prior to Mac OS X
v10.5 and does not affect Mac OS X Server. Credit to Pelle Johansson
for reporting this issue.
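The Postfix item above is a configuration exposure rather than a code bug: the listener is only meant to serve local submission, so the check an administrator wants is whether main.cf would bind smtpd to anything beyond loopback. The following Python is an added example, not Apple's or the Postfix project's code; the advisory does not say which directive Apple changed, and this script assumes the standard Postfix knob for the job, inet_interfaces (loopback-only, 127.0.0.1, ::1). The two sample main.cf bodies are constructed.

```python
"""Flag a Postfix main.cf whose inet_interfaces would expose smtpd remotely.

Added example (not Apple's or Postfix's code). It parses a main.cf body and
reports whether `inet_interfaces` restricts the SMTP listener to loopback.
The sample configurations are constructed; the parameter names are real
Postfix parameters, but the exact change Apple shipped is not stated in the
advisory, so treating inet_interfaces as the relevant knob is an assumption.
"""

import re

# Constructed sample: the exposed state. Postfix's compiled-in default when
# inet_interfaces is unset is "all", so this is equivalent to omitting it.
MAIN_CF_OPEN = """
myhostname = laptop.local
inet_interfaces = all
mydestination = $myhostname, localhost
"""

# Constructed sample: the hardened state, loopback only.
MAIN_CF_LOOPBACK = """
myhostname = laptop.local
inet_interfaces = loopback-only
mydestination = $myhostname, localhost
"""

LOOPBACK_VALUES = {"127.0.0.1", "::1", "localhost", "loopback-only"}


def parse_main_cf(text: str) -> dict:
    """Parse 'name = value' lines; a line starting with whitespace continues the previous value."""
    params = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current:          # continuation line
            params[current] += " " + raw.strip()
            continue
        m = re.match(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$", raw)
        if m:
            current = m.group(1)
            params[current] = m.group(2).strip()
    return params


def smtpd_reachable_remotely(text: str) -> bool:
    """True if inet_interfaces would bind smtpd to a non-loopback address.

    An absent directive is treated as exposed because Postfix defaults it to
    'all'. Any entry that is not a loopback name/address (including 'all' or
    an unresolved $variable) counts as exposed.
    """
    value = parse_main_cf(text).get("inet_interfaces", "all")
    entries = [e for e in re.split(r"[,\s]+", value) if e]
    if not entries:
        return True
    return any(e not in LOOPBACK_VALUES for e in entries)
```

This only inspects main.cf. A complete audit also checks that master.cf's smtp inet service is not redefined to a wider bind address and, on a laptop, that the host firewall does not admit port 25 at all; the one-minute window the advisory describes is exactly the sort of transient listener that a static port scan will miss, so the configuration check is the reliable one.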

PSNormalizer
CVE-ID:  CVE-2008-3647
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.5, Mac OS X Server v10.5.5
Impact:  Viewing a maliciously crafted PostScript file may lead to an
unexpected application termination or arbitrary code execution
Description:  A buffer overflow exists in PSNormalizer's handling of
the bounding box comment in PostScript files. Viewing a maliciously
crafted PostScript file may lead to an unexpected application
termination or arbitrary code execution. This update addresses the
issue by performing additional validation of PostScript files.
Credit: Apple.

QuickLook
CVE-ID:  CVE-2008-4211
Available for:  Mac OS X v10.5.5, Mac OS X Server v10.5.5
Impact:  Downloading or viewing a maliciously crafted Microsoft Excel
file may lead to an unexpected application termination or arbitrary
code execution
Description:  A signedness issue exists in QuickLook's handling of
columns in Microsoft Excel files, which may result in an out-of-bounds
memory access. Downloading or viewing a maliciously crafted Microsoft
Excel file may lead to an unexpected application termination or
arbitrary code execution. This update addresses the issue by
performing additional validation of Microsoft Excel files. This issue
does not affect systems prior to Mac OS X v10.5. Credit: Apple.

rlogin
CVE-ID:  CVE-2008-4212
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.5, Mac OS X Server v10.5.5
Impact:  Systems that have been manually configured to use rlogin and
hosts.equiv may unexpectedly permit root login
Description:  The manpage for the configuration file hosts.equiv
indicates that entries do not apply to root. However, an
implementation issue in rlogind causes these entries to also apply to
root. This update addresses the issue by properly disallowing rlogin
from the root user if the remote system is in hosts.equiv. The rlogin
service is not enabled by default in Mac OS X, and must be manually
configured in order to be enabled. Credit to Ralf Meyer for reporting
this issue.
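The rlogin item is a policy-semantics bug: the documented rule is that hosts.equiv entries never apply to root (root can only be trusted through ~root/.rhosts), and rlogind was consulting hosts.equiv for root anyway. The Python below is an added example, not Apple's rlogind source; it models that trust decision with the documented rule as the default and exposes the pre-fix behaviour behind a flag so the two can be compared. The host lists are constructed, and the entry format is simplified to "host [user]" with "+" as a wildcard.

```python
"""Model of the hosts.equiv / ~/.rhosts decision rlogind makes before
skipping password authentication.

Added example, not Apple's code. The documented rule is encoded as the
default: hosts.equiv is never consulted when the target account is root.
equiv_applies_to_root=True reproduces the behaviour the advisory fixed.
Entries are simplified to "host [user]" with "+" as a wildcard; the sample
files below are constructed.
"""


def parse_trust_file(text: str) -> list:
    """Return (host, user_or_None) tuples from hosts.equiv / .rhosts text."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        entries.append((parts[0], parts[1] if len(parts) > 1 else None))
    return entries


def _matches(entries: list, remote_host: str, remote_user: str, local_user: str) -> bool:
    for host, user in entries:
        if host not in ("+", remote_host):
            continue
        # A bare host entry trusts the same-named remote user only; an
        # explicit user field trusts that remote user regardless of name.
        if user is None and remote_user == local_user:
            return True
        if user is not None and user in ("+", remote_user):
            return True
    return False


def rlogin_trusted(local_user: str, remote_host: str, remote_user: str,
                   hosts_equiv: str, user_rhosts: str,
                   equiv_applies_to_root: bool = False) -> bool:
    """Decide whether rlogind should accept the login without a password.

    hosts_equiv is the system-wide file; user_rhosts is the target account's
    own ~/.rhosts. For root, only ~root/.rhosts counts unless the buggy
    behaviour is explicitly enabled.
    """
    if local_user != "root" or equiv_applies_to_root:
        if _matches(parse_trust_file(hosts_equiv), remote_host, remote_user, local_user):
            return True
    return _matches(parse_trust_file(user_rhosts), remote_host, remote_user, local_user)


# Constructed sample files: one trusted build host, no ~root/.rhosts.
HOSTS_EQUIV = "buildbox.example.org   # constructed entry\n"
ROOT_RHOSTS = ""
```

The point the model makes is that a system-wide trust list is an ordinary-user convenience; an account with root privileges must require an explicit, per-account grant. The same reasoning applies to any modern equivalent, such as a shared authorized_keys or a sudoers host alias.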

Script Editor
CVE-ID:  CVE-2008-4214
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.5, Mac OS X Server v10.5.5
Impact:  A local user may gain the privileges of another user that is
using Script Editor
Description:  An insecure file operation issue exists in the Script
Editor application when opening application scripting dictionaries. A
local user can cause the scripting dictionary to be written to an
arbitrary path accessible by the user that is running the
application. This update addresses the issue by creating the
temporary file in a secure location. Credit: Apple.
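The Script Editor item is the classic insecure temporary-file pattern: a predictable path in a directory other users can write to, opened in a way that follows whatever the attacker left there. The following Python is an added example, not Apple's code; it writes a constructed stand-in for the scripting dictionary first the unsafe way and then two safe ways, and stages the symlink attack in a private directory that plays the role of a shared /tmp. The fixed file name and the sample content are hypothetical.

```python
"""Insecure versus secure temporary-file creation, the bug class behind the
Script Editor fix.

Added example, not Apple's code. A constructed 'scripting dictionary' is
written first the unsafe way (predictable name, ordinary open(), symlinks
followed) and then the safe way (O_CREAT|O_EXCL|O_NOFOLLOW with mode 0600,
or an unpredictable mkstemp name). demo() stages the attack in a private
directory that stands in for a shared /tmp; names and content are made up.
"""

import os
import stat
import tempfile

DICTIONARY = b"<dictionary><suite name='Standard Suite'/></dictionary>\n"  # constructed
PREDICTABLE = "ScriptEditor.sdef"   # hypothetical fixed temp-file name


def write_insecure(shared_dir: str, data: bytes) -> str:
    """Fixed name and plain open(): a pre-planted symlink redirects the write."""
    path = os.path.join(shared_dir, PREDICTABLE)
    with open(path, "wb") as f:          # follows symlinks and truncates the target
        f.write(data)
    return path


def write_secure_fixed_name(shared_dir: str, data: bytes) -> str:
    """Same fixed name, but create-exclusive and never through a symlink.

    Raises FileExistsError if anything (file or symlink) already sits there.
    That is the correct failure mode: refuse, do not silently write elsewhere.
    """
    path = os.path.join(shared_dir, PREDICTABLE)
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)
    return path


def write_secure_random_name(shared_dir: str, data: bytes) -> str:
    """Unpredictable name via mkstemp (O_EXCL, mode 0600): nothing can be pre-planted."""
    fd, path = tempfile.mkstemp(prefix="ScriptEditor-", suffix=".sdef", dir=shared_dir)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)
    return path


def demo() -> dict:
    """Plant a symlink at the predictable name, run each writer, report the outcome."""
    shared = tempfile.mkdtemp()                     # stand-in for a world-writable /tmp
    victim = os.path.join(shared, "victim.txt")     # file the attacker wants overwritten
    with open(victim, "wb") as f:
        f.write(b"original\n")
    os.symlink(victim, os.path.join(shared, PREDICTABLE))   # attacker pre-plants the link

    write_insecure(shared, DICTIONARY)
    with open(victim, "rb") as f:
        clobbered = f.read() == DICTIONARY          # True: the victim was overwritten

    with open(victim, "wb") as f:                   # reset the victim for the second run
        f.write(b"original\n")
    try:
        write_secure_fixed_name(shared, DICTIONARY)
        refused = False
    except FileExistsError:
        refused = True                              # True: O_EXCL saw the planted link
    with open(victim, "rb") as f:
        victim_intact = f.read() == b"original\n"

    safe = write_secure_random_name(shared, DICTIONARY)
    mode = stat.S_IMODE(os.stat(safe).st_mode)
    with open(safe, "rb") as f:
        safe_content_ok = f.read() == DICTIONARY
    return {
        "clobbered": clobbered,
        "refused": refused,
        "victim_intact": victim_intact,
        "safe_mode": mode,
        "safe_content_ok": safe_content_ok,
    }
```

The exclusive-create variant is the minimal fix when a fixed name is unavoidable; the random-name variant is what "creating the temporary file in a secure location" normally means in practice, and it removes the race entirely rather than just detecting it. Either way the write must go through the descriptor that was opened exclusively, never through a second open() of the path.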

Single Sign-On
Available for:  Mac OS X v10.5.5, Mac OS X Server v10.5.5
Impact:  The sso_util command now accepts passwords from a file
Description:  The sso_util command now accepts passwords from a file
named in the SSO_PASSWD_PATH environment variable. This enables
automated scripts to use sso_util more securely.

Tomcat
CVE-ID:  CVE-2007-6286, CVE-2008-0002, CVE-2008-1232, CVE-2008-1947,
CVE-2008-2370, CVE-2008-2938, CVE-2007-5333, CVE-2007-5342,
CVE-2007-5461
Available for:  Mac OS X Server v10.5.5
Impact:  Multiple vulnerabilities in Tomcat 6.0.14
Description:  Tomcat on Mac OS X v10.5 systems is updated to version
6.0.18 to address several vulnerabilities, the most serious of which
may lead to a cross site scripting attack. These issues only affect
Mac OS X Server systems. Further information is available via the
Tomcat site at http://tomcat.apache.org/

vim
CVE-ID:  CVE-2008-2712, CVE-2008-4101, CVE-2008-3432, CVE-2008-3294
Available for:  Mac OS X v10.5.5, Mac OS X Server v10.5.5
Impact:  Multiple vulnerabilities in vim 7.0
Description:  Multiple vulnerabilities exist in vim 7.0, the most
serious of which may lead to arbitrary code execution when working
with maliciously crafted files. This update addresses the issues by
updating to vim 7.2.0.22. Further information is available via the
vim website at http://www.vim.org/

Weblog
CVE-ID:  CVE-2008-4215
Available for:  Mac OS X Server v10.4.11
Impact:  Access control on weblog postings may not be enforced
Description:  An unchecked error condition exists in the weblog
server. Adding a user with multiple short names to the access control
list for a weblog posting may cause the Weblog server to not enforce
the access control. This issue is addressed by improving the way
access control lists are saved. This issue only affects systems
running Mac OS X Server v10.4. Credit: Apple.

Security Update 2008-007 may be obtained from the Software Update
pane in System Preferences, or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/

For Mac OS X v10.5.5
The download file is named: "SecUpd2008-007.dmg"
Its SHA-1 digest is: 2e2489a223d13e9d7b9928735b6693ab0cbe6e00

For Mac OS X Server v10.5.5
The download file is named: "SecUpdSrvr2008-007.dmg"
Its SHA-1 digest is: 62db4a0d0688bc047fcf391a20e23e1a72ae292c

For Mac OS X v10.4.11 (Intel)
The download file is named: "SecUpd2008-007Intel.dmg"
Its SHA-1 digest is: 810167ffc3480a897f0b3ef62fdaaed2cfd77f1a

For Mac OS X v10.4.11 (PPC)
The download file is named: "SecUpd2008-007PPC.dmg"
Its SHA-1 digest is: 2e1253241cec2999c8754db40816f801ad80ad8b

For Mac OS X Server v10.4.11 (Universal)
The download file is named: "SecUpdSrvr2008-007Univ.dmg"
Its SHA-1 digest is: 7c71ffd314d7412dcb73746151d4fd7c32749415

For Mac OS X Server v10.4.11 (PPC)
The download file is named: "SecUpdSrvr2008-007PPC.dmg"
Its SHA-1 digest is: be0868a142a9e2a6e93d42c3208ca9585a25cc6d
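The digests above are only useful if the downloaded image is actually checked against them before it is installed. The Python below is an added example, not Apple's tooling; the filename-to-digest table is copied from the bulletin text above, the hashing is done in chunks so a multi-hundred-megabyte .dmg does not have to fit in memory, and the comparison is constant-time. The file used by selftest() is constructed (its content is b"abc", whose SHA-1 is a published test vector), so the self-test exercises the helpers without a real download.

```python
"""Verify a downloaded Security Update image against the digest Apple
published before installing it.

Added example, not Apple's tooling. PUBLISHED_SHA1 is transcribed from
APPLE-SA-2008-10-09; the helpers hash a file in chunks and compare in
constant time. selftest() uses a constructed file, not a real .dmg.
"""

import hashlib
import hmac
import os
import tempfile

# Digests as printed in the bulletin (hex, lowercase), keyed by file name.
PUBLISHED_SHA1 = {
    "SecUpd2008-007.dmg":         "2e2489a223d13e9d7b9928735b6693ab0cbe6e00",
    "SecUpdSrvr2008-007.dmg":     "62db4a0d0688bc047fcf391a20e23e1a72ae292c",
    "SecUpd2008-007Intel.dmg":    "810167ffc3480a897f0b3ef62fdaaed2cfd77f1a",
    "SecUpd2008-007PPC.dmg":      "2e1253241cec2999c8754db40816f801ad80ad8b",
    "SecUpdSrvr2008-007Univ.dmg": "7c71ffd314d7412dcb73746151d4fd7c32749415",
    "SecUpdSrvr2008-007PPC.dmg":  "be0868a142a9e2a6e93d42c3208ca9585a25cc6d",
}


def sha1_of_file(path: str, chunk: int = 1 << 20) -> str:
    """Hex SHA-1 of a file, read in 1 MiB chunks."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify(path: str, expected_hex: str) -> bool:
    """True only if the file's SHA-1 equals expected_hex (case-insensitive, constant-time)."""
    actual = sha1_of_file(path).encode()
    expected = expected_hex.strip().lower().encode()
    return hmac.compare_digest(actual, expected)


def verify_download(path: str, table: dict = PUBLISHED_SHA1) -> bool:
    """Look the file up by basename in the published table and verify it; unknown names fail closed."""
    name = os.path.basename(path)
    if name not in table:
        return False
    return verify(path, table[name])


def selftest() -> dict:
    """Exercise the helpers on a constructed file whose SHA-1 is the b'abc' test vector."""
    d = tempfile.mkdtemp()
    p = os.path.join(d, "SecUpd2008-007.dmg")   # right name, wrong content
    with open(p, "wb") as f:
        f.write(b"abc")
    return {
        "known_digest": verify(p, "A9993E364706816ABA3E25717850C26C9CD0D89D"),  # True
        "published_mismatch": verify_download(p),                               # False
        "unknown_name": verify_download(os.path.join(d, "other.dmg")),          # False
    }
```

Two caveats a practitioner should keep in mind. A digest fetched over plain HTTP from the same place as the file only detects corruption, not substitution, so what actually anchors trust here is the PGP signature on the bulletin itself (Apple's key is referenced at the end of the advisory). And SHA-1 was already deprecated for collision resistance when this bulletin was issued; it is adequate for spotting a truncated or corrupted download, which is all a published digest is meant to do.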

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key,
and details are available at:
http://www.apple.com/support/security/pgp/

- -----BEGIN PGP SIGNATURE-----

iQEcBAEBAgAGBQJI7lTeAAoJEHkodeiKZIkBqp4H/0n8D36/4cgsBRKbNRiglvwN
PVFPlH28DweLx745x9s+XzspIPquHQuJ4TjHRNz+5AQG4+0rQgwKRpIHONBEI8S9
fb2CtPBg7vMbv4zoDCK7jvDye4pVfRjsHcrB59dioVBOV0QIAiH6GwjNjXIXJCBH
AVyVELm3Ups0icOKzmyRz0lQ8lNT16PyAXwvoHoMCkzibeMJDyF+22JENEOvKd60
UYcrg/XF1pRhQ4m40Dj4GeNyPg98izt26QiBSYdQuYMJHcbALu53KJs19114kn8B
8ZRAiZgJEPCbEdzmERAzjQmSHV0Oi73t7QT5VgvYvBtIzoJiXbvQG1mTgWlJJB4=
=kH5f
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBSO6zCCh9+71yA2DNAQIBVgP6Ao1E3VeizJF5ah+svlQzfh+ZEOdfz7PI
4iQYkLV1HXCALu9CgviTD3E1B417NvczJ09/om1VMutJtJnrif2vg4gDOa6qtTwg
N0BkY/v/LU3CQ182z+LJqK2AP4FMcrGE+lVqv9eMzVQN3VCTbKOfs4zP3vbB7YaH
jFMAUcUPHO8=
=rV5w
-----END PGP SIGNATURE-----