-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                        ESB-2008.1123 -- [Mac][OSX]
                Security Update 2008-008 / Mac OS X v10.5.6
                             16 December 2008

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              ATS
                      BOM
                      CoreGraphics
                      CoreServices
                      CoreTypes
                      Flash Player
                      Kernel
                      Libsystem
                      Managed Client
                      network_cmds
                      Podcast Producer
                      UDF
Publisher:            Apple
Operating System:     Mac OS X 10.5 to 10.5.5
                      Mac OS X 10.4.11
Impact:               Execute Arbitrary Code/Commands
                      Increased Privileges
                      Access Privileged Data
                      Access Confidential Data
                      Modify Arbitrary Files
                      Cross-site Scripting
                      Denial of Service
                      Provide Misleading Information
                      Reduced Security
Access:               Remote/Unauthenticated
CVE Names:            CVE-2008-4824 CVE-2008-4823 CVE-2008-4822
                      CVE-2008-4821 CVE-2008-4820 CVE-2008-4819
                      CVE-2008-4818 CVE-2008-4237 CVE-2008-4236
                      CVE-2008-4234 CVE-2008-4224 CVE-2008-4223
                      CVE-2008-4222 CVE-2008-4221 CVE-2008-4220
                      CVE-2008-4219 CVE-2008-4218 CVE-2008-4217
                      CVE-2008-3623 CVE-2008-3170 CVE-2008-1391

Ref:                  ESB-2008.1028

Original Bulletin:    http://support.apple.com/kb/HT3338

Comment: Note that this does not address AL-2008.0128.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2008-12-15 Security Update 2008-008 / Mac OS X v10.5.6

Security Update 2008-008 / Mac OS X v10.5.6 is now available and
addresses the following issues:

ATS
CVE-ID:  CVE-2008-4236
Available for:  Mac OS X v10.5 through v10.5.5,
Mac OS X Server v10.5 through v10.5.5
Impact:  Viewing or downloading a PDF file containing a maliciously
crafted embedded font may lead to a denial of service
Description:  An infinite loop may occur in the Apple Type Services
server's handling of embedded fonts in PDF files. Viewing or
downloading a PDF file containing a maliciously crafted embedded font
may lead to a denial of service. This update addresses the issue by
performing additional validation of embedded fonts. This issue does
not affect systems prior to Mac OS X v10.5. Credit to Michael Samarin
and Mikko Vihonen of Futurice Ltd. for reporting this issue.

BOM
CVE-ID:  CVE-2008-4217
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5 through v10.5.5, Mac OS X Server v10.5 through v10.5.5
Impact:  Downloading or viewing a maliciously crafted CPIO archive
may lead to arbitrary code execution or unexpected application
termination
Description:  A signedness issue exists in BOM's handling of CPIO
headers which may result in a stack buffer overflow. Downloading or
viewing a maliciously crafted CPIO archive may lead to arbitrary code
execution or unexpected application termination. This update
addresses the issue by performing additional validation of CPIO
headers. Credit: Apple.
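
The BOM issue above is a signedness bug in a header field that feeds a
bounds check. The following is an added example written for this
bulletin, not Apple's BOM code: a constructed reader for the binary
("old") cpio header, whose c_namesize is an unsigned 16-bit word, with
the broken check beside the fixed one. The advisory does not say which
field or which cpio variant BOM mishandled, and the 256-byte name buffer
is an assumed size for the illustration.

```c
/* Added example, not Apple's BOM code: a signedness bug in a CPIO header
 * bound check, in the shape the advisory describes, beside the fixed form.
 * Header layout follows the binary cpio format; the affected field and
 * variant in BOM are not stated in the advisory. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CPIO_BIN_MAGIC 070707u     /* magic word of the binary cpio format */
#define NAME_BUF_LEN   256         /* assumed size of the on-stack name buffer */

struct cpio_bin_hdr {              /* 13 x 16-bit words, 26 bytes */
    uint16_t c_magic, c_dev, c_ino, c_mode, c_uid, c_gid, c_nlink, c_rdev;
    uint16_t c_mtime[2];
    uint16_t c_namesize;           /* bytes of path name after the header, NUL included */
    uint16_t c_filesize[2];
};

/* Build a constructed header with the given name size. */
struct cpio_bin_hdr make_hdr(uint16_t namesize)
{
    struct cpio_bin_hdr h;
    memset(&h, 0, sizeof h);
    h.c_magic = CPIO_BIN_MAGIC;
    h.c_namesize = namesize;
    return h;
}

/* Vulnerable bound check: the unsigned field is held in a signed short, so
 * c_namesize >= 0x8000 reads as negative, "<= NAME_BUF_LEN" is true, and a
 * memcpy that follows converts the negative length to a huge size_t and
 * writes past the stack buffer. Returns 1 when the header is accepted. */
int namesize_ok_vuln(const struct cpio_bin_hdr *h)
{
    short namesize = (short)h->c_namesize;   /* BUG: unsigned -> signed */
    return namesize <= NAME_BUF_LEN;         /* -1 <= 256 passes */
}

/* Fixed bound check: keep the field unsigned and require 1..NAME_BUF_LEN. */
int namesize_ok_fixed(const struct cpio_bin_hdr *h)
{
    uint16_t namesize = h->c_namesize;
    return namesize >= 1 && namesize <= NAME_BUF_LEN;
}

/* Copy the entry name that follows the header into a fixed buffer, using
 * the fixed check and also refusing a name that runs past the archive data.
 * Returns the name length (NUL included) or -1 for a rejected header. */
int cpio_read_name(const struct cpio_bin_hdr *h, const unsigned char *data,
                   size_t data_len, char out[NAME_BUF_LEN])
{
    if (h->c_magic != CPIO_BIN_MAGIC || !namesize_ok_fixed(h))
        return -1;
    size_t n = h->c_namesize;
    if (n > data_len)                        /* name longer than the archive */
        return -1;
    memcpy(out, data, n);
    out[n - 1] = '\0';                       /* force termination */
    return (int)n;
}

int main(void)
{
    struct cpio_bin_hdr evil = make_hdr(0xFFFF);   /* constructed hostile header */
    printf("c_namesize=0x%04x vuln_check=%d fixed_check=%d\n",
           evil.c_namesize, namesize_ok_vuln(&evil), namesize_ok_fixed(&evil));
    return 0;
}
```

The point to carry away is that the fix is not just "a bigger check": a
field parsed from the file must keep the type the format gives it, and the
bound must be applied before any arithmetic or copy that uses it.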

CoreGraphics
CVE-ID:  CVE-2008-3623
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5 through v10.5.5, Mac OS X Server v10.5 through v10.5.5
Impact:  Viewing a maliciously crafted image may lead to an
unexpected application termination or arbitrary code execution
Description:  A heap buffer overflow exists in the handling of color
spaces within CoreGraphics. Viewing a maliciously crafted image may
lead to an unexpected application termination or arbitrary code
execution. This update addresses the issue through improved bounds
checking. Credit: Apple.

CoreServices
CVE-ID:  CVE-2008-3170
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5 through v10.5.5, Mac OS X Server v10.5 through v10.5.5
Impact:  Visiting a maliciously crafted website may lead to the
disclosure of user credentials
Description:  Safari allows web sites to set cookies for country-
specific top-level domains, which may allow a remote attacker to
perform a session fixation attack and hijack a user's credentials.
This update addresses the issue by performing additional validation
of domain names. Credit to Alexander Clauss of iCab.de for reporting
this issue.
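
The CoreServices fix is a check on the cookie Domain attribute: a cookie
scoped to a registry-controlled suffix such as co.uk would be sent to
every site under that suffix, which is what lets one site fix a session
identifier for another. The following is an added example, not Safari's
or CoreServices' code, of such a check. The suffix list in it is a small
constructed stand-in; a real implementation should use the Public Suffix
List (publicsuffix.org).

```c
/* Added example, not Apple's code: reject cookies whose Domain attribute
 * is a public suffix, and otherwise apply the RFC 6265 domain-match rule.
 * PUBLIC_SUFFIXES is a constructed excerpt for the example. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Constructed excerpt of registry-controlled suffixes. */
static const char *const PUBLIC_SUFFIXES[] = {
    "com", "net", "org", "uk", "co.uk", "org.uk", "au", "com.au", "de", NULL
};

/* Case-insensitive string equality (host names are case-insensitive). */
static int ci_equal(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

/* 1 if domain (with or without a leading dot) is a public suffix. */
int is_public_suffix(const char *domain)
{
    if (*domain == '.') domain++;
    for (const char *const *s = PUBLIC_SUFFIXES; *s; s++)
        if (ci_equal(domain, *s))
            return 1;
    return 0;
}

/* 1 if a cookie with Domain=<domain>, set by a page on <host>, may be
 * stored; 0 if it must be dropped. The domain may not be a public suffix
 * and must be the host itself or a parent of it. */
int cookie_domain_allowed(const char *host, const char *domain)
{
    if (*domain == '.') domain++;
    size_t hl = strlen(host), dl = strlen(domain);
    if (dl == 0 || is_public_suffix(domain))
        return 0;
    if (ci_equal(host, domain))
        return 1;
    /* parent domain: host must end in "." followed by domain */
    return hl > dl + 1 && host[hl - dl - 1] == '.' &&
           ci_equal(host + hl - dl, domain);
}

int main(void)
{
    const char *host = "www.example.co.uk";        /* constructed */
    const char *attempts[] = { "example.co.uk", ".co.uk", "other.co.uk" };
    for (int i = 0; i < 3; i++)
        printf("Domain=%-14s from %s -> %s\n", attempts[i], host,
               cookie_domain_allowed(host, attempts[i]) ? "store" : "drop");
    return 0;
}
```

Without the suffix check, the third rule alone would accept Domain=co.uk
from www.example.co.uk, since co.uk is a parent of that host.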

CoreTypes
CVE-ID:  CVE-2008-4234
Available for:  Mac OS X v10.5 through v10.5.5,
Mac OS X Server v10.5 through v10.5.5
Impact:  Attempting to launch unsafe downloaded content may not lead
to a warning
Description:  Mac OS X provides the Download Validation capability to
indicate potentially unsafe files. Applications such as Safari and
others use Download Validation to help warn users prior to launching
files marked as potentially unsafe. This update adds to the list of
potentially unsafe types. It adds the content type for files that
have executable permissions and no specific application association.
These files are potentially unsafe as they will launch in Terminal
and their content will be executed as commands. While these files are
not automatically launched, if manually opened they could lead to the
execution of arbitrary code. This issue does not affect systems prior
to Mac OS X v10.5.

Flash Player Plug-in
CVE-ID:  CVE-2008-4818, CVE-2008-4819, CVE-2008-4820, CVE-2008-4821,
CVE-2008-4822, CVE-2008-4823, CVE-2008-4824
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5 through v10.5.5, Mac OS X Server v10.5 through v10.5.5
Impact:  Multiple vulnerabilities in Adobe Flash Player plug-in
Description:  Multiple issues exist in the Adobe Flash Player plug-
in, the most serious of which may lead to arbitrary code execution
when viewing a maliciously crafted web site. The issues are addressed
by updating the Flash Player plug-in to version 9.0.151.0. Further
information is available via the Adobe web site at
http://www.adobe.com/support/security/bulletins/apsb08-20.html

Kernel
CVE-ID:  CVE-2008-4218
Available for:  Mac OS X v10.5 through v10.5.5,
Mac OS X Server v10.5 through v10.5.5
Impact:  A local user may obtain system privileges
Description:  Integer overflow issues exist within the i386_set_ldt
and i386_get_ldt system calls, which may allow a local user to
execute arbitrary code with system privileges. This update addresses
the issues through improved bounds checking. These issues do not
affect PowerPC systems. Credit to Richard Vaneeden of IOActive, Inc.
for reporting these issues.

Kernel
CVE-ID:  CVE-2008-4219
Available for:  Mac OS X v10.5 through v10.5.5,
Mac OS X Server v10.5 through v10.5.5
Impact:  Running an executable that links dynamic libraries on an NFS
share may lead to an unexpected system shutdown
Description:  An infinite loop may occur when a program located on an
NFS share receives an exception. This may lead to an unexpected
system shutdown. This update addresses the issue through improved
handling of exceptions. Credit to Ben Loer of Princeton University
for reporting this issue.

Libsystem
CVE-ID:  CVE-2008-4220
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5 through v10.5.5, Mac OS X Server v10.5 through v10.5.5
Impact:  Applications that use the inet_net_pton API may be
vulnerable to arbitrary code execution or an unexpected application
termination
Description:  An integer overflow exists in Libsystem's inet_net_pton
API, which may lead to arbitrary code execution or the unexpected
termination of the application using the API. This update addresses
the issue through improved bounds checking. This API is not normally
called with untrusted data, and no exploitable cases of this issue
are known. This update is provided to help mitigate potential attacks
against any application using this API.

Libsystem
CVE-ID:  CVE-2008-4221
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5 through v10.5.5, Mac OS X Server v10.5 through v10.5.5
Impact:  Applications that use the strptime API may be vulnerable to
arbitrary code execution or unexpected application termination
Description:  A memory corruption issue exists in Libsystem's
strptime API. Parsing a maliciously crafted date string may lead to
arbitrary code execution or unexpected application termination. This
update addresses the issue through improved memory allocation.
Credit: Apple.

Libsystem
CVE-ID:  CVE-2008-1391
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5 through v10.5.5, Mac OS X Server v10.5 through v10.5.5
Impact:  Applications that use the strfmon API may be exposed to an
unexpected application termination or arbitrary code execution
Description:  Multiple integer overflows exist in Libsystem's strfmon
implementation. An application calling strfmon with large values of
certain integer fields in the format string argument may unexpectedly
terminate or lead to arbitrary code execution. This update addresses
the issues through improved bounds checking.
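
The strfmon issue above is driven by the numeric fields of the format
string. A strfmon format should never be assembled from untrusted input,
and where a field width or precision is computed from input it should be
bounded before the call. The following is an added example, not
Libsystem's code, of a validator that walks the strfmon conversion syntax
(%[=f][^][+|(][!][-][w][#n][.p](i|n)) and refuses oversized or malformed
fields, with a wrapper that only calls strfmon on a format that passes.
The 64-column limit is an assumption for the example.

```c
/* Added example, not Apple's Libsystem code: bound the width and precision
 * fields of an strfmon(3) format before calling it. STRFMON_MAX_FIELD is an
 * assumed limit for the illustration. */
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700
#endif
#include <sys/types.h>
#include <monetary.h>
#include <stdio.h>

#define STRFMON_MAX_FIELD 64   /* assumed upper bound on w, n and p */

/* Parse a run of decimal digits at *p, advancing it. Returns the value, or
 * -1 as soon as it exceeds STRFMON_MAX_FIELD (so v itself never overflows). */
static int bounded_number(const char **p)
{
    int v = 0;
    while (**p >= '0' && **p <= '9') {
        v = v * 10 + (**p - '0');
        if (v > STRFMON_MAX_FIELD)
            return -1;
        (*p)++;
    }
    return v;
}

/* 1 if every conversion in fmt is well formed and its width, left precision
 * and right precision are within bounds; 0 otherwise. */
int strfmon_format_ok(const char *fmt)
{
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;                       /* literal percent */
        if (*p == '=') { p++; if (!*p) return 0; p++; } /* =f fill character */
        while (*p == '^' || *p == '+' || *p == '(' || *p == '!' || *p == '-')
            p++;                                        /* flags */
        if (bounded_number(&p) < 0) return 0;           /* w: field width */
        if (*p == '#') { p++; if (bounded_number(&p) < 0) return 0; } /* #n */
        if (*p == '.') { p++; if (bounded_number(&p) < 0) return 0; } /* .p */
        if (*p != 'i' && *p != 'n') return 0;           /* conversion */
    }
    return 1;
}

/* Wrapper: returns the byte count from strfmon, or -1 if the format is
 * rejected before strfmon is ever reached. */
ssize_t safe_strfmon(char *buf, size_t max, const char *fmt, double amount)
{
    if (!strfmon_format_ok(fmt))
        return -1;
    return strfmon(buf, max, fmt, amount);
}

int main(void)
{
    const char *formats[] = { "%#5.2n", "%9999999999n", "%q" };  /* constructed */
    for (int i = 0; i < 3; i++)
        printf("%-16s -> %s\n", formats[i],
               strfmon_format_ok(formats[i]) ? "accepted" : "rejected");
    return 0;
}
```

The validator is deliberately conservative: it rejects anything it does
not recognise rather than passing it through, which is the right failure
mode for input that reaches a C library formatting routine.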

Managed Client
CVE-ID:  CVE-2008-4237
Available for:  Mac OS X v10.5 through v10.5.5,
Mac OS X Server v10.5 through v10.5.5
Impact:  The managed screen saver settings are not applied
Description:  The method by which the software on a managed client
system installs per-host configuration information does not always
correctly identify the system. On a misidentified system, per-host
settings are not applied, including the screen saver lock. This
update addresses the issue by having Managed Client use the correct
system identification. This issue does not affect systems with built-
in Ethernet. Credit to John Barnes of ESRI, and Trevor Lalish-Menagh
of Tamman Technologies, Inc. for reporting this issue.

network_cmds
CVE-ID:  CVE-2008-4222
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5 through v10.5.5, Mac OS X Server v10.5 through v10.5.5
Impact:  A remote attacker may be able to cause a denial of service
if Internet Sharing is enabled
Description:  An infinite loop may occur in the handling of TCP
packets in natd. By sending a maliciously crafted TCP packet, a
remote attacker may be able to cause a denial of service if Internet
Sharing is enabled. This update addresses the issue by performing
additional validation of TCP packets. Credit to Alex Rosenberg of
Ohmantics, and Gary Teter of Paizo Publishing for reporting this
issue.
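
The advisory does not say where in natd's TCP handling the loop is. The
following is an added example, not natd's code, of the most common shape
of such a bug in packet parsers: an option walker that advances by a
length byte the sender controls, which can be zero. The unsafe walker is
given an iteration cap so the fault is observable instead of hanging; the
fixed walker treats a short or zero length as a malformed packet. The
option bytes are constructed for the example.

```c
/* Added example, not natd's code: a TCP option walker that loops forever
 * on a zero-length option, beside the fixed walker. Sample option bytes
 * below are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define TCPOPT_EOL 0
#define TCPOPT_NOP 1

/* Constructed samples: MSS option then NOP then EOL; an MSS option with a
 * zero length byte; a window-scale option claiming 4 bytes in a 2-byte space. */
const uint8_t SAMPLE_GOOD[]     = { 2, 4, 0x05, 0xb4, 1, 0 };
const uint8_t SAMPLE_ZERO_LEN[] = { 2, 0, 0, 0 };
const uint8_t SAMPLE_OVERRUN[]  = { 3, 4 };

/* Unsafe walker: trusts the length byte. On an option with length 0 the
 * cursor never advances. Returns the option count, or -1 when the cap is
 * hit, which is the point where an uncapped loop would spin forever. */
int walk_tcp_options_unsafe(const uint8_t *opt, size_t len, int cap)
{
    size_t i = 0;
    int count = 0;
    while (i < len) {
        uint8_t kind = opt[i];
        if (kind == TCPOPT_EOL) break;
        if (kind == TCPOPT_NOP) { i++; count++; continue; }
        if (i + 1 >= len) break;
        uint8_t olen = opt[i + 1];
        i += olen;                               /* BUG: olen may be 0 */
        if (++count > cap) return -1;
    }
    return count;
}

/* Fixed walker: every option other than NOP/EOL must carry a length of at
 * least 2 and must fit in the remaining option space; anything else is a
 * malformed packet and the caller should drop it. */
int walk_tcp_options_safe(const uint8_t *opt, size_t len)
{
    size_t i = 0;
    int count = 0;
    while (i < len) {
        uint8_t kind = opt[i];
        if (kind == TCPOPT_EOL) break;
        if (kind == TCPOPT_NOP) { i++; count++; continue; }
        if (i + 1 >= len) return -1;             /* kind byte with no length */
        uint8_t olen = opt[i + 1];
        if (olen < 2 || olen > len - i) return -1; /* zero, one, or overrun */
        i += olen;
        count++;
    }
    return count;
}

int main(void)
{
    printf("good:     unsafe=%d safe=%d\n",
           walk_tcp_options_unsafe(SAMPLE_GOOD, sizeof SAMPLE_GOOD, 1000),
           walk_tcp_options_safe(SAMPLE_GOOD, sizeof SAMPLE_GOOD));
    printf("zero len: unsafe=%d (cap hit) safe=%d\n",
           walk_tcp_options_unsafe(SAMPLE_ZERO_LEN, sizeof SAMPLE_ZERO_LEN, 1000),
           walk_tcp_options_safe(SAMPLE_ZERO_LEN, sizeof SAMPLE_ZERO_LEN));
    return 0;
}
```

A single crafted packet is enough to trigger this class of fault, which is
why the advisory rates it as a remote denial of service against any host
with Internet Sharing turned on.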

Podcast Producer
CVE-ID:  CVE-2008-4223
Available for:  Mac OS X Server v10.5 through v10.5.5
Impact:  A remote attacker may be able to access the administrative
functions of Podcast Producer
Description:  An authentication bypass issue exists in the Podcast
Producer server, which may allow an unauthorized user to access
administrative functions in the server. This update addresses the
issue through improved handling of access restrictions. Podcast
Producer was introduced in Mac OS X Server v10.5.

UDF
CVE-ID:  CVE-2008-4224
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5 through v10.5.5, Mac OS X Server v10.5 through v10.5.5
Impact:  Opening an ISO file may lead to an unexpected system
shutdown
Description:  An input validation issue exists in the handling of
malformed UDF volumes. Opening a maliciously crafted ISO file may
lead to an unexpected system shutdown. This update addresses the
issue through improved input validation. Credit to Mauro Notarianni
of PCAX Solutions for reporting this issue.

Security Update 2008-008 and Mac OS X v10.5.6 may be obtained from
the Software Update pane in System Preferences, or Apple's Software
Downloads web site:
http://www.apple.com/support/downloads/

The Software Update utility will present the update that applies
to your system configuration. Only one is needed, either
Security Update 2008-008 or Mac OS X v10.5.6.

For Mac OS X v10.5.5
The download file is named: "MacOSXUpd10.5.6.dmg"
Its SHA-1 digest is: 684f67524a92b4314a4bdd52498fb3b6af8f9ded

For Mac OS X v10.5 - v10.5.4
The download file is named: "MacOSXUpdCombo10.5.6.dmg"
Its SHA-1 digest is: 09de4ac2c5591ab75d51ef37dc70f9e5630150d4

For Mac OS X Server v10.5.5
The download file is named: "MacOSXServerUpd10.5.6.dmg"
Its SHA-1 digest is: bd14ab94b9bcc896da1613ac761171b54286bcac

For Mac OS X Server v10.5 - v10.5.4
The download file is named: "MacOSXServerUpdCombo10.5.6.dmg"
Its SHA-1 digest is: e20d8d458be3ec51b0083ff823ce27def00dbca7

For Mac OS X v10.4.11 (Intel)
The download file is named: "SecUpd2008-008Intel.dmg"
Its SHA-1 digest is: 651e592fad1bd158a76459a81d2ebede1f3bedea

For Mac OS X v10.4.11 (PowerPC)
The download file is named: "SecUpd2008-008PPC.dmg"
Its SHA-1 digest is: 9bb2aa7fcc924715b6442e808fc778789f359906

For Mac OS X Server v10.4.11 (Universal)
The download file is named: "SecUpdSrvr2008-008Univ.dmg"
Its SHA-1 digest is: 21702064037150cdeb9d708304ee91eb254c7371

For Mac OS X Server v10.4.11 (PowerPC)
The download file is named: "SecUpdSrvr2008-008PPC.dmg"
Its SHA-1 digest is: d0e4720051ea27b8edf0ab2a124d6e9f0e16534c

Information will also be posted to the Apple Security Updates
web site:  http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key,
and details are available at:
http://www.apple.com/support/security/pgp/

- -----BEGIN PGP SIGNATURE-----

iQEcBAEBAgAGBQJJRoLMAAoJEHkodeiKZIkB64kIAKWDMSDEqM/NEmMpkdIqNzcb
eZT1iPzXMgJPka04kmZismqN5+FHXa47+w/QYntp9uF+FxX+3aw/ip6v/sQ6Mm15
9wmfFgCddbas04g/9JjCh+UgOHUiUKOHmBElROwoLcJNAZBPgMsTQMZYQSqRTwWI
9+Nqqr7ajZvujo6ajIIQp/Lv48PIWZw/sI2CJzKS0zt5u7ctFvAJUjKaKsXZKvei
/0bqcIRCy/TGjB+yI4p30OZVup/IAp21tFaaRBc+lWHZ2bvCSQ7ZpwlLJtlL/FOC
jSZoVhNwYJPH2v+cG5mZ6aX2ntZgU2FD6mZyzsrUcS7fpG5fnxgU4lEnX55ntME=
=pIcv
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBSUboeCh9+71yA2DNAQKwbQP+JEgXkLKUFTHW/AjyVU49VrMiKgCrjiA/
P08DnPdgdzEpMTVe/+exuikIPrTP9Q8+U37Md9ziJecIPDO2p/tlvYtTnY5XiaPN
VRvnjnxW66RS9/1P6GD1ARWpzMv/ZDIvS9jPYq62K50Xa+Uc9KeIo+LabgmQcdok
CYAZ5i/PbiY=
=8uOu
-----END PGP SIGNATURE-----