-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                        ESB-2009.0147 -- [Mac][OSX]
               APPLE-SA-2009-02-12 Security Update 2009-001
                             13 February 2009

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              AFP Server
                      Apple Pixlet Video
                      CarbonCore
                      CFNetwork
                      Certificate Assistant
                      ClamAV
                      CoreText
                      CUPS
                      DS Tools
                      fetchmail
                      Folder Manager
                      FSEvents
                      Network Time
                      perl
                      Printing
                      python
                      Remote Apple Events
                      Safari RSS
                      servermgrd
                      SMB
                      SquirrelMail
                      X11
                      XTerm
Publisher:            Apple
Operating System:     Mac OS X
                      Mac OS X Server 
Impact:               Increased Privileges
                      Execute Arbitrary Code/Commands
                      Modify Arbitrary Files
                      Denial of Service
                      Access Confidential Data
                      Inappropriate Access
                      Cross-site Scripting
Access:               Remote/Unauthenticated
CVE Names:            CVE-2009-0142 CVE-2009-0141 CVE-2009-0140
                      CVE-2009-0139 CVE-2009-0138 CVE-2009-0137
                      CVE-2009-0020 CVE-2009-0019 CVE-2009-0018
                      CVE-2009-0017 CVE-2009-0015 CVE-2009-0014
                      CVE-2009-0013 CVE-2009-0012 CVE-2009-0011
                      CVE-2009-0009 CVE-2008-5314 CVE-2008-5183
                      CVE-2008-5050 CVE-2008-5031 CVE-2008-4864
                      CVE-2008-3663 CVE-2008-3144 CVE-2008-3142
                      CVE-2008-2711 CVE-2008-2379 CVE-2008-2362
                      CVE-2008-2361 CVE-2008-2360 CVE-2008-2316
                      CVE-2008-2315 CVE-2008-1927 CVE-2008-1887
                      CVE-2008-1808 CVE-2008-1807 CVE-2008-1806
                      CVE-2008-1721 CVE-2008-1679 CVE-2008-1379
                      CVE-2008-1377 CVE-2007-4965 CVE-2007-4565
                      CVE-2007-1667 CVE-2007-1352 CVE-2007-1351
                      CVE-2006-3467 CVE-2006-1861

Ref:                  ESB-2009.0036
                      ESB-2009.0031
                      ESB-2008.1134
                      ESB-2008.1125
                      ESB-2008.1094
                      ESB-2008.1059
                      AA-2008.0136
                      ESB-2008.0929
                      ESB-2008.0874
                      ESB-2008.0797
                      ESB-2008.0774
                      ESB-2008.0742
                      ESB-2008.0602
                      ESB-2008.0406
                      ESB-2007.0995
                      ESB-2007.0721
                      ESB-2007.0219
                      ESB-2007.0218
                      ESB-2006.0479
                      ESB-2006.0403

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2009-02-12 Security Update 2009-001

Security Update 2009-001 is now available and addresses the
following:

AFP Server
CVE-ID:  CVE-2009-0142
Available for:  Mac OS X v10.5.6, Mac OS X Server v10.5.6
Impact:  A user with the ability to connect to AFP Server may be
able to trigger a denial of service
Description:  A race condition in AFP Server may lead to an infinite
loop. Enumerating files on an AFP server may lead to a denial of
service. This update addresses the issue through improved file
enumeration logic. This issue only affects systems running Mac OS X
v10.5.6.

Apple Pixlet Video
CVE-ID:  CVE-2009-0009
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.6, Mac OS X Server v10.5.6
Impact:  Opening a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description:  A memory corruption issue exists in the handling of
movie files using the Pixlet codec. Opening a maliciously crafted
movie file may lead to an unexpected application termination or
arbitrary code execution. This update addresses the issue through
improved bounds checking. Credit: Apple.

CarbonCore
CVE-ID:  CVE-2009-0020
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.6, Mac OS X Server v10.5.6
Impact:  Opening a file with a maliciously crafted resource fork may
lead to an unexpected application termination or arbitrary code
execution
Description:  A memory corruption issue exists in Resource Manager's
handling of resource forks. Opening a file with a maliciously crafted
resource fork may lead to an unexpected application termination or
arbitrary code execution. This update addresses the issue through
improved validation of resource forks. Credit: Apple.

CFNetwork
Available for:  Mac OS X v10.5.6, Mac OS X Server v10.5.6
Impact:  Restores proper operation of cookies with null expiration
times
Description:  This update addresses a non-security regression
introduced in Mac OS X 10.5.6. Cookies may not be properly set if a
web site attempts to set a session cookie by supplying a null value
in the "expires" field, rather than omitting the field. This update
addresses the issue by ignoring the "expires" field if it has a null
value.

CFNetwork
Available for:  Mac OS X v10.5.6, Mac OS X Server v10.5.6
Impact:  Restores proper operation of session cookies across
applications
Description:  This update addresses a non-security regression
introduced in Mac OS X 10.5.6. CFNetwork may fail to save cookies to
disk if multiple open applications attempt to set session cookies.
This update addresses the issue by ensuring that each application
stores its session cookies separately.

Certificate Assistant
CVE-ID:  CVE-2009-0011
Available for:  Mac OS X v10.5.6, Mac OS X Server v10.5.6
Impact:  A local user may manipulate files with the privileges of
another user running Certificate Assistant
Description:  An insecure file operation exists in Certificate
Assistant's handling of temporary files. This could allow a local
user to overwrite files with the privileges of another user who is
running Certificate Assistant. This update addresses the issue
through improved handling of temporary files. This issue does not
affect systems prior to Mac OS X v10.5. Credit: Apple.

ClamAV
CVE-ID:  CVE-2008-5050, CVE-2008-5314
Available for:  Mac OS X Server v10.4.11, Mac OS X Server v10.5.6
Impact:  Multiple vulnerabilities in ClamAV 0.94
Description:  Multiple vulnerabilities exist in ClamAV 0.94, the most
serious of which may lead to arbitrary code execution. This update
addresses the issues by updating ClamAV to version 0.94.2. ClamAV is
distributed only with Mac OS X Server systems. Further information is
available via the ClamAV website at http://www.clamav.net/

CoreText
CVE-ID:  CVE-2009-0012
Available for:  Mac OS X v10.5.6, Mac OS X Server v10.5.6
Impact:  Viewing maliciously crafted Unicode content may lead to an
unexpected application termination or arbitrary code execution
Description:  A heap buffer overflow may occur when processing
Unicode strings in CoreText. Using CoreText to handle maliciously
crafted Unicode strings, such as when viewing a maliciously crafted
web page, may result in an unexpected application termination or
arbitrary code execution. This update addresses the issue through
improved bounds checking. This issue does not affect systems prior to
Mac OS X v10.5. Credit to Rosyna of Unsanity for reporting this
issue.

CUPS
CVE-ID:  CVE-2008-5183
Available for:  Mac OS X v10.5.6, Mac OS X Server v10.5.6
Impact:  Visiting a maliciously crafted website may lead to an
unexpected application termination
Description:  Exceeding the maximum number of RSS subscriptions
results in a null pointer dereference in the CUPS web interface. This
may lead to an unexpected application termination when visiting a
maliciously crafted website. In order to trigger this issue, valid
user credentials must either be known by the attacker or cached in
the user's web browser. CUPS will be automatically restarted after
this issue is triggered. This update addresses the issue by properly
handling the number of RSS subscriptions. This issue does not affect
systems prior to Mac OS X v10.5.

DS Tools
CVE-ID:  CVE-2009-0013
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.6, Mac OS X Server v10.5.6
Impact:  Passwords supplied to dscl are exposed to other local users
Description:  The dscl command-line tool required that passwords be
passed to it in its arguments, potentially exposing the passwords to
other local users. Passwords exposed include those for users and
administrators. This update makes the password parameter optional,
and dscl will prompt for the password if needed. Credit: Apple.

fetchmail
CVE-ID:  CVE-2007-4565, CVE-2008-2711
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.6, Mac OS X Server v10.5.6
Impact:  Multiple vulnerabilities in fetchmail 6.3.8
Description:  Multiple vulnerabilities exist in fetchmail 6.3.8, the
most serious of which may lead to a denial of service. This update
addresses the issues by updating to version 6.3.9. Further
information is available via the fetchmail web site at
http://fetchmail.berlios.de/

Folder Manager
CVE-ID:  CVE-2009-0014
Available for:  Mac OS X v10.5.6, Mac OS X Server v10.5.6
Impact:  Other local users may access the Downloads folder
Description:  A default permissions issue exists in Folder Manager.
When a user deletes their Downloads folder and Folder Manager
recreates it, the folder is created with read permissions for
everyone. This update addresses the issue by having Folder Manager
limit permissions so that the folder is accessible only to the user.
This issue only affects applications using Folder Manager. This issue
does not affect systems prior to Mac OS X v10.5. Credit to Graham
Perrin of CENTRIM, University of Brighton for reporting this issue.

FSEvents
CVE-ID:  CVE-2009-0015
Available for:  Mac OS X v10.5.6, Mac OS X Server v10.5.6
Impact:  Using the FSEvents framework, a local user may be able to
see filesystem activity that would otherwise not be available
Description:  A credential management issue exists in fseventsd. By
using the FSEvents framework, a local user may be able to see
filesystem activity that would otherwise not be available. This
includes the name of a directory which the user would not otherwise
be able to see, and the detection of activity in the directory at a
given time. This update addresses the issue through improved
credential validation in fseventsd. This issue does not affect
systems prior to Mac OS X v10.5. Credit to Mark Dalrymple for
reporting this issue.

Network Time
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.6, Mac OS X Server v10.5.6
Impact:  The Network Time service configuration has been updated
Description:  As a proactive security measure, this update changes
the default configuration for the Network Time service. System time
and version information will no longer be available in the default
ntpd configuration. On Mac OS X v10.4.11 systems, the new
configuration takes effect after a system restart when Network Time
service is enabled.
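
An added example, not part of Apple's advisory: the time and version
information the Network Time entry refers to is what ntpd returns to mode 6
control queries (ntpq -c rv / readvar), and ntpd's restrict directive with
the noquery flag refuses mode 6 and 7 packets while still serving time. The
function below audits an ntp.conf for a "restrict default" line carrying
noquery; the "before" and "after" configurations are constructed for the
example, and the advisory does not state which directives Apple's new
default configuration actually uses.

```shell
#!/bin/sh
# Added example (not from the advisory). Checks whether an ntp.conf still
# answers information queries (mode 6/7: ntpq readvar, version and system
# variables). In ntpd, "restrict ... noquery" denies those packets while
# time service continues. Both configurations below are constructed; the
# advisory does not say which directives Apple's new default uses.

# Return 0 if file $1 has a "restrict default" (or "restrict -4/-6 default")
# line that includes noquery, 1 if no such line exists or one omits it.
ntp_conf_denies_queries() {
    awk '
        { sub(/#.*/, "") }                       # strip comments
        $1 == "restrict" && ($2 == "default" ||
            (($2 == "-4" || $2 == "-6") && $3 == "default")) {
            seen = 1
            if ($0 !~ /[ \t]noquery([ \t]|$)/) open = 1
        }
        END { if (seen && !open) exit 0; exit 1 }
    ' "$1"
}

# Constructed "before": time is served and anyone can read system variables.
write_open_conf() {
cat > "$1" <<'EOF'
server time.example.net
driftfile /var/db/ntp.drift
EOF
}

# Constructed "after": same time service, but mode 6/7 queries are refused
# for everyone except localhost, which keeps ntpq usable for the admin.
write_restricted_conf() {
cat > "$1" <<'EOF'
server time.example.net
driftfile /var/db/ntp.drift
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
EOF
}

# Usage:
#   ntp_conf_denies_queries /etc/ntp.conf || echo "ntpd still answers queries"
# Live check from another host (needs ntpq): "ntpq -c rv <host>" should fail
# or time out once noquery is in effect.
```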

perl
CVE-ID:  CVE-2008-1927
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.6, Mac OS X Server v10.5.6
Impact:  Using regular expressions containing UTF-8 characters may
lead to an unexpected application termination or arbitrary code
execution
Description:  A memory corruption issue exists in the handling of
certain UTF-8 characters in regular expressions. Parsing maliciously
crafted regular expressions may lead to an unexpected application
termination or arbitrary code execution. This update addresses the
issue by performing additional validation of regular expressions.

Printing
CVE-ID:  CVE-2009-0017
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.6, Mac OS X Server v10.5.6
Impact:  A local user may obtain system privileges
Description:  An error handling issue exists in csregprinter, which
may result in a heap buffer overflow. This may allow a local user to
obtain system privileges. This update addresses the issue through
improved error handling. Credit to Lars Haulin for reporting this
issue.

python
CVE-ID:  CVE-2008-1679, CVE-2008-1721, CVE-2008-1887, CVE-2008-2315,
CVE-2008-2316, CVE-2008-3142, CVE-2008-3144, CVE-2008-4864,
CVE-2007-4965, CVE-2008-5031
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.6, Mac OS X Server v10.5.6
Impact:  Multiple vulnerabilities in python
Description:  Multiple vulnerabilities exist in python, the most
serious of which may lead to arbitrary code execution. This update
addresses the issues by applying patches from the python project.

Remote Apple Events
CVE-ID:  CVE-2009-0018
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.6, Mac OS X Server v10.5.6
Impact:  Sending Remote Apple events may lead to the disclosure of
sensitive information
Description:  An uninitialized buffer issue exists in the Remote
Apple Events server, which may lead to disclosure of memory contents
to network clients. This update addresses the issue through proper
memory initialization. Credit: Apple.

Remote Apple Events
CVE-ID:  CVE-2009-0019
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.6, Mac OS X Server v10.5.6
Impact:  Enabling Remote Apple Events may lead to an unexpected
application termination or the disclosure of sensitive information
Description:  An out-of-bounds memory access exists in Remote Apple
Events. Enabling Remote Apple Events may lead to an unexpected
application termination or the disclosure of sensitive information to
network clients. This update addresses the issue through improved
bounds checking. Credit: Apple.

Safari RSS
CVE-ID:  CVE-2009-0137
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.6, Mac OS X Server v10.5.6
Impact:  Accessing a maliciously crafted feed: URL may lead to
arbitrary code execution
Description:  Multiple input validation issues exist in Safari's
handling of feed: URLs. The issues allow execution of arbitrary
JavaScript in the local security zone. This update addresses the
issues through improved handling of embedded JavaScript within feed:
URLs. Credit to Clint Ruoho of Laconic Security, Billy Rios of
Microsoft, and Brian Mastenbrook for reporting these issues.

servermgrd
CVE-ID:  CVE-2009-0138
Available for:  Mac OS X v10.5.6, Mac OS X Server v10.5.6
Impact:  Remote attackers may be able to access Server Manager
without valid credentials
Description:  An issue in Server Manager's validation of
authentication credentials could allow a remote attacker to alter the
system configuration. This update addresses the issue through
additional validation of authentication credentials. This issue does
not affect systems prior to Mac OS X v10.5. Credit: Apple.

SMB
CVE-ID:  CVE-2009-0139
Available for:  Mac OS X v10.5.6, Mac OS X Server v10.5.6
Impact:  Connecting to a maliciously crafted SMB file system may lead
to an unexpected system shutdown or arbitrary code execution with
system privileges
Description:  An integer overflow in SMB File System may result in a
heap buffer overflow. Connecting to a maliciously crafted SMB file
system may lead to an unexpected system shutdown or arbitrary code
execution with system privileges. This update addresses the issue
through improved bounds checking. This issue does not affect systems
prior to Mac OS X v10.5. Credit: Apple.

SMB
CVE-ID:  CVE-2009-0140
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.6, Mac OS X Server v10.5.6
Impact:  Connecting to a maliciously crafted SMB file server may lead
to an unexpected system shutdown
Description:  A memory exhaustion issue exists in the SMB File
System's handling of file system names. Connecting to a maliciously
crafted SMB file server may lead to an unexpected system shutdown.
This update addresses the issue by limiting the amount of memory
allocated by the client for file system names. Credit: Apple.

SquirrelMail
CVE-ID:  CVE-2008-2379, CVE-2008-3663
Available for:  Mac OS X Server v10.4.11, Mac OS X Server v10.5.6
Impact:  Multiple vulnerabilities in SquirrelMail
Description:  SquirrelMail is updated to version 1.4.17 to address
several vulnerabilities, the most serious of which is a cross-site
scripting issue. Further information is available via the
SquirrelMail web site at http://www.SquirrelMail.org/

X11
CVE-ID:  CVE-2008-1377, CVE-2008-1379, CVE-2008-2360, CVE-2008-2361,
CVE-2008-2362
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.6, Mac OS X Server v10.5.6
Impact:  Multiple vulnerabilities in X11 server
Description:  Multiple vulnerabilities exist in X11 server. The most
serious of these may lead to arbitrary code execution with the
privileges of the user running the X11 server, if the attacker can
authenticate to the X11 server. This update addresses the issues by
applying the updated X.Org patches. Further information is available
via the X.Org website at http://www.x.org/wiki/Development/Security

X11
CVE-ID:  CVE-2006-1861, CVE-2006-3467, CVE-2007-1351, CVE-2008-1806,
CVE-2008-1807, CVE-2008-1808
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11
Impact:  Multiple vulnerabilities in FreeType v2.1.4
Description:  Multiple vulnerabilities exist in FreeType v2.1.4, the
most serious of which may lead to arbitrary code execution when
processing a maliciously crafted font. This update addresses the
issues by incorporating the security fixes from version 2.3.6 of
FreeType. Further information is available via the FreeType site at
http://www.freetype.org/
The issues are already addressed in systems
running Mac OS X v10.5.6.

X11
CVE-ID:  CVE-2007-1351, CVE-2007-1352, CVE-2007-1667
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11
Impact:  Multiple vulnerabilities in LibX11
Description:  Multiple vulnerabilities exist in LibX11, the most
serious of which may lead to arbitrary code execution when processing
a maliciously crafted font. This update addresses the issues by
applying the updated X.Org patches. Further information is available
via the X.Org website at http://www.x.org/wiki/Development/Security
These issues do not affect systems running Mac OS X v10.5 or later.

XTerm
CVE-ID:  CVE-2009-0141
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.6, Mac OS X Server v10.5.6
Impact:  A local user may send information directly to another user's
Xterm
Description:  A permissions issue exists in Xterm. When used with
luit, Xterm creates tty devices accessible by everyone. This update
addresses the issue by having Xterm limit the permissions so tty
devices are accessible only by the user.
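
An added shell example, not part of Apple's advisory, covering both the
Folder Manager entry above (a per-user directory such as ~/Downloads
recreated readable by everyone) and the XTerm entry (tty devices created
accessible by everyone): it lists directory entries that grant read or
write access to "other" and applies the owner-only remediation. Run it
against a real home directory and /dev/pts; the directory names and
device-like file names used here are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the advisory). Audits the two default-permission
# problems described above: a per-user directory readable by everyone, and
# tty nodes that any local user can open. On a live system point the first
# function at $HOME and the second at /dev/pts (and /dev for legacy tty
# nodes); the names used in the usage lines are constructed.

# Print the names of immediate subdirectories of $1 whose mode grants read
# access to "other" (the Downloads case). Empty output means nothing exposed.
world_readable_dirs() {
    find "$1" -mindepth 1 -maxdepth 1 -type d -perm -o=r | sed 's|.*/||' | sort
}

# Print entries directly under $1 that are writable by "other". A pts/tty
# node writable by everyone lets any local user write into another user's
# terminal session.
world_writable_entries() {
    find "$1" -mindepth 1 -maxdepth 1 -perm -o=w | sed 's|.*/||' | sort
}

# Remediation for a private directory: owner-only access, then re-check that
# the "other" read bit is really gone.
make_private() {
    chmod 700 "$1" && [ -z "$(find "$1" -maxdepth 0 -perm -o=r)" ]
}

# Usage:
#   world_readable_dirs "$HOME"          # expect no Downloads in the output
#   world_writable_entries /dev/pts      # expect no ttys listed
#   make_private "$HOME/Downloads"
```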


Security Update 2009-001 may be obtained from the Software Update
pane in System Preferences, or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/

For Mac OS X v10.5.6
The download file is named: "SecUpd2009-001.dmg"
Its SHA-1 digest is: 08d8e962e2687f01b3cdc4cb386ef4e44992a1e0

For Mac OS X Server 10.5.6
The download file is named: "SecUpdSrvr2009-001.dmg"
Its SHA-1 digest is: b44344f918cbf15266cde2c989c443e455ccd88f

For Mac OS X v10.4.11 (Intel)
The download file is named:  "SecUpd2009-001Intel.dmg"
Its SHA-1 digest is: e1e1a09d9543fe1a1acc759c5ed11dde58f84e0e

For Mac OS X v10.4.11 (PPC)
The download file is named:  "SecUpd2009-001PPC.dmg"
Its SHA-1 digest is: a9158bed12fa6650634bc8f972a7990cddb765d9

For Mac OS X Server v10.4.11 (Universal)
The download file is named:  "SecUpdSrvr2009-001Univ.dmg"
Its SHA-1 digest is: 6b056d47bbf2566cda7908590fc2ccd0ab4b889f

For Mac OS X Server v10.4.11 (PPC)
The download file is named:  "SecUpdSrvr2009-001PPC.dmg"
Its SHA-1 digest is: a9f97ba89b8acc6927779859bbec3787d1fb3b2a

Information will also be posted to the Apple Security Updates
web site:  http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (Darwin)

iQEcBAEBAgAGBQJJlHtiAAoJEHkodeiKZIkBAnwIAKRYw4T4EejrgOPJ1DbrNv6N
SNrMCXPW+l+fhUJ9zXUjwXTKiPRlXsBcdoGs96G4CRzsHku2bY6QOTliSPuqxD2d
VS3Hdk1D4d9im8HNKqPlkx3vgrvTbbAh7PHp9xgZPhsVjVt/UWOUf5u008c3LA14
9+Ta9vg0WR63Thzulc0QzzBMocSe4Q9tckNN1EycWMvz4HBoo1AqBb5etMx+DyCj
RQF2TOOKHOFuC38vFig4VFeKbXlWIj3zd+DcuG/IugXbFYh11bQLSz5dMAXWxbCy
QGYy+8OBXYh4Oj7hdUSkAlDJgkjGjMlBlV0Fl62t0jKazofPSsFtPeUWGzfLb8I=
=VDvA
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iD8DBQFJlL+LNVH5XJJInbgRAlpvAJ48gjXY4Ia//k4NusIGuqjHofPKYQCfTtC1
h0fMlrWXeQy77ZTzZXhyqCg=
=3qJ5
-----END PGP SIGNATURE-----