-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                        ESB-2009.0459 -- [Mac][OSX]
                Mac OS X v10.5.7: Multiple Vulnerabilities
                                13 May 2009

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Apache
                      ATS
                      BIND
                      CFNetwork
                      CoreGraphics
                      Cscope
                      CUPS
                      Disk Images
                      enscript
                      Flash Player plug-in
                      Help Viewer
                      iChat
                      International Components for Unicode
                      IPSec
                      Kerberos
                      Kernel
                      Launch Services
                      libxml
                      Net-SNMP
                      Network Time
                      Networking
                      shutdown
                      OpenSSL
                      PHP
                      QuickDraw Manager
                      ruby
                      Safari
                      Spotlight
                      system_cmds
                      telnet
                      WebKit
                      X11
Publisher:            Apple
Operating System:     Mac OS X
                      Mac OS X Server
Impact:               Execute Arbitrary Code/Commands
                      Increased Privileges
                      Access Confidential Data
                      Modify Arbitrary Files
                      Cross-site Scripting
                      Denial of Service
                      Cross-site Request Forgery
                      Provide Misleading Information
Access:               Remote/Unauthenticated
CVE Names:            CVE-2009-0946 CVE-2009-0945 CVE-2009-0944
                      CVE-2009-0943 CVE-2009-0942 CVE-2009-0847
                      CVE-2009-0846 CVE-2009-0845 CVE-2009-0844
                      CVE-2009-0520 CVE-2009-0519 CVE-2009-0165
                      CVE-2009-0164 CVE-2009-0162 CVE-2009-0161
                      CVE-2009-0160 CVE-2009-0159 CVE-2009-0158
                      CVE-2009-0157 CVE-2009-0156 CVE-2009-0155
                      CVE-2009-0154 CVE-2009-0153 CVE-2009-0152
                      CVE-2009-0150 CVE-2009-0149 CVE-2009-0148
                      CVE-2009-0147 CVE-2009-0146 CVE-2009-0145
                      CVE-2009-0144 CVE-2009-0114 CVE-2009-0040
                      CVE-2009-0025 CVE-2009-0021 CVE-2009-0010
                      CVE-2008-5557 CVE-2008-5077 CVE-2008-4309
                      CVE-2008-3863 CVE-2008-3790 CVE-2008-3660
                      CVE-2008-3659 CVE-2008-3658 CVE-2008-3657
                      CVE-2008-3656 CVE-2008-3655 CVE-2008-3652
                      CVE-2008-3651 CVE-2008-3530 CVE-2008-3529
                      CVE-2008-3443 CVE-2008-2939 CVE-2008-2829
                      CVE-2008-2666 CVE-2008-2665 CVE-2008-2383
                      CVE-2008-2371 CVE-2008-1517 CVE-2008-1382
                      CVE-2008-0456 CVE-2007-2754 CVE-2006-0747
                      CVE-2004-1186 CVE-2004-1185 CVE-2004-1184

Ref:                  AL-2009.0015
                      AA-2009.0029
                      ESB-2009.0421
                      ESB-2009.0398
                      ESB-2009.0371
                      ESB-2009.0359
                      ESB-2009.0341
                      ESB-2009.0330
                      ESB-2009.0304
                      ESB-2009.0275
                      ESB-2009.0208
                      ESB-2009.0174
                      ESB-2009.0170
                      ESB-2009.0025
                      ESB-2009.0017
                      ESB-2009.0001
                      ESB-2008.1070
                      ESB-2008.0990
                      ESB-2008.0966
                      ESB-2008.0952
                      ESB-2008.0869
                      ESB-2008.0855
                      ESB-2008.0670
                      AA-2008.0254
                      AA-2008.0215
                      AA-2008.0168
                      AA-2008.0096
                      ESB-2007.0361
                      ESB-2006.0403

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2009-05-12 Security Update 2009-002 / Mac OS X v10.5.7

Security Update 2009-002 / Mac OS X v10.5.7 is now available and
addresses the following:

Apache
CVE-ID:  CVE-2008-2939
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11
Impact:  Visiting a malicious website via a proxy may result in
cross-site scripting
Description:  An input validation issue exists in Apache's handling
of FTP proxy requests containing wildcard characters. Visiting a
malicious website via an Apache proxy may result in a cross-site
scripting attack. This update addresses the issue by applying the
Apache patch for version 2.0.63. Further information is available via
the Apache web site at http://httpd.apache.org/ Apache 2.0.x is only
shipped with Mac OS X Server v10.4.x systems. Mac OS X v10.5.x and
Mac OS X Server v10.5.x ship with Apache 2.2.x.

Apache
CVE-ID:  CVE-2008-2939
Available for:  Mac OS X v10.5 through v10.5.6,
Mac OS X Server v10.5 through v10.5.6
Impact:  Visiting a malicious website via a proxy may result in
cross-site scripting
Description:  An input validation issue exists in Apache 2.2.9's
handling of FTP proxy requests containing wildcard characters.
Visiting a malicious website via an Apache proxy may result in a
cross-site scripting attack. This update addresses the issue by
updating Apache to version 2.2.11. Further information is available
via the Apache web site at http://httpd.apache.org/

Apache
CVE-ID:  CVE-2008-0456
Available for:  Mac OS X v10.5 through v10.5.6,
Mac OS X Server v10.5 through v10.5.6
Impact:  Web sites that allow users to control the name of a served
file may be vulnerable to HTTP response injection
Description:  A request forgery issue exists in Apache. Apache does
not escape filenames when negotiating the correct content type to
send to a remote browser. A user who can publish files with specially
crafted names to a web site can substitute their own response for any
web page hosted on the system. This update addresses the issue by
escaping filenames in content negotiation responses.
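The response-injection mechanism described above, as an added example in C (not Apache's code): a response header whose value is built from a user-chosen filename. The vulnerable builder copies the name in verbatim, so a name containing CRLF ends the header early and everything after it is parsed by the client as further headers or body; the hardened builder refuses control characters and escapes the quoted string. The Alternates-style header layout is assumed for the example, and the filenames are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern: the filename is copied into the header verbatim. A
 * name containing CRLF ends the header early, and whatever follows it is
 * parsed by the client as further headers or as the response body. */
int alternates_header_unsafe(const char *name, char *out, size_t outsz)
{
    int n = snprintf(out, outsz, "Alternates: {\"%s\" 1 {type text/html}}\r\n", name);
    return n >= 0 && (size_t)n < outsz;
}

/* Hardened pattern: CR, LF, NUL and every other control character are
 * refused (no header value legitimately contains them), and '"' and '\\'
 * are backslash-escaped so the name cannot close the quoted string. */
int alternates_header_safe(const char *name, char *out, size_t outsz)
{
    static const char pre[] = "Alternates: {\"";
    static const char post[] = "\" 1 {type text/html}}\r\n";
    size_t o = sizeof pre - 1;

    if (o >= outsz)
        return 0;
    memcpy(out, pre, o);
    for (const char *p = name; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (c < 0x20 || c == 0x7f)
            return 0;                                 /* CTL: refuse outright */
        if (c == '"' || c == '\\') {
            if (o + 1 >= outsz)
                return 0;
            out[o++] = '\\';
        }
        if (o + 1 >= outsz)
            return 0;
        out[o++] = (char)c;
    }
    if (o + sizeof post - 1 >= outsz)
        return 0;
    memcpy(out + o, post, sizeof post - 1);
    o += sizeof post - 1;
    out[o] = '\0';
    return 1;
}

/* 1 if a bare CR or LF appears before the header's own terminating CRLF,
 * i.e. a client would see an extra header line or an early end of headers. */
int header_injectable(const char *hdr)
{
    size_t n = strlen(hdr);
    for (size_t i = 0; i + 2 < n; i++)
        if (hdr[i] == '\r' || hdr[i] == '\n')
            return 1;
    return 0;
}

/* Scenario helpers over a fixed buffer. */
int unsafe_is_injectable(const char *name)
{
    char buf[512];
    return alternates_header_unsafe(name, buf, sizeof buf) && header_injectable(buf);
}

int safe_header_equals(const char *name, const char *expected)
{
    char buf[512];
    return alternates_header_safe(name, buf, sizeof buf) && strcmp(buf, expected) == 0;
}

int safe_rejects(const char *name)
{
    char buf[512];
    return !alternates_header_safe(name, buf, sizeof buf);
}

int main(void)
{
    /* Constructed filename: a CRLF, a fake Content-Length, a blank line and
     * an attacker-supplied body. */
    const char *evil = "x\r\nContent-Length: 15\r\n\r\n<html>owned</html>";
    printf("unsafe header injectable: %d, hardened refuses it: %d\n",
           unsafe_is_injectable(evil), safe_rejects(evil));
    return 0;
}
```

Refusing control characters is deliberately stricter than escaping them: a filename that needs a CR or LF to be represented in a header has no business in one, and rejecting it also protects any other header or log line the name later reaches.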

ATS
CVE-ID:  CVE-2009-0154
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5 through v10.5.6, Mac OS X Server v10.5 through v10.5.6
Impact:  Viewing or downloading a document containing a maliciously
crafted embedded CFF font may lead to arbitrary code execution
Description:  A heap buffer overflow exists in Apple Type Services'
handling of Compact Font Format (CFF) fonts. Viewing or downloading a
document containing a maliciously crafted embedded CFF font may lead
to arbitrary code execution. This update addresses the issue through
improved bounds checking. Credit to Charlie Miller of Independent
Security Evaluators working with TippingPoint's Zero Day Initiative
for reporting this issue.

BIND
CVE-ID:  CVE-2009-0025
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5 through v10.5.6, Mac OS X Server v10.5 through v10.5.6
Impact:  BIND is susceptible to a spoofing attack if configured to
use DNSSEC
Description:  BIND incorrectly checks the return value of the OpenSSL
DSA_do_verify function. On systems using the DNS Security Extensions
(DNSSEC) protocol, a maliciously crafted DSA certificate could bypass
the validation, which may lead to a spoofing attack. By default,
DNSSEC is not enabled. This update addresses the issue by updating
BIND to version 9.3.6-P1 on Mac OS X v10.4, and version 9.4.3-P1 for
Mac OS X v10.5 systems. Further information is available via the ISC
web site at https://www.isc.org/

CFNetwork
CVE-ID:  CVE-2009-0144
Available for:  Mac OS X v10.5 through v10.5.6,
Mac OS X Server v10.5 through v10.5.6
Impact:  Applications that use CFNetwork may send secure cookies in
unencrypted HTTP requests
Description:  An implementation issue exists in CFNetwork's parsing
of Set-Cookie headers, which may result in certain cookies being
unexpectedly sent over a non-encrypted connection. This issue affects
non-RFC compliant Set-Cookie headers that are accepted for
compatibility reasons. This may result in applications that use
CFNetwork, such as Safari, sending sensitive information in
unencrypted HTTP requests. This update addresses the issue through
improved parsing of Set-Cookie headers. This issue does not affect
systems prior to Mac OS X v10.5. Credit to Andrew Mortensen of the
University of Michigan for reporting this issue.

CFNetwork
CVE-ID:  CVE-2009-0157
Available for:  Mac OS X v10.5 through v10.5.6,
Mac OS X Server v10.5 through v10.5.6
Impact:  Visiting a malicious website may lead to an unexpected
application termination or arbitrary code execution
Description:  A heap buffer overflow exists in the handling of overly
long HTTP headers in CFNetwork. Visiting a malicious website may lead
to an unexpected application termination or arbitrary code execution.
This update addresses the issue by performing additional validation
of HTTP headers. This issue does not affect systems prior to Mac OS X
v10.5. Credit to Moritz Jodeit of n.runs AG for reporting this issue.

CoreGraphics
CVE-ID:  CVE-2009-0145
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5 through v10.5.6, Mac OS X Server v10.5 through v10.5.6
Impact:  Opening a maliciously crafted PDF file may lead to an
unexpected application termination or arbitrary code execution
Description:  Multiple memory corruption issues exist in
CoreGraphics' handling of PDF files. Opening a maliciously crafted
PDF file may lead to an unexpected application termination or
arbitrary code execution. This update addresses the issues through
improved bounds and error checking.

CoreGraphics
CVE-ID:  CVE-2009-0155
Available for:  Mac OS X v10.5 through v10.5.6,
Mac OS X Server v10.5 through v10.5.6
Impact:  Opening a maliciously crafted PDF file may lead to an
unexpected application termination or arbitrary code execution
Description:  An integer underflow in CoreGraphics' handling of PDF
files may result in a heap buffer overflow. Opening a maliciously
crafted PDF file may lead to an unexpected application termination or
arbitrary code execution. This update addresses the issue through
improved bounds checking. This issue does not affect systems prior to
Mac OS X v10.5. Credit to Barry K. Nathan for reporting this issue.

CoreGraphics
CVE-ID:  CVE-2009-0146, CVE-2009-0147, CVE-2009-0165
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5 through v10.5.6, Mac OS X Server v10.5 through v10.5.6
Impact:  Viewing or downloading a PDF file containing a maliciously
crafted JBIG2 stream may lead to an unexpected application
termination or arbitrary code execution
Description:  Multiple heap buffer overflows exist in CoreGraphics'
handling of PDF files containing JBIG2 streams. Viewing or
downloading a PDF file containing a maliciously crafted JBIG2 stream
may lead to an unexpected application termination or arbitrary code
execution. This update addresses the issue through improved bounds
checking. Credit to Apple, Alin Rad Pop of Secunia Research, and Will
Dormann of CERT/CC for reporting this issue.

Cscope
CVE-ID:  CVE-2009-0148
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5 through v10.5.6, Mac OS X Server v10.5 through v10.5.6
Impact:  Processing a maliciously crafted source file with Cscope may
lead to an unexpected application termination or arbitrary code
execution
Description:  A stack buffer overflow exists in Cscope's handling of
long file system path names. Using Cscope to process a maliciously
crafted source file may lead to an unexpected application termination
or arbitrary code execution. This update addresses the issue through
improved bounds checking.

CUPS
CVE-ID:  CVE-2009-0164
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5 through v10.5.6, Mac OS X Server v10.5 through v10.5.6
Impact:  Visiting a maliciously crafted web site may lead to
unauthorized access of the Web Interface of CUPS
Description:  Under certain circumstances, the Web Interface of CUPS
1.3.9 and earlier may be accessible to attackers through DNS
rebinding attacks. In the default configuration, this may allow a
maliciously crafted website to start and stop printers, and access
information about printers and jobs. This update addresses the issue
by performing additional validation of the Host header. Credit:
Apple.
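The Host header check that defeats DNS rebinding, as an added example in C (not CUPS's code). A rebinding page is loaded from attacker.example, so the browser's request carries "Host: attacker.example" even after attacker.example has been re-pointed at 127.0.0.1; a daemon that only serves requests whose Host header names one of its own addresses or configured names refuses it. The allowed_hosts list and the port 631 used in the sample are assumptions for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Names and addresses this daemon may legitimately be reached as. A real
 * server derives these from its listen addresses and configured server
 * names; these are assumed values for the example. */
static const char *allowed_hosts[] = {
    "localhost", "127.0.0.1", "[::1]", "printserver.example.internal", NULL
};

/* Split "host[:port]" into a lower-cased host and a port (-1 if absent).
 * Returns 0 on anything malformed: empty host, stray characters, a bad or
 * out-of-range port. Bracketed IPv6 literals are kept with their brackets. */
static int split_host_port(const char *hdr, char *host, size_t hostsz, int *port)
{
    size_t n = strlen(hdr), hostlen;
    const char *colon = NULL;

    if (n == 0 || n >= hostsz)
        return 0;
    if (hdr[0] == '[') {
        const char *close = strchr(hdr, ']');
        if (!close)
            return 0;
        if (close[1] == ':')
            colon = close + 1;
        else if (close[1] != '\0')
            return 0;
    } else {
        colon = strchr(hdr, ':');
    }
    hostlen = colon ? (size_t)(colon - hdr) : n;
    if (hostlen == 0)
        return 0;
    for (size_t i = 0; i < hostlen; i++) {
        unsigned char c = (unsigned char)hdr[i];
        if (!(isalnum(c) || c == '.' || c == '-' || c == ':' || c == '[' || c == ']'))
            return 0;
        host[i] = (char)tolower(c);
    }
    host[hostlen] = '\0';

    *port = -1;
    if (colon) {
        int v = 0;
        if (colon[1] == '\0')
            return 0;
        for (const char *p = colon + 1; *p; p++) {
            if (!isdigit((unsigned char)*p))
                return 0;
            v = v * 10 + (*p - '0');
            if (v > 65535)
                return 0;
        }
        *port = v;
    }
    return 1;
}

/* 1 when the Host header names this server (on the port it listens on),
 * 0 otherwise. Requests that arrive with a foreign Host, as DNS rebinding
 * produces, get a 400 from the caller. */
int host_header_allowed(const char *hdr, int listen_port)
{
    char host[256];
    int port;
    size_t len;

    if (!split_host_port(hdr, host, sizeof host, &port))
        return 0;
    if (port != -1 && port != listen_port)
        return 0;
    len = strlen(host);
    if (len > 1 && host[len - 1] == '.' && host[0] != '[')
        host[len - 1] = '\0';                    /* "localhost." == "localhost" */
    for (const char **a = allowed_hosts; *a; a++)
        if (strcmp(host, *a) == 0)
            return 1;
    return 0;
}

int main(void)
{
    const char *samples[] = { "localhost:631", "[::1]:631", "attacker.example",
                              "localhost:8080", "localhost evil" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("Host: %-20s -> %s\n", samples[i],
               host_header_allowed(samples[i], 631) ? "serve" : "400 Bad Request");
    return 0;
}
```

The check works because the browser fills Host from the URL the page was loaded from, which the rebinding attacker cannot change without giving up the attack; it does nothing against an attacker who can already reach the interface directly, so it complements, rather than replaces, listening on localhost only.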

Disk Images
CVE-ID:  CVE-2009-0150
Available for:  Mac OS X v10.5 through v10.5.6,
Mac OS X Server v10.5 through v10.5.6
Impact:  Mounting a maliciously crafted disk image may lead to an
unexpected application termination or arbitrary code execution
Description:  A stack buffer overflow exists in the handling of disk
images. Mounting a maliciously crafted sparse disk image may lead to
an unexpected application termination or arbitrary code execution.
This update addresses the issue through improved bounds checking.
This issue does not affect systems prior to Mac OS X v10.5. Credit to
Tiller Beauchamp of IOActive for reporting this issue.

Disk Images
CVE-ID:  CVE-2009-0149
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5 through v10.5.6, Mac OS X Server v10.5 through v10.5.6
Impact:  Mounting a maliciously crafted disk image may lead to an
unexpected application termination or arbitrary code execution
Description:  Multiple memory corruption issues exist in the handling
of disk images. Mounting a maliciously crafted sparse disk image may
lead to an unexpected application termination or arbitrary code
execution. This update addresses the issue through improved bounds
checking. Credit: Apple.

enscript
CVE-ID:  CVE-2004-1184, CVE-2004-1185, CVE-2004-1186, CVE-2008-3863
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5 through v10.5.6, Mac OS X Server v10.5 through v10.5.6
Impact:  Multiple vulnerabilities in enscript
Description:  enscript is updated to version 1.6.4 to address several
vulnerabilities, the most serious of which may lead to arbitrary code
execution. Further information is available via the gnu web site at
http://www.gnu.org/software/enscript/

Flash Player plug-in
CVE-ID:  CVE-2009-0519, CVE-2009-0520, CVE-2009-0114
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5 through v10.5.6, Mac OS X Server v10.5 through v10.5.6
Impact:  Multiple vulnerabilities in Adobe Flash Player plug-in
Description:  Multiple issues exist in the Adobe Flash Player plug-
in, the most serious of which may lead to arbitrary code execution
when viewing a maliciously crafted web site. The issues are addressed
by updating the Flash Player plug-in on Mac OS v10.5.x systems to
version 10.0.22.87, and to version 9.0.159.0 on Mac OS X v10.4.11
systems. Further information is available via the Adobe web site at
http://www.adobe.com/support/security/bulletins/apsb09-01.html

Help Viewer
CVE-ID:  CVE-2009-0942
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5 through v10.5.6, Mac OS X Server v10.5 through v10.5.6
Impact:  Accessing a maliciously crafted "help:" URL may lead to
arbitrary code execution
Description:  Help Viewer loads Cascading Style Sheets referenced in
URL parameters without validating that the referenced style sheets
are located within a registered help book. A malicious "help:" URL
may be used to invoke arbitrary AppleScript files, which may lead to
arbitrary code execution. This update addresses the issue through
improved validation of file system paths when loading stylesheets.
Credit to Brian Mastenbrook for reporting this issue.

Help Viewer
CVE-ID:  CVE-2009-0943
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5 through v10.5.6, Mac OS X Server v10.5 through v10.5.6
Impact:  Accessing a maliciously crafted "help:" URL may lead to
arbitrary code execution
Description:  Help Viewer does not validate that full paths to HTML
documents are within registered help books. A malicious "help:" URL
may be used to invoke arbitrary AppleScript files, which may lead to
arbitrary code execution. This update addresses the issue through
improved validation of "help:" URLs. Credit to Brian Mastenbrook for
reporting this issue.

iChat
CVE-ID:  CVE-2009-0152
Available for:  Mac OS X v10.5 through v10.5.6,
Mac OS X Server v10.5 through v10.5.6
Impact:  iChat AIM communications configured for SSL may downgrade to
plaintext
Description:  iChat supports Secure Sockets Layer (SSL) for AOL
Instant Messenger and Jabber accounts. iChat automatically disables
SSL for AOL Instant Messenger accounts when it is unable to connect,
and sends subsequent communications in plain text until SSL is
manually re-enabled. A remote attacker with the ability to observe
network traffic from an affected system may obtain the contents of
AOL Instant Messenger conversations. This update addresses the issue
by changing the behavior of iChat to always attempt to use SSL, and
to use less secure channels only if the "Require SSL" preference is
not enabled. This issue does not affect systems prior to Mac OS X
v10.5, as they do not support SSL for iChat accounts.

International Components for Unicode
CVE-ID:  CVE-2009-0153
Available for:  Mac OS X v10.5 through v10.5.6,
Mac OS X Server v10.5 through v10.5.6
Impact:  Maliciously crafted content may bypass website filters and
result in cross-site scripting
Description:  An implementation issue exists in ICU's handling of
certain character encodings. Using ICU to convert invalid byte
sequences to Unicode may result in over-consumption, where trailing
bytes are considered part of the original character. This may be
leveraged by an attacker to bypass filters on websites that attempt
to mitigate cross-site scripting. This update addresses the issue
through improved handling of invalid byte sequences. This issue does
not affect systems prior to Mac OS X v10.5. Credit to Chris Weber of
Casaba Security for reporting this issue.
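The over-consumption described above, as an added example in C that is not ICU's code: two UTF-8 decoders that agree on valid input and differ only in how much they consume after an invalid lead byte, and a simple "<script" filter run over each decoder's output. When the filter sees the over-consuming decoder's view and a correct decoder (a browser, say) sees the other, the tag slips through. The payload bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Expected sequence length from a UTF-8 lead byte; 0 for a continuation or
 * otherwise invalid lead byte. */
static int utf8_seq_len(unsigned char b)
{
    if (b < 0x80) return 1;
    if ((b & 0xe0) == 0xc0) return 2;
    if ((b & 0xf0) == 0xe0) return 3;
    if ((b & 0xf8) == 0xf0) return 4;
    return 0;
}

/* Decode UTF-8 to code points. On an invalid sequence both modes emit
 * U+FFFD; they differ in how much input they consume:
 *   strict == 1: only the offending lead byte, so the bytes after it are
 *                decoded on their own (a model of correct behaviour; Unicode's
 *                recommended practice also swallows any valid continuation
 *                bytes that followed, which is the same for the inputs here);
 *   strict == 0: the full length the lead byte promised, swallowing the
 *                following bytes (a model of the over-consumption bug).
 * Neither is ICU's code. Returns the number of code points written. */
size_t decode_utf8(const unsigned char *in, size_t n, uint32_t *out, size_t outcap, int strict)
{
    size_t i = 0, o = 0;
    while (i < n && o < outcap) {
        unsigned char b = in[i];
        int len = utf8_seq_len(b), ok = 1;
        uint32_t cp;
        if (len == 1) { out[o++] = b; i++; continue; }
        if (len == 0 || i + len > n) { out[o++] = 0xFFFD; i++; continue; }
        cp = b & (0x7f >> len);
        for (int k = 1; k < len; k++) {
            if ((in[i + k] & 0xc0) != 0x80) { ok = 0; break; }
            cp = (cp << 6) | (in[i + k] & 0x3f);
        }
        if (ok && ((len == 2 && cp < 0x80) || (len == 3 && cp < 0x800) ||
                   (len == 4 && (cp < 0x10000 || cp > 0x10FFFF)) ||
                   (cp >= 0xD800 && cp <= 0xDFFF)))
            ok = 0;                                   /* overlong or surrogate */
        if (ok) { out[o++] = cp; i += (size_t)len; }
        else { out[o++] = 0xFFFD; i += strict ? 1u : (size_t)len; }
    }
    return o;
}

/* The kind of filter the advisory says gets bypassed: a case-insensitive
 * search for "<script" over decoded text. */
int contains_script_tag(const uint32_t *cps, size_t n)
{
    static const char needle[] = "<script";
    size_t m = sizeof needle - 1;
    for (size_t i = 0; i + m <= n; i++) {
        size_t k = 0;
        while (k < m && cps[i + k] < 0x80 && (char)(cps[i + k] | 0x20) == needle[k])
            k++;
        if (k == m) return 1;
    }
    return 0;
}

/* 1 when the filter, fed the over-consuming decoder's view of the bytes,
 * misses a "<script" that a correct decoder of the same bytes exposes. */
int filter_bypassed(const unsigned char *in, size_t n)
{
    uint32_t lenient[64], strict[64];
    size_t nl = decode_utf8(in, n, lenient, 64, 0);
    size_t ns = decode_utf8(in, n, strict, 64, 1);
    return !contains_script_tag(lenient, nl) && contains_script_tag(strict, ns);
}

/* Code point at index idx of the decoded output, or 0xFFFFFFFF past the end. */
uint32_t codepoint_at(const unsigned char *in, size_t n, int strict, size_t idx)
{
    uint32_t cps[64];
    size_t cnt = decode_utf8(in, n, cps, 64, strict);
    return idx < cnt ? cps[idx] : 0xFFFFFFFFu;
}

int main(void)
{
    /* Constructed payload: a lone 3-byte lead byte directly before the tag. */
    static const unsigned char payload[] = "\xE3<script>alert(1)</script>";
    printf("filter bypassed by over-consumption: %s\n",
           filter_bypassed(payload, sizeof payload - 1) ? "yes" : "no");
    return 0;
}
```

The practical rule this illustrates: validate and filter on the same decoded representation the consumer will use, and reject malformed byte sequences at the boundary rather than letting two components repair them differently.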

IPSec
CVE-ID:  CVE-2008-3651, CVE-2008-3652
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5 through v10.5.6, Mac OS X Server v10.5 through v10.5.6
Impact:  Multiple vulnerabilities in the racoon daemon may lead to a
denial of service
Description:  Multiple memory leaks exist in the racoon daemon in
ipsec-tools before 0.7.1, which may lead to a denial of service. This
update addresses the issues through improved memory management.

Kerberos
CVE-ID:  CVE-2009-0845
Available for:  Mac OS X v10.5 through v10.5.6,
Mac OS X Server v10.5 through v10.5.6
Impact:  Processing a maliciously crafted authentication packet may
lead to a denial of service of a Kerberos-enabled program
Description:  A null pointer dereference issue exists in the Kerberos
SPNEGO support. Processing a maliciously crafted authentication
packet may lead to a denial of service of a Kerberos-enabled program.
This update addresses the issue by adding a check for a null pointer.
This issue does not affect systems prior to Mac OS X v10.5.

Kerberos
CVE-ID:  CVE-2009-0846, CVE-2009-0847
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5 through v10.5.6, Mac OS X Server v10.5 through v10.5.6
Impact:  Processing a maliciously crafted ASN.1 encoded message may
lead to a denial of service of a Kerberos-enabled program or
arbitrary code execution
Description:  Multiple memory corruption issues exist in Kerberos'
handling of ASN.1 encoded messages. Processing a maliciously crafted
ASN.1 encoded message may lead to a denial of service of a Kerberos-
enabled program or arbitrary code execution. Further information on
the issues and the patches applied is available via the MIT Kerberos
website at http://web.mit.edu/Kerberos/

Kerberos
CVE-ID:  CVE-2009-0844
Available for:  Mac OS X v10.5 through v10.5.6,
Mac OS X Server v10.5 through v10.5.6
Impact:  Processing a maliciously crafted Kerberos data packet may
lead to a denial of service of a Kerberos-enabled program
Description:  An out-of-bounds memory access exists in Kerberos.
Processing a maliciously crafted Kerberos data packet may lead to a
denial of service of a Kerberos-enabled program. This update
addresses the issue through improved bounds checking. This issue does
not affect systems prior to Mac OS X v10.5. Credit: Apple.

Kernel
CVE-ID:  CVE-2008-1517
Available for:  Mac OS X v10.5 through v10.5.6,
Mac OS X Server v10.5 through v10.5.6
Impact:  A local user may obtain system privileges
Description:  An unchecked index issue exists in the kernel's
handling of workqueues, which may lead to an unexpected system
shutdown or arbitrary code execution with Kernel privileges. This
update addresses the issue through improved index checking. Credit to
an anonymous researcher working with Verisign iDefense VCP for
reporting this issue.

Launch Services
CVE-ID:  CVE-2009-0156
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5 through v10.5.6, Mac OS X Server v10.5 through v10.5.6
Impact:  Downloading a maliciously crafted Mach-O executable may
cause Finder to repeatedly terminate and relaunch
Description:  An out-of-bounds memory read access exists in Launch
Services. Downloading a maliciously crafted Mach-O executable may
cause the Finder to repeatedly terminate and relaunch. This update
addresses the issue through improved bounds checking.

libxml
CVE-ID:  CVE-2008-3529
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5 through v10.5.6, Mac OS X Server v10.5 through v10.5.6
Impact:  Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description:  A heap buffer overflow exists in libxml's handling of
long entity names. Visiting a maliciously crafted website may lead to
an unexpected application termination or arbitrary code execution.
This update addresses the issue through improved bounds checking.

Net-SNMP
CVE-ID:  CVE-2008-4309
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5 through v10.5.6, Mac OS X Server v10.5 through v10.5.6
Impact:  A remote attacker may terminate the operation of the SNMP
service
Description:  An integer overflow exists in the
netsnmp_create_subtree_cache function. By sending a maliciously
crafted SNMPv3 packet, an attacker may cause the SNMP server to
terminate, denying service to legitimate clients. This update
addresses the issue by applying the Net-SNMP patches on Mac OS X
v10.4.11 systems, and by updating net_snmp to version 5.4.2.1 on Mac
OS X v10.5.x systems. The SNMP service is not enabled by default on
Mac OS X or Mac OS X Server.

Network Time
CVE-ID:  CVE-2009-0021
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5 through v10.5.6, Mac OS X Server v10.5 through v10.5.6
Impact:  Network Time is susceptible to a spoofing attack if NTP
authentication is enabled
Description:  The ntpd daemon incorrectly checks the return value of
the OpenSSL EVP_VerifyFinal function. On systems using NTPv4
authentication, this may allow a maliciously crafted signature to
bypass the cryptographic signature validation, which may lead to a
time spoofing attack. By default, NTP authentication is not enabled.
This update addresses the issue by properly checking the return value
of the EVP_VerifyFinal function.

Network Time
CVE-ID:  CVE-2009-0159
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5 through v10.5.6, Mac OS X Server v10.5 through v10.5.6
Impact:  Using the ntpq command to request peer information from a
malicious remote time server may lead to an unexpected application
termination or arbitrary code execution
Description:  A stack buffer overflow exists in the ntpq program.
When the ntpq program is used to request peer information from a
remote time server, a maliciously crafted response may lead to an
unexpected application termination or arbitrary code execution. This
update addresses the issue through improved bounds checking. Credit:
Apple.

Networking
CVE-ID:  CVE-2008-3530
Available for:  Mac OS X v10.5 through v10.5.6,
Mac OS X Server v10.5 through v10.5.6
Impact:  A remote user may be able to cause an unexpected system
shutdown
Description:  When IPv6 support is enabled, IPv6 nodes use ICMPv6 to
report errors encountered while processing packets. An implementation
issue in the handling of incoming ICMPv6 "Packet Too Big" messages
may cause an unexpected system shutdown. This update addresses the
issue through improved handling of ICMPv6 messages.

OpenSSL
CVE-ID:  CVE-2008-5077
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5 through v10.5.6, Mac OS X Server v10.5 through v10.5.6
Impact:  A man-in-the-middle attacker may be able to impersonate a
trusted server or user in applications using OpenSSL for SSL
certificate verification
Description:  Several functions within the OpenSSL library
incorrectly check the result value of the EVP_VerifyFinal function. A
man-in-the-middle attacker may be able to impersonate a trusted
server or user in applications using OpenSSL for SSL certificate
verification for DSA and ECDSA keys. This update addresses the issue
by properly checking the return value of the EVP_VerifyFinal
function.
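The BIND, Network Time and OpenSSL entries above share one root cause: OpenSSL's verify functions return 1 for a valid signature, 0 for a signature that parsed but does not match, and -1 when the signature cannot be parsed at all, and the callers tested only for 0. The C below is an added example, not Apple's, ISC's, ntp.org's or OpenSSL's code; toy_verify_final is a stand-in with the same three-way return convention (its "signature" is a length-prefixed FNV-1a digest, not cryptography), and the message text is constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy digest used to build a stand-in "signature"; not cryptography. */
static uint64_t fnv1a64(const uint8_t *p, size_t n)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Stand-in for EVP_VerifyFinal()/DSA_do_verify(): 1 = signature matches,
 * 0 = well-formed but wrong, -1 = cannot be parsed (OpenSSL returns -1 when,
 * for example, the DER-encoded DSA signature is malformed). The toy
 * encoding is a 1-byte length (must be 8) followed by the 8 digest bytes. */
int toy_verify_final(const uint8_t *msg, size_t msglen,
                     const uint8_t *sig, size_t siglen)
{
    if (siglen != 9 || sig[0] != 8)
        return -1;                               /* parse error */
    uint64_t got = 0;
    for (int i = 0; i < 8; i++)
        got = (got << 8) | sig[1 + i];
    return got == fnv1a64(msg, msglen) ? 1 : 0;
}

void toy_sign(const uint8_t *msg, size_t msglen, uint8_t out[9])
{
    uint64_t h = fnv1a64(msg, msglen);
    out[0] = 8;
    for (int i = 0; i < 8; i++)
        out[1 + i] = (uint8_t)(h >> (56 - 8 * i));
}

/* The vulnerable pattern: only 0 is treated as failure, so the -1 that a
 * malformed signature produces is "true" and the signature is accepted. */
int signature_accepted_vulnerable(const uint8_t *msg, size_t msglen,
                                  const uint8_t *sig, size_t siglen)
{
    if (!toy_verify_final(msg, msglen, sig, siglen))
        return 0;
    return 1;
}

/* The corrected pattern: exactly 1 means verified; 0 and -1 both fail. */
int signature_accepted_fixed(const uint8_t *msg, size_t msglen,
                             const uint8_t *sig, size_t siglen)
{
    if (toy_verify_final(msg, msglen, sig, siglen) != 1)
        return 0;
    return 1;
}

/* Runs one scenario: fixed_check selects the pattern, sig_kind selects a
 * valid (0), wrong (1) or unparsable (2) signature over a constructed
 * message. Returns 1 if the signature was accepted. */
int outcome(int fixed_check, int sig_kind)
{
    const uint8_t *msg = (const uint8_t *)"ntp-time=1242086400";
    size_t msglen = strlen((const char *)msg);
    uint8_t sig[9];
    size_t siglen = sizeof sig;
    toy_sign(msg, msglen, sig);
    if (sig_kind == 1)
        sig[8] ^= 0x01;                          /* well-formed, wrong */
    if (sig_kind == 2) {
        sig[0] = 0x30;                           /* bogus length byte */
        siglen = 2;                              /* truncated blob */
    }
    return fixed_check ? signature_accepted_fixed(msg, msglen, sig, siglen)
                       : signature_accepted_vulnerable(msg, msglen, sig, siglen);
}

int main(void)
{
    static const char *kinds[] = { "valid", "wrong", "malformed" };
    for (int k = 0; k < 3; k++)
        printf("%-9s signature: vulnerable check %s, fixed check %s\n", kinds[k],
               outcome(0, k) ? "ACCEPTS" : "rejects",
               outcome(1, k) ? "ACCEPTS" : "rejects");
    return 0;
}
```

When auditing code that calls EVP_VerifyFinal, DSA_do_verify, ECDSA_do_verify or RSA_verify, the check to look for is "!= 1" (or "<= 0" as failure); "!ret", "ret == 0" and "ret < 0" each accept one of the non-success return values.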

PHP
CVE-ID:  CVE-2008-3659, CVE-2008-2829, CVE-2008-3660, CVE-2008-2666,
CVE-2008-2371, CVE-2008-2665, CVE-2008-3658, CVE-2008-5557
Available for:  Mac OS X v10.5 through v10.5.6,
Mac OS X Server v10.5 through v10.5.6
Impact:  Multiple vulnerabilities in PHP 5.2.6
Description:  PHP is updated to version 5.2.8 to address multiple
vulnerabilities, the most serious of which may lead to arbitrary code
execution. Further information is available via the PHP website at
http://www.php.net/

QuickDraw Manager
CVE-ID:  CVE-2009-0160
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5 through v10.5.6, Mac OS X Server v10.5 through v10.5.6
Impact:  Opening a maliciously crafted PICT image may lead to an
unexpected application termination or arbitrary code execution
Description:  A memory corruption issue exists in QuickDraw's
handling of PICT images. Opening a maliciously crafted PICT image may
lead to an unexpected application termination or arbitrary code
execution. This update addresses the issue by performing additional
validation of PICT images. Credit: Apple.

QuickDraw Manager
CVE-ID:  CVE-2009-0010
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5 through v10.5.6, Mac OS X Server v10.5 through v10.5.6
Impact:  Opening a maliciously crafted PICT image may lead to an
unexpected application termination or arbitrary code execution
Description:  An integer underflow in the handling of PICT images may
result in a heap buffer overflow. Opening a maliciously crafted PICT
file may lead to an unexpected application termination or arbitrary
code execution. This update addresses the issue by performing
additional validation of PICT images. Credit to Damian Put and
Sebastian Apelt working with TippingPoint's Zero Day Initiative, and
Chris Ries of Carnegie Mellon University Computing Services for
reporting this issue.

ruby
CVE-ID:  CVE-2008-3443, CVE-2008-3655, CVE-2008-3656, CVE-2008-3657,
CVE-2008-3790
Available for:  Mac OS X v10.5 through v10.5.6,
Mac OS X Server v10.5 through v10.5.6
Impact:  Multiple vulnerabilities in Ruby 1.8.6
Description:  Multiple vulnerabilities exist in Ruby 1.8.6. This
update addresses the issues by updating Ruby to version 1.8.6-p287.
Further information is available via the Ruby web site at
http://www.ruby-lang.org/en/security/

ruby
CVE-ID:  CVE-2009-0161
Available for:  Mac OS X v10.5 through v10.5.6,
Mac OS X Server v10.5 through v10.5.6
Impact:  Ruby programs may accept revoked certificates
Description:  An incomplete error check exists in Ruby's use of the
OpenSSL library. The OpenSSL::OCSP Ruby module may interpret an
invalid response as an OCSP validation of the certificate. This
update addresses the issue through improved error checking while
verifying OCSP responses.

Safari
CVE-ID:  CVE-2009-0162
Available for:  Mac OS X v10.5 through v10.5.6,
Mac OS X Server v10.5 through v10.5.6
Impact:  Accessing a maliciously crafted "feed:" URL may lead to
arbitrary code execution
Description:  Multiple input validation issues exist in Safari's
handling of "feed:" URLs. Accessing a maliciously crafted "feed:" URL
may lead to the execution of arbitrary JavaScript. This update
addresses the issues by performing additional validation of "feed:"
URLs. These issues do not affect systems prior to Mac OS X v10.5.
Credit to Billy Rios and Microsoft Vulnerability Research (MSVR), and
Alfredo Melloni for reporting these issues.

Spotlight
CVE-ID:  CVE-2009-0944
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5 through v10.5.6, Mac OS X Server v10.5 through v10.5.6
Impact:  Downloading a maliciously crafted Microsoft Office file may
lead to an unexpected application termination or arbitrary code
execution
Description:  Multiple memory corruption issues exist in the Mac OS X
Microsoft Office Spotlight Importer. Downloading a maliciously
crafted Microsoft Office file may lead to an unexpected application
termination or arbitrary code execution. This update addresses the
issue by performing additional validation of Microsoft Office files.

system_cmds
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5 through v10.5.6, Mac OS X Server v10.5 through v10.5.6
Impact:  The "login" command always runs the default shell with
normal priority
Description:  The "login" command starts an interactive shell after a
local user is authenticated. The priority level for the interactive
shell is reset to the system default, which can cause the shell to
run with an unexpectedly high priority. This update addresses the
issue by respecting the priority setting of the calling process if
the caller is the superuser or the user who was successfully logged
in.

telnet
CVE-ID:  CVE-2009-0158
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5 through v10.5.6, Mac OS X Server v10.5 through v10.5.6
Impact:  Connecting to a TELNET server with a very long canonical
name in its DNS address record may lead to an unexpected application
termination or arbitrary code execution
Description:  A stack buffer overflow exists in the telnet command.
Connecting to a TELNET server with a very long canonical name in its
DNS address record may lead to an unexpected application termination
or arbitrary code execution. This update addresses the issue through
improved bounds checking. Credit: Apple.

WebKit
CVE-ID:  CVE-2009-0945
Available for:  Mac OS X v10.5 through v10.5.6,
Mac OS X Server v10.5 through v10.5.6
Impact:  Visiting a maliciously crafted website may lead to arbitrary
code execution
Description:  A memory corruption issue exists in WebKit's handling
of SVGList objects. Visiting a maliciously crafted website may lead
to arbitrary code execution. This update addresses the issue through
improved bounds checking. For Mac OS X v10.4.11 and Mac OS X Server
v10.4.11, updating to Safari 3.2.3 will address this issue. Credit to
Nils working with TippingPoint's Zero Day Initiative for reporting
this issue.

X11
CVE-ID:  CVE-2006-0747, CVE-2007-2754
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11
Impact:  Multiple vulnerabilities in FreeType v2.1.4
Description:  Multiple vulnerabilities exist in FreeType v2.1.4, the
most serious of which may lead to arbitrary code execution when
processing a maliciously crafted font. This update addresses the
issues by updating FreeType to version 2.3.8. Further information is
available via the FreeType site (http://www.freetype.org/). The
issues are already addressed in systems running Mac OS X v10.5.6.

X11
CVE-ID:  CVE-2008-2383
Available for:  Mac OS X v10.5 through v10.5.6,
Mac OS X Server v10.5 through v10.5.6
Impact:  Displaying maliciously crafted data within an xterm terminal
may lead to arbitrary code execution
Description:  The xterm program supports a command sequence known as
DECRQSS that can be used to return information about the current
terminal. The information returned is sent as terminal input similar
to keyboard input by a user. Within an xterm terminal, displaying
maliciously crafted data containing such sequences may result in
command injection. This update addresses the issue by performing
additional validation of the output data. This issue does not affect
systems prior to Mac OS X v10.5.
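The defensive side of this entry, as an added example that is not
xterm's code: anything that writes untrusted data to a terminal (a log
viewer, a mail reader, a CI console) can strip Device Control Strings
before output, since DECRQSS travels inside a DCS string (ESC P ... ESC
backslash, or the 8-bit 0x90 ... 0x9C forms). The sample input is
constructed for the example; the function names are assumptions. The
filter is deliberately narrow and leaves CSI sequences such as colour
changes alone.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

#define ESC  0x1B
#define DCS8 0x90   /* 8-bit Device Control String introducer */
#define ST8  0x9C   /* 8-bit String Terminator */

/* Length (1 or 2) of a DCS introducer at in[i], or 0 if there is none. */
static size_t dcs_start(const unsigned char *in, size_t inlen, size_t i)
{
    if (in[i] == DCS8) return 1;
    if (in[i] == ESC && i + 1 < inlen && in[i + 1] == 'P') return 2;
    return 0;
}

/* Length (1 or 2) of a String Terminator at in[i], or 0 if there is none. */
static size_t st_at(const unsigned char *in, size_t inlen, size_t i)
{
    if (in[i] == ST8) return 1;
    if (in[i] == ESC && i + 1 < inlen && in[i + 1] == '\\') return 2;
    return 0;
}

/* Copy in[] to out[], dropping every DCS string together with its payload.
 * An unterminated DCS swallows the rest of the input: safer than leaving
 * the terminal parser half-way into a control string, at the cost of
 * hiding whatever followed.  out needs room for inlen bytes.
 * Returns the number of bytes written. */
size_t strip_dcs(const unsigned char *in, size_t inlen, unsigned char *out)
{
    size_t o = 0;
    for (size_t i = 0; i < inlen; ) {
        size_t n = dcs_start(in, inlen, i);
        if (n == 0) {
            out[o++] = in[i++];
            continue;
        }
        i += n;                          /* skip introducer */
        while (i < inlen) {              /* skip payload up to and including ST */
            n = st_at(in, inlen, i);
            if (n) { i += n; break; }
            i++;
        }
    }
    return o;
}

/* Detection: 1 if the data carries a DECRQSS request, i.e. a DCS whose
 * payload starts with "$q".  Useful for alerting on log data rather than
 * silently cleaning it. */
int contains_decrqss(const unsigned char *in, size_t inlen)
{
    for (size_t i = 0; i < inlen; i++) {
        size_t n = dcs_start(in, inlen, i);
        if (n && i + n + 1 < inlen && in[i + n] == '$' && in[i + n + 1] == 'q')
            return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample: text with an embedded DECRQSS request for the
     * SGR state ("$q" followed by "m"), as hostile log data might carry. */
    const unsigned char sample[] = "hello \x1bP$qm\x1b\\world\n";
    unsigned char clean[sizeof sample];
    size_t n = strip_dcs(sample, sizeof sample - 1, clean);

    printf("decrqss present: %d\n", contains_decrqss(sample, sizeof sample - 1));
    fwrite(clean, 1, n, stdout);     /* hello world */
    return 0;
}
```

The same walk generalises to OSC and APC strings (ESC ], ESC _) by
adding their introducers to dcs_start; the page only documents the
DECRQSS case, so the filter above stops at DCS.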

X11
CVE-ID:  CVE-2008-1382, CVE-2009-0040
Available for:  Mac OS X v10.5 through v10.5.6,
Mac OS X Server v10.5 through v10.5.6
Impact:  Multiple vulnerabilities in libpng version 1.2.26
Description:  Multiple vulnerabilities exist in libpng version
1.2.26, the most serious of which may lead to arbitrary code
execution. This update addresses the issues by updating libpng to
version 1.2.35. Further information is available via the libpng
website (http://www.libpng.org/pub/png/libpng.html). These issues do
not affect systems prior to Mac OS X v10.5.

X11
CVE-ID:  CVE-2009-0946
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5 through v10.5.6, Mac OS X Server v10.5 through v10.5.6
Impact:  Multiple vulnerabilities in FreeType v2.3.8
Description:  Multiple integer overflows exist in FreeType v2.3.8,
which may lead to an unexpected application termination or arbitrary
code execution. This update addresses the issues through improved
bounds checking. Credit to Tavis Ormandy of the Google Security Team
for reporting these issues.
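The integer-overflow pattern that "improved bounds checking" refers to,
as an added illustration that is not FreeType's code: a font table
declares a record count, the parser multiplies count by record size to
check that the table fits, and the product wraps in 32-bit arithmetic so
the check passes while a later loop walks far past the buffer. The
table layout, function names and byte strings below are assumptions for
the example; the safe check divides instead of multiplying so no
intermediate can wrap.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

/* Naive check: count * rec_size is computed in 32-bit arithmetic and wraps
 * for large counts, so a table that would run far past the buffer passes. */
int naive_table_fits(uint32_t count, uint32_t rec_size, uint32_t avail)
{
    uint32_t need = count * rec_size;    /* wraps modulo 2^32 */
    return need <= avail;
}

/* Overflow-safe check: compare count against avail / rec_size.  Nothing is
 * multiplied, so nothing can wrap; a zero record size is rejected outright. */
int safe_table_fits(uint32_t count, uint32_t rec_size, uint32_t avail)
{
    if (rec_size == 0)
        return 0;
    return count <= avail / rec_size;
}

static uint32_t read_u32be(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Hypothetical table: 4-byte big-endian record count, then count records of
 * rec_size bytes each.  Returns the record count if the table fits in len
 * bytes according to the supplied check, or -1 if rejected.  The check is
 * what keeps a later loop over the records inside buf. */
long parse_table_header(const uint8_t *buf, size_t len, uint32_t rec_size,
                        int (*fits)(uint32_t, uint32_t, uint32_t))
{
    if (len < 4 || len - 4 > UINT32_MAX)
        return -1;
    uint32_t count = read_u32be(buf);
    uint32_t avail = (uint32_t)(len - 4);
    if (!fits(count, rec_size, avail))
        return -1;
    return (long)count;
}

int main(void)
{
    /* Constructed inputs: a well-formed 2-record table, and a header whose
     * count of 0x40000001 times 4 wraps to 4 in 32-bit arithmetic. */
    const uint8_t good[] = {0, 0, 0, 2, 1, 2, 3, 4, 5, 6, 7, 8};
    const uint8_t evil[] = {0x40, 0, 0, 0x01, 1, 2, 3, 4};

    printf("good/safe : %ld\n", parse_table_header(good, sizeof good, 4, safe_table_fits));
    printf("evil/naive: %ld\n", parse_table_header(evil, sizeof evil, 4, naive_table_fits));
    printf("evil/safe : %ld\n", parse_table_header(evil, sizeof evil, 4, safe_table_fits));
    return 0;
}
```

The naive variant accepts 0x40000001 records in an 8-byte buffer; a
parser that then iterates over them reads out of bounds, which is the
crash-or-worse outcome the advisory describes.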


Security Update 2009-002 / Mac OS X v10.5.7 may be obtained from
the Software Update pane in System Preferences, or Apple's Software
Downloads web site:
http://www.apple.com/support/downloads/

The Software Update utility will present the update that applies
to your system configuration. Only one is needed, either
Security Update 2009-002 or Mac OS X v10.5.7.

For Mac OS X v10.5.6
The download file is named: MacOSXUpd10.5.7.dmg
Its SHA-1 digest is: 0173995ad572f2bc11d802671136e5e5c1afe116

For Mac OS X v10.5 - v10.5.5
The download file is named: MacOSXUpdCombo10.5.7.dmg
Its SHA-1 digest is: 646fd1ac31c679c6a5aebe8ac74f190ab774cd38

For Mac OS X Server v10.5.6
The download file is named: MacOSXServerUpd10.5.7.dmg
Its SHA-1 digest is: 476b1f7c0e91eb8974eee84d9ee0f064964dce6d

For Mac OS X Server v10.5 - v10.5.5
The download file is named: MacOSXServerUpdCombo10.5.7.dmg
Its SHA-1 digest is: 20230891a42cb78ca38019527b708ef1549f61ae

For Mac OS X v10.4.11 (Intel)
The download file is named: SecUpd2009-002Intel.dmg
Its SHA-1 digest is: fc0143380efaf4aa7f320d1e2a84528c8e41a000

For Mac OS X v10.4.11 (PowerPC)
The download file is named: SecUpd2009-002PPC.dmg
Its SHA-1 digest is: 9e9b69c18450a1fa81484d7366a67ae97cfc52c7

For Mac OS X Server v10.4.11 (Universal)
The download file is named: SecUpdSrvr2009-002Univ.dmg
Its SHA-1 digest is: f0048c912ae939c1b5c95db5e843b4ee6cf60c21

For Mac OS X Server v10.4.11 (PowerPC)
The download file is named: SecUpdSrvr2009-002PPC.dmg
Its SHA-1 digest is: 525d90cc0d5bc00edd3f9a44e8447492a962f571

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (Darwin)

iQEcBAEBAgAGBQJKCbEJAAoJEHkodeiKZIkBFNEH/RjDCqrv552IAZ0JP5fDnlmq
c94WzlqT2Bg4EpeYv4Q2iTODjMNuCce+mo6WvYjiSK6hKUuKBmrspZVsnrDCUxLg
iXBMyoLAiu9O6YqnAtYt/7aeu1nIsVjL7cs7pJvWHCU1vj+ob+gptKHtufsjgT8/
R0KY0tYz4p2cBfTT/2Z/w9wPKJlHALE7IATEqKvvReohZse98zamkNHcRfvdcVqk
7weZcg80RQPK4wxWSU2OiUMU1Xl4DMCb51Ym0Nc/8YC5OjCndpdfEd7JqDjWP+ai
SRovqUV+z4OA8IZCtfLkCXzMgbz4lCD8JEo8ac1jChqEoHRLH4VjCluboc1Bsks=
=oIVW
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iD8DBQFKEN4mNVH5XJJInbgRAnmyAJ9KfpaKz6dpwC9N3zRh8n8LmWFV1gCfUnvv
DtSYShSCelxld76Fko/Ts60=
=6ZXY
-----END PGP SIGNATURE-----