-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2010.0282
                Security Update 2010-002 / Mac OS X v10.6.3
                               30 March 2010

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:          AppKit
                  Application Firewall
                  AFP Server
                  Apache
                  ClamAV
                  CoreAudio
                  CoreMedia
                  CoreTypes
                  CUPS
                  curl
                  Cyrus IMAP
                  Cyrus SASL
                  DesktopServices
                  Disk Images
                  Directory Services
                  Dovecot
                  Event Monitor
                  FreeRADIUS
                  FTP Server
                  iChat Server
                  ImageIO
                  Image RAW
                  Libsystem
                  Mail
                  Mailman
                  MySQL
                  perl
                  PHP
                  Podcast Producer
                  QuickTime
                  Ruby
                  SMB
                  Tomcat
                  Wiki Server
                  xar
                  OS Services
                  Password Server
                  Preferences
                  PS Normalizer
                  Server Admin
                  unzip
                  vim
                  X11
Publisher:        Apple
Operating System: Mac OS X
Impact/Access:    Execute Arbitrary Code/Commands -- Remote/Unauthenticated      
                  Increased Privileges            -- Existing Account            
                  Modify Arbitrary Files          -- Remote with User Interaction
                  Cross-site Scripting            -- Remote/Unauthenticated      
                  Delete Arbitrary Files          -- Existing Account            
                  Denial of Service               -- Existing Account            
                  Provide Misleading Information  -- Remote with User Interaction
                  Unauthorised Access             -- Remote/Unauthenticated      
                  Reduced Security                -- Remote/Unauthenticated      
Resolution:       Patch/Upgrade
CVE Names:        CVE-2010-0537 CVE-2010-0535 CVE-2010-0534
                  CVE-2010-0533 CVE-2010-0526 CVE-2010-0525
                  CVE-2010-0524 CVE-2010-0523 CVE-2010-0522
                  CVE-2010-0521 CVE-2010-0520 CVE-2010-0519
                  CVE-2010-0518 CVE-2010-0517 CVE-2010-0516
                  CVE-2010-0515 CVE-2010-0514 CVE-2010-0513
                  CVE-2010-0512 CVE-2010-0511 CVE-2010-0510
                  CVE-2010-0509 CVE-2010-0508 CVE-2010-0507
                  CVE-2010-0506 CVE-2010-0505 CVE-2010-0504
                  CVE-2010-0503 CVE-2010-0502 CVE-2010-0501
                  CVE-2010-0500 CVE-2010-0498 CVE-2010-0497
                  CVE-2010-0393 CVE-2010-0065 CVE-2010-0064
                  CVE-2010-0063 CVE-2010-0062 CVE-2010-0060
                  CVE-2010-0059 CVE-2010-0058 CVE-2010-0057
                  CVE-2010-0056 CVE-2010-0055 CVE-2010-0043
                  CVE-2010-0042 CVE-2010-0041 CVE-2009-4214
                  CVE-2009-4143 CVE-2009-4142 CVE-2009-4030
                  CVE-2009-4019 CVE-2009-4017 CVE-2009-3559
                  CVE-2009-3558 CVE-2009-3557 CVE-2009-3095
                  CVE-2009-3009 CVE-2009-2906 CVE-2009-2902
                  CVE-2009-2901 CVE-2009-2801 CVE-2009-2693
                  CVE-2009-2632 CVE-2009-2446 CVE-2009-2422
                  CVE-2009-2417 CVE-2009-2042 CVE-2009-1904
                  CVE-2009-0783 CVE-2009-0781 CVE-2009-0689
                  CVE-2009-0688 CVE-2009-0580 CVE-2009-0316
                  CVE-2009-0037 CVE-2009-0033 CVE-2008-7247
                  CVE-2008-5515 CVE-2008-5303 CVE-2008-5302
                  CVE-2008-4456 CVE-2008-4101 CVE-2008-2712
                  CVE-2008-0888 CVE-2008-0564 CVE-2006-1329
                  CVE-2003-0063  

Reference:        ESB-2010.0154
                  ESB-2010.0077
                  ASB-2009.1173
                  ASB-2009.1075
                  AL-2009.0040
                  AA-2009.0140
                  AA-2009.0139
                  ESB-2009.1186
                  ESB-2009.1095
                  ESB-2009.0559
                  ESB-2009.0530
                  ESB-2009.0211
                  ESB-2009.0198
                  ESB-2009.0196
                  ESB-2008.1085
                  ESB-2008.1072
                  ESB-2008.0959
                  ESB-2008.0282
                  ESB-2008.0279

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2010-03-29-1 Security Update 2010-002 / Mac OS X v10.6.3

Security Update 2010-002 / Mac OS X v10.6.3 is now available and
addresses the following:

AppKit
CVE-ID:  CVE-2010-0056
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8
Impact:  Spell checking a maliciously crafted document may lead to an
unexpected application termination or arbitrary code execution
Description:  A buffer overflow exists in the spell checking feature
used by Cocoa applications. Spell checking a maliciously crafted
document may lead to an unexpected application termination or
arbitrary code execution. This issue is addressed through improved
bounds checking. This issue does not affect Mac OS X v10.6 systems.
Credit: Apple.

Application Firewall
CVE-ID:  CVE-2009-2801
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8
Impact:  Certain rules in the Application Firewall may become
inactive after restart
Description:  A timing issue in the Application Firewall may cause
certain rules to become inactive after reboot. The issue is addressed
through improved handling of Firewall rules. This issue does not
affect Mac OS X v10.6 systems. Credit to Michael Kisor of
OrganicOrb.com for reporting this issue.

AFP Server
CVE-ID:  CVE-2010-0057
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2
Impact:  When guest access is disabled, a remote user may be able to
mount AFP shares as a guest
Description:  An access control issue in AFP Server may allow a
remote user to mount AFP shares as a guest, even if guest access is
disabled. This issue is addressed through improved access control
checks. Credit: Apple.

AFP Server
CVE-ID:  CVE-2010-0533
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2
Impact:  A remote user with guest access to an AFP share may access
the contents of world-readable files outside the Public share
Description:  A directory traversal issue exists in the path
validation for AFP shares. A remote user may enumerate the parent
directory of the share root, and read or write files within that
directory that are accessible to the 'nobody' user. This issue is
addressed through improved handling of file paths. Credit to Patrik
Karlsson of cqure.net for reporting this issue.

Apache
CVE-ID:  CVE-2009-3095
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2
Impact:  A remote attacker may be able to bypass access control
restrictions
Description:  An input validation issue exists in Apache's handling
of proxied FTP requests. A remote attacker with the ability to issue
requests through the proxy may be able to bypass access control
restrictions specified in the Apache configuration. This issue is
addressed by updating Apache to version 2.2.14.

ClamAV
CVE-ID:  CVE-2010-0058
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8
Impact:  ClamAV virus definitions may not receive updates
Description:  A configuration issue introduced in Security Update
2009-005 prevents freshclam from running. This may prevent virus
definitions from being updated. This issue is addressed by updating
freshclam's launchd plist ProgramArguments key values. This issue
does not affect Mac OS X v10.6 systems. Credit to Bayard Bell, Wil
Shipley of Delicious Monster, and David Ferrero of Zion Software, LLC
for reporting this issue.

CoreAudio
CVE-ID:  CVE-2010-0059
Available for:  Mac OS X v10.6 through v10.6.2,
Mac OS X Server v10.6 through v10.6.2
Impact:  Playing maliciously crafted audio content may lead to an
unexpected application termination or arbitrary code execution
Description:  A memory corruption issue exists in the handling of
QDM2 encoded audio content. Playing maliciously crafted audio content
may lead to an unexpected application termination or arbitrary code
execution. This issue is addressed through improved bounds checking.
Credit to an anonymous researcher working with TippingPoint's Zero
Day Initiative for reporting this issue.

CoreAudio
CVE-ID:  CVE-2010-0060
Available for:  Mac OS X v10.6 through v10.6.2,
Mac OS X Server v10.6 through v10.6.2
Impact:  Playing maliciously crafted audio content may lead to an
unexpected application termination or arbitrary code execution
Description:  A memory corruption issue exists in the handling of
QDMC encoded audio content. Playing maliciously crafted audio content
may lead to an unexpected application termination or arbitrary code
execution. This issue is addressed through improved bounds checking.
Credit to an anonymous researcher working with TippingPoint's Zero
Day Initiative for reporting this issue.

CoreMedia
CVE-ID:  CVE-2010-0062
Available for:  Mac OS X v10.6 through v10.6.2,
Mac OS X Server v10.6 through v10.6.2
Impact:  Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description:  A heap buffer overflow exists in CoreMedia's handling
of H.263 encoded movie files. Viewing a maliciously crafted movie
file may lead to an unexpected application termination or arbitrary
code execution. This issue is addressed by performing additional
validation of H.263 encoded movie files. Credit to Damian Put working
with TippingPoint's Zero Day Initiative for reporting this issue.

CoreTypes
CVE-ID:  CVE-2010-0063
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2
Impact:  Users are not warned before opening certain potentially
unsafe content types
Description:  This update adds .ibplugin and .url to the system's
list of content types that will be flagged as potentially unsafe
under certain circumstances, such as when they are downloaded from a
web page. While these content types are not automatically launched,
if manually opened they could lead to the execution of a malicious
JavaScript payload or arbitrary code execution. This update improves
the system's ability to notify users before handling content types
used by Safari. Credit to Clint Ruoho of Laconic Security for
reporting this issue.

CUPS
CVE-ID:  CVE-2010-0393
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2
Impact:  A local user may be able to obtain system privileges
Description:  A format string issue exists in the lppasswd CUPS
utility. This may allow a local user to obtain system privileges. Mac
OS X v10.6 systems are only affected if the setuid bit has been set
on the binary. This issue is addressed by using default directories
when running as a setuid process. Credit to Ronald Volgers for
reporting this issue.

curl
CVE-ID:  CVE-2009-2417
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2
Impact:  A man-in-the-middle attacker may be able to impersonate a
trusted server
Description:  A canonicalization issue exists in curl's handling of
NUL (0x00) characters in the subject's Common Name (CN) field of X.509
certificates: the CN was compared as a NUL-terminated C string, so the
comparison stopped at the first NUL and ignored the rest of the name.
This may lead to man-in-the-middle attacks against users of the curl
command line tool, or applications using libcurl. This issue is
addressed through improved handling of NUL characters.
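
As an added illustration (not from the advisory or from curl's source),
the following Python contrasts the C-string comparison that
CVE-2009-2417 describes with a length-aware one. The CN bytes are a
constructed stand-in for the subject's CN as DER delivers it, with an
explicit length; the example goes slightly beyond the CVE by also
handling a single leading wildcard label. Real clients should prefer
subjectAltName over the CN, which this example does not cover.

```python
import re

# One hostname label: letters, digits, hyphen; a CN is two or more labels,
# optionally with a single leading wildcard label.
_NAME_RE = re.compile(r"(\*|[a-z0-9-]+)(\.[a-z0-9-]+)+")


def cstring_view(cn: bytes) -> str:
    """What a C caller sees after copying the CN into a char buffer and
    treating it as NUL-terminated: everything after the first 0x00 vanishes."""
    return cn.split(b"\x00", 1)[0].decode("latin-1")


def vulnerable_cn_matches(cn: bytes, host: str) -> bool:
    """The pre-fix behaviour: compare the truncated C string to the host."""
    return cstring_view(cn).lower() == host.lower()


def cn_matches(cn: bytes, host: str) -> bool:
    """Length-aware match. The CN is handled as (length, bytes) exactly as
    DER delivers it; an embedded NUL is a hard failure, not a terminator."""
    if b"\x00" in cn:
        return False
    try:
        name = cn.decode("ascii").lower().rstrip(".")
    except UnicodeDecodeError:
        return False
    host = host.lower().rstrip(".")
    if not _NAME_RE.fullmatch(name):
        return False
    if name.startswith("*."):
        n_labels = name.split(".")
        h_labels = host.split(".")
        # A wildcard stands for exactly one label and must be followed by at
        # least two fixed labels, so that '*.example' cannot match bank.example.
        return (len(n_labels) >= 3
                and len(h_labels) == len(n_labels)
                and h_labels[1:] == n_labels[1:])
    return name == host


# Constructed certificate subject: a CA that only validates ownership of the
# part after the NUL ('attacker.example') would issue this.
NUL_PREFIX_CN = b"www.bank.example\x00.attacker.example"


if __name__ == "__main__":
    print(vulnerable_cn_matches(NUL_PREFIX_CN, "www.bank.example"))  # True
    print(cn_matches(NUL_PREFIX_CN, "www.bank.example"))             # False
```

The important design point is that the CN never becomes a C string:
the comparison operates on the full byte sequence with its length, and
any 0x00 inside it is treated as evidence of a forged name rather than
as the end of the string.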

curl
CVE-ID:  CVE-2009-0037
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8
Impact:  Using curl with -L may allow a remote attacker to read or
write local files
Description:  curl will follow HTTP and HTTPS redirects when used
with the -L option. When curl follows a redirect, it allows file://
URLs. This may allow a remote attacker to access local files. This
issue is addressed through improved validation of redirects. This
issue does not affect Mac OS X v10.6 systems. Credit to Daniel
Stenberg of Haxx AB for reporting this issue.
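
The corresponding check for CVE-2009-0037, as an added example that is
not part of the advisory or of curl: a redirect target is resolved
against the current URL and refused unless its scheme is http or
https. The response map is a constructed, offline stand-in for real
servers. libcurl's own fix for this class of problem is the
CURLOPT_REDIR_PROTOCOLS option, which limits the protocols a redirect
may switch to independently of the protocols allowed for the initial
URL.

```python
from urllib.parse import urljoin, urlsplit

# Schemes a redirect is allowed to land on. Anything else (file://, ftp://,
# dict://, gopher://, ...) is refused even if the client supports it for URLs
# the user typed directly.
ALLOWED_REDIRECT_SCHEMES = frozenset({"http", "https"})


class UnsafeRedirect(Exception):
    pass


def next_location(current_url: str, location: str,
                  allowed=ALLOWED_REDIRECT_SCHEMES) -> str:
    """Resolve a Location header against the current URL (relative and
    scheme-relative redirects included) and refuse it unless the resulting
    scheme is on the allow-list."""
    target = urljoin(current_url, location)
    scheme = urlsplit(target).scheme.lower()
    if scheme not in allowed:
        raise UnsafeRedirect(
            f"{current_url} redirects to {target!r}: scheme {scheme!r} not allowed")
    return target


def is_safe_redirect(current_url: str, location: str) -> bool:
    try:
        next_location(current_url, location)
        return True
    except UnsafeRedirect:
        return False


# Constructed, offline stand-in for the servers' answers:
# url -> (status, Location header or None)
FAKE_RESPONSES = {
    "http://example.test/start": (302, "/step2"),
    "http://example.test/step2": (301, "https://cdn.example.test/doc"),
    "https://cdn.example.test/doc": (200, None),
    "http://evil.test/start": (302, "file:///etc/passwd"),
}


def follow(url: str, responses=FAKE_RESPONSES, max_hops: int = 5) -> list:
    """Walk a redirect chain the way `curl -L` does and return every URL
    visited. Raises UnsafeRedirect if a hop would leave http/https."""
    chain = [url]
    for _ in range(max_hops):
        status, location = responses[url]
        if status not in (301, 302, 303, 307, 308) or location is None:
            return chain
        url = next_location(url, location)
        chain.append(url)
    raise UnsafeRedirect("too many redirects")


if __name__ == "__main__":
    print(follow("http://example.test/start"))
    print(is_safe_redirect("http://evil.test/start", "file:///etc/passwd"))  # False
```

Note that the scheme is checked after resolution, not on the raw header
value: a relative or scheme-relative Location inherits the current
scheme, while an absolute one replaces it, and only the final result
tells you where the client would actually go.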

Cyrus IMAP
CVE-ID:  CVE-2009-2632
Available for:  Mac OS X Server v10.5.8
Impact:  A local user may be able to obtain the privileges of the
Cyrus user
Description:  A buffer overflow exists in the handling of sieve
scripts. By running a maliciously crafted sieve script, a local user
may be able to obtain the privileges of the Cyrus user. This issue is
addressed through improved bounds checking. This issue does not
affect Mac OS X v10.6 systems.

Cyrus SASL
CVE-ID:  CVE-2009-0688
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8
Impact:  An unauthenticated remote attacker may cause unexpected
application termination or arbitrary code execution
Description:  A buffer overflow exists in the Cyrus SASL
authentication module. Using Cyrus SASL authentication may lead to an
unexpected application termination or arbitrary code execution. This
issue is addressed through improved bounds checking. This issue does
not affect Mac OS X v10.6 systems.

DesktopServices
CVE-ID:  CVE-2010-0064
Available for:  Mac OS X v10.6 through v10.6.2,
Mac OS X Server v10.6 through v10.6.2
Impact:  Items copied in the Finder may be assigned an unexpected
file owner
Description:  When performing an authenticated copy in the Finder,
original file ownership may be unexpectedly copied. This update
addresses the issue by ensuring that copied files are owned by the
user performing the copy. This issue does not affect systems prior to
Mac OS X v10.6. Credit to Gerrit DeWitt of Auburn University (Auburn,
AL) for reporting this issue.

DesktopServices
CVE-ID:  CVE-2010-0537
Available for:  Mac OS X v10.6 through v10.6.2,
Mac OS X Server v10.6 through v10.6.2
Impact:  A remote attacker may gain access to user data via a
multi-stage attack
Description:  A path resolution issue in DesktopServices is
vulnerable to a multi-stage attack. A remote attacker must first
entice the user to mount an arbitrarily named share, which may be
done via a URL scheme. When saving a file using the default save
panel in any application, and using "Go to folder" or dragging
folders to the save panel, the data may be unexpectedly saved to the
malicious share. This issue is addressed through improved path
resolution. This issue does not affect systems prior to Mac OS X
v10.6. Credit to Sidney San Martin working with DeepTech, Inc. for
reporting this issue.

Disk Images
CVE-ID:  CVE-2010-0065
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2
Impact:  Mounting a maliciously crafted disk image may lead to an
unexpected application termination or arbitrary code execution
Description:  A memory corruption issue exists in the handling of
bzip2 compressed disk images. Mounting a maliciously crafted disk
image may lead to an unexpected application termination or arbitrary
code execution. This issue is addressed through improved bounds
checking. Credit: Apple.

Disk Images
CVE-ID:  CVE-2010-0497
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2
Impact:  Mounting a maliciously crafted disk image may lead to
arbitrary code execution
Description:  A design issue exists in the handling of internet
enabled disk images. Mounting an internet enabled disk image
containing a package file type will open it rather than revealing it
in the Finder. The file quarantine feature helps to mitigate this
issue by providing a warning dialog for unsafe file types. This issue
is addressed through improved handling of package file types on
internet enabled disk images. Credit to Brian Mastenbrook working
with TippingPoint's Zero Day Initiative for reporting this issue.

Directory Services
CVE-ID:  CVE-2010-0498
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2
Impact:  A local user may obtain system privileges
Description:  An authorization issue in Directory Services' handling
of record names may allow a local user to obtain system privileges.
This issue is addressed through improved authorization checks.
Credit: Apple.

Dovecot
CVE-ID:  CVE-2010-0535
Available for:  Mac OS X v10.6 through v10.6.2,
Mac OS X Server v10.6 through v10.6.2
Impact:  An authenticated user may be able to send and receive mail
even if the user is not on the SACL of users who are permitted to do
so
Description:  An access control issue exists in Dovecot when Kerberos
authentication is enabled. This may allow an authenticated user to
send and receive mail even if the user is not on the service access
control list (SACL) of users who are permitted to do so. This issue
is addressed through improved access control checks. This issue does
not affect systems prior to Mac OS X v10.6.

Event Monitor
CVE-ID:  CVE-2010-0500
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2
Impact:  A remote attacker may cause arbitrary systems to be added to
the firewall blacklist
Description:  A reverse DNS lookup is performed on remote ssh clients
that fail to authenticate. A plist injection issue exists in the
handling of resolved DNS names. This may allow a remote attacker to
cause arbitrary systems to be added to the firewall blacklist. This
issue is addressed by properly escaping resolved DNS names. Credit:
Apple.
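
CVE-2010-0500 is an injection into a serialized format: a name
controlled by whoever runs reverse DNS for the connecting client is
concatenated into a plist, so markup inside that name becomes
structure. The Python below is an added demonstration, not Apple's
code: it builds a blacklist entry both by naive string formatting and
through plistlib, then parses each back to show what the firewall side
would have read. The plist layout (a single 'hosts' array) and the
hostile PTR record are constructed for the example.

```python
import plistlib


def naive_blacklist_plist(hostname: str) -> bytes:
    """The flawed pattern: the resolved name is pasted into XML by string
    formatting, so any markup in it becomes part of the document."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<plist version="1.0"><dict><key>hosts</key><array>\n'
        f"<string>{hostname}</string>\n"
        "</array></dict></plist>\n"
    ).encode("utf-8")


def safe_blacklist_plist(hostname: str) -> bytes:
    """The fix: hand the value to a serializer, which escapes '<', '>' and
    '&' so the name can only ever be the content of one <string>."""
    return plistlib.dumps({"hosts": [hostname]})


def blacklisted_hosts(plist_bytes: bytes) -> list:
    """What the consumer of the file would read back."""
    return list(plistlib.loads(plist_bytes)["hosts"])


# Constructed hostile PTR answer. DNS itself does not restrict the octets in
# a label (only hostname conventions do), so whoever controls reverse DNS for
# the connecting address can return this for the client that failed to log in.
HOSTILE_PTR = "attacker.test</string><string>10.0.0.5</string><string>gateway.corp"


if __name__ == "__main__":
    print(blacklisted_hosts(naive_blacklist_plist(HOSTILE_PTR)))
    # ['attacker.test', '10.0.0.5', 'gateway.corp']  -> two innocent hosts blocked
    print(blacklisted_hosts(safe_blacklist_plist(HOSTILE_PTR)))
    # ['attacker.test</string><string>10.0.0.5</string><string>gateway.corp']
```

Escaping fixes the structural problem, which is what the advisory
describes. Two cheap additional defences fit here: validate the PTR
answer against hostname syntax before using it at all, and confirm it
with a forward lookup that resolves back to the connecting address, so
that an attacker cannot place an arbitrary but well-formed name on the
list simply by controlling reverse DNS.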

FreeRADIUS
CVE-ID:  CVE-2010-0524
Available for:  Mac OS X Server v10.5.8,
Mac OS X Server v10.6 through v10.6.2
Impact:  A remote attacker may obtain access to a network via RADIUS
authentication
Description:  A certificate authentication issue exists in the
default Mac OS X configuration of the FreeRADIUS server. A remote
attacker may use EAP-TLS with an arbitrary valid certificate to
authenticate and connect to a network configured to use FreeRADIUS
for authentication. This issue is addressed by disabling support for
EAP-TLS in the configuration. RADIUS clients should use EAP-TTLS
instead. This issue only affects Mac OS X Server systems. Credit to
Chris Linstruth of Qnet for reporting this issue.

FTP Server
CVE-ID:  CVE-2010-0501
Available for:  Mac OS X Server v10.5.8,
Mac OS X Server v10.6 through v10.6.2
Impact:  Users may be able to retrieve files outside the FTP root
directory
Description:  A directory traversal issue exists in FTP Server. This
may allow a user to retrieve files outside the FTP root directory.
This issue is addressed through improved handling of file names. This
issue only affects Mac OS X Server systems. Credit: Apple.
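
Both AFP Server (CVE-2010-0533) and FTP Server (CVE-2010-0501) above
are path-validation failures: a client-supplied path is joined to the
share root without confirming that the result stays inside it. The
following Python is an added illustration of the check a file server
needs, written for this bulletin rather than taken from Apple's code
or the advisory; the share root /srv/afp/Public and the client paths
are made up, and the temporary directory in symlink_escape_demo() is
constructed on the fly.

```python
import os
import posixpath
import tempfile


class PathEscapesShare(ValueError):
    """Raised when a client-supplied path would leave the share root."""


def confine_to_share(share_root: str, client_path: str) -> str:
    """Map a '/'-separated path sent by an AFP or FTP client (relative to
    the share root) to an absolute on-disk path, or raise PathEscapesShare.

    Two independent checks are made:
      1. lexical: '.', '..' and repeated '/' are normalised without touching
         the disk, and anything that still begins with '..' is rejected, so
         'docs/../../etc/passwd' never reaches the filesystem layer;
      2. physical: symlinks are resolved with realpath() and the result must
         still lie under the (also resolved) share root, which catches links
         planted inside the share that point outside it.
    """
    # Strip leading slashes so an "absolute" client path is still interpreted
    # relative to the share, not to the host's root directory.
    rel = posixpath.normpath(client_path.lstrip("/"))
    if rel == ".." or rel.startswith("../"):
        raise PathEscapesShare(f"traversal attempt: {client_path!r}")

    root_real = os.path.realpath(share_root)
    target = os.path.realpath(os.path.join(root_real, rel))
    if os.path.commonpath([root_real, target]) != root_real:
        raise PathEscapesShare(f"{client_path!r} resolves outside {share_root!r}")
    return target


def is_confined(share_root: str, client_path: str) -> bool:
    """Boolean convenience wrapper around confine_to_share()."""
    try:
        confine_to_share(share_root, client_path)
        return True
    except PathEscapesShare:
        return False


def symlink_escape_demo() -> bool:
    """Constructed scenario: a share containing a symlink to a directory
    outside it. The lexical check alone would accept 'link/secret.txt';
    the physical check must refuse it. Returns True if the escape was blocked."""
    with tempfile.TemporaryDirectory() as tmp:
        share = os.path.join(tmp, "share")
        outside = os.path.join(tmp, "outside")
        os.makedirs(share)
        os.makedirs(outside)
        os.symlink(outside, os.path.join(share, "link"))
        return not is_confined(share, "link/secret.txt")


if __name__ == "__main__":
    print(confine_to_share("/srv/afp/Public", "/docs//./readme.txt"))
    print(is_confined("/srv/afp/Public", "docs/../../etc/passwd"))  # False
    print(symlink_escape_demo())  # True
```

The lexical check is what the two advisories' "improved handling of
file paths / file names" amounts to; the realpath check is the caveat a
practitioner should add, because a share that users can write to is a
share that can contain symlinks. Even realpath() is a check followed by
a separate open, so a server that must resist a concurrent rename
should open the share root once and perform the remaining steps with
openat()-style calls and O_NOFOLLOW.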

iChat Server
CVE-ID:  CVE-2006-1329
Available for:  Mac OS X Server v10.5.8,
Mac OS X Server v10.6 through v10.6.2
Impact:  A remote attacker may be able to cause a denial of service
Description:  An implementation issue exists in jabberd's handling of
SASL negotiation. A remote attacker may be able to terminate the
operation of jabberd. This issue is addressed through improved
handling of SASL negotiation. This issue only affects Mac OS X Server
systems.

iChat Server
CVE-ID:  CVE-2010-0502
Available for:  Mac OS X Server v10.5.8,
Mac OS X Server v10.6 through v10.6.2
Impact:  Chat messages may not be logged
Description:  A design issue exists in iChat Server's support for
configurable group chat logging. iChat Server only logs messages with
certain message types. This may allow a remote user to send a message
through the server without it being logged. The issue is addressed by
removing the capability to disable group chat logs, and logging all
messages that are sent through the server. This issue only affects
Mac OS X Server systems. Credit: Apple.

iChat Server
CVE-ID:  CVE-2010-0503
Available for:  Mac OS X Server v10.5.8
Impact:  An authenticated user may be able to cause an unexpected
application termination or arbitrary code execution
Description:  A use-after-free issue exists in iChat Server. An
authenticated user may be able to cause an unexpected application
termination or arbitrary code execution. This issue is addressed
through improved memory reference tracking. This issue only affects
Mac OS X Server systems, and does not affect versions 10.6 or later.

iChat Server
CVE-ID:  CVE-2010-0504
Available for:  Mac OS X Server v10.5.8,
Mac OS X Server v10.6 through v10.6.2
Impact:  An authenticated user may be able to cause an unexpected
application termination or arbitrary code execution
Description:  Multiple stack buffer overflow issues exist in iChat
Server. An authenticated user may be able to cause an unexpected
application termination or arbitrary code execution. These issues are
addressed through improved memory management. These issues only
affect Mac OS X Server systems. Credit: Apple.

ImageIO
CVE-ID:  CVE-2010-0505
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2
Impact:  Viewing a maliciously crafted JP2 image may lead to an
unexpected application termination or arbitrary code execution
Description:  A heap buffer overflow exists in the handling of JP2
images. Viewing a maliciously crafted JP2 image may lead to an
unexpected application termination or arbitrary code execution. This
issue is addressed through improved bounds checking. Credit to Chris
Ries of Carnegie Mellon University Computing Service, and researcher
"85319bb6e6ab398b334509c50afce5259d42756e" working with
TippingPoint's Zero Day Initiative for reporting this issue.

ImageIO
CVE-ID:  CVE-2010-0041
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2
Impact:  Visiting a maliciously crafted website may result in sending
data from Safari's memory to the website
Description:  An uninitialized memory access issue exists in
ImageIO's handling of BMP images. Visiting a maliciously crafted
website may result in sending data from Safari's memory to the
website. This issue is addressed through improved memory
initialization and additional validation of BMP images. Credit to
Matthew 'j00ru' Jurczyk of Hispasec for reporting this issue.

ImageIO
CVE-ID:  CVE-2010-0042
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2
Impact:  Visiting a maliciously crafted website may result in sending
data from Safari's memory to the website
Description:  An uninitialized memory access issue exists in
ImageIO's handling of TIFF images. Visiting a maliciously crafted
website may result in sending data from Safari's memory to the
website. This issue is addressed through improved memory
initialization and additional validation of TIFF images. Credit to
Matthew 'j00ru' Jurczyk of Hispasec for reporting this issue.

ImageIO
CVE-ID:  CVE-2010-0043
Available for:  Mac OS X v10.6 through v10.6.2,
Mac OS X Server v10.6 through v10.6.2
Impact:  Processing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution
Description:  A memory corruption issue exists in the handling of
TIFF images. Processing a maliciously crafted TIFF image may lead to
an unexpected application termination or arbitrary code execution.
This issue is addressed through improved memory handling. This issue
does not affect systems prior to Mac OS X v10.6. Credit to Gus
Mueller of Flying Meat for reporting this issue.

Image RAW
CVE-ID:  CVE-2010-0506
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8
Impact:  Viewing a maliciously crafted NEF image may lead to an
unexpected application termination or arbitrary code execution
Description:  A buffer overflow exists in Image RAW's handling of NEF
images. Viewing a maliciously crafted NEF image may lead to an
unexpected application termination or arbitrary code execution. This
issue is addressed through improved bounds checking. This issue does
not affect Mac OS X v10.6 systems. Credit: Apple.

Image RAW
CVE-ID:  CVE-2010-0507
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2
Impact:  Viewing a maliciously crafted PEF image may lead to an
unexpected application termination or arbitrary code execution
Description:  A buffer overflow exists in Image RAW's handling of PEF
images. Viewing a maliciously crafted PEF image may lead to an
unexpected application termination or arbitrary code execution. This
issue is addressed through improved bounds checking. Credit to Chris
Ries of Carnegie Mellon University Computing Services for reporting
this issue.

Libsystem
CVE-ID:  CVE-2009-0689
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2
Impact:  Applications that convert untrusted data between binary
floating point and text may be vulnerable to an unexpected
application termination or arbitrary code execution
Description:  A buffer overflow exists in the floating point binary
to text conversion code within Libsystem. An attacker who can cause
an application to convert a floating point value into a long string,
or to parse a maliciously crafted string as a floating point value,
may be able to cause an unexpected application termination or
arbitrary code execution. This issue is addressed through improved
bounds checking. Credit to Maksymilian Arciemowicz of
SecurityReason.com for reporting this issue.

Mail
CVE-ID:  CVE-2010-0508
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2
Impact:  Rules associated with a deleted mail account remain in
effect
Description:  When a mail account is deleted, user-defined filter
rules associated with that account remain active. This may result in
unexpected actions. This issue is addressed by disabling associated
rules when a mail account is deleted.

Mail
CVE-ID:  CVE-2010-0525
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2
Impact:  Mail may use a weaker encryption key for outgoing email
Description:  A logic issue exists in Mail's handling of encryption
certificates. When multiple certificates for the recipient exist in
the keychain, Mail may select an encryption key that is not intended
for encipherment. This may lead to a security issue if the chosen key
is weaker than expected. This issue is addressed by ensuring that the
key usage extension within certificates is evaluated when selecting a
mail encryption key. Credit to Paul Suh of ps Enable, Inc. for
reporting this issue.
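
The keyUsage extension Apple refers to is a DER BIT STRING (RFC 5280
section 4.2.1.3). As an added example, not from Mail or the advisory,
the Python below decodes that bit string and selects, from a
constructed keychain of (label, keyUsage DER) pairs, only a
certificate whose key may encipher, which is the test the buggy
selection skipped. Assumptions: keyEncipherment (RSA key transport) or
keyAgreement (ECDH) qualify, following RFC 5750; a certificate without
the extension is treated as unrestricted, as RFC 5280 allows.

```python
# Bit positions in the KeyUsage BIT STRING, RFC 5280 section 4.2.1.3.
KEY_USAGE_BITS = (
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
)

# Usages that allow the certificate's key to protect a message key
# (assumption, per RFC 5750: keyEncipherment for RSA, keyAgreement for ECDH).
ENCIPHERMENT_USAGES = {"keyEncipherment", "keyAgreement"}


def parse_key_usage(der: bytes) -> set:
    """Decode a DER KeyUsage value: 0x03 <len> <unused-bit-count> <bits...>.
    Bits are numbered from the most significant bit of the first content
    byte, so digitalSignature is 0x80 of der[3]. Short-form lengths only."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a BIT STRING")
    length = der[1]
    if length & 0x80 or len(der) != 2 + length:
        raise ValueError("unsupported or inconsistent length")
    unused, body = der[2], der[3:]
    if unused > 7 or (unused and not body):
        raise ValueError("bad unused-bit count")
    total_bits = len(body) * 8 - unused
    return {
        name for i, name in enumerate(KEY_USAGE_BITS)
        if i < total_bits and body[i // 8] & (0x80 >> (i % 8))
    }


def may_encipher(key_usage_der) -> bool:
    """A certificate with no keyUsage extension is unrestricted (RFC 5280);
    one that carries the extension must assert an encipherment usage."""
    if key_usage_der is None:
        return True
    return bool(parse_key_usage(key_usage_der) & ENCIPHERMENT_USAGES)


def naive_choice(candidates):
    """What the bug amounted to: take the first certificate found for the
    recipient, whatever its key was issued for."""
    return candidates[0][0] if candidates else None


def choose_encryption_cert(candidates):
    """Return the label of the first candidate whose key may encipher."""
    for label, ku_der in candidates:
        if may_encipher(ku_der):
            return label
    return None


# Constructed keychain: two certificates for the same recipient, the
# signing one listed first.
CONSTRUCTED_KEYCHAIN = [
    ("alice-signing",    b"\x03\x02\x07\x80"),  # digitalSignature only
    ("alice-encryption", b"\x03\x02\x05\x20"),  # keyEncipherment only
]


if __name__ == "__main__":
    print(naive_choice(CONSTRUCTED_KEYCHAIN))            # alice-signing
    print(choose_encryption_cert(CONSTRUCTED_KEYCHAIN))  # alice-encryption
```

In a real keychain the bit string comes out of the certificate's
extensions sequence (OID 2.5.29.15); the decoder above is the only
piece of ASN.1 needed once that value has been located, and it is
deliberately strict about the length and unused-bit fields so that a
malformed extension is rejected rather than silently read as "no
restrictions".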

Mailman
CVE-ID:  CVE-2008-0564
Available for:  Mac OS X Server v10.5.8
Impact:  Multiple vulnerabilities in Mailman 2.1.9
Description:  Multiple cross-site scripting issues exist in Mailman
2.1.9. These issues are addressed by updating Mailman to version
2.1.13. Further information is available via the Mailman site at
http://mail.python.org/pipermail/mailman-announce/2009-January/000128.html
These issues only affect Mac OS X Server systems, and do not affect
versions 10.6 or later.

MySQL
CVE-ID:  CVE-2008-4456, CVE-2008-7247, CVE-2009-2446, CVE-2009-4019,
CVE-2009-4030
Available for:  Mac OS X Server v10.6 through v10.6.2
Impact:  Multiple vulnerabilities in MySQL 5.0.82
Description:  MySQL is updated to version 5.0.88 to address multiple
vulnerabilities, the most serious of which may lead to arbitrary code
execution. These issues only affect Mac OS X Server systems. Further
information is available via the MySQL web site at
http://dev.mysql.com/doc/refman/5.0/en/news-5-0-88.html

OS Services
CVE-ID:  CVE-2010-0509
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2
Impact:  A local user may be able to obtain elevated privileges
Description:  A privilege escalation issue exists in SFLServer, as it
runs as group 'wheel' and accesses files in users' home directories.
This issue is addressed through improved privilege management. Credit
to Kevin Finisterre of DigitalMunition for reporting this issue.

Password Server
CVE-ID:  CVE-2010-0510
Available for:  Mac OS X Server v10.5.8,
Mac OS X Server v10.6 through v10.6.2
Impact:  A remote attacker may be able to log in with an outdated
password
Description:  An implementation issue in Password Server's handling
of replication may cause passwords to not be replicated. A remote
attacker may be able to log in to a system using an outdated
password. This issue is addressed through improved handling of
password replication. This issue only affects Mac OS X Server
systems. Credit to Jack Johnson of Anchorage School District for
reporting this issue.

perl
CVE-ID:  CVE-2008-5302, CVE-2008-5303
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8
Impact:  A local user may cause arbitrary files to be deleted
Description:  Multiple race condition issues exist in the rmtree
function of the perl module File::Path. A local user with write
access to a directory that is being deleted may cause arbitrary files
to be removed with the privileges of the perl process. This issue is
addressed through improved handling of symbolic links. This issue
does not affect Mac OS X v10.6 systems.
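
CVE-2008-5302 and CVE-2008-5303 are the classic symlink race in a
recursive delete: between the moment rmtree decides an entry is a
directory and the moment it acts on it, a local user with write access
to that directory swaps the entry for a symlink, and the deletion (or
permission change) lands on the link's target. The Python below is an
added example of the hardened pattern, not Perl's code: the tree is
walked with file descriptors and *at-style calls, and symlinks are
never followed. demo() builds a throw-away tree with a planted link to
show that the link target survives.

```python
import os
import stat
import tempfile


def _rmtree_at(parent_fd: int, name: str) -> None:
    """Delete directory `name` (an entry of the directory open on parent_fd)
    using only fd-relative operations, so a concurrent rename or symlink
    swap cannot redirect any call outside the tree."""
    fd = os.open(name, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW,
                 dir_fd=parent_fd)
    try:
        for entry in os.listdir(fd):
            st = os.stat(entry, dir_fd=fd, follow_symlinks=False)
            if stat.S_ISDIR(st.st_mode):
                _rmtree_at(fd, entry)
            else:
                # Files and symlinks alike: unlink removes the entry itself,
                # never the object a link points at.
                os.unlink(entry, dir_fd=fd)
    finally:
        os.close(fd)
    os.rmdir(name, dir_fd=parent_fd)


def safe_rmtree(path: str) -> None:
    """Recursively delete `path` without following any symbolic link.

    A symlink at `path` itself is unlinked, not descended into. Below that,
    every step uses the parent's file descriptor (openat/fstatat/unlinkat
    semantics) and directories are opened with O_NOFOLLOW, so an entry that
    turns into a symlink between the stat and the open makes the open fail
    instead of sending the delete elsewhere.
    """
    path = os.path.normpath(path)
    parent, name = os.path.split(path)
    if not name or name == "..":
        raise ValueError(f"refusing to operate on {path!r}")
    parent_fd = os.open(parent or ".", os.O_RDONLY | os.O_DIRECTORY)
    try:
        st = os.stat(name, dir_fd=parent_fd, follow_symlinks=False)
        if stat.S_ISDIR(st.st_mode):
            _rmtree_at(parent_fd, name)
        else:
            os.unlink(name, dir_fd=parent_fd)
    finally:
        os.close(parent_fd)


def demo() -> dict:
    """Constructed scenario: the tree to delete contains a planted symlink to
    a directory outside it, and a second call is pointed at a symlink
    directly. Returns what was removed and what survived."""
    with tempfile.TemporaryDirectory() as tmp:
        victim = os.path.join(tmp, "victim")
        os.makedirs(victim)
        keep = os.path.join(victim, "keep.txt")
        with open(keep, "w") as f:
            f.write("must survive\n")

        doomed_sub = os.path.join(tmp, "doomed", "sub")
        os.makedirs(doomed_sub)
        with open(os.path.join(doomed_sub, "junk.txt"), "w") as f:
            f.write("junk\n")
        os.symlink(victim, os.path.join(doomed_sub, "trap"))  # the planted link
        safe_rmtree(os.path.join(tmp, "doomed"))

        link = os.path.join(tmp, "link-to-victim")
        os.symlink(victim, link)
        safe_rmtree(link)  # removes the link only

        return {
            "doomed_removed": not os.path.lexists(os.path.join(tmp, "doomed")),
            "link_removed": not os.path.lexists(link),
            "victim_intact": os.path.exists(keep),
        }


if __name__ == "__main__":
    print(demo())  # {'doomed_removed': True, 'link_removed': True, 'victim_intact': True}
```

Python's own shutil.rmtree has used this fd-based walk since 3.3 on
platforms that support dir_fd, for exactly this reason; the version
above is spelled out so the two ingredients of the fix, never following
links and never re-resolving a path by name after checking it, are
visible.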

PHP
CVE-ID:  CVE-2009-3557, CVE-2009-3558, CVE-2009-3559, CVE-2009-4017
Available for:  Mac OS X v10.6 through v10.6.2,
Mac OS X Server v10.6 through v10.6.2
Impact:  Multiple vulnerabilities in PHP 5.3.0
Description:  PHP is updated to version 5.3.1 to address multiple
vulnerabilities, the most serious of which may lead to arbitrary code
execution. Further information is available via the PHP website at
http://www.php.net/

PHP
CVE-ID:  CVE-2009-3557, CVE-2009-3558, CVE-2009-3559, CVE-2009-4142,
CVE-2009-4143
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8
Impact:  Multiple vulnerabilities in PHP 5.2.11
Description:  PHP is updated to version 5.2.12 to address multiple
vulnerabilities, the most serious of which may lead to cross-site
scripting. Further information is available via the PHP website at
http://www.php.net/

Podcast Producer
CVE-ID:  CVE-2010-0511
Available for:  Mac OS X Server v10.6 through v10.6.2
Impact:  An unauthorized user may be able to access a Podcast
Composer workflow
Description:  When a Podcast Composer workflow is overwritten, the
access restrictions are removed. This may allow an unauthorized user
to access a Podcast Composer workflow. This issue is addressed
through improved handling of workflow access restrictions. Podcast
Composer was introduced in Mac OS X Server v10.6.

Preferences
CVE-ID:  CVE-2010-0512
Available for:  Mac OS X v10.6 through v10.6.2,
Mac OS X Server v10.6 through v10.6.2
Impact:  A network user may be able to bypass system login
restrictions
Description:  An implementation issue exists in the handling of
system login restrictions for network accounts. If the network
accounts allowed to log in to the system at the Login Window are
identified by group membership only, the restriction will not be
enforced, and all network users will be allowed to log in to the
system. The issue is addressed through improved group restriction
management in the Accounts preference pane. This issue only affects
systems configured to use a network account server, and does not
affect systems prior to Mac OS X v10.6. Credit to Christopher D.
Grieb of University of Michigan MSIS for reporting this issue.

PS Normalizer
CVE-ID:  CVE-2010-0513
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2
Impact:  Viewing a maliciously crafted PostScript file may lead to an
unexpected application termination or arbitrary code execution
Description:  A stack buffer overflow exists in the handling of
PostScript files. Viewing a maliciously crafted PostScript file may
lead to an unexpected application termination or arbitrary code
execution. This issue is addressed by performing additional
validation of PostScript files. On Mac OS X v10.6 systems this issue
is mitigated by the -fstack-protector compiler flag. Credit: Apple.

QuickTime
CVE-ID:  CVE-2010-0062
Available for:  Mac OS X v10.6 through v10.6.2,
Mac OS X Server v10.6 through v10.6.2
Impact:  Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description:  A heap buffer overflow exists in QuickTime's handling
of H.263 encoded movie files. Viewing a maliciously crafted movie
file may lead to an unexpected application termination or arbitrary
code execution. This issue is addressed by performing additional
validation of H.263 encoded movie files. Credit to Damian Put working
with TippingPoint's Zero Day Initiative for reporting this issue.

QuickTime
CVE-ID:  CVE-2010-0514
Available for:  Mac OS X v10.6 through v10.6.2,
Mac OS X Server v10.6 through v10.6.2
Impact:  Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description:  A heap buffer overflow exists in the handling of H.261
encoded movie files. Viewing a maliciously crafted movie file may
lead to an unexpected application termination or arbitrary code
execution. This issue is addressed by performing additional
validation of H.261 encoded movie files. Credit to Will Dormann of
the CERT/CC for reporting this issue.

QuickTime
CVE-ID:  CVE-2010-0515
Available for:  Mac OS X v10.6 through v10.6.2,
Mac OS X Server v10.6 through v10.6.2
Impact:  Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description:  A memory corruption issue exists in the handling of H.264
encoded movie files. Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution. This
issue is addressed by performing additional validation of H.264
encoded movie files.

QuickTime
CVE-ID:  CVE-2010-0516
Available for:  Mac OS X v10.6 through v10.6.2,
Mac OS X Server v10.6 through v10.6.2
Impact:  Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description:  A heap buffer overflow exists in the handling of RLE
encoded movie files. Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution. This
issue is addressed by performing additional validation of RLE encoded
movie files. Credit to an anonymous researcher working with
TippingPoint's Zero Day Initiative for reporting this issue.

QuickTime
CVE-ID:  CVE-2010-0517
Available for:  Mac OS X v10.6 through v10.6.2,
Mac OS X Server v10.6 through v10.6.2
Impact:  Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description:  A heap buffer overflow exists in the handling of M-JPEG
encoded movie files. Viewing a maliciously crafted movie file may
lead to an unexpected application termination or arbitrary code
execution. This issue is addressed by performing additional
validation of M-JPEG encoded movie files. Credit to Damian Put
working with TippingPoint's Zero Day Initiative for reporting this
issue.

QuickTime
CVE-ID:  CVE-2010-0518
Available for:  Mac OS X v10.6 through v10.6.2,
Mac OS X Server v10.6 through v10.6.2
Impact:  Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description:  A memory corruption issue exists in the handling of
Sorenson encoded movie files. Viewing a maliciously crafted movie
file may lead to an unexpected application termination or arbitrary
code execution. This issue is addressed by performing additional
validation of Sorenson encoded movie files. Credit to Will Dormann of
the CERT/CC for reporting this issue.

QuickTime
CVE-ID:  CVE-2010-0519
Available for:  Mac OS X v10.6 through v10.6.2,
Mac OS X Server v10.6 through v10.6.2
Impact:  Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description:  An integer overflow exists in the handling of FlashPix
encoded movie files. Viewing a maliciously crafted movie file may
lead to an unexpected application termination or arbitrary code
execution. This issue is addressed through improved bounds checking.
Credit to an anonymous researcher working with TippingPoint's Zero
Day Initiative for reporting this issue.

QuickTime
CVE-ID:  CVE-2010-0520
Available for:  Mac OS X v10.6 through v10.6.2,
Mac OS X Server v10.6 through v10.6.2
Impact:  Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description:  A heap buffer overflow exists in the handling of FLC
encoded movie files. Viewing a maliciously crafted movie file may
lead to an unexpected application termination or arbitrary code
execution. This issue is addressed by performing additional
validation of FLC encoded movie files. Credit to Moritz Jodeit of
n.runs AG, working with TippingPoint's Zero Day Initiative, and
Nicolas Joly of VUPEN Security for reporting this issue.

QuickTime
CVE-ID:  CVE-2010-0526
Available for:  Mac OS X v10.6 through v10.6.2,
Mac OS X Server v10.6 through v10.6.2
Impact:  Viewing a maliciously crafted MPEG file may lead to an
unexpected application termination or arbitrary code execution
Description:  A heap buffer overflow exists in the handling of MPEG
encoded movie files. Viewing a maliciously crafted movie file may
lead to an unexpected application termination or arbitrary code
execution. This issue is addressed by performing additional
validation of MPEG encoded movie files. Credit to an anonymous
researcher working with TippingPoint's Zero Day Initiative for
reporting this issue.

Ruby
CVE-ID:  CVE-2009-2422, CVE-2009-3009, CVE-2009-4214
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2
Impact:  Multiple issues in Ruby on Rails
Description:  Multiple vulnerabilities exist in Ruby on Rails, the
most serious of which may lead to cross-site scripting. On Mac OS X
v10.6 systems, these issues are addressed by updating Ruby on Rails
to version 2.3.5. Mac OS X v10.5 systems are affected only by
CVE-2009-4214, and this issue is addressed through improved
validation of arguments to strip_tags.

Ruby
CVE-ID:  CVE-2009-1904
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2
Impact:  Running a Ruby script that uses untrusted input to
initialize a BigDecimal object may lead to an unexpected application
termination
Description:  A stack exhaustion issue exists in Ruby's handling of
BigDecimal objects with very large values. Running a Ruby script that
uses untrusted input to initialize a BigDecimal object may lead to an
unexpected application termination. For Mac OS X v10.6 systems, this
issue is addressed by updating Ruby to version 1.8.7-p173. For Mac OS
X v10.5 systems, this issue is addressed by updating Ruby to version
1.8.6-p369.

Server Admin
CVE-ID:  CVE-2010-0521
Available for:  Mac OS X Server v10.5.8,
Mac OS X Server v10.6 through v10.6.2
Impact:  A remote attacker may extract information from Open
Directory
Description:  A design issue exists in the handling of authenticated
directory binding. A remote attacker may be able to anonymously
extract information from Open Directory, even if the "Require
authenticated binding between directory and clients" option is
enabled. The issue is addressed by removing this configuration
option. This issue only affects Mac OS X Server systems. Credit to
Scott Gruby of Gruby Solutions, and Mathias Haack of GRAVIS
Computervertriebsgesellschaft mbH for reporting this issue.

Server Admin
CVE-ID:  CVE-2010-0522
Available for:  Mac OS X Server v10.5.8
Impact:  A former administrator may have unauthorized access to
screen sharing
Description:  A user who is removed from the 'admin' group may still
connect to the server using screen sharing. This issue is addressed
through improved handling of administrator privileges. This issue
only affects Mac OS X Server systems, and does not affect version
10.6 or later. Credit: Apple.

SMB
CVE-ID:  CVE-2009-2906
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2
Impact:  A remote attacker may be able to cause a denial of service
Description:  An infinite loop issue exists in Samba's handling of
SMB 'oplock' break notifications. A remote attacker may be able to
trigger an infinite loop in smbd, causing it to consume excessive CPU
resources. The issue is addressed through improved handling of
'oplock' break notifications.

Tomcat
CVE-ID:  CVE-2009-0580, CVE-2009-0033, CVE-2009-0783, CVE-2008-5515,
CVE-2009-0781, CVE-2009-2901, CVE-2009-2902, CVE-2009-2693
Available for:  Mac OS X Server v10.5.8,
Mac OS X Server v10.6 through v10.6.2
Impact:  Multiple vulnerabilities in Tomcat 6.0.18
Description:  Tomcat is updated to version 6.0.24 to address multiple
vulnerabilities, the most serious of which may lead to a cross-site
scripting attack. Tomcat is only provided on Mac OS X Server systems.
Further information is available via the Tomcat site at
http://tomcat.apache.org/

unzip
CVE-ID:  CVE-2008-0888
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8
Impact:  Extracting maliciously crafted zip files using the unzip
command tool may lead to an unexpected application termination or
code execution
Description:  An uninitialized pointer issue exists in the handling
of zip files. Extracting maliciously crafted zip files using the
unzip command tool may lead to an unexpected application termination
or arbitrary code execution. This issue is addressed by performing
additional validation of zip files. This issue does not affect Mac OS
X v10.6 systems.

vim
CVE-ID:  CVE-2008-2712, CVE-2008-4101, CVE-2009-0316
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8
Impact:  Multiple vulnerabilities in vim 7.0
Description:  Multiple vulnerabilities exist in vim 7.0, the most
serious of which may lead to arbitrary code execution when working
with maliciously crafted files. These issues are addressed by
updating to vim 7.2.102. These issues do not affect Mac OS X v10.6
systems. Further information is available via the vim website at
http://www.vim.org/

Wiki Server
CVE-ID:  CVE-2010-0523
Available for:  Mac OS X Server v10.5.8
Impact:  Uploading a maliciously crafted applet may lead to the
disclosure of sensitive information
Description:  Wiki Server allows users to upload active content such
as Java applets. A remote attacker may obtain sensitive information
by uploading a maliciously crafted applet and directing a Wiki Server
user to view it. The issue is addressed by restricting the file types
that may be uploaded to the Wiki Server. This issue only affects Mac
OS X Server systems, and does not affect versions 10.6 or later.

Wiki Server
CVE-ID:  CVE-2010-0534
Available for:  Mac OS X v10.6 through v10.6.2,
Mac OS X Server v10.6 through v10.6.2
Impact:  An authenticated user may bypass weblog creation
restrictions
Description:  Wiki Server supports service access control lists
(SACLs), allowing an administrator to control the publication of
content. Wiki Server fails to consult the weblog SACL during the
creation of a user's weblog. This may allow an authenticated user to
publish content to the Wiki Server, even though publication should be
disallowed by the service ACL. This issue does not affect systems
prior to Mac OS X v10.6.

X11
CVE-ID:  CVE-2009-2042
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2
Impact:  Viewing a maliciously crafted image may lead to the
disclosure of sensitive information
Description:  libpng is updated to version 1.2.37 to address an issue
that may result in the disclosure of sensitive information. Further
information is available via the libpng site at
http://www.libpng.org/pub/png/libpng.html

X11
CVE-ID:  CVE-2003-0063
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2
Impact:  Displaying maliciously crafted data within an xterm terminal
may lead to arbitrary code execution
Description:  The xterm program supports a command sequence to change
the window title, and to print the window title to the terminal. The
information returned is provided to the terminal as though it were
keyboard input from the user. Within an xterm terminal, displaying
maliciously crafted data containing such sequences may result in
command injection. The issue is addressed by disabling the affected
command sequence.

xar
CVE-ID:  CVE-2010-0055
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8
Impact:  A modified package may appear as validly signed
Description:  A design issue exists in xar when validating a package
signature. This may allow a modified package to appear as validly
signed. This issue is fixed through improved package signature
validation. This issue does not affect Mac OS X v10.6 systems.
Credit: Apple.


Security Update 2010-002 / Mac OS X v10.6.3 may be obtained from
the Software Update pane in System Preferences, or Apple's Software
Downloads web site:
http://www.apple.com/support/downloads/

The Software Update utility will present the update that applies
to your system configuration. Only one is needed, either
Security Update 2010-002 or Mac OS X v10.6.3.

For Mac OS X v10.6.2
The download file is named: MacOSXUpd10.6.3.dmg
Its SHA-1 digest is: d3a310c02fcd8199fe55b11c801659974b3d3ab3

For Mac OS X v10.6 and v10.6.1
The download file is named: MacOSXUpdCombo10.6.3.dmg
Its SHA-1 digest is: 72c12635cf83ab6fe028ddf81b0af7357853f736

For Mac OS X Server v10.6.2
The download file is named: MacOSXServerUpd10.6.3.dmg
Its SHA-1 digest is: 7375540ba74774a93551c0a2281b3f661bb57608

For Mac OS X Server v10.6 and v10.6.1
The download file is named: MacOSXServerUpdCombo10.6.3.dmg
Its SHA-1 digest is: 1c844309397f6cf54dc928a2fc57835865c0a768

For Mac OS X v10.5.8
The download file is named: SecUpd2010-002Leo.dmg
Its SHA-1 digest is: 4f5f212c09f8275a0593b826c226875d2a48e0a6

For Mac OS X Server v10.5.8
The download file is named: SecUpdSrvr2010-002Leo.dmg
Its SHA-1 digest is: 7a5f9d9580c98dcaf2a21bad4877bb16acf500b0
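A check that compares a downloaded image against the digests listed above before it is installed, written as an added example for this bulletin (not Apple's or AusCERT's code). The digest table is copied from the entries above; SHA-1 is used because that is what the bulletin publishes. A matching digest shows the file is the one the bulletin describes; authenticity of the bulletin itself rests on its PGP signature.

```python
import hashlib
import hmac
import os

# Download file names and SHA-1 digests as listed in the bulletin.
EXPECTED_SHA1 = {
    "MacOSXUpd10.6.3.dmg": "d3a310c02fcd8199fe55b11c801659974b3d3ab3",
    "MacOSXUpdCombo10.6.3.dmg": "72c12635cf83ab6fe028ddf81b0af7357853f736",
    "MacOSXServerUpd10.6.3.dmg": "7375540ba74774a93551c0a2281b3f661bb57608",
    "MacOSXServerUpdCombo10.6.3.dmg": "1c844309397f6cf54dc928a2fc57835865c0a768",
    "SecUpd2010-002Leo.dmg": "4f5f212c09f8275a0593b826c226875d2a48e0a6",
    "SecUpdSrvr2010-002Leo.dmg": "7a5f9d9580c98dcaf2a21bad4877bb16acf500b0",
}


def sha1_hexdigest_of_bytes(data: bytes) -> str:
    """SHA-1 of an in-memory buffer (used by the tests and small inputs)."""
    return hashlib.sha1(data).hexdigest()


def sha1_hexdigest_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """SHA-1 of a file, streamed so multi-hundred-MB images fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_digest(filename: str, actual_hexdigest: str) -> bool:
    """Compare a computed digest with the bulletin's value for that file.

    Raises KeyError for a file name the bulletin does not list, so an
    unexpected download is never silently treated as verified.
    """
    expected = EXPECTED_SHA1.get(filename)
    if expected is None:
        raise KeyError(f"{filename} is not a download listed in this bulletin")
    return hmac.compare_digest(expected.lower(), actual_hexdigest.lower())


def verify_download(path: str) -> bool:
    """Verify a downloaded .dmg by its base name and streamed SHA-1."""
    return verify_digest(os.path.basename(path), sha1_hexdigest_of_file(path))


if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        print(p, "OK" if verify_download(p) else "DIGEST MISMATCH")
```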

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/


--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================