Operating System:

[MAC]

Published:

24 June 2011



===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2011.0667
               Mac OS X v10.6.8 and Security Update 2011-004
                               24 June 2011

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Mac OS X 10.6.7 and prior
                   Mac OS X Server 10.6.7 and prior
                   Mac OS X 10.5.8 and prior
                   Mac OS X Server 10.5.8 and prior
Publisher:         Apple
Operating System:  Mac OS X
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Access Privileged Data          -- Remote/Unauthenticated
                   Overwrite Arbitrary Files       -- Existing Account      
                   Denial of Service               -- Remote/Unauthenticated
                   Read-only Data Access           -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2011-1132 CVE-2011-0719 CVE-2011-0715
                   CVE-2011-0213 CVE-2011-0212 CVE-2011-0211
                   CVE-2011-0210 CVE-2011-0209 CVE-2011-0208
                   CVE-2011-0207 CVE-2011-0206 CVE-2011-0205
                   CVE-2011-0204 CVE-2011-0203 CVE-2011-0202
                   CVE-2011-0201 CVE-2011-0200 CVE-2011-0199
                   CVE-2011-0198 CVE-2011-0197 CVE-2011-0196
                   CVE-2011-0195 CVE-2011-0014 CVE-2010-4651
                   CVE-2010-4180 CVE-2010-3864 CVE-2010-3838
                   CVE-2010-3837 CVE-2010-3836 CVE-2010-3835
                   CVE-2010-3834 CVE-2010-3833 CVE-2010-3790
                   CVE-2010-3682 CVE-2010-3677 CVE-2010-3069
                   CVE-2010-2632 CVE-2010-0740 CVE-2009-3245

Reference:         ESB-2011.0439
                   ESB-2011.0314
                   ESB-2011.0255
                   ESB-2011.0169
                   ESB-2010.1107
                   ESB-2010.1048.2
                   ESB-2010.1039.2
                   ESB-2010.0835
                   ESB-2010.0274

Original Bulletin: 
   http://support.apple.com/kb/HT4723

- --------------------------BEGIN INCLUDED TEXT--------------------


APPLE-SA-2011-06-23-1 Mac OS X v10.6.8 and Security Update 2011-004

Mac OS X v10.6.8 and Security Update 2011-004 are now available and
address the following:

AirPort
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8
Impact:  When connected to Wi-Fi, an attacker on the same network may
be able to cause a system reset
Description:  An out-of-bounds memory read issue existed in the
handling of Wi-Fi frames. When connected to Wi-Fi, an attacker on the
same network may be able to cause a system reset. This issue does not
affect Mac OS X v10.6.
CVE-ID
CVE-2011-0196

App Store
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.7, Mac OS X Server v10.6 through v10.6.7
Impact:  The user's AppleID password may be logged to a local file
Description:  In certain circumstances, App Store may log the user's
AppleID password to a file that is not readable by other users on the
system. This issue is addressed through improved handling of
credentials.
CVE-ID
CVE-2011-0197 : Paul Nelson

ATS
Available for:  Mac OS X v10.6 through v10.6.7,
Mac OS X Server v10.6 through v10.6.7
Impact:  Viewing or downloading a document containing a maliciously
crafted embedded font may lead to arbitrary code execution
Description:  A heap buffer overflow issue existed in the handling of
TrueType fonts. Viewing or downloading a document containing a
maliciously crafted embedded font may lead to arbitrary code
execution.
CVE-ID
CVE-2011-0198 : Harry Sintonen, Marc Schoenefeld of the Red Hat
Security Response Team

Certificate Trust Policy
Available for:  Mac OS X v10.6 through v10.6.7,
Mac OS X Server v10.6 through v10.6.7
Impact:  An attacker with a privileged network position may intercept
user credentials or other sensitive information
Description:  An error handling issue existed in the Certificate
Trust Policy. If an Extended Validation (EV) certificate has no OCSP
URL, and CRL checking is enabled, the CRL will not be checked and a
revoked certificate may be accepted as valid. This issue is mitigated
as most EV certificates specify an OCSP URL.
CVE-ID
CVE-2011-0199 : Chris Hawk and Wan-Teh Chang of Google
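The error-handling flaw described above, modelled in Python as an added example (not Apple's code): certificates are plain dicts, OCSP and CRL lookups are constructed tables, and the two functions contrast the fail-open ordering (a missing OCSP URL on an EV certificate ends the check early) with a fail-closed ordering that falls back to the CRL.

```python
"""Hypothetical model of the revocation-checking flaw behind CVE-2011-0199.

Not Apple's code. Certificates are dicts with 'serial', 'ev' and
'ocsp_url'; the revocation sources below are constructed test data.
"""
from enum import Enum


class Status(Enum):
    GOOD = "good"
    REVOKED = "revoked"


# Constructed revocation data, keyed by certificate serial number.
OCSP_RESPONSES = {"1001": Status.REVOKED}
CRL_SERIALS = {"1001", "2002"}          # serials listed on the CRL


def ocsp_lookup(cert):
    """Return the OCSP status, or None when the cert carries no OCSP URL."""
    if not cert.get("ocsp_url"):
        return None
    return OCSP_RESPONSES.get(cert["serial"], Status.GOOD)


def crl_lookup(cert):
    """Return REVOKED if the serial is on the (constructed) CRL."""
    return Status.REVOKED if cert["serial"] in CRL_SERIALS else Status.GOOD


def flawed_check(cert, crl_checking_enabled):
    """Fail-open ordering: EV certificates take the OCSP branch, and a
    missing OCSP URL yields None, which is not REVOKED, so the certificate
    is accepted without the CRL ever being consulted."""
    if cert["ev"]:
        result = ocsp_lookup(cert)
        return result != Status.REVOKED      # bug: None falls through as accepted
    if crl_checking_enabled:
        return crl_lookup(cert) != Status.REVOKED
    return True


def fixed_check(cert, crl_checking_enabled):
    """Fail-closed ordering: only a definite OCSP answer short-circuits;
    no answer at all continues to the CRL when CRL checking is enabled."""
    result = ocsp_lookup(cert)
    if result == Status.REVOKED:
        return False
    if result == Status.GOOD:
        return True
    if crl_checking_enabled:
        return crl_lookup(cert) != Status.REVOKED
    # No revocation source reachable: this model refuses rather than accepts.
    return False
```
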

ColorSync
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8
Impact:  Viewing a maliciously crafted image with an embedded
ColorSync profile may lead to an unexpected application termination
or arbitrary code execution
Description:  An integer overflow existed in the handling of images
with an embedded ColorSync profile, which may lead to a heap buffer
overflow. Opening a maliciously crafted image with an embedded
ColorSync profile may lead to an unexpected application termination
or arbitrary code execution.
CVE-ID
CVE-2011-0200 : binaryproof working with TippingPoint's Zero Day
Initiative

CoreFoundation
Available for:  Mac OS X v10.6 through v10.6.7,
Mac OS X Server v10.6 through v10.6.7
Impact:  Applications that use the CoreFoundation framework may be
vulnerable to an unexpected application termination or arbitrary code
execution
Description:  An off-by-one buffer overflow issue existed in the
handling of CFStrings. Applications that use the CoreFoundation
framework may be vulnerable to an unexpected application termination
or arbitrary code execution.
CVE-ID
CVE-2011-0201 : Harry Sintonen

CoreGraphics
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.7, Mac OS X Server v10.6 through v10.6.7
Impact:  Opening a maliciously crafted PDF file may lead to an
unexpected application termination or arbitrary code execution
Description:  An integer overflow issue existed in the handling of
Type 1 fonts. Viewing or downloading a document containing a
maliciously crafted embedded font may lead to arbitrary code
execution.
CVE-ID
CVE-2011-0202 : Cristian Draghici of Modulo Consulting, Felix Grobert
of the Google Security Team

FTP Server
Available for:  Mac OS X Server v10.6 through v10.6.7
Impact:  A person with FTP access may list files on the system
Description:  A path validation issue existed in xftpd. A person with
FTP access may perform a recursive directory listing starting from
the root, including directories that are not shared for FTP. The
listing will eventually include any file that would be accessible to
the FTP user. The contents of files are not disclosed. This issue is
addressed through improved path validation. This issue only affects
Mac OS X Server systems.
CVE-ID
CVE-2011-0203 : team karlkani

ImageIO
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.7, Mac OS X Server v10.6 through v10.6.7
Impact:  Viewing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution
Description:  A heap buffer overflow existed in ImageIO's handling of
TIFF images. Viewing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution.
CVE-ID
CVE-2011-0204 : Dominic Chell of NGS Secure

ImageIO
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.7, Mac OS X Server v10.6 through v10.6.7
Impact:  Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description:  A heap buffer overflow issue existed in ImageIO's
handling of JPEG2000 images. Visiting a maliciously crafted website
may lead to an unexpected application termination or arbitrary code
execution.
CVE-ID
CVE-2011-0205 : Harry Sintonen

International Components for Unicode
Available for:  Mac OS X v10.6 through v10.6.7,
Mac OS X Server v10.6 through v10.6.7
Impact:  Applications that use ICU may be vulnerable to an unexpected
application termination or arbitrary code execution
Description:  A buffer overflow issue existed in ICU's handling of
uppercase strings. Applications that use ICU may be vulnerable to an
unexpected application termination or arbitrary code execution.
CVE-ID
CVE-2011-0206 : David Bienvenu of Mozilla

Kernel
Available for:  Mac OS X v10.6 through v10.6.7,
Mac OS X Server v10.6 through v10.6.7
Impact:  A local user may be able to cause a system reset
Description:  A null dereference issue existed in the handling of
IPv6 socket options. A local user may be able to cause a system
reset.
CVE-ID
CVE-2011-1132 : Thomas Clement of Intego

Libsystem
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.7, Mac OS X Server v10.6 through v10.6.7
Impact:  Applications which use the glob(3) API may be vulnerable to
a denial of service
Description:  Applications which use the glob(3) API may be
vulnerable to a denial of service. If the glob pattern comes from
untrusted input, the application may hang or use excessive CPU
resources. This issue is addressed through improved validation of
glob patterns.
CVE-ID
CVE-2010-2632 : Maksymilian Arciemowicz

libxslt
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.7, Mac OS X Server v10.6 through v10.6.7
Impact:  Visiting a maliciously crafted website may lead to the
disclosure of addresses on the heap
Description:  libxslt's implementation of the generate-id() XPath
function disclosed the address of a heap buffer. Visiting a
maliciously crafted website may lead to the disclosure of addresses
on the heap. This issue is addressed by generating an ID based on the
difference between the addresses of two heap buffers.
CVE-ID
CVE-2011-0195 : Chris Evans of the Google Chrome Security Team

MobileMe
Available for:  Mac OS X v10.6 through v10.6.7,
Mac OS X Server v10.6 through v10.6.7
Impact:  An attacker with a privileged network position may read a
user's MobileMe email aliases
Description:  When communicating with MobileMe to determine a user's
email aliases, Mail will make requests over HTTP. As a result, an
attacker with a privileged network position may read a user's
MobileMe email aliases. This issue is addressed by using SSL to
access the user's email aliases.
CVE-ID
CVE-2011-0207 : Aaron Sigel of vtty.com

MySQL
Available for:  Mac OS X Server v10.5.8,
Mac OS X Server v10.6 through v10.6.7
Impact:  Multiple vulnerabilities in MySQL 5.0.91
Description:  MySQL is updated to version 5.0.92 to address multiple
vulnerabilities, the most serious of which may lead to arbitrary code
execution. MySQL is only provided with Mac OS X Server systems.
Further information is available via the MySQL web site at
http://dev.mysql.com/doc/refman/5.0/en/news-5-0-92.html
CVE-ID
CVE-2010-3677
CVE-2010-3682
CVE-2010-3833
CVE-2010-3834
CVE-2010-3835
CVE-2010-3836
CVE-2010-3837
CVE-2010-3838

OpenSSL
Available for:  Mac OS X v10.6 through v10.6.7,
Mac OS X Server v10.6 through v10.6.7
Impact:  Multiple vulnerabilities in OpenSSL
Description:  Multiple vulnerabilities existed in OpenSSL, the most
serious of which may lead to arbitrary code execution. These issues
are addressed by updating OpenSSL to version 0.9.8r.
CVE-ID
CVE-2009-3245
CVE-2010-0740
CVE-2010-3864
CVE-2010-4180
CVE-2011-0014

patch
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.7, Mac OS X Server v10.6 through v10.6.7
Impact:  Running patch on a maliciously crafted patch file may cause
arbitrary files to be created or overwritten
Description:  A directory traversal issue existed in GNU patch.
Running patch on a maliciously crafted patch file may cause arbitrary
files to be created or overwritten. This issue is addressed through
improved validation of patch files.
CVE-ID
CVE-2010-4651
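Both the xftpd listing issue (CVE-2011-0203) and the GNU patch traversal (CVE-2010-4651) come down to confining caller-supplied paths to a permitted root. The following is an added Python example, not Apple's or GNU patch's code; it uses posixpath so results are host-independent, omits patch's `-p` component stripping, and a real server would additionally resolve symlinks with os.path.realpath before trusting the result.

```python
"""Path-containment checks of the kind that close a recursive listing
from '/' in an FTP server and '..' targets in a patch file.

Added example with constructed inputs; not the original projects' code.
"""
import posixpath
import re


class PathEscape(ValueError):
    """Raised when a caller-supplied path would leave the permitted root."""


def confine(root, user_path):
    """Return the normalised absolute path of user_path inside root, or
    raise PathEscape. A leading '/' from the client is stripped, so '/'
    maps to the share root rather than the filesystem root."""
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, user_path.lstrip("/")))
    if candidate != root and not candidate.startswith(root.rstrip("/") + "/"):
        raise PathEscape(user_path)
    return candidate


_TARGET = re.compile(r"^\+\+\+ (\S+)")


def patch_targets(diff_text):
    """Yield the '+++' target names of a unified diff (text, not parsed)."""
    for line in diff_text.splitlines():
        m = _TARGET.match(line)
        if m:
            yield m.group(1)


def safe_patch_targets(diff_text, workdir):
    """Return confined destination paths for every target in diff_text,
    rejecting absolute names and any '..' component before confinement."""
    out = []
    for name in patch_targets(diff_text):
        if name.startswith("/") or ".." in name.split("/"):
            raise PathEscape(name)
        out.append(confine(workdir, name))
    return out


# Constructed unified-diff fragments used by the checks below.
BENIGN_DIFF = "--- a/src/util.c\n+++ b/src/util.c\n@@ -1 +1 @@\n-x\n+y\n"
ESCAPING_DIFF = "--- /dev/null\n+++ ../../outside.txt\n@@ -0,0 +1 @@\n+x\n"
```
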

QuickLook
Available for:  Mac OS X v10.6 through v10.6.7,
Mac OS X Server v10.6 through v10.6.7
Impact:  Downloading a maliciously crafted Microsoft Office file may
lead to an unexpected application termination or arbitrary code
execution
Description:  A memory corruption issue existed in QuickLook's
handling of Microsoft Office files. Downloading a maliciously crafted
Microsoft Office file may lead to an unexpected application
termination or arbitrary code execution. This issue does not affect
systems prior to Mac OS X v10.6.
CVE-ID
CVE-2011-0208 : Tobias Klein working with iDefense VCP

QuickTime
Available for:  Mac OS X v10.6 through v10.6.7,
Mac OS X Server v10.6 through v10.6.7
Impact:  Viewing a maliciously crafted WAV file may lead to an
unexpected application termination or arbitrary code execution
Description:  An integer overflow existed in QuickTime's handling of
RIFF WAV files. Viewing a maliciously crafted WAV file may lead to an
unexpected application termination or arbitrary code execution.
CVE-ID
CVE-2011-0209 : Luigi Auriemma working with TippingPoint's Zero Day
Initiative

QuickTime
Available for:  Mac OS X v10.6 through v10.6.7,
Mac OS X Server v10.6 through v10.6.7
Impact:  Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description:  A memory corruption issue existed in QuickTime's
handling of sample tables in QuickTime movie files. Viewing a
maliciously crafted movie file may lead to an unexpected application
termination or arbitrary code execution.
CVE-ID
CVE-2011-0210 : Honggang Ren of Fortinet's FortiGuard Labs

QuickTime
Available for:  Mac OS X v10.6 through v10.6.7,
Mac OS X Server v10.6 through v10.6.7
Impact:  Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description:  An integer overflow existed in QuickTime's handling of
movie files. Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution.
CVE-ID
CVE-2011-0211 : Luigi Auriemma working with TippingPoint's Zero Day
Initiative

QuickTime
Available for:  Mac OS X v10.6 through v10.6.7,
Mac OS X Server v10.6 through v10.6.7
Impact:  Viewing a maliciously crafted PICT image may lead to an
unexpected application termination or arbitrary code execution
Description:  A buffer overflow existed in QuickTime's handling of
PICT images. Viewing a maliciously crafted PICT image may lead to an
unexpected application termination or arbitrary code execution.
CVE-ID
CVE-2010-3790 : Subreption LLC working with TippingPoint's Zero Day
Initiative

QuickTime
Available for:  Mac OS X v10.6 through v10.6.7,
Mac OS X Server v10.6 through v10.6.7
Impact:  Viewing a maliciously crafted JPEG file may lead to an
unexpected application termination or arbitrary code execution
Description:  A buffer overflow existed in QuickTime's handling of
JPEG files. Viewing a maliciously crafted JPEG file may lead to an
unexpected application termination or arbitrary code execution.
CVE-ID
CVE-2011-0213 : Luigi Auriemma working with iDefense

Samba
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8
Impact:  If SMB file sharing is enabled, a remote attacker may cause
a denial of service or arbitrary code execution
Description:  A stack buffer overflow existed in Samba's handling of
Windows Security IDs. If SMB file sharing is enabled, a remote
attacker may cause a denial of service or arbitrary code execution.
For Mac OS X v10.6 systems, this issue is addressed in Mac OS X
10.6.7.
CVE-ID
CVE-2010-3069

Samba
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.7, Mac OS X Server v10.6 through v10.6.7
Impact:  If SMB file sharing is enabled, a remote attacker may cause
a denial of service or arbitrary code execution
Description:  A memory corruption issue existed in Samba's handling
of file descriptors. If SMB file sharing is enabled, a remote
attacker may cause a denial of service or arbitrary code execution.
CVE-ID
CVE-2011-0719 : Volker Lendecke of SerNet

servermgrd
Available for:  Mac OS X Server v10.5.8,
Mac OS X Server v10.6 through v10.6.7
Impact:  A remote attacker may be able to read arbitrary files from
the system
Description:  An XML External Entity issue existed in servermgrd's
handling of XML-RPC requests. This issue is addressed by removing
servermgrd's XML-RPC interface. This issue only affects Mac OS X
Server systems.
CVE-ID
CVE-2011-0212 : Apple
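Apple's fix was to remove the interface; for a service that must keep accepting XML-RPC, the usual hardening is to refuse any request carrying a DTD, since XML-RPC needs none and every XXE vector starts there. Added Python example, not servermgrd's code; request bodies are constructed and the parser is the standard library's xmlrpc.client.

```python
"""Reject DTDs before handing an XML-RPC request to the parser.

Added example with constructed requests. xmlrpc.client.loads() returns
(params, methodname); internal entities in a DTD would still be expanded
by its expat parser, so the DTD check must run before parsing.
"""
import re
import xmlrpc.client

# A DTD can only be introduced by a literal '<!DOCTYPE' declaration.
_DOCTYPE = re.compile(rb"<!DOCTYPE")


class RejectedRequest(ValueError):
    """Raised for request bodies that fail the pre-parse policy."""


def parse_request(body: bytes):
    """Return (method_name, params) for a DTD-free XML-RPC method call."""
    if _DOCTYPE.search(body):
        raise RejectedRequest("DTD not permitted in XML-RPC requests")
    params, method = xmlrpc.client.loads(body)
    if method is None:
        raise RejectedRequest("not a methodCall")
    return method, params


# Constructed requests: a plain call, and one carrying a DTD.
BENIGN = (b'<?xml version="1.0"?><methodCall><methodName>status.get</methodName>'
          b'<params><param><value><string>host1</string></value></param>'
          b'</params></methodCall>')
WITH_DTD = (b'<?xml version="1.0"?><!DOCTYPE methodCall [<!ENTITY g "hello">]>'
            b'<methodCall><methodName>status.get</methodName><params>'
            b'<param><value><string>&g;</string></value></param></params>'
            b'</methodCall>')
```
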

subversion
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6 through v10.6.7, Mac OS X Server v10.6 through v10.6.7
Impact:  If an HTTP-based Subversion server is configured, a remote
attacker may be able to cause a denial of service
Description:  A null dereference issue existed in Subversion's
handling of lock tokens sent over HTTP. If an HTTP-based Subversion
server is configured, a remote attacker may be able to cause a denial
of service. For Mac OS X v10.6 systems, Subversion is updated to
version 1.6.6. For Mac OS X v10.5.8 systems, the issue is addressed
through additional validation of lock tokens. Further information is
available via the Subversion web site at
http://subversion.tigris.org/
CVE-ID
CVE-2011-0715


Mac OS X v10.6.8 and Security Update 2011-004 may be obtained from
the Software Update pane in System Preferences, or Apple's Software
Downloads web site:
http://www.apple.com/support/downloads/

The Software Update utility will present the update that applies
to your system configuration. Only one is needed, either
Security Update 2011-004 or Mac OS X v10.6.8.

For Mac OS X v10.6.7
The download file is named: MacOSXUpd10.6.8.dmg
Its SHA-1 digest is: fee3d708be1cef09185eb9f6bfad1884efb3f0fc

For Mac OS X v10.6 - v10.6.6
The download file is named: MacOSXUpdCombo10.6.8.dmg
Its SHA-1 digest is: 7e22a53b62bf16f44fbba4042606af91888335cf

For Mac OS X Server v10.6.7
The download file is named: MacOSXServerUpd10.6.8.dmg
Its SHA-1 digest is: 34e8d742635d11fe483b2ca63cbd2df4fe6bd42a

For Mac OS X Server v10.6 - v10.6.6
The download file is named: MacOSXServerUpdCombo10.6.8.dmg
Its SHA-1 digest is: 123bebedc91e9483c7e44e671bf27fda34821b1f

For Mac OS X v10.5.8
The download file is named: SecUpd2011-004.dmg
Its SHA-1 digest is: 2d8967d783c08c4d7904c0138f5ea6fb0056a2f0

For Mac OS X Server v10.5.8
The download file is named: SecUpdSrvr2011-004.dmg
Its SHA-1 digest is: 9fe192900feb5808307aa0329f1d0df430f536f6

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/


- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================