iPhoto 6.0.6 is now available and fixes the following security issue:
CVE-ID: CVE-2007-0051
Available for: Mac OS X version 10.3.9, and Mac OS X version
10.4.3 or later
Impact: Subscribing to a maliciously-crafted photocast may lead
to arbitrary code execution
Description: A format string vulnerability exists in iPhoto. By
enticing a user to subscribe to a maliciously-crafted photocast,
a remote attacker can trigger the vulnerability which may lead
to arbitrary code execution. This has been described on the
Month of Apple Bugs web site (MOAB-04-01-2007). This update
addresses the issue by performing additional validation while
handling photocast subscriptions. Credit to Kevin Finisterre of
DigitalMunition for reporting this issue.
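
The format string bug class named in the description, shown as an added C example; it is not Apple's code and not part of the original advisory. The function names and the sample feed title are constructed, and the sample contains only the "%%" escape so that the unsafe call stays well-defined.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: a title as it might arrive from a subscribed feed. */
static const char SAMPLE_TITLE[] = "Holiday 100%% off";

#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
/* Vulnerable pattern (hypothetical helper): untrusted text is used AS the
   format string, so the formatter interprets every '%' directive in it.
   Directives that consume arguments would make it touch memory the caller
   never supplied; that is undefined behaviour. */
static int render_title_unsafe(char *out, size_t n, const char *feed_title)
{
    return snprintf(out, n, feed_title);
}
#pragma GCC diagnostic pop

/* Hardened pattern: constant format, untrusted text passed only as data. */
static int render_title_safe(char *out, size_t n, const char *feed_title)
{
    return snprintf(out, n, "%s", feed_title);
}

/* Validation check (an assumption about what such a check could look like):
   flag any input the formatter would not copy through verbatim. */
static int has_format_directive(const char *s)
{
    return strchr(s, '%') != NULL;
}

int main(void)
{
    char unsafe[64], safe[64];

    render_title_unsafe(unsafe, sizeof unsafe, SAMPLE_TITLE);
    render_title_safe(safe, sizeof safe, SAMPLE_TITLE);

    /* The unsafe path collapses "%%" to "%": the input was parsed as a format. */
    printf("unsafe: %s\nsafe:   %s\nflagged: %d\n",
           unsafe, safe, has_format_directive(SAMPLE_TITLE));
    return 0;
}
```

Building with -Wformat -Wformat-security (or -Werror=format-security) makes the compiler flag the unsafe call at build time.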
iPhoto 6.0.6 may be obtained from the Software Update pane in
System Preferences, or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/
The download file is named: "iPhoto_606.dmg"
Its SHA-1 digest is: 18cb8a943cc65b56299dbea38eeb5b8434bff0ab