QuickTime 7.0.4 is available and delivers the following security
enhancements:
CVE-ID: CVE-2005-2340
Available for: Mac OS X v10.3.9 and later, Windows XP/2000
Impact: A maliciously-crafted QTIF image may result in arbitrary code
execution
Description: By carefully crafting a corrupt QTIF image, an attacker
can trigger a heap buffer overflow that may result in arbitrary code
execution. This update addresses the issue by performing additional
validation of GIF images. Credit to Varun Uppal of Kanbay for
reporting this issue.
CVE-ID: CVE-2005-3707, CVE-2005-3708, CVE-2005-3709
Available for: Mac OS X v10.3.9 and later, Windows XP/2000
Impact: Viewing a maliciously-crafted TGA image may result in
arbitrary code execution
Description: By carefully crafting a corrupt TGA image, an attacker
can trigger a buffer overflow, integer overflow, or integer underflow
that may result in a denial-of-service or arbitrary code execution.
This update addresses the issue by performing additional validation
of TGA images. Credit to Dejun Meng of Fortinet for reporting this
issue.
CVE-ID: CVE-2005-3710, CVE-2005-3711
Available for: Mac OS X v10.3.9 and later, Windows XP/2000
Impact: Viewing a maliciously-crafted TIFF image may result in
arbitrary code execution
Description: By carefully crafting a corrupt TIFF image, an attacker
can trigger an integer overflow that may result in a
denial-of-service or arbitrary code execution. This update addresses
the issue by performing additional validation of TIFF images. Credit
to Dejun Meng of Fortinet for reporting this issue.
CVE-ID: CVE-2005-3713
Available for: Mac OS X v10.3.9 and later, Windows XP/2000
Impact: A maliciously-crafted GIF image may result in arbitrary code
execution
Description: By carefully crafting a corrupt GIF image, an attacker
can trigger a heap buffer overflow that may result in arbitrary code
execution. This update addresses the issue by performing additional
validation of GIF images. Credit to Karl Lynn of eEye Digital
Security for reporting this issue.
CVE-ID: CVE-2005-4092
Available for: Mac OS X v10.3.9 and later, Windows XP/2000
Impact: A maliciously-crafted media file may result in arbitrary code
execution
Description: By carefully crafting a corrupt media file, an attacker
can trigger a heap buffer overflow that may result in arbitrary code
execution. This update addresses the issue by performing additional
validation of media files. Credit to Karl Lynn of eEye Digital
Security for reporting this issue.
QuickTime 7.0.4 may be obtained from the Software Update pane in
System Preferences, or from the Download tab in the QuickTime site
http://www.apple.com/quicktime/
For Mac OS X v10.3.9 or later
The download file is named: "QuickTimeInstallerX.dmg"
Its SHA-1 digest is: a605fc27d85b4c6b59ebbbc84ef553b37aa8fbca
For Windows 2000/XP
The download file is named: "iTunesSetup.exe"
Its SHA-1 digest is: 1f7d1942fec2c3c205079916dc47b254e508de4e
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Security-announce mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
