APPLE-SA-2007-03-13 Mac OS X v10.4.9 and Security Update 2007-003
APPLE-SA-2007-03-13 Mac OS X v10.4.9 and Security Update 2007-003
- Subject: APPLE-SA-2007-03-13 Mac OS X v10.4.9 and Security Update 2007-003
- From: Apple Product Security <email@hidden>
- Date: Tue, 13 Mar 2007 13:10:54 -0700
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
APPLE-SA-2007-03-13 Mac OS X v10.4.9 and Security Update 2007-003
Mac OS X v10.4.9 and Security Update 2007-003 are now available and
provide fixes for the following security issues. Mac OS X v10.4.9
also provides additional functionality changes, and information is
available in its release note.
The Software Update utility will present the update that applies
to your system configuration. Only one is needed, either
Mac OS X v10.4.9 or Security Update 2007-003.
ColorSync
CVE-ID: CVE-2007-0719
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4
through Mac OS X Server v10.4.8
Impact: Viewing a maliciously-crafted image with an embedded
ColorSync profile may lead to an unexpected application
termination or arbitrary code execution
Description: A stack buffer overflow exists in the handling of
embedded ColorSync profiles. By enticing a user to open a
maliciously-crafted image, an attacker can trigger the overflow,
which may lead to an unexpected application termination or
arbitrary code execution. This update addresses the issue by
performing additional validation of ColorSync profiles. Credit
to Tom Ferris of Security-Protocols for reporting this issue.
CoreGraphics
Available for: Mac OS X v10.4 through Mac OS X v10.4.8, and
Mac OS X Server v10.4 through Mac OS X Server v10.4.8
Impact: Viewing a malformed PDF Document may lead to an
application hang
Description: CoreGraphics has been updated to address the issue
described on the Month of Apple Bugs web site (MOAB-06-01-2007),
which may lead to an application hang.
Crash Reporter
CVE-ID: CVE-2007-0467
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4
through Mac OS X Server v10.4.8
Impact: Crash Reporter may allow a local admin user to obtain
system privileges
Description: Crash Reporter uses an admin-writable system
directory to store logs of processes that have been unexpectedly
terminated. A malicious process running as an admin can cause
these logs to be written to arbitrary files as root, which could
result in the execution of commands with elevated privileges.
This issue has been described on the Month of Apple Bugs web
site (MOAB-28-01-2007). This update addresses the issue by
performing additional validation prior to writing to log files.
CUPS
CVE-ID: CVE-2007-0720
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4
through Mac OS X Server v10.4.8
Impact: Remote attackers may cause a denial of service during
SSL negotiation
Description: A partially-negotiated SSL connection with the CUPS
service may prevent other requests from being served until the
connection is closed. This update addresses the issue by
implementing timeouts during SSL negotiation.
Disk Images
CVE-ID: CVE-2007-0721
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4
through Mac OS X Server v10.4.8
Impact: Mounting a maliciously-crafted disk image may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption vulnerability exists in
diskimages-helper. By enticing a user to open a maliciously-crafted
compressed disk image, an attacker could trigger this issue which
may lead to an unexpected application termination or arbitrary
code execution. This update addresses the issue by performing
additional validation of disk images.
Disk Images
CVE-ID: CVE-2007-0722
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4
through Mac OS X Server v10.4.8
Impact: Mounting a maliciously-crafted AppleSingleEncoding disk
image may lead to an unexpected application termination or
arbitrary code execution
Description: An integer overflow vulnerability exists in the
handler for AppleSingleEncoding disk images. By enticing a local
user to open a maliciously-crafted disk image, an attacker could
trigger the overflow which may lead to an unexpected application
termination or arbitrary code execution. This update addresses
the issue by performing additional validation of
AppleSingleEncoding disk images.
Disk Images
CVE-ID: CVE-2006-6061, CVE-2006-6062, CVE-2006-5679,
CVE-2007-0229, CVE-2007-0267, CVE-2007-0299
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.8, Mac OS X Server v10.4.8
Impact: Downloading a maliciously-crafted disk image may lead to
an unexpected system shutdown or arbitrary code execution
Description: Several vulnerabilities exist in the processing of
disk images that may lead to an unexpected termination of system
operations or arbitrary code execution. These have been
described on the Month of Kernel Bugs and Month of Apple Bugs
web sites (MOKB-03-11-2006, MOKB-20-11-2006, MOKB-21-11-2006,
MOAB-10-01-2007, MOAB-11-01-2007 and MOAB-12-01-2007). Since a
disk image may be automatically mounted when visiting web sites,
this allows a malicious web site to cause a denial of service.
This update addresses the issue by performing additional
validation of downloaded disk images prior to mounting them.
DS Plug-Ins
CVE-ID: CVE-2007-0723
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4
through Mac OS X Server v10.4.8
Impact: Unprivileged LDAP users may be able to change the local
root password
Description: An implementation flaw in DirectoryService allows
an unprivileged LDAP user to change the local root password. The
authentication mechanism in DirectoryService has been fixed to
address this issue.
Flash Player
CVE-ID: CVE-2006-5330
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4
through Mac OS X Server v10.4.8
Impact: Playing maliciously-crafted Flash content could allow an
HTTP request splitting attack
Description: Adobe Flash Player is updated to version 9.0.28.0
to fix a potential vulnerability that could allow HTTP request
splitting attacks. This issue is described as APSB06-18 on the
Adobe web site at http://www.adobe.com/support/security/
GNU Tar
CVE-ID: CVE-2006-0300, CVE-2006-6097
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4
through Mac OS X Server v10.4.8
Impact: Multiple vulnerabilities in GNU Tar, the most serious of
which is arbitrary code execution
Description: GNU Tar is updated from version 1.14 to 1.16.1.
Further information is available via the GNU web site at
http://www.gnu.org/software/tar/
HFS
CVE-ID: CVE-2007-0318
Available for: Mac OS X v10.4 through Mac OS X v10.4.8, and
Mac OS X Server v10.4 through Mac OS X Server v10.4.8
Impact: Removing a file from a maliciously-crafted mounted
filesystem may lead to a denial of service
Description: An HFS+ filesystem in a mounted disk image can be
constructed to trigger a kernel panic when attempting to remove
a file from a mounted filesystem. This has been described on the
Month of Apple Bugs web site (MOAB-13-11-2006). This update
addresses the issue by performing additional validation of the
HFS+ filesystem.
HID Family
CVE-ID: CVE-2007-0724
Available for: Mac OS X v10.4 through Mac OS X v10.4.8, and
Mac OS X Server v10.4 through Mac OS X Server v10.4.8
Impact: Console keyboard events are exposed to other users on
the local system
Description: Insufficient controls in the IOKit HID interface
allow any logged in user to capture console keystrokes,
including passwords and other sensitive information. This update
addresses the issue by limiting HID device events to processes
belonging to the current console user. Credit to Andrew Garber
of University of Victoria, Alex Harper, and Michael Evans for
reporting this issue.
ImageIO
CVE-ID: CVE-2007-1071
Available for: Mac OS X v10.4 through Mac OS X v10.4.8, and
Mac OS X Server v10.4 through Mac OS X Server v10.4.8
Impact: Viewing a maliciously-crafted GIF file may lead to an
unexpected application termination or arbitrary code execution
Description: An integer overflow vulnerability exists in the
process of handling GIF files. By enticing a user to open a
maliciously-crafted image, an attacker can trigger the overflow
which may lead to an unexpected application termination or
arbitrary code execution. This update addresses the issue by
performing additional validation of GIF files. This issue does
not affect systems prior to Mac OS X v10.4. Credit to Tom Ferris
of Security-Protocols for reporting this issue.
ImageIO
CVE-ID: CVE-2007-0733
Available for: Mac OS X v10.4 through Mac OS X v10.4.8, and
Mac OS X Server v10.4 through Mac OS X Server v10.4.8
Impact: Viewing a maliciously-crafted RAW Image may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in the process of
handling RAW images. By enticing a user to open a
maliciously-crafted image, an attacker can trigger the issue
which may lead to an unexpected application termination or
arbitrary code execution. This update addresses the issue by
performing additional validation of RAW images. This issue does
not affect systems prior to Mac OS X v10.4. Credit to Luke
Church of the Computer Laboratory, University of Cambridge, for
reporting this issue.
Kernel
CVE-ID: CVE-2006-5836
Available for: Mac OS X v10.4 through Mac OS X v10.4.8, and
Mac OS X Server v10.4 through Mac OS X Server v10.4.8
Impact: Malicious local users may be able to cause a denial of
service
Description: Using the fpathconf() system call on certain file
types will result in a kernel panic. This has been described on
the Month of Kernel Bugs web site (MOKB-09-11-2006). This update
addresses the issue through improved handling for all kernel
defined file types. Credit to Ilja van Sprundel for reporting
this issue.
Kernel
CVE-ID: CVE-2006-6129
Available for: Mac OS X v10.4 through Mac OS X v10.4.8, and
Mac OS X Server v10.4 through Mac OS X Server v10.4.8
Impact: Executing a maliciously-crafted Universal Mach-O
binary may lead to an unexpected termination of system
operations or arbitrary code execution with elevated privileges
Description: An integer overflow vulnerability exists in the
loading of Universal Mach-O binaries. This could allow a
malicious local user to cause a kernel panic or to obtain system
privileges. This has been described on the Month of Kernel Bugs
web site (MOKB-26-11-2006). This update addresses the issue by
performing additional validation of Universal binaries.
Kernel
CVE-ID: CVE-2006-6173
Available for: Mac OS X v10.4 through Mac OS X v10.4.8, and
Mac OS X Server v10.4 through Mac OS X Server v10.4.8
Impact: Executing a maliciously-crafted program may lead to a
system hang
Description: The shared_region_make_private_np() system call
allows a program to request a large allocation of kernel memory.
This could allow a malicious local user to cause a system hang.
This issue does not allow an integer overflow to occur, and it
cannot lead to arbitrary code execution. This issue has been
described on the Month of Kernel Bugs web site
(MOKB-28-11-2006). This update addresses the issue by additional
validation of the arguments passed to
shared_region_make_private_np().
MySQL Server
CVE-ID: CVE-2006-1516, CVE-2006-1517, CVE-2006-2753,
CVE-2006-3081, CVE-2006-4031, CVE-2006-4226, CVE-2006-3469
Available for: Mac OS X Server v10.4 through Mac OS X Server
v10.4.8
Impact: Multiple vulnerabilities in MySQL, the most serious of
which is arbitrary code execution
Description: MySQL is updated from version 4.1.13 to 4.1.22.
Further information is available via the MySQL web site at
http://dev.mysql.com/doc/refman/4.1/en/news-4-1-x.html
Networking
CVE-ID: CVE-2006-6130
Available for: Mac OS X v10.4 through Mac OS X v10.4.8, and
Mac OS X Server v10.4 through Mac OS X Server v10.4.8
Impact: Malicious local users may be able to cause an unexpected
termination of system operations or execute arbitrary code with
elevated privileges
Description: A memory corruption issue exists in the AppleTalk
protocol handler. This could allow a malicious local user to
cause a kernel panic or gain system privileges. This has been
described on the Month of Kernel Bugs web site
(MOKB-27-11-2006). This update addresses the issue by performing
additional validation of the input data structures.
Networking
CVE-ID: CVE-2007-0236
Available for: Mac OS X v10.4 through Mac OS X v10.4.8, and
Mac OS X Server v10.4 through Mac OS X Server v10.4.8
Impact: Maliciously-crafted AppleTalk requests may lead to a
local denial of service or arbitrary code execution
Description: A heap buffer overflow vulnerability exists in the
AppleTalk protocol handler. By sending a maliciously-crafted
request, a local user can trigger the overflow which may lead to
a denial of service or arbitrary code execution. This has been
described on the Month of Apple Bugs web site (MOAB-14-01-2007).
This update addresses the issue by performing additional
validation of the input data.
OpenSSH
CVE-ID: CVE-2007-0726
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4
through Mac OS X Server v10.4.8
Impact: A remote attacker can destroy established trust between
SSH hosts by causing SSH Keys to be regenerated
Description: SSH keys are created on a server when the first SSH
connection is established. An attacker connecting to the server
before SSH has finished creating the keys could force the keys
then to be recreated. This could result in a denial of service
against processes that rely on a trust relationship with the
server. Systems that already have SSH enabled and have rebooted
at least once are not vulnerable to this issue. This issue is
addressed by improving the SSH key generation process. This
issue is specific to the Apple implementation of OpenSSH. Credit
to Jeff McCune of The Ohio State University for reporting this
issue.
OpenSSH
CVE-ID: CVE-2006-0225, CVE-2006-4924, CVE-2006-5051,
CVE-2006-5052
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4
through Mac OS X Server v10.4.8
Impact: Multiple vulnerabilities in OpenSSH, the most serious of
which is arbitrary code execution
Description: OpenSSH is updated to version 4.5. Further
information is available via the OpenSSH web site at http://
www.openssh.org/txt/release-4.5.
Printing
CVE-ID: CVE-2007-0728
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4
through Mac OS X Server v10.4.8
Impact: An unprivileged local user can overwrite arbitrary files
with system privileges
Description: Insecure file operations may occur during the
initialization of a USB printer. An attacker may leverage this
issue to create or overwrite arbitrary files on the system. This
update addresses the issue by improving the printer
initialization process.
QuickDraw Manager
CVE-ID: CVE-2007-0588
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4
through Mac OS X Server v10.4.8
Impact: Opening a maliciously-crafted PICT image may lead to an
unexpected application termination or arbitrary code execution
Description: A heap buffer overflow vulnerability exists in
QuickDraw's PICT image processing. By enticing a user to open a
maliciously-crafted image, an attacker can trigger the overflow
which may lead to an unexpected application termination or
arbitrary code execution. This update addresses the issue by
performing additional validation of PICT files. Credit to Tom
Ferris of Security-Protocols and Mike Price of McAfee AVERT Labs
for reporting this issue.
QuickDraw Manager
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4
through Mac OS X Server v10.4.8
Impact: Opening a malformed PICT image may lead to an unexpected
application termination
Description: QuickDraw Manager has been updated to address the
issue described on the Month of Apple Bugs web site
(MOAB-23-01-2007), which may lead to an unexpected application
termination. This issue does not lead to arbitrary code
execution.
servermgrd
CVE-ID: CVE-2007-0730
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4
through Mac OS X Server v10.4.8
Impact: Remote attackers may be able to access Server Manager
without valid credentials
Description: An issue in Server Manager's validation of
authentication credentials could allow a remote attacker to
alter the system configuration. This update addresses the issue
by additional validation of authentication credentials.
SMB File Server
CVE-ID: CVE-2007-0731
Available for: Mac OS X v10.4 through Mac OS X v10.4.8, and
Mac OS X Server v10.4 through Mac OS X Server v10.4.8
Impact: A user with write access to an SMB share may be able to
cause a denial of service or arbitrary code execution
Description: A stack buffer overflow vulnerability exists in an
Apple-specific Samba module. A file with an overly-long ACL
could trigger the overflow, which may lead to a denial of
service or arbitary code execution. This update addresses the
issue by performing additional validation of ACLs. This issue
does not affect systems prior to Mac OS X v10.4. Credit to
Cameron Kay of Massey University, New Zealand for reporting this
issue.
Software Update
CVE-ID: CVE-2007-0463
Available for: Mac OS X v10.4 through Mac OS X v10.4.8, and
Mac OS X Server v10.4 through Mac OS X Server v10.4.8
Impact: Opening a maliciously-crafted Software Update Catalog
file may lead to an unexpected application termination or
arbitrary code execution
Description: A format string vulnerability exists in the
Software Update application. By enticing a user to download and
open a Software Update Catalog file, an attacker can trigger the
vulnerability which may lead to an unexpected application
termination or arbitrary code execution. This has been described
on the Month of Apple Bugs web site (MOAB-24-01-2007). This
update addresses the issue by removing document bindings for
Software Update Catalogs. This issue does not affect systems
prior to Mac OS X v10.4. Credit to Kevin Finisterre of
DigitalMunition for reporting this issue.
sudo
CVE-ID: CVE-2005-2959
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4
through Mac OS X Server v10.4.8
Impact: A local user with sudo access to a bash script can run
arbitrary commands with elevated privileges
Description: A user-modified sudo configuration could allow
environment variables to be passed through to the program
running as a privileged user. If sudo is configured to allow an
otherwise unprivileged user to execute a given bash script with
elevated privileges, the user may be able to execute arbitrary
code with elevated privileges. Systems with the default sudo
configuration are not vulnerable to this issue. This issue has
been addressed by updating sudo to 1.6.8p12. Further information
is available via the sudo web site at
http://www.sudo.ws/sudo/current.html
WebLog
CVE-ID: CVE-2006-4829
Available for: Mac OS X Server v10.4 through Mac OS X Server
v10.4.8
Impact: A remote attacker can conduct cross-site scripting
attacks through Blojsom
Description: A cross-site scripting vulnerability exists in
Blojsom. This allows remote attackers to inject JavaScript into
blog content that will execute in the domain of the Blojsom
server. This update addresses the issue by performing additional
validation of the user input. This issue does not affect systems
prior to Mac OS X v10.4.
Mac OS X v10.4.9 and Security Update 2007-003 may be obtained from
the Software Update pane in System Preferences, or Apple's Software
Downloads web site:
http://www.apple.com/support/downloads/
The Software Update utility will present the update that applies
to your system configuration. Only one is needed, either
Mac OS X v10.4.9 or Security Update 2007-003.
For Mac OS X v10.3.9
The download file is named: "SecUpd2007-003Pan.dmg"
Its SHA-1 digest is: 5b6cf9b8a9d0a9afc5d9196f2e54380e5dd6d9b6
For Mac OS X Server v10.3.9
The download file is named: "SecUpdSrvr2007-003Pan.dmg"
Its SHA-1 digest is: 89d57e9a5faa24e82a5991184468a611bc0bc0bc
For Mac OS X v10.4.8 (PowerPC)
The download file is named: "MacOSXUpd10.4.9PPC.dmg"
Its SHA-1 digest is: 380b0db5c8978a025cfc9b19e46845a51608d5be
For Mac OS X v10.4 (PowerPC) through v10.4.7 (PowerPC)
The download file is named: "MacOSXUpdCombo10.4.9PPC.dmg"
Its SHA-1 digest is: 32af8d8aacac4d696a339f3e11074f2f436c1772
For Mac OS X v10.4.8 (Intel)
The download file is named: "MacOSXUpd10.4.9Intel.dmg"
Its SHA-1 digest is: 80ce586b1f5640bd2fc191354013890b8f0c47dd
For Mac OS X v10.4.4 (Intel) through v10.4.7 (Intel)
The download file is named: "MacOSXUpdCombo10.4.9Intel.dmg"
Its SHA-1 digest is: 29c7a75a0ed2af9ed1f510e8a5c591c8dfeb9605
For Mac OS X Server v10.4.8 (PowerPC)
The download file is named: "MacOSXServerUpd10.4.9PPC.dmg"
Its SHA-1 digest is: 5c1ba866d515c476eae55a1dbfc7dd8226804bba
For Mac OS X Server v10.4 through v10.4.7 (PowerPC)
The download file is named: "MacOSXSrvrCombo10.4.9PPC.dmg"
Its SHA-1 digest is: 7b0df34abb43aace52e6298dbe2c3de24760745d
For Mac OS X Server v10.4.8 (Universal)
The download file is named: "MacOSXServerUpd10.4.9Univ.dmg"
Its SHA-1 digest is: 9c448563e8195f561ebac2f8d15ce4bf1c6d48f5
For Mac OS X Server v10.4.7 (Universal)
The download file is named: "MacOSXSrvrCombo10.4.9Univ.dmg"
Its SHA-1 digest is: 494e2949f101399a9691f138952f03331063bcf0
Information will also be posted to the Apple Security Updates
web site:
http://docs.info.apple.com/article.html?artnum=61798
This message is signed with Apple's Product Security PGP key,
and details are available at:
http://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.0.6 (Build 6060)
iQEVAwUBRfbjjYmzP5/bU5rtAQi9qgf/XCyQI4JuD16Y1+hw5jgbT4swr2xHLAcn
JsuCXCTZstXc2+9hQmOU8RX3lOgzSgNtif7OoVfkN2iqGqwYDl/hTQiTMicndazT
1OF97ke0WKm+8TY2uuYK7HxHrAWhPNXehq4anKHua/4b8jrho4yBEPgYp7jJxZ/T
pNk5LVIAcW7rUMrzjRTG440MiajGWZOUhoVP2U12QHmTYY+NsCUUWMod2RwobYkT
T74Y8f557bHD1fK8W4w2+YHSByfO6hPmIshSirbehAfqOpsvNmDMsUX05wP1Os1R
XPKwlkotQDTDjaccW8SUc6Wiz2nn/5zEd5fjJr4/YjqqhS6KWQpmAA==
=DZvH
-----END PGP SIGNATURE-----
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Security-announce mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden