-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2005-11-04 QuickTime 7.0.3

QuickTime 7.0.3 delivers the following security enhancements:

CVE-ID: CVE-2005-2753
Available for: Mac OS X v10.3.9 or later, Windows 2000/XP
Impact: An integer overflow may be exploitable via remotely originated content
Description: A sign extension of an embedded "Pascal" style string could result in a very large memory copy. The update treats the string as having unsigned length. Credit to Piotr Bania (bania.piotr@gmail.com) for reporting this issue.

CVE-ID: CVE-2005-2754
Available for: Mac OS X v10.3.9 or later, Windows 2000/XP
Impact: An integer overflow may be exploitable via remotely originated content
Description: Improper movie attributes could result in a very large memory copy. The update checks for a valid non-zero size before copying. Credit to Piotr Bania (bania.piotr@gmail.com) for reporting this issue.

CVE-ID: CVE-2005-2755
Available for: Mac OS X v10.3.9 or later, Windows 2000/XP
Impact: A denial of service against any application loading remotely originated content
Description: A missing movie attribute is interpreted as an extension, but the absence of the extension is not flagged as an error, resulting in a de-reference of a NULL pointer. The update requires either the movie attribute or the extension to be present for a well-formed movie. Credit to Piotr Bania (bania.piotr@gmail.com) for reporting this issue.

CVE-ID: CVE-2005-2756
Available for: Mac OS X v10.3.9 or later, Windows 2000/XP
Impact: Compressed PICT data may overwrite application memory from remotely originated content
Description: Expansion of compressed PICT data could exceed the size of the destination buffer. The update prevents decompressed data from exceeding the destination buffer size. Credit to Piotr Bania (bania.piotr@gmail.com) for reporting this issue.
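Added illustration of the CVE-2005-2753 length handling, not part of Apple's advisory or of QuickTime's code: a defective signed read of the "Pascal" string length byte beside the unsigned read the update describes, plus a bounds-checked copy. The function names and sample bytes are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed example, not Apple's code. A "Pascal" string is one length
 * byte followed by that many characters. Reading the length through a
 * signed type sign-extends bytes >= 0x80, and converting that negative
 * value to size_t yields an enormous copy length (the CVE-2005-2753
 * pattern). */

/* Length as a defective reader computes it: signed length byte. */
size_t pascal_len_signed(const unsigned char *p) {
    int len = (signed char)p[0];   /* 0x80..0xFF become -128..-1 */
    return (size_t)len;            /* negative -> near SIZE_MAX */
}

/* Length read as the fix describes: an unsigned byte, always 0..255. */
size_t pascal_len_unsigned(const unsigned char *p) {
    return (size_t)p[0];
}

/* Hardened copy: unsigned length, bounded by the remaining input and the
 * destination capacity. Returns bytes copied, or -1 if the declared
 * length runs past either buffer. */
long pascal_copy(const unsigned char *in, size_t in_len,
                 char *out, size_t out_cap) {
    if (in_len < 1) return -1;               /* no length byte present */
    size_t len = pascal_len_unsigned(in);
    if (len > in_len - 1 || len > out_cap) return -1;
    memcpy(out, in + 1, len);
    return (long)len;
}
```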
QuickTime 7.0.3 may be obtained from the Software Update pane in System Preferences, or from the Download tab in the QuickTime site
http://www.apple.com/quicktime/

For Mac OS X v10.3.9 or later
The download file is named: "QuickTimeInstallerX.dmg"
Its SHA-1 digest is: 7e08669fe822c44d53f125e5c73bd65009c43e29

For Windows 2000/XP
The download file is named: "iTunesSetup.exe"
Its SHA-1 digest is: 56bc7f7d8f293e703fb3801cb07ec16aaaad20c5

Information will also be posted to the Apple Product Security web site:
http://docs.info.apple.com/article.html?artnum=61798

This message is signed with Apple's Product Security PGP key, and details are available at:
http://www.apple.com/support/security/pgp/