APPLE-SA-2005-06-08 Security Update 2005-006
Security Update 2005-006 is now available and delivers the following security enhancements:

AFP Server
CVE-ID: CAN-2005-1721
Available for: Mac OS X v10.4.1, Mac OS X Server v10.4.1
Impact: A buffer overflow in support for legacy clients could permit the running of arbitrary code
Description: The Mac OS X AFP Server supports a number of legacy clients. A buffer overflow in the support for one of these clients could permit the running of arbitrary code. This update modifies the AFP Server to correct this buffer overflow. This issue does not affect systems prior to Mac OS X 10.4.

AFP Server
CVE-ID: CAN-2005-1720
Available for: Mac OS X v10.4.1, Mac OS X Server v10.4.1
Impact: On an AFP server using an ACL enabled volume for storage, the copying of a file with POSIX-only permissions can leave an ACL attached
Description: When copying a local file to an AFP Server that is using an ACL enabled volume for storage, a temporary ACL is attached to the remote object during the copy process. This ACL can be left behind if the file copy was into a directory that was not using ACLs. The ACL that is left behind could cause confusion as it will override the POSIX file permissions for the file owner. The ACL does not permit other users to access the file. This update modifies the AFP Server so that it correctly removes the ACL that is used for copying the file. This issue does not affect systems prior to Mac OS X 10.4.

Bluetooth
CVE-ID: CAN-2005-1333
Available for: Mac OS X v10.4.1, Mac OS X Server v10.4.1, Mac OS X v10.3.9, Mac OS X Server v10.3.9
Impact: Directory traversal via Bluetooth object exchange
Description: Due to insufficient input checking, the Bluetooth object exchange services could be used to access files outside of the default file exchange directory.
This update provides an additional security improvement over the previous release by adding enhanced filtering for path-delimiting characters. Credit to kf_lists[at]digitalmunition[dot]com for reporting this issue.

CoreGraphics
CVE-ID: CAN-2005-1722
Available for: Mac OS X v10.4.1, Mac OS X Server v10.4.1
Impact: Applications using either PDFKit or CoreGraphics to render poorly formed PDF documents could abort due to a NULL pointer dereference.
Description: If a poorly-formed PDF document is passed to PDFKit or CoreGraphics for rendering, the rendering engine will detect an error and stop processing. As part of the cleanup process, a check for a NULL pointer was omitted. This omission can cause an application that handles PDF documents to abort - requiring that the application be restarted. CoreGraphics is updated to correctly handle the cleanup of poorly-formed PDF documents. This issue does not affect systems prior to Mac OS X 10.4. Credit to Chris Evans for reporting this issue.

CoreGraphics
CVE-ID: CAN-2005-1726
Available for: Mac OS X v10.4.1, Mac OS X Server v10.4.1
Impact: Console users can gain root privileges
Description: The CoreGraphics Window Server is updated to disallow unprivileged users from launching commands into root sessions. This issue does not affect systems prior to Mac OS X v10.4.

Folder Permissions
CVE-ID: CAN-2005-1727
Available for: Mac OS X v10.4.1, Mac OS X Server v10.4.1
Impact: Potential file race condition via world- and group-writable permissions on two directories
Description: Secure folder permissions are applied to protect the system's cache folder and the Dashboard system widgets. This exposure does not exist in systems prior to Mac OS X v10.4. Credit to Michael Haller at info@cilly.com for reporting this issue.

launchd
CVE-ID: CAN-2005-1725
Available for: Mac OS X v10.4.1, Mac OS X Server v10.4.1
Impact: The setuid program launchd can allow local privilege escalation
Description: A vulnerability in launchd allows local users to gain ownership of arbitrary files. The launchd command is updated to safely change ownership of files. Credit to Neil Archibald of Suresec LTD for reporting this issue. This issue does not affect systems prior to Mac OS X v10.4.

LaunchServices
CVE-ID: CAN-2005-1723
Available for: Mac OS X v10.4.1, Mac OS X Server v10.4.1
Impact: File extensions and mime types marked as unsafe but not mapped to an Apple UTI could bypass download safety checks
Description: Mac OS X 10.4 contains a database of known unsafe file extensions and mime types. If an addition to the database of unsafe types was made, without a corresponding Apple UTI (Uniform Type Identifier), then a query on certain forms of the file extension or mime type would not be marked as unsafe. All entries in the current unsafe type database are mapped to an Apple UTI. This update corrects the query code to correctly identify unsafe file extensions and mime types regardless of the presence of an Apple UTI. This issue does not affect systems prior to Mac OS X 10.4.

MCX Client
CVE-ID: CAN-2005-1728
Available for: Mac OS X v10.4.1, Mac OS X Server v10.4.1
Impact: Portable Home Directory credentials may be available to local system users
Description: MCX Client is updated to not log portable home directory mounting credentials. This issue does not affect systems prior to Mac OS X v10.4.

NFS
CVE-ID: CAN-2005-1724
Available for: Mac OS X v10.4.1, Mac OS X Server v10.4.1
Impact: An NFS export restricted using -network / -mask flags will export to "everyone"
Description: The use of -network and -mask on a filesystem listed in the NFS exports file would result in that filesystem being exported to "everyone". This update modifies the NFS exporting code to correctly set the network and mask parameters.
This issue does not affect systems prior to Mac OS X 10.4.

PHP
CVE-ID: CAN-2005-0524, CAN-2005-0525, CAN-2005-1042, CAN-2005-1043
Available for: Mac OS X v10.4.1, Mac OS X Server v10.4.1, Mac OS X v10.3.9, Mac OS X Server v10.3.9
Impact: Multiple vulnerabilities in PHP, including remote denial of service and execution of arbitrary code
Description: PHP is updated to version 4.3.11 to address several issues. The PHP release announcement for version 4.3.11 is located at http://www.php.net/release_4_3_11.php

VPN
CVE-ID: CAN-2005-1343
Available for: Mac OS X v10.4.1, Mac OS X Server v10.4.1
Impact: A local user can obtain root privileges if the system is being used as a VPN server
Description: A buffer overflow in "vpnd" could be used by a local user to obtain root privileges if the system is configured as a VPN server. This problem does not occur on systems that are configured as a VPN client. This issue cannot be exploited remotely. This update prevents the buffer overflow from occurring. This issue was fixed for Mac OS X v10.3.9 via Security Update 2005-005. Credit to Pieter de Boer of the master SNB at the Universiteit van Amsterdam (UvA) for reporting this issue.

Security Update 2005-006 may be obtained from the Software Update pane in System Preferences, or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/

For Mac OS X v10.4.1 and Mac OS X Server v10.4.1
The download file is named: "SecUpd2005-006Ti.dmg"
Its SHA-1 digest is: 89e432a13fc3de743b9444e2a33f3e989ceccdb4

For Mac OS X v10.3.9 and Mac OS X Server v10.3.9
The download file is named: "SecUpd2005-006Pan.dmg"
Its SHA-1 digest is: f897fbac3e12f9191356a06247b46f42a1d7312a

Information will also be posted to the Apple Product Security web site:
http://docs.info.apple.com/article.html?artnum=61798

This message is signed with Apple's Product Security PGP key, and details are available at:
http://www.apple.com/support/security/pgp/
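
The Bluetooth entry (CAN-2005-1333) attributes the directory traversal to insufficient input checking and describes the fix as filtering path-delimiting characters. The following is an added example, not Apple's code, of that kind of check on a received object name; the function names, the exchange directory path, and the assumption that the name has already been converted to a NUL-terminated UTF-8 string are all hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical exchange directory; the advisory does not name the real one. */
#define EXCHANGE_DIR "/Users/Shared/BluetoothInbox"

/* Hypothetical helper: return 1 if a name received from a remote peer is a
 * plain file name with no path-delimiting or control bytes, 0 otherwise. */
static int obex_name_is_safe(const char *name)
{
    size_t len = strlen(name);

    if (len == 0 || len > 255)
        return 0;
    /* "." and ".." are directory references, not file names. */
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        /* '/' is the POSIX delimiter, ':' the classic Mac OS (HFS) one,
         * '\\' the Windows one a peer may send; control bytes are never
         * accepted in a received name. */
        if (c == '/' || c == ':' || c == '\\' || c < 0x20 || c == 0x7f)
            return 0;
    }
    return 1;
}

/* Build the destination path inside EXCHANGE_DIR. Returns 0 on success,
 * -1 if the name is rejected or the result does not fit in out. */
static int build_dest_path(const char *name, char *out, size_t outlen)
{
    if (!obex_name_is_safe(name))
        return -1;
    int n = snprintf(out, outlen, "%s/%s", EXCHANGE_DIR, name);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    /* Constructed sample names, not taken from the advisory. */
    const char *samples[] = { "photo.jpg", "../../etc/hosts", "a:b", "..", "dir/file" };
    char path[1024];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-18s -> %s\n", samples[i],
               build_dest_path(samples[i], path, sizeof path) == 0 ? path : "REJECTED");
    return 0;
}
```

Rejecting the name outright, rather than stripping the delimiters and continuing, avoids cases where removing characters produces a different name that is itself unsafe.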