APPLE-SA-2007-09-06 iTunes 7.4
APPLE-SA-2007-09-06 iTunes 7.4

iTunes 7.4 is now available and addresses the following security issue:

CVE-ID: CVE-2007-3752
Available for: Mac OS X v10.3.9, Mac OS X v10.4.7 or later, Windows XP / Vista
Impact: Opening a maliciously crafted music file may lead to an unexpected application termination or arbitrary code execution
Description: A buffer overflow exists in iTunes when processing album cover art. By enticing a user to open a maliciously crafted music file, an attacker may trigger the overflow which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing proper bounds checking. Credit to David Thiel of iSEC Partners for reporting this issue.

iTunes 7.4 may be obtained from:
http://www.apple.com/itunes/download/

For Mac OS X:
The download file is named: "iTunes7.4.dmg"
Its SHA-1 digest is: 4422396fee3323cceab7d0ae83f47f7bedb21033

For Windows XP / Vista:
The download file is named: "iTunesSetup.exe"
Its SHA-1 digest is: fefe391446a8d8010d0a26e9819e893a76319da6

Information will also be posted to the Apple Product Security web site:
http://docs.info.apple.com/article.html?artnum=61798

This message is signed with Apple's Product Security PGP key, and details are available at:
http://www.apple.com/support/security/pgp/
participants (1)
- Apple Product Security