APPLE-SA-2007-03-13 Mac OS X v10.4.9 and Security Update 2007-003

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

APPLE-SA-2007-03-13 Mac OS X v10.4.9 and Security Update 2007-003

Mac OS X v10.4.9 and Security Update 2007-003 are now available and provide fixes for the following security issues. Mac OS X v10.4.9 also provides additional functionality changes, and information is available in its release note.

The Software Update utility will present the update that applies to your system configuration. Only one is needed, either Mac OS X v10.4.9 or Security Update 2007-003.

ColorSync
CVE-ID: CVE-2007-0719
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4 through Mac OS X Server v10.4.8
Impact: Viewing a maliciously-crafted image with an embedded ColorSync profile may lead to an unexpected application termination or arbitrary code execution
Description: A stack buffer overflow exists in the handling of embedded ColorSync profiles. By enticing a user to open a maliciously-crafted image, an attacker can trigger the overflow, which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of ColorSync profiles. Credit to Tom Ferris of Security-Protocols for reporting this issue.

CoreGraphics
Available for: Mac OS X v10.4 through Mac OS X v10.4.8, and Mac OS X Server v10.4 through Mac OS X Server v10.4.8
Impact: Viewing a malformed PDF document may lead to an application hang
Description: CoreGraphics has been updated to address the issue described on the Month of Apple Bugs web site (MOAB-06-01-2007), which may lead to an application hang.

Crash Reporter
CVE-ID: CVE-2007-0467
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4 through Mac OS X Server v10.4.8
Impact: Crash Reporter may allow a local admin user to obtain system privileges
Description: Crash Reporter uses an admin-writable system directory to store logs of processes that have been unexpectedly terminated. A malicious process running as an admin can cause these logs to be written to arbitrary files as root, which could result in the execution of commands with elevated privileges. This issue has been described on the Month of Apple Bugs web site (MOAB-28-01-2007). This update addresses the issue by performing additional validation prior to writing to log files.

CUPS
CVE-ID: CVE-2007-0720
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4 through Mac OS X Server v10.4.8
Impact: Remote attackers may cause a denial of service during SSL negotiation
Description: A partially-negotiated SSL connection with the CUPS service may prevent other requests from being served until the connection is closed. This update addresses the issue by implementing timeouts during SSL negotiation.

Disk Images
CVE-ID: CVE-2007-0721
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4 through Mac OS X Server v10.4.8
Impact: Mounting a maliciously-crafted disk image may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption vulnerability exists in diskimages-helper. By enticing a user to open a maliciously-crafted compressed disk image, an attacker could trigger this issue, which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of disk images.

Disk Images
CVE-ID: CVE-2007-0722
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4 through Mac OS X Server v10.4.8
Impact: Mounting a maliciously-crafted AppleSingleEncoding disk image may lead to an unexpected application termination or arbitrary code execution
Description: An integer overflow vulnerability exists in the handler for AppleSingleEncoding disk images. By enticing a local user to open a maliciously-crafted disk image, an attacker could trigger the overflow, which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of AppleSingleEncoding disk images.

Disk Images
CVE-ID: CVE-2006-6061, CVE-2006-6062, CVE-2006-5679, CVE-2007-0229, CVE-2007-0267, CVE-2007-0299
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.8, Mac OS X Server v10.4.8
Impact: Downloading a maliciously-crafted disk image may lead to an unexpected system shutdown or arbitrary code execution
Description: Several vulnerabilities exist in the processing of disk images that may lead to an unexpected termination of system operations or arbitrary code execution. These have been described on the Month of Kernel Bugs and Month of Apple Bugs web sites (MOKB-03-11-2006, MOKB-20-11-2006, MOKB-21-11-2006, MOAB-10-01-2007, MOAB-11-01-2007 and MOAB-12-01-2007). Since a disk image may be automatically mounted when visiting web sites, this allows a malicious web site to cause a denial of service. This update addresses the issue by performing additional validation of downloaded disk images prior to mounting them.

DS Plug-Ins
CVE-ID: CVE-2007-0723
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4 through Mac OS X Server v10.4.8
Impact: Unprivileged LDAP users may be able to change the local root password
Description: An implementation flaw in DirectoryService allows an unprivileged LDAP user to change the local root password. The authentication mechanism in DirectoryService has been fixed to address this issue.

Flash Player
CVE-ID: CVE-2006-5330
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4 through Mac OS X Server v10.4.8
Impact: Playing maliciously-crafted Flash content could allow an HTTP request splitting attack
Description: Adobe Flash Player is updated to version 9.0.28.0 to fix a potential vulnerability that could allow HTTP request splitting attacks. This issue is described as APSB06-18 on the Adobe web site at http://www.adobe.com/support/security/

GNU Tar
CVE-ID: CVE-2006-0300, CVE-2006-6097
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4 through Mac OS X Server v10.4.8
Impact: Multiple vulnerabilities in GNU Tar, the most serious of which is arbitrary code execution
Description: GNU Tar is updated from version 1.14 to 1.16.1. Further information is available via the GNU web site at http://www.gnu.org/software/tar/

HFS
CVE-ID: CVE-2007-0318
Available for: Mac OS X v10.4 through Mac OS X v10.4.8, and Mac OS X Server v10.4 through Mac OS X Server v10.4.8
Impact: Removing a file from a maliciously-crafted mounted filesystem may lead to a denial of service
Description: An HFS+ filesystem in a mounted disk image can be constructed to trigger a kernel panic when attempting to remove a file from a mounted filesystem. This has been described on the Month of Apple Bugs web site (MOAB-13-11-2006). This update addresses the issue by performing additional validation of the HFS+ filesystem.

HID Family
CVE-ID: CVE-2007-0724
Available for: Mac OS X v10.4 through Mac OS X v10.4.8, and Mac OS X Server v10.4 through Mac OS X Server v10.4.8
Impact: Console keyboard events are exposed to other users on the local system
Description: Insufficient controls in the IOKit HID interface allow any logged-in user to capture console keystrokes, including passwords and other sensitive information. This update addresses the issue by limiting HID device events to processes belonging to the current console user. Credit to Andrew Garber of University of Victoria, Alex Harper, and Michael Evans for reporting this issue.

ImageIO
CVE-ID: CVE-2007-1071
Available for: Mac OS X v10.4 through Mac OS X v10.4.8, and Mac OS X Server v10.4 through Mac OS X Server v10.4.8
Impact: Viewing a maliciously-crafted GIF file may lead to an unexpected application termination or arbitrary code execution
Description: An integer overflow vulnerability exists in the process of handling GIF files. By enticing a user to open a maliciously-crafted image, an attacker can trigger the overflow, which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of GIF files. This issue does not affect systems prior to Mac OS X v10.4. Credit to Tom Ferris of Security-Protocols for reporting this issue.

ImageIO
CVE-ID: CVE-2007-0733
Available for: Mac OS X v10.4 through Mac OS X v10.4.8, and Mac OS X Server v10.4 through Mac OS X Server v10.4.8
Impact: Viewing a maliciously-crafted RAW image may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in the process of handling RAW images. By enticing a user to open a maliciously-crafted image, an attacker can trigger the issue, which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of RAW images. This issue does not affect systems prior to Mac OS X v10.4. Credit to Luke Church of the Computer Laboratory, University of Cambridge, for reporting this issue.

Kernel
CVE-ID: CVE-2006-5836
Available for: Mac OS X v10.4 through Mac OS X v10.4.8, and Mac OS X Server v10.4 through Mac OS X Server v10.4.8
Impact: Malicious local users may be able to cause a denial of service
Description: Using the fpathconf() system call on certain file types will result in a kernel panic. This has been described on the Month of Kernel Bugs web site (MOKB-09-11-2006). This update addresses the issue through improved handling for all kernel-defined file types. Credit to Ilja van Sprundel for reporting this issue.

Kernel
CVE-ID: CVE-2006-6129
Available for: Mac OS X v10.4 through Mac OS X v10.4.8, and Mac OS X Server v10.4 through Mac OS X Server v10.4.8
Impact: Executing a maliciously-crafted Universal Mach-O binary may lead to an unexpected termination of system operations or arbitrary code execution with elevated privileges
Description: An integer overflow vulnerability exists in the loading of Universal Mach-O binaries. This could allow a malicious local user to cause a kernel panic or to obtain system privileges. This has been described on the Month of Kernel Bugs web site (MOKB-26-11-2006). This update addresses the issue by performing additional validation of Universal binaries.

Kernel
CVE-ID: CVE-2006-6173
Available for: Mac OS X v10.4 through Mac OS X v10.4.8, and Mac OS X Server v10.4 through Mac OS X Server v10.4.8
Impact: Executing a maliciously-crafted program may lead to a system hang
Description: The shared_region_make_private_np() system call allows a program to request a large allocation of kernel memory. This could allow a malicious local user to cause a system hang. This issue does not allow an integer overflow to occur, and it cannot lead to arbitrary code execution. This issue has been described on the Month of Kernel Bugs web site (MOKB-28-11-2006). This update addresses the issue by additional validation of the arguments passed to shared_region_make_private_np().

MySQL Server
CVE-ID: CVE-2006-1516, CVE-2006-1517, CVE-2006-2753, CVE-2006-3081, CVE-2006-4031, CVE-2006-4226, CVE-2006-3469
Available for: Mac OS X Server v10.4 through Mac OS X Server v10.4.8
Impact: Multiple vulnerabilities in MySQL, the most serious of which is arbitrary code execution
Description: MySQL is updated from version 4.1.13 to 4.1.22. Further information is available via the MySQL web site at http://dev.mysql.com/doc/refman/4.1/en/news-4-1-x.html

Networking
CVE-ID: CVE-2006-6130
Available for: Mac OS X v10.4 through Mac OS X v10.4.8, and Mac OS X Server v10.4 through Mac OS X Server v10.4.8
Impact: Malicious local users may be able to cause an unexpected termination of system operations or execute arbitrary code with elevated privileges
Description: A memory corruption issue exists in the AppleTalk protocol handler. This could allow a malicious local user to cause a kernel panic or gain system privileges. This has been described on the Month of Kernel Bugs web site (MOKB-27-11-2006). This update addresses the issue by performing additional validation of the input data structures.

Networking
CVE-ID: CVE-2007-0236
Available for: Mac OS X v10.4 through Mac OS X v10.4.8, and Mac OS X Server v10.4 through Mac OS X Server v10.4.8
Impact: Maliciously-crafted AppleTalk requests may lead to a local denial of service or arbitrary code execution
Description: A heap buffer overflow vulnerability exists in the AppleTalk protocol handler. By sending a maliciously-crafted request, a local user can trigger the overflow, which may lead to a denial of service or arbitrary code execution. This has been described on the Month of Apple Bugs web site (MOAB-14-01-2007). This update addresses the issue by performing additional validation of the input data.

OpenSSH
CVE-ID: CVE-2007-0726
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4 through Mac OS X Server v10.4.8
Impact: A remote attacker can destroy established trust between SSH hosts by causing SSH keys to be regenerated
Description: SSH keys are created on a server when the first SSH connection is established. An attacker connecting to the server before SSH has finished creating the keys could force the keys to be recreated. This could result in a denial of service against processes that rely on a trust relationship with the server. Systems that already have SSH enabled and have rebooted at least once are not vulnerable to this issue. This issue is addressed by improving the SSH key generation process. This issue is specific to the Apple implementation of OpenSSH. Credit to Jeff McCune of The Ohio State University for reporting this issue.

OpenSSH
CVE-ID: CVE-2006-0225, CVE-2006-4924, CVE-2006-5051, CVE-2006-5052
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4 through Mac OS X Server v10.4.8
Impact: Multiple vulnerabilities in OpenSSH, the most serious of which is arbitrary code execution
Description: OpenSSH is updated to version 4.5. Further information is available via the OpenSSH web site at http://www.openssh.org/txt/release-4.5

Printing
CVE-ID: CVE-2007-0728
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4 through Mac OS X Server v10.4.8
Impact: An unprivileged local user can overwrite arbitrary files with system privileges
Description: Insecure file operations may occur during the initialization of a USB printer. An attacker may leverage this issue to create or overwrite arbitrary files on the system. This update addresses the issue by improving the printer initialization process.

QuickDraw Manager
CVE-ID: CVE-2007-0588
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4 through Mac OS X Server v10.4.8
Impact: Opening a maliciously-crafted PICT image may lead to an unexpected application termination or arbitrary code execution
Description: A heap buffer overflow vulnerability exists in QuickDraw's PICT image processing. By enticing a user to open a maliciously-crafted image, an attacker can trigger the overflow, which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of PICT files. Credit to Tom Ferris of Security-Protocols and Mike Price of McAfee AVERT Labs for reporting this issue.

QuickDraw Manager
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4 through Mac OS X Server v10.4.8
Impact: Opening a malformed PICT image may lead to an unexpected application termination
Description: QuickDraw Manager has been updated to address the issue described on the Month of Apple Bugs web site (MOAB-23-01-2007), which may lead to an unexpected application termination. This issue does not lead to arbitrary code execution.

servermgrd
CVE-ID: CVE-2007-0730
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4 through Mac OS X Server v10.4.8
Impact: Remote attackers may be able to access Server Manager without valid credentials
Description: An issue in Server Manager's validation of authentication credentials could allow a remote attacker to alter the system configuration. This update addresses the issue by additional validation of authentication credentials.

SMB File Server
CVE-ID: CVE-2007-0731
Available for: Mac OS X v10.4 through Mac OS X v10.4.8, and Mac OS X Server v10.4 through Mac OS X Server v10.4.8
Impact: A user with write access to an SMB share may be able to cause a denial of service or arbitrary code execution
Description: A stack buffer overflow vulnerability exists in an Apple-specific Samba module. A file with an overly-long ACL could trigger the overflow, which may lead to a denial of service or arbitrary code execution. This update addresses the issue by performing additional validation of ACLs. This issue does not affect systems prior to Mac OS X v10.4. Credit to Cameron Kay of Massey University, New Zealand, for reporting this issue.

Software Update
CVE-ID: CVE-2007-0463
Available for: Mac OS X v10.4 through Mac OS X v10.4.8, and Mac OS X Server v10.4 through Mac OS X Server v10.4.8
Impact: Opening a maliciously-crafted Software Update Catalog file may lead to an unexpected application termination or arbitrary code execution
Description: A format string vulnerability exists in the Software Update application. By enticing a user to download and open a Software Update Catalog file, an attacker can trigger the vulnerability, which may lead to an unexpected application termination or arbitrary code execution. This has been described on the Month of Apple Bugs web site (MOAB-24-01-2007). This update addresses the issue by removing document bindings for Software Update Catalogs. This issue does not affect systems prior to Mac OS X v10.4. Credit to Kevin Finisterre of DigitalMunition for reporting this issue.

sudo
CVE-ID: CVE-2005-2959
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4 through Mac OS X Server v10.4.8
Impact: A local user with sudo access to a bash script can run arbitrary commands with elevated privileges
Description: A user-modified sudo configuration could allow environment variables to be passed through to the program running as a privileged user. If sudo is configured to allow an otherwise unprivileged user to execute a given bash script with elevated privileges, the user may be able to execute arbitrary code with elevated privileges. Systems with the default sudo configuration are not vulnerable to this issue. This issue has been addressed by updating sudo to 1.6.8p12. Further information is available via the sudo web site at http://www.sudo.ws/sudo/current.html

WebLog
CVE-ID: CVE-2006-4829
Available for: Mac OS X Server v10.4 through Mac OS X Server v10.4.8
Impact: A remote attacker can conduct cross-site scripting attacks through Blojsom
Description: A cross-site scripting vulnerability exists in Blojsom. This allows remote attackers to inject JavaScript into blog content that will execute in the domain of the Blojsom server. This update addresses the issue by performing additional validation of the user input. This issue does not affect systems prior to Mac OS X v10.4.

Mac OS X v10.4.9 and Security Update 2007-003 may be obtained from the Software Update pane in System Preferences, or Apple's Software Downloads web site: http://www.apple.com/support/downloads/

The Software Update utility will present the update that applies to your system configuration. Only one is needed, either Mac OS X v10.4.9 or Security Update 2007-003.

For Mac OS X v10.3.9
The download file is named: "SecUpd2007-003Pan.dmg"
Its SHA-1 digest is: 5b6cf9b8a9d0a9afc5d9196f2e54380e5dd6d9b6

For Mac OS X Server v10.3.9
The download file is named: "SecUpdSrvr2007-003Pan.dmg"
Its SHA-1 digest is: 89d57e9a5faa24e82a5991184468a611bc0bc0bc

For Mac OS X v10.4.8 (PowerPC)
The download file is named: "MacOSXUpd10.4.9PPC.dmg"
Its SHA-1 digest is: 380b0db5c8978a025cfc9b19e46845a51608d5be

For Mac OS X v10.4 (PowerPC) through v10.4.7 (PowerPC)
The download file is named: "MacOSXUpdCombo10.4.9PPC.dmg"
Its SHA-1 digest is: 32af8d8aacac4d696a339f3e11074f2f436c1772

For Mac OS X v10.4.8 (Intel)
The download file is named: "MacOSXUpd10.4.9Intel.dmg"
Its SHA-1 digest is: 80ce586b1f5640bd2fc191354013890b8f0c47dd

For Mac OS X v10.4.4 (Intel) through v10.4.7 (Intel)
The download file is named: "MacOSXUpdCombo10.4.9Intel.dmg"
Its SHA-1 digest is: 29c7a75a0ed2af9ed1f510e8a5c591c8dfeb9605

For Mac OS X Server v10.4.8 (PowerPC)
The download file is named: "MacOSXServerUpd10.4.9PPC.dmg"
Its SHA-1 digest is: 5c1ba866d515c476eae55a1dbfc7dd8226804bba

For Mac OS X Server v10.4 through v10.4.7 (PowerPC)
The download file is named: "MacOSXSrvrCombo10.4.9PPC.dmg"
Its SHA-1 digest is: 7b0df34abb43aace52e6298dbe2c3de24760745d

For Mac OS X Server v10.4.8 (Universal)
The download file is named: "MacOSXServerUpd10.4.9Univ.dmg"
Its SHA-1 digest is: 9c448563e8195f561ebac2f8d15ce4bf1c6d48f5

For Mac OS X Server v10.4.7 (Universal)
The download file is named: "MacOSXSrvrCombo10.4.9Univ.dmg"
Its SHA-1 digest is: 494e2949f101399a9691f138952f03331063bcf0

Information will also be posted to the Apple Security Updates web site: http://docs.info.apple.com/article.html?artnum=61798

This message is signed with Apple's Product Security PGP key, and details are available at: http://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.0.6 (Build 6060)

iQEVAwUBRfbjjYmzP5/bU5rtAQi9qgf/XCyQI4JuD16Y1+hw5jgbT4swr2xHLAcn
JsuCXCTZstXc2+9hQmOU8RX3lOgzSgNtif7OoVfkN2iqGqwYDl/hTQiTMicndazT
1OF97ke0WKm+8TY2uuYK7HxHrAWhPNXehq4anKHua/4b8jrho4yBEPgYp7jJxZ/T
pNk5LVIAcW7rUMrzjRTG440MiajGWZOUhoVP2U12QHmTYY+NsCUUWMod2RwobYkT
T74Y8f557bHD1fK8W4w2+YHSByfO6hPmIshSirbehAfqOpsvNmDMsUX05wP1Os1R
XPKwlkotQDTDjaccW8SUc6Wiz2nn/5zEd5fjJr4/YjqqhS6KWQpmAA==
=DZvH
-----END PGP SIGNATURE-----
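The advisory publishes a SHA-1 digest for each download so that an administrator can confirm the update image was not altered in transit before installing it. The script below is an added example written for this page, not Apple's own tooling: it embeds the file names and digests listed above, computes the digest of a local file with whichever of openssl, shasum or sha1sum is on PATH (an assumption about the host), and refuses a file whose digest differs from the published value or whose name is not in the list.

```shell
#!/bin/sh
# Added example (not part of Apple's advisory): check a downloaded update
# image against the SHA-1 digests published in APPLE-SA-2007-03-13.
# Assumes one of openssl, shasum or sha1sum is available on PATH.

# File names and digests copied from the advisory's download list.
EXPECTED_DIGESTS='
SecUpd2007-003Pan.dmg 5b6cf9b8a9d0a9afc5d9196f2e54380e5dd6d9b6
SecUpdSrvr2007-003Pan.dmg 89d57e9a5faa24e82a5991184468a611bc0bc0bc
MacOSXUpd10.4.9PPC.dmg 380b0db5c8978a025cfc9b19e46845a51608d5be
MacOSXUpdCombo10.4.9PPC.dmg 32af8d8aacac4d696a339f3e11074f2f436c1772
MacOSXUpd10.4.9Intel.dmg 80ce586b1f5640bd2fc191354013890b8f0c47dd
MacOSXUpdCombo10.4.9Intel.dmg 29c7a75a0ed2af9ed1f510e8a5c591c8dfeb9605
MacOSXServerUpd10.4.9PPC.dmg 5c1ba866d515c476eae55a1dbfc7dd8226804bba
MacOSXSrvrCombo10.4.9PPC.dmg 7b0df34abb43aace52e6298dbe2c3de24760745d
MacOSXServerUpd10.4.9Univ.dmg 9c448563e8195f561ebac2f8d15ce4bf1c6d48f5
MacOSXSrvrCombo10.4.9Univ.dmg 494e2949f101399a9691f138952f03331063bcf0
'

# Print the lowercase hex SHA-1 of the file named in $1, using whichever
# digest tool the host provides (openssl dgst prints "SHA1(name)= hex").
sha1_of_file() {
  if command -v openssl >/dev/null 2>&1; then
    openssl dgst -sha1 "$1" | awk '{print $NF}'
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 1 "$1" | awk '{print $1}'
  else
    sha1sum "$1" | awk '{print $1}'
  fi
}

# Print the published digest for the file name in $1; prints nothing if the
# advisory lists no such file.
expected_digest_for() {
  printf '%s\n' "$EXPECTED_DIGESTS" | awk -v name="$1" '$1 == name {print $2}'
}

# verify_download PATH [EXPECTED_DIGEST]
# Exit status 0 if the file's digest matches, 1 if it differs, 2 if no
# published digest is known for that file name. When EXPECTED_DIGEST is
# omitted it is looked up from the file's base name.
verify_download() {
  file="$1"
  expected="${2:-$(expected_digest_for "$(basename "$file")")}"
  if [ -z "$expected" ]; then
    echo "no published digest for $(basename "$file"); cannot verify" >&2
    return 2
  fi
  actual="$(sha1_of_file "$file")"
  if [ "$actual" = "$expected" ]; then
    echo "OK: $file matches published SHA-1 $expected"
    return 0
  fi
  echo "MISMATCH: $file has $actual, advisory lists $expected; do not install" >&2
  return 1
}

# Typical use, after downloading the image that Software Update would offer:
#   verify_download "$HOME/Downloads/MacOSXUpd10.4.9Intel.dmg" && open "$HOME/Downloads/MacOSXUpd10.4.9Intel.dmg"
```

The function deliberately treats an unknown file name as a failure distinct from a mismatch, so a renamed or unexpected image is not silently accepted; a mismatch means the file should be discarded and re-downloaded from Apple's site rather than installed.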