APPLE-SA-2008-11-10 iLife Support 8.3.1
iLife Support 8.3.1 is now available and addresses the following security issues:

ImageIO
CVE-ID: CVE-2008-2327
Available for: iLife 8.0 or Aperture 2, on Mac OS v10.4.9 through v10.4.11
Impact: Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution
Description: Multiple uninitialized memory access issues exist in libTIFF's handling of LZW-encoded TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through proper memory initialization and additional validation of TIFF images. These issues are already addressed in systems running Mac OS X v10.5.5. Credit: Apple.

ImageIO
CVE-ID: CVE-2008-2332
Available for: iLife 8.0 or Aperture 2, on Mac OS v10.4.9 through v10.4.11
Impact: Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in the handling of TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved processing of TIFF images. This issue is already addressed in systems running Mac OS X v10.5.5. Credit to Robert Swiecki of Google Security Team for reporting this issue.

ImageIO
CVE-ID: CVE-2008-3608
Available for: iLife 8.0 or Aperture 2, on Mac OS v10.4.9 through v10.4.11
Impact: Viewing a large maliciously crafted JPEG image may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in ImageIO's handling of embedded ICC profiles in JPEG images. Viewing a large maliciously crafted JPEG image may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved processing of ICC profiles. This issue is already addressed in systems running Mac OS X v10.5.5. Credit: Apple.

iLife Support 8.3.1 may be obtained from the Software Update pane in System Preferences, or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/

The download file is named: "iLifeSupport.dmg"
Its SHA-1 digest is: 2911f4608c3c69eb8056a5bf6d5186a4f403517d

Information will also be posted to the Apple Security Updates web site:
http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key, and details are available at:
http://www.apple.com/support/security/pgp/
Apple Product Security