site_archiver@lists.apple.com Delivered-To: security-announce@lists.apple.com -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 APPLE-SA-2008-12-15 Security Update 2008-008 / Mac OS X v10.5.6 Security Update 2008-008 / Mac OS X v10.5.6 is now available and addresses the following issues: ATS CVE-ID: CVE-2008-4236 Available for: Mac OS X v10.5 through v10.5.5, Mac OS X Server v10.5 through v10.5.5 Impact: Viewing or downloading a PDF file containing a maliciously crafted embedded font may lead to a denial of service Description: An infinite loop may occur in the Apple Type Services server's handling of embedded fonts in PDF files. Viewing or downloading a PDF file containing a maliciously crafted embedded font may lead to a denial of service. This update addresses the issue by performing additional validation of embedded fonts. This issue does not affect systems prior to Mac OS X v10.5. Credit to Michael Samarin and Mikko Vihonen of Futurice Ltd. for reporting this issue. BOM CVE-ID: CVE-2008-4217 Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.5, Mac OS X Server v10.5 through v10.5.5 Impact: Downloading or viewing a maliciously crafted CPIO archive may lead to arbitrary code execution or unexpected application termination Description: A signedness issue exists in BOM's handling of CPIO headers which may result in a stack buffer overflow. Downloading or viewing a maliciously crafted CPIO archive may lead to arbitrary code execution or unexpected application termination. This update addresses the issue by performing additional validation of CPIO headers. Credit: Apple. CoreGraphics CVE-ID: CVE-2008-3623 Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.5, Mac OS X Server v10.5 through v10.5.5 Impact: Viewing a maliciously crafted image may lead to an unexpected application termination or arbitrary code execution Description: A heap buffer overflow exists in the handling of color spaces within CoreGraphics. Viewing a maliciously crafted image may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Credit: Apple. CoreServices CVE-ID: CVE-2008-3170 Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.5, Mac OS X Server v10.5 through v10.5.5 Impact: Visiting a maliciously crafted website may lead to the disclosure of user credentials Description: Safari allows web sites to set cookies for country- specific top-level domains, which may allow a remote attacker to perform a session fixation attack and hijack a user's credentials. This update addresses the issue by performing additional validation of domain names. Credit to Alexander Clauss of iCab.de for reporting this issue. CoreTypes CVE-ID: CVE-2008-4234 Available for: Mac OS X v10.5 through v10.5.5, Mac OS X Server v10.5 through v10.5.5 Impact: Attempting to launch unsafe downloaded content may not lead to a warning Description: Mac OS X provides the Download Validation capability to indicate potentially unsafe files. Applications such as Safari and others use Download Validation to help warn users prior to launching files marked as potentially unsafe. This update adds to the list of potentially unsafe types. It adds the content type for files that have executable permissions and no specific application association. These files are potentially unsafe as they will launch in Terminal and their content will be executed as commands. While these files are not automatically launched, if manually opened they could lead to the execution of arbitrary code. This issue does not affect systems prior to Mac OS X v10.5. Flash Player Plug-in CVE-ID: CVE-2008-4818, CVE-2008-4819, CVE-2008-4820, CVE-2008-4821, CVE-2008-4822, CVE-2008-4823, CVE-2008-4824 Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.5, Mac OS X Server v10.5 through v10.5.5 Impact: Multiple vulnerabilities in Adobe Flash Player plug-in Description: Multiple issues exist in the Adobe Flash Player plug- in, the most serious of which may lead to arbitrary code execution when viewing a maliciously crafted web site. The issues are addressed by updating the Flash Player plug-in to version 9.0.151.0. Further information is available via the Adobe web site at http://www.adobe.com/support/security/bulletins/apsb08-20.html Kernel CVE-ID: CVE-2008-4218 Available for: Mac OS X v10.5 through v10.5.5, Mac OS X Server v10.5 through v10.5.5 Impact: A local user may obtain system privileges Description: Integer overflow issues exist within the i386_set_ldt and i386_get_ldt system calls, which may allow a local user to execute arbitrary code with system privileges. This update addresses the issues through improved bounds checking. These issues do not affect PowerPC systems. Credit to Richard Vaneeden of IOActive, Inc. for reporting these issues. Kernel CVE-ID: CVE-2008-4219 Available for: Mac OS X v10.5 through v10.5.5, Mac OS X Server v10.5 through v10.5.5 Impact: Running an executable that links dynamic libraries on an NFS share may lead to an unexpected system shutdown Description: An infinite loop may occur when a program located on an NFS share receives an exception. This may lead to an unexpected system shutdown. This update addresses the issue through improved handling of exceptions. Credit to Ben Loer of Princeton University for reporting this issue. Libsystem CVE-ID: CVE-2008-4220 Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.5, Mac OS X Server v10.5 through v10.5.5 Impact: Applications that use the inet_net_pton API may be vulnerable to arbitrary code execution or an unexpected application termination Description: An integer overflow exists in Libsystem's inet_net_pton API, which may lead to arbitrary code execution or the unexpected termination of the application using the API. This update addresses the issue through improved bounds checking. This API is not normally called with untrusted data, and no exploitable cases of this issue are known. This update is provided to help mitigate potential attacks against any application using this API. Libsystem CVE-ID: CVE-2008-4221 Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.5, Mac OS X Server v10.5 through v10.5.5 Impact: Applications that use the strptime API may be vulnerable to arbitrary code execution or unexpected application termination Description: A memory corruption issue exists in Libsystem's strptime API. Parsing a maliciously crafted date string may lead to arbitrary code execution or unexpected application termination. This update addresses the issue through improved memory allocation. Credit: Apple. Libsystem CVE-ID: CVE-2008-1391 Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.5, Mac OS X Server v10.5 through v10.5.5 Impact: Applications that use the strfmon API may be exposed to an unexpected application termination or arbitrary code execution Description: Multiple integer overflows exist in Libsystem's strfmon implementation. An application calling strfmon with large values of certain integer fields in the format string argument may unexpectedly terminate or lead to arbitrary code execution. This update addresses the issues through improved bounds checking. Managed Client CVE-ID: CVE-2008-4237 Available for: Mac OS X v10.5 through v10.5.5, Mac OS X Server v10.5 through v10.5.5 Impact: The managed screen saver settings are not applied Description: The method by which the software on a managed client system installs per-host configuration information does not always correctly identify the system. On a misidentified system, per-host settings are not applied, including the screen saver lock. This update addresses the issue by having Managed Client use the correct system identification. This issue does not affect systems with built- in Ethernet. Credit to John Barnes of ESRI, and Trevor Lalish-Menagh of Tamman Technologies, Inc. for reporting this issue. network_cmds CVE-ID: CVE-2008-4222 Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.5, Mac OS X Server v10.5 through v10.5.5 Impact: A remote attacker may be able to cause a denial of service if Internet Sharing is enabled Description: An infinite loop may occur in the handling of TCP packets in natd. By sending a maliciously crafted TCP packet, a remote attacker may be able to cause a denial of service if Internet Sharing is enabled. This update addresses the issue by performing additional validation of TCP packets. Credit to Alex Rosenberg of Ohmantics, and Gary Teter of Paizo Publishing for reporting this issue. Podcast Producer CVE-ID: CVE-2008-4223 Available for: Mac OS X Server v10.5 through v10.5.5 Impact: A remote attacker may be able to access the administrative functions of Podcast Producer Description: An authentication bypass issue exists in the Podcast Producer server, which may allow an unauthorized user to access administrative functions in the server. This update addresses the issue through improved handling of access restrictions. Podcast Producer was introduced in Mac OS X Server v10.5. UDF CVE-ID: CVE-2008-4224 Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.5, Mac OS X Server v10.5 through v10.5.5 Impact: Opening an ISO file may lead to an unexpected system shutdown Description: An input validation issue exists in the handling of malformed UDF volumes. Opening a maliciously crafted ISO file may lead to an unexpected system shutdown. This update addresses the issue through improved input validation. Credit to Mauro Notarianni of PCAX Solutions for reporting this issue. Security Update 2008-008 and Mac OS X v10.5.6 may be obtained from the Software Update pane in System Preferences, or Apple's Software Downloads web site: http://www.apple.com/support/downloads/ The Software Update utility will present the update that applies to your system configuration. Only one is needed, either Security Update 2008-008 or Mac OS X v10.5.6. For Mac OS X v10.5.5 The download file is named: "MacOSXUpd10.5.6.dmg" Its SHA-1 digest is: 684f67524a92b4314a4bdd52498fb3b6af8f9ded For Mac OS X v10.5 - v10.5.4 The download file is named: "MacOSXUpdCombo10.5.6.dmg" Its SHA-1 digest is: 09de4ac2c5591ab75d51ef37dc70f9e5630150d4 For Mac OS X Server v10.5.5 The download file is named: "MacOSXServerUpd10.5.6.dmg" Its SHA-1 digest is: bd14ab94b9bcc896da1613ac761171b54286bcac For Mac OS X Server v10.5 - v10.5.4 The download file is named: "MacOSXServerUpdCombo10.5.6.dmg" Its SHA-1 digest is: e20d8d458be3ec51b0083ff823ce27def00dbca7 For Mac OS X v10.4.11 (Intel) The download file is named: "SecUpd2008-008Intel.dmg" Its SHA-1 digest is: 651e592fad1bd158a76459a81d2ebede1f3bedea For Mac OS X v10.4.11 (PowerPC) The download file is named: "SecUpd2008-008PPC.dmg" Its SHA-1 digest is: 9bb2aa7fcc924715b6442e808fc778789f359906 For Mac OS X Server v10.4.11 (Universal) The download file is named: "SecUpdSrvr2008-008Univ.dmg" Its SHA-1 digest is: 21702064037150cdeb9d708304ee91eb254c7371 For Mac OS X Server v10.4.11 (PowerPC) The download file is named: "SecUpdSrvr2008-008PPC.dmg" Its SHA-1 digest is: d0e4720051ea27b8edf0ab2a124d6e9f0e16534c Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222 This message is signed with Apple's Product Security PGP key, and details are available at: http://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- iQEcBAEBAgAGBQJJRoLMAAoJEHkodeiKZIkB64kIAKWDMSDEqM/NEmMpkdIqNzcb eZT1iPzXMgJPka04kmZismqN5+FHXa47+w/QYntp9uF+FxX+3aw/ip6v/sQ6Mm15 9wmfFgCddbas04g/9JjCh+UgOHUiUKOHmBElROwoLcJNAZBPgMsTQMZYQSqRTwWI 9+Nqqr7ajZvujo6ajIIQp/Lv48PIWZw/sI2CJzKS0zt5u7ctFvAJUjKaKsXZKvei /0bqcIRCy/TGjB+yI4p30OZVup/IAp21tFaaRBc+lWHZ2bvCSQ7ZpwlLJtlL/FOC jSZoVhNwYJPH2v+cG5mZ6aX2ntZgU2FD6mZyzsrUcS7fpG5fnxgU4lEnX55ntME= =pIcv -----END PGP SIGNATURE----- _______________________________________________ Do not post admin requests to the list. They will be ignored. Security-announce mailing list (Security-announce@lists.apple.com) Help/Unsubscribe/Update your Subscription: http://lists.apple.com/mailman/options/security-announce/site_archiver%40lis... This email sent to site_archiver@lists.apple.com