APPLE-SA-2008-01-15 QuickTime 7.4
QuickTime 7.4 is now available and addresses the following issues:

QuickTime
CVE-ID: CVE-2008-0031
Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Mac OS X v10.5 or later, Windows Vista, XP SP2
Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in QuickTime's handling of Sorenson 3 video files. This may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of Sorenson 3 video files. Credit to Joe Schottman of Virginia Tech for reporting this issue.

QuickTime
CVE-ID: CVE-2008-0032
Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Mac OS X v10.5 or later, Windows Vista, XP SP2
Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in QuickTime's handling of Macintosh Resource records in movie files. Opening a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of movie files. Credit to Jun Mao of VeriSign iDefense Labs for reporting this issue.

QuickTime
CVE-ID: CVE-2008-0033
Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Mac OS X v10.5 or later, Windows Vista, XP SP2
Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in QuickTime's parsing of Image Descriptor (IDSC) atoms. Opening a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution.
This update addresses the issue by performing additional validation of Image Descriptor atoms in movie files. Credit to Cody Pierce of TippingPoint DVLabs for reporting this issue.

QuickTime
CVE-ID: CVE-2008-0036
Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Mac OS X v10.5 or later, Windows Vista, XP SP2
Impact: Opening a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution
Description: A buffer overflow may occur while processing a compressed PICT image. Opening a maliciously crafted compressed PICT file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by terminating decoding when the result would extend beyond the end of the destination buffer. Credit to Chris Ries of Carnegie Mellon University Computing Services for reporting this issue.

QuickTime 7.4 may be obtained from the Software Update application, or from the Apple Downloads site:
http://www.apple.com/support/downloads/

For Mac OS X v10.5
The download file is named: "QuickTime740_Leopard.dmg"
Its SHA-1 digest is: c81d8a1578ede770f313a402112d3c90377cea32

For Mac OS X v10.4.9 or later
The download file is named: "QuickTime740_Tiger.dmg"
Its SHA-1 digest is: a07f2780211cef4d255ef63c43f22355bfffa98d

For Mac OS X v10.3.9
The download file is named: "QuickTime740_Panther.dmg"
Its SHA-1 digest is: 1b93e41d8409a01c0926527e145efbd7dee13abe

For Windows Vista, XP SP2
The download file is named: "QuickTime740Installer.exe"
Its SHA-1 digest is: 155043f6fdde3b5f5700b44fc522766c35406bd

Information will also be posted to the Apple Product Security web site:
http://docs.info.apple.com/article.html?artnum=61798

This message is signed with Apple's Product Security PGP key, and details are available at:
http://www.apple.com/support/security/pgp/
Apple Product Security
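
The CVE-2008-0036 entry describes the fix as terminating decoding when the result would extend beyond the end of the destination buffer. The following is an added example of that check, not Apple's or QuickTime's code: it assumes a PackBits-style run-length format as a stand-in for the compressed image data, and the function names, return codes and sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum { RLE_OK = 0, RLE_TRUNCATED_INPUT = -1, RLE_OUTPUT_OVERFLOW = -2 };

/* PackBits-style decode (assumed stand-in format, not QuickTime's code).
 * Control byte c: 0..127 copies the next c+1 bytes; 129..255 repeats the
 * next byte 257-c times; 128 is a no-op. Every run is checked against the
 * space left in dst BEFORE writing, and decoding stops on the first run
 * that would not fit. */
int rle_decode_bounded(const uint8_t *src, size_t src_len,
                       uint8_t *dst, size_t dst_cap, size_t *out_len)
{
    size_t in = 0, out = 0;
    int rc = RLE_OK;

    while (in < src_len) {
        unsigned c = src[in++];
        if (c == 128)
            continue;
        int literal = c < 128;
        size_t run = literal ? (size_t)c + 1 : 257 - (size_t)c;
        size_t need = literal ? run : 1;   /* input bytes this run consumes */
        if (src_len - in < need) { rc = RLE_TRUNCATED_INPUT; break; }
        if (dst_cap - out < run) { rc = RLE_OUTPUT_OVERFLOW; break; }
        if (literal)
            memcpy(dst + out, src + in, run);
        else
            memset(dst + out, src[in], run);
        in += need;
        out += run;
    }
    *out_len = out;
    return rc;
}

/* Constructed sample: literal "ABC", then 'Z' repeated 4 times (7 bytes out). */
static const uint8_t SAMPLE[] = { 0x02, 'A', 'B', 'C', 0xFD, 'Z' };

/* Decode SAMPLE into a buffer of `cap` bytes (cap <= 16) followed by a guard
 * byte; returns the decoder status, or 1 if the guard was overwritten. */
int decode_sample(size_t cap, size_t *out_len)
{
    uint8_t buf[17];
    memset(buf, 0xEE, sizeof buf);
    int rc = rle_decode_bounded(SAMPLE, sizeof SAMPLE, buf, cap, out_len);
    return buf[cap] == 0xEE ? rc : 1;
}
```

The two comparisons are written as subtractions from the remaining length (`src_len - in`, `dst_cap - out`) so that an attacker-chosen run length can never wrap an addition past the end of either buffer.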