APPLE-SA-2005-11-04 QuickTime 7.0.3
- Subject: APPLE-SA-2005-11-04 QuickTime 7.0.3
- From: Apple Product Security <email@hidden>
- Date: Fri, 4 Nov 2005 09:51:43 -0800

APPLE-SA-2005-11-04 QuickTime 7.0.3

QuickTime 7.0.3 delivers the following security enhancements:

CVE-ID: CVE-2005-2753
Available for: Mac OS X v10.3.9 or later, Windows 2000/XP
Impact: An integer overflow may be exploitable via remotely
originated content
Description: A sign extension of an embedded "Pascal" style string
could result in a very large memory copy. The update treats the
string as having unsigned length. Credit to Piotr Bania
(email@hidden) for reporting this issue.

CVE-ID: CVE-2005-2754
Available for: Mac OS X v10.3.9 or later, Windows 2000/XP
Impact: An integer overflow may be exploitable via remotely
originated content
Description: Improper movie attributes could result in a very large
memory copy. The update checks for a valid non-zero size before
copying. Credit to Piotr Bania (email@hidden) for reporting
this issue.

CVE-ID: CVE-2005-2755
Available for: Mac OS X v10.3.9 or later, Windows 2000/XP
Impact: A denial of service against any application loading
remotely-originated content
Description: A missing movie attribute is interpreted as an
extension, but the absence of the extension is not flagged as an
error, resulting in a de-reference of a NULL pointer. The update
requires either the movie attribute or the extension to be present
for a well-formed movie. Credit to Piotr Bania
(email@hidden) for reporting this issue.

CVE-ID: CVE-2005-2756
Available for: Mac OS X v10.3.9 or later, Windows 2000/XP
Impact: Compressed PICT data may overwrite application memory from
remotely originated content
Description: Expansion of compressed PICT data could exceed the size
of the destination buffer. The update prevents decompressed data
from exceeding the destination buffer size. Credit to Piotr Bania
(email@hidden) for reporting this issue.

QuickTime 7.0.3 may be obtained from the Software Update pane in
System Preferences, or from the Download tab in the QuickTime site
http://www.apple.com/quicktime/

For Mac OS X v10.3.9 or later
The download file is named: "QuickTimeInstallerX.dmg"
Its SHA-1 digest is: 7e08669fe822c44d53f125e5c73bd65009c43e29

For Windows 2000/XP
The download file is named: "iTunesSetup.exe"
Its SHA-1 digest is: 56bc7f7d8f293e703fb3801cb07ec16aaaad20c5

Information will also be posted to the Apple Product Security
web site: http://docs.info.apple.com/article.html?artnum=61798

This message is signed with Apple's Product Security PGP key,
and details are available at:
http://www.apple.com/support/security/pgp/
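
The sign-extension flaw described under CVE-2005-2753, shown as an added C example that is not Apple's code and not part of the original advisory: a Pascal-style length byte read through a signed type next to the unsigned read the update describes. All function names and sample bytes are hypothetical and constructed here, and the bounds checks in pstr_copy are an assumption that goes beyond what the advisory states.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed inputs: a Pascal-style string is a length byte plus that many bytes. */
static const unsigned char SAMPLE_OK[]   = { 5, 'm', 'o', 'o', 'v', 's' };
static const unsigned char SAMPLE_HIGH[] = { 0xC8 };  /* claims 200 bytes, has none */

/* Flawed pattern: the length byte is read through a signed type, so any
 * value >= 0x80 goes negative and becomes enormous as a size_t. */
size_t pstr_len_signed(const void *p) {
    const signed char *s = p;
    long len = s[0];            /* 0xC8 -> -56 */
    return (size_t)len;         /* -56 -> SIZE_MAX - 55 */
}

/* Corrected pattern, as the advisory describes: unsigned length, 0..255. */
size_t pstr_len_unsigned(const void *p) {
    const unsigned char *s = p;
    return s[0];
}

/* Hypothetical hardened copy (bounds checks are an addition, not from the
 * advisory). Returns bytes copied, or -1 if the input is rejected. */
int pstr_copy(char *dst, size_t dst_size, const unsigned char *src, size_t src_avail) {
    if (src_avail < 1 || dst_size < 1) return -1;
    size_t len = src[0];
    if (len > src_avail - 1) return -1;  /* length byte exceeds data present */
    if (len >= dst_size) return -1;      /* no room for payload plus NUL */
    memcpy(dst, src + 1, len);
    dst[len] = '\0';
    return (int)len;
}

int main(void) {
    char out[16];
    printf("signed read:   %zu\n", pstr_len_signed(SAMPLE_HIGH));
    printf("unsigned read: %zu\n", pstr_len_unsigned(SAMPLE_HIGH));
    printf("copy ok:       %d\n", pstr_copy(out, sizeof out, SAMPLE_OK, sizeof SAMPLE_OK));
    printf("copy high:     %d\n", pstr_copy(out, sizeof out, SAMPLE_HIGH, sizeof SAMPLE_HIGH));
    return 0;
}
```

The signed read only misbehaves for length bytes of 0x80 and above, which is why short test strings never reveal it.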