APPLE-SA-2006-08-01 Security Update 2006-004
- Subject: APPLE-SA-2006-08-01 Security Update 2006-004
- From: Apple Product Security <email@hidden>
- Date: Tue, 1 Aug 2006 13:25:09 -0700
APPLE-SA-2006-08-01 Security Update 2006-004
Security Update 2006-004 is now available and addresses the following
issues:
AFP Server
CVE-ID: CVE-2006-1472
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9
Impact: When file sharing is enabled, file and folder items may
be disclosed to unauthorized users
Description: An issue in the AFP server allows search results to
include files and folders for which the user performing the
search has no access. This may lead to information disclosure if
the names themselves are sensitive information. If the
permissions of the items allow it, the contents may also be
accessible. This update addresses the issue in Mac OS X v10.3.9
by ensuring that search results only include items for which the
user is authorized. For Mac OS X v10.4 systems, the issue was
addressed in Mac OS X v10.4.7.
AFP Server
CVE-ID: CVE-2006-1473
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS
X v10.4.7, Mac OS X Server v10.4.7
Impact: When file sharing is enabled, authenticated users may
cause a crash or arbitrary code execution
Description: The AFP server contains an integer overflow that
can be triggered by an authenticated user. A malicious user with
access to the AFP server may be able to cause a denial of
service or arbitrary code execution with system
privileges. The AFP server is not enabled by default on Mac OS
X. This update addresses the issue by performing additional
validation. Credit to Dino Dai Zovi of Matasano Security for
reporting this issue.
AFP Server
CVE-ID: CVE-2006-3495
Available for: Mac OS X Server v10.3.9, Mac OS X Server v10.4.7
Impact: When file sharing is enabled, authenticated local users
may be able to access files or folders of other users through
AFP
Description: On Mac OS X Server, the AFP server supports
reconnection of file sharing sessions after a network outage.
The storage of reconnect keys is world-readable. It may be
possible for an authenticated local user to read the reconnect
keys, use them to impersonate another user over AFP, and access
files or folders with the privileges of the impersonated user.
This update addresses the issue by protecting the reconnect keys
with appropriate file system permissions. This issue only
affects Mac OS X Server.
AFP Server
CVE-ID: CVE-2006-3496
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS
X v10.4.7, Mac OS X Server v10.4.7
Impact: When file sharing is enabled, a maliciously-crafted AFP
request may cause the AFP server to crash
Description: An unchecked error condition exists in the AFP
server that may lead to a crash. By carefully crafting an
invalid AFP request, an attacker may be able to trigger this
condition and cause a denial of service. This update addresses
the issue by handling the formerly unchecked error condition.
AppKit, ImageIO
CVE-ID: CVE-2006-3459, CVE-2006-3461, CVE-2006-3462,
CVE-2006-3465
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS
X v10.4.7, Mac OS X Server v10.4.7
Impact: Viewing a maliciously-crafted TIFF image may lead to an
application crash or arbitrary code execution
Description: Buffer overflows were discovered in TIFF tag
handling (CVE-2006-3459, CVE-2006-3465), the TIFF PixarLog
decoder (CVE-2006-3461), and the TIFF NeXT RLE decoder
(CVE-2006-3462). By carefully crafting a corrupt TIFF image, an
attacker can trigger a buffer overflow which may lead to an
application crash or arbitrary code execution. This update
addresses the issue by performing additional validation of TIFF
images. Systems prior to Mac OS X v10.4 are affected only by the
TIFF NeXT RLE decoder issue (CVE-2006-3462). Credit to Tavis
Ormandy, Google Security Team for reporting this issue.
Note: A fifth issue discovered by Tavis Ormandy, CVE-2006-3460,
does not affect Mac OS X.
Bluetooth Setup Assistant
Available for: Mac OS X v10.4.7, Mac OS X Server v10.4.7
Impact: Passkey length increased for Bluetooth pairing
Description: The length of the automatically generated passkey used
for pairing has been increased from six characters to eight
characters. This enhancement does not require a CVE ID.
Bom
CVE-ID: CVE-2006-3497
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS
X v10.4.7, Mac OS X Server v10.4.7
Impact: Opening a maliciously-crafted archive may lead to an
application crash or arbitrary code execution
Description: An issue in Bom's compression state handling may
cause heap corruption. By carefully crafting a corrupt Zip
archive and persuading a victim to open it, an attacker may be
able to trigger this condition which could lead to an
application crash or arbitrary code execution. Note that Safari
will automatically open archives when "Open `safe' files after
downloading" is enabled. This update addresses the issue by
properly handling such malformed Zip archives. Credit to Tom
Ferris of Security-Protocols.com for reporting this issue.
DHCP
CVE-ID: CVE-2006-3498
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS
X v10.4.7, Mac OS X Server v10.4.7
Impact: When bootpd is enabled, a maliciously-crafted BOOTP
request may cause arbitrary code execution
Description: A stack buffer overflow exists in bootpd's request
processing. By carefully crafting a malicious BOOTP request, a
remote attacker may be able to trigger the overflow and cause
arbitrary code execution with the privileges of the system. Note
that bootpd is not enabled by default in Mac OS X, and must be
manually configured in order to be enabled. This update
addresses the issue by performing additional bounds checking.
dyld
CVE-ID: CVE-2006-3499
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS
X v10.4.7, Mac OS X Server v10.4.7
Impact: Malicious local users may influence dynamic linker
output with undesirable consequences
Description: Malicious local system users may specify dynamic
linker options that cause output to standard error. This output
contains informational content and potentially user-specified
content. As a result, privileged applications that parse or
reuse standard error may be influenced inappropriately. This
update addresses the issue by ignoring the problematic dynamic
linker options in privileged applications. Credit to Neil
Archibald of Suresec LTD for reporting this issue.
dyld
CVE-ID: CVE-2006-3500
Available for: Mac OS X v10.4.7, Mac OS X Server v10.4.7
Impact: Malicious local users may influence the loading of
dynamic libraries in order to gain elevated privileges
Description: An improperly handled condition in the dynamic
linker may lead to including dangerous paths when searching for
libraries to load into privileged applications. As a result,
malicious local users may cause the dynamic linker to load and
execute arbitrary code with elevated privileges. This update
addresses the issue by properly selecting search paths when
executing privileged applications. Credit to Neil Archibald of
Suresec LTD for reporting this issue.
fetchmail
CVE-ID: CVE-2005-2335, CVE-2005-3088, CVE-2005-4348,
CVE-2006-0321
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS
X v10.4.7, Mac OS X Server v10.4.7
Impact: Multiple issues in the fetchmail utility may lead to
denial of service or arbitrary code execution
Description: Several issues in the fetchmail utility were
discovered. The most serious issue could lead to arbitrary code
execution when fetching mail from a malicious POP3 mail server.
All issues are described at the fetchmail website
(fetchmail.berlios.de). This update addresses the issues by
updating fetchmail to version 6.3.4. In addition, fetchmail is
no longer distributed as a privileged utility.
gunzip
CVE-ID: CVE-2005-0988
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS
X v10.4.7, Mac OS X Server v10.4.7
Impact: Malicious local users may be able to modify permissions
of files owned by another user when the command line tool gunzip
is run
Description: A race condition may allow a malicious local user
to modify the permissions of files owned by another user
executing gunzip. This issue is only exploitable when executing
gunzip on files in directories that are modifiable by other
users. This update addresses the issue by properly handling
files while decompressing.
gunzip
CVE-ID: CVE-2005-1228
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS
X v10.4.7, Mac OS X Server v10.4.7
Impact: Decompressing maliciously-crafted files with "gunzip -N"
may lead to arbitrary file replacement or creation
Description: A directory traversal vulnerability is present in
the command line utility gunzip when it is used with the
non-default "-N" option. By carefully crafting a malicious
compressed file and persuading a user to open it with "gunzip
-N", an attacker may replace or create arbitrary files with the
privileges of the victim. This update addresses the issue by
properly stripping paths from files when decompressing.
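The path stripping described for CVE-2005-1228, as an added example that is not Apple's or gzip's code: it reads the original-name field from a gzip header (RFC 1952) and keeps only the last path component, which is the name "gunzip -N" should restore. The function names and the sample headers built by make_header are constructed for illustration.

```python
import struct

FEXTRA, FNAME = 0x04, 0x08   # RFC 1952 header flag bits


def stored_name(data: bytes):
    """Return the original file name stored in a gzip header, or None."""
    if len(data) < 10 or data[:2] != b"\x1f\x8b" or data[2] != 8:
        raise ValueError("not a deflate-compressed gzip member")
    flags = data[3]
    pos = 10                  # fixed part: magic, CM, FLG, MTIME, XFL, OS
    if flags & FEXTRA:        # optional extra field: 2-byte length + payload
        if pos + 2 > len(data):
            raise ValueError("truncated extra field")
        (xlen,) = struct.unpack_from("<H", data, pos)
        pos += 2 + xlen
    if not flags & FNAME:
        return None
    end = data.find(b"\x00", pos)
    if end == -1:
        raise ValueError("unterminated file name")
    return data[pos:end].decode("latin-1")   # names are ISO 8859-1


def safe_output_name(name: str, fallback: str) -> str:
    """Keep only the last path component; use fallback if none is usable."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    return fallback if base in ("", ".", "..") else base


def check(data: bytes, fallback: str):
    """Return (name to write, whether the stored name carried a path)."""
    name = stored_name(data)
    if name is None:
        return fallback, False
    safe = safe_output_name(name, fallback)
    return safe, safe != name


def make_header(name: bytes, flags: int = FNAME, extra: bytes = b"") -> bytes:
    """Constructed sample: a gzip header only, with no compressed data."""
    head = struct.pack("<2sBBIBB", b"\x1f\x8b", 8, flags, 0, 0, 3)
    if flags & FEXTRA:
        head += struct.pack("<H", len(extra)) + extra
    return head + (name + b"\x00" if flags & FNAME else b"")


if __name__ == "__main__":
    for sample in (b"report.txt", b"../../tmp/example.txt", b"/abs/name"):
        print(sample, "->", check(make_header(sample), "out"))
```

A scanner can flag any archive for which the second value is True before it is ever handed to "gunzip -N".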
Image RAW
CVE-ID: CVE-2006-0392
Available for: Mac OS X v10.4.7, Mac OS X Server v10.4.7
Impact: Viewing a maliciously-crafted Canon RAW image may lead
to an application crash or arbitrary code execution
Description: By carefully crafting a corrupt Canon RAW image, an
attacker can trigger a buffer overflow which may lead to an
application crash or arbitrary code execution. This update
addresses the issue by performing additional validation of Canon
RAW images. This issue does not affect systems prior to Mac OS X
v10.4.
ImageIO
CVE-ID: CVE-2006-3501
Available for: Mac OS X v10.4.7, Mac OS X Server v10.4.7
Impact: Viewing a maliciously-crafted Radiance image may lead to
an application crash or arbitrary code execution
Description: By carefully crafting a corrupt Radiance image, an
attacker can trigger an integer overflow which may lead to an
application crash or arbitrary code execution. This update
addresses the issue by performing additional validation of
Radiance images. This issue does not affect systems prior to Mac
OS X v10.4.
ImageIO
CVE-ID: CVE-2006-3502
Available for: Mac OS X v10.4.7, Mac OS X Server v10.4.7
Impact: Viewing a maliciously-crafted GIF image may lead to an
application crash or arbitrary code execution
Description: By carefully crafting a corrupt GIF image, an
attacker can trigger an undetected memory allocation failure
which may lead to an application crash or arbitrary code
execution. This update addresses the issue by performing
additional validation of GIF images. This issue does not affect
systems prior to Mac OS X v10.4.
ImageIO
CVE-ID: CVE-2006-3503
Available for: Mac OS X v10.4.7, Mac OS X Server v10.4.7
Impact: Viewing a maliciously-crafted GIF image may lead to an
application crash or arbitrary code execution
Description: By carefully crafting a corrupt GIF image, an
attacker can trigger an integer overflow which may lead to an
application crash or arbitrary code execution. This update
addresses the issue by performing additional validation of GIF
images. This issue does not affect systems prior to Mac OS X
v10.4. Credit to Tom Ferris of Security-Protocols.com for
reporting this issue.
LaunchServices
CVE-ID: CVE-2006-3504
Available for: Mac OS X v10.4.7, Mac OS X Server v10.4.7
Impact: Visiting a malicious web site could cause JavaScript to
execute in the local domain
Description: Download Validation may erroneously identify
certain files containing HTML as "safe". If such a file is
downloaded in Safari and Safari's "Open `safe' files after
downloading" option is enabled, the HTML document will
automatically be opened from a local URI. This would allow any
JavaScript code embedded in the document to bypass access
restrictions normally imposed on remote content. This update
provides additional checks to identify potentially malicious
file types so that they are not automatically opened. This issue
does not affect systems prior to Mac OS X v10.4.
OpenSSH
CVE-ID: CVE-2006-0393
Available for: Mac OS X v10.4.7, Mac OS X Server v10.4.7
Impact: When remote login is enabled, remote attackers may cause
a denial of service or determine whether an account exists
Description: Attempting to log in to an OpenSSH server ("Remote
Login") using a nonexistent account causes the authentication
process to hang. An attacker can exploit this behavior to detect
the existence of a particular account. A large number of such
attempts may lead to a denial of service. This update addresses
the issue by properly handling attempted logins by nonexistent
users. This issue does not affect systems prior to Mac OS X
v10.4. Credit to Rob Middleton of the Centenary Institute
(Sydney, Australia) for reporting this issue.
telnet
CVE-ID: CVE-2005-0488
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS
X v10.4.7, Mac OS X Server v10.4.7
Impact: When the command line tool telnet is used to connect to
a malicious TELNET server, environment variables may be
disclosed
Description: When connected to a TELNET server, the client may
send the contents of arbitrary environment variables to the
server if the server requests them. Some environment variables
may contain sensitive information that should not be sent over
the network. This update addresses the issue by ensuring that
only non-sensitive variables and variables that the user has
explicitly requested are shared with the server. Credit to
Gael Delalleau and iDEFENSE for reporting this issue.
WebKit
CVE-ID: CVE-2006-3505
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS
X v10.4.7, Mac OS X Server v10.4.7
Impact: Visiting a malicious web site may lead to arbitrary code
execution
Description: A maliciously-crafted HTML document could cause a
previously deallocated object to be accessed. This may lead to
an application crash or arbitrary code execution. This update
addresses the issue by properly handling such documents. Credit
to Jesse Ruderman of Mozilla Corporation for reporting this
issue.
Security Update 2006-004 may be obtained from the Software Update
pane in System Preferences, or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/
For Mac OS X v10.4.7 (PowerPC)
The download file is named: "SecUpd2006-004Ti.dmg"
Its SHA-1 digest is: bb8011f3e8f293b906751e6cb9b6b667730e4717
For Mac OS X v10.4.7 (Intel)
The download file is named: "SecUpd2006-004Intel.dmg"
Its SHA-1 digest is: 7e18919ee3f053abe063af288d135064ef75309f
For Mac OS X Server v10.4.7
The download file is named: "SecUpd2006-004Ti.dmg"
Its SHA-1 digest is: bb8011f3e8f293b906751e6cb9b6b667730e4717
For Mac OS X v10.3.9
The download file is named: "SecUpd2006-004Pan.dmg"
Its SHA-1 digest is: d27c67fb88143810d4d77d71a5c30de59a1a6942
For Mac OS X Server v10.3.9
The download file is named: "SecUpdSrvr2006-004Pan.dmg"
Its SHA-1 digest is: 411ca0d2ca827965644c3ed41dc0925fd280381e
Information will also be posted to the Apple Security Updates
web site:
http://docs.info.apple.com/article.html?artnum=61798
This message is signed with Apple's Product Security PGP key,
and details are available at:
http://www.apple.com/support/security/pgp/