
APPLE-SA-2008-09-15 Mac OS X v10.5.5 and Security Update 2008-006

Posted on 15 September 2008
Apple Security-announce

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

APPLE-SA-2008-09-15 Mac OS X v10.5.5 and Security Update 2008-006

Mac OS X v10.5.5 and Security Update 2008-006 are now available
and address the following issues:

ATS
CVE-ID: CVE-2008-2305
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5 through v10.5.4, Mac OS X Server v10.5 through v10.5.4
Impact: Viewing a document containing a maliciously crafted font may
lead to arbitrary code execution
Description: A heap buffer overflow exists in Apple Type Services'
handling of PostScript font names. Viewing a document containing a
maliciously crafted font may lead to arbitrary code execution. This
update addresses the issue by performing additional validation of
font names. Credit to Chris Ries of Carnegie Mellon University
Computing Services for reporting this issue.

BIND
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5 through v10.5.4, Mac OS X Server v10.5 through v10.5.4
Impact: BIND is updated to address performance issues
Description: BIND is updated to version 9.4.2-P2 to address
performance issues. For Mac OS X v10.4.11 systems, BIND is updated to
version 9.3.5-P2. For Mac OS X v10.5.4 systems, BIND is updated to
version 9.4.2-P2. Further information is available via the ISC web
site at http://www.isc.org/index.pl?/sw/bind/

ClamAV
CVE-ID: CVE-2008-1100, CVE-2008-1387, CVE-2008-0314, CVE-2008-1833,
CVE-2008-1835, CVE-2008-1836, CVE-2008-1837, CVE-2008-2713,
CVE-2008-3215
Available for: Mac OS X Server v10.4.11,
Mac OS X Server v10.5 through v10.5.4
Impact: Multiple vulnerabilities in ClamAV 0.92.1
Description: Multiple vulnerabilities exist in ClamAV 0.92.1, the
most serious of which may lead to arbitrary code execution. This
update addresses the issues by updating to ClamAV 0.93.3. Further
information is available via the ClamAV website at
http://www.clamav.net/

Directory Services
CVE-ID: CVE-2008-2329
Available for: Mac OS X v10.5 through v10.5.4,
Mac OS X Server v10.5 through v10.5.4
Impact: A person with access to the login screen may be able to list
user names
Description: An information disclosure issue exists in Login Window
when it is configured to authenticate users with Active Directory.
By supplying wildcard characters in the user name field, a list of
user names from Active Directory may be displayed. This update
addresses the issue through improved processing of user names in
Directory Services. Credit to IT Department of the West Seneca
Central School District for reporting this issue.

Directory Services
CVE-ID: CVE-2008-2330
Available for: Mac OS X Server v10.4.11,
Mac OS X Server v10.5 through v10.5.4
Impact: A local user may obtain the server password if an OpenLDAP
system administrator runs slapconfig
Description: An insecure file operation issue exists in the
slapconfig tool used for configuring OpenLDAP. A local user can cause
the password entered by a system administrator running slapconfig to
be written to a file controlled by the user. This update addresses
the issue by checking the return value of the mkfifo function.
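
The effect of an unchecked mkfifo() result, as an added example that is not Apple's slapconfig code: a path that already exists is opened as-is by the unchecked routine and refused by the checked one. The function names, the temporary directory and the pre-created file are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Unchecked: mkfifo()'s result is ignored. If something already exists at
 * path, mkfifo() fails with EEXIST and open() returns that object instead. */
static int open_fifo_unchecked(const char *path)
{
    (void)mkfifo(path, 0600);
    return open(path, O_RDONLY | O_NONBLOCK);
}

/* Checked: continue only if this call created the FIFO, then confirm the
 * opened descriptor really is a FIFO owned by the caller. */
static int open_fifo_checked(const char *path)
{
    struct stat st;
    int fd;
    if (mkfifo(path, 0600) != 0)
        return -1;                      /* EEXIST, EACCES, ...: stop here */
    fd = open(path, O_RDONLY | O_NONBLOCK | O_NOFOLLOW);
    if (fd >= 0 && fstat(fd, &st) == 0 &&
        S_ISFIFO(st.st_mode) && st.st_uid == geteuid())
        return fd;
    if (fd >= 0) close(fd);
    unlink(path);                       /* remove the FIFO we created */
    return -1;
}

/* Constructed scenario: preexisting=1 puts a regular file at the path first.
 * Returns 1 if a FIFO was opened, 0 if another object was, -1 if refused. */
static int run_case(int use_checked, int preexisting)
{
    char dir[] = "/tmp/fifo-demo-XXXXXX", path[64];
    struct stat st;
    int fd, result = -1;
    if (mkdtemp(dir) == NULL) return -2;
    snprintf(path, sizeof path, "%s/pw.fifo", dir);
    if (preexisting && (fd = open(path, O_CREAT | O_WRONLY, 0644)) >= 0)
        close(fd);
    fd = use_checked ? open_fifo_checked(path) : open_fifo_unchecked(path);
    if (fd >= 0) {
        result = (fstat(fd, &st) == 0 && S_ISFIFO(st.st_mode)) ? 1 : 0;
        close(fd);
    }
    unlink(path);
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("unchecked/pre-created=%d checked/pre-created=%d checked/clean=%d\n",
           run_case(0, 1), run_case(1, 1), run_case(1, 0));
    return 0;
}
```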

Finder
CVE-ID: CVE-2008-2331
Available for: Mac OS X v10.5 through v10.5.4,
Mac OS X Server v10.5 through v10.5.4
Impact: The Get Info window may not display the actual privileges
for a file
Description: Finder does not update the displayed permissions under
some circumstances in a Get Info window. After clicking the lock
button, changes to the filesystem Sharing & Permissions will take
effect, but will not be displayed. This update addresses the issue by
properly updating the displayed permissions when access privileges on
a file are changed. This issue does not affect systems prior to Mac
OS X v10.5. Credit to Michel Colman for reporting this issue.

Finder
CVE-ID: CVE-2008-3613
Available for: Mac OS X v10.5 through v10.5.4,
Mac OS X Server v10.5 through v10.5.4
Impact: An attacker with access to the local network may cause a
denial of service
Description: A null pointer dereference issue exists in the Finder
when it searches for a remote disc. An attacker with access to the
local network can cause Finder to exit immediately after it starts,
making the system unusable. This update addresses the issue by adding
a check for a null pointer. This issue only affects these
configurations: any product running Mac OS X v10.5.2, MacBook Air
running Mac OS X v10.5.3, and MacBook Air running Mac OS X v10.5.4.
Credit to Yuxuan Wang of Sogou for reporting this issue.

ImageIO
CVE-ID: CVE-2008-2327
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5 through v10.5.4, Mac OS X Server v10.5 through v10.5.4
Impact: Viewing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple uninitialized memory access issues exist in
libTIFF's handling of LZW-encoded TIFF images. Viewing a maliciously
crafted TIFF image may lead to an unexpected application termination
or arbitrary code execution. This update addresses the issue through
proper memory initialization and additional validation of TIFF
images.

ImageIO
CVE-ID: CVE-2008-2332
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5 through v10.5.4, Mac OS X Server v10.5 through v10.5.4
Impact: Viewing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in ImageIO's handling
of TIFF images. Viewing a maliciously crafted TIFF image may lead to
an unexpected application termination or arbitrary code execution.
This update addresses the issue through improved processing of TIFF
images. Credit to Robert Swiecki of Google Security Team for
reporting this issue.

ImageIO
CVE-ID: CVE-2008-3608
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5 through v10.5.4, Mac OS X Server v10.5 through v10.5.4
Impact: Viewing a large maliciously crafted JPEG image may lead to
an unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in ImageIO's handling
of embedded ICC profiles in JPEG images. Viewing a large maliciously
crafted JPEG image may lead to an unexpected application termination
or arbitrary code execution. This update addresses the issue through
improved processing of JPEG images.

ImageIO
CVE-ID: CVE-2008-1382
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5 through v10.5.4, Mac OS X Server v10.5 through v10.5.4
Impact: libpng in ImageIO is updated to version 1.2.29
Description: libpng in ImageIO is updated to version 1.2.29.
CVE-2008-1382 is not known to affect the use of libpng in ImageIO,
and this update is applied as a precautionary measure.

Kernel
CVE-ID: CVE-2008-3609
Available for: Mac OS X v10.5 through v10.5.4,
Mac OS X Server v10.5 through v10.5.4
Impact: Files may be accessed by a local user who does not have the
proper permissions
Description: Cached credentials are not always flushed when a vnode
is recycled. This may allow a local user to read or write to a file
where the permissions would not allow it. This update addresses the
issue through improved handling of purged vnodes. Credit to Nevin
":-)" Liber, Thomas Pelaia of Oak Ridge National Lab, Thomas
Tempelmann, and Ram Kolli for reporting this issue.

libresolv
CVE-ID: CVE-2008-1447
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5 through v10.5.4, Mac OS X Server v10.5 through v10.5.4
Impact: libresolv is susceptible to DNS cache poisoning and may
return forged information
Description: libresolv provides translation between host names and
IP addresses for applications that use its unicast DNS resolution
API. A weakness in the DNS protocol may allow remote attackers to
perform DNS cache poisoning attacks. As a result, applications that
rely on libresolv for DNS may receive forged information. This update
addresses the issue by implementing source port randomization to
improve resilience against cache poisoning attacks. Note that the
BIND tools, dig, host, and nslookup use their own resolver library
and are not addressed by this update. Credit to Dan Kaminsky of
IOActive for reporting this issue.

Login Window
CVE-ID: CVE-2008-3610
Available for: Mac OS X v10.5 through v10.5.4,
Mac OS X Server v10.5 through v10.5.4
Impact: A user may log in without providing a password
Description: A race condition exists in Login Window. To trigger
this issue, the system must have the Guest account enabled or another
account with no password. In a small proportion of attempts, an
attempt to log in to such an account will not complete. The user list
would then be presented again, and the person would be able to log in
as any user without providing a password. If the original account
were the Guest account, the contents of the new account will be
deleted on logout. This update addresses the issue by properly
clearing Login Window state when the login does not complete. This
issue does not affect systems prior to Mac OS X v10.5.

Login Window
CVE-ID: CVE-2008-3611
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11
Impact: A person with access to the login screen may be able to
change a user's password
Description: When a system has been configured to enforce policies
on login passwords, users may be required to change their password in
the login screen. If a password change fails, an error message is
displayed, but the current password is not cleared. This may not be
obvious to the user. If the user leaves the system unattended with
this error message displayed, a person with access to the login
screen may be able to reset that user's password. This update
addresses the issue by clearing the current password when returning
to the login screen. This issue does not affect systems running Mac
OS X v10.5 or later. Credit to Christopher A. Grande of Middlesex
Community College for reporting this issue.

mDNSResponder
CVE-ID: CVE-2008-1447
Available for: Mac OS X v10.5 through v10.5.4,
Mac OS X Server v10.5 through v10.5.4
Impact: mDNSResponder is susceptible to DNS cache poisoning and may
return forged information
Description: mDNSResponder provides translation between host names
and IP addresses for applications that use its unicast DNS resolution
API. A weakness in the DNS protocol may allow a remote attacker to
perform DNS cache poisoning attacks. As a result, applications that
rely on mDNSResponder for DNS may receive forged information. This
update addresses the issue by implementing source port and
transaction ID randomization to improve resilience against cache
poisoning attacks. Credit to Dan Kaminsky of IOActive for reporting
this issue.

OpenSSH
CVE-ID: CVE-2008-1483, CVE-2008-1657
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5 through v10.5.4, Mac OS X Server v10.5 through v10.5.4
Impact: Multiple vulnerabilities in OpenSSH, the most serious of
which is local X11 session control
Description: Multiple vulnerabilities exist in OpenSSH versions
provided with Mac OS X v10.4.11 and Mac OS X v10.5.4, the most
serious of which allows a local user to control another user's X11
session. This update addresses the issues by updating to OpenSSH
5.1p1. Further information is available via the OpenSSH web site at
http://www.openssh.com/security.html

QuickDraw Manager
CVE-ID: CVE-2008-3614
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5 through v10.5.4, Mac OS X Server v10.5 through v10.5.4
Impact: Opening a maliciously crafted PICT image may lead to an
unexpected application termination or arbitrary code execution
Description: An integer overflow exists in QuickDraw's handling of
PICT images. Opening a maliciously crafted PICT image may lead to an
unexpected application termination or arbitrary code execution. This
update addresses the issue by performing additional validation of
PICT images. Credit to an anonymous researcher working with the
iDefense VCP for reporting this issue.

Ruby
CVE-ID: CVE-2008-2376
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5 through v10.5.4, Mac OS X Server v10.5 through v10.5.4
Impact: Running a Ruby script that uses untrusted input as the
arguments to the Array#fill method may lead to an unexpected
application termination or arbitrary code execution
Description: An integer overflow exists in rb_ary_fill(), which
implements the Ruby Array#fill method. Running a Ruby script that
uses untrusted input as the arguments to the Array#fill method may
lead to an unexpected application termination or arbitrary code
execution. This update addresses the issue by performing additional
validation of the arguments to rb_ary_fill().
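
The kind of argument validation this entry describes, shown on a simplified growable array as an added example; it is not Ruby's rb_ary_fill() source. struct int_array, array_fill, fill_from_empty and the DEMO_MAX_ELEMS cap are hypothetical names and values chosen for the illustration.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

#define DEMO_MAX_ELEMS (1L << 20)   /* assumed element cap for this example */

struct int_array { long len, cap; int *items; };

/* Fill items[beg, beg+count) with value, growing the array if the range
 * runs past its end. Returns 0 on success, -1 if the arguments are rejected. */
static int array_fill(struct int_array *a, int value, long beg, long count)
{
    long end, i;
    int *p;

    if (beg < 0 || count < 0)
        return -1;
    if (count > LONG_MAX - beg)         /* beg + count would overflow */
        return -1;
    if (count == 0)
        return 0;
    end = beg + count;                  /* safe: checked above */
    if (end > DEMO_MAX_ELEMS)           /* keeps end * sizeof(int) in range */
        return -1;
    if (end > a->cap) {
        p = realloc(a->items, (size_t)end * sizeof *p);
        if (p == NULL)
            return -1;
        a->items = p;
        a->cap = end;
    }
    for (i = a->len; i < beg; i++)      /* zero any gap before the range */
        a->items[i] = 0;
    for (i = beg; i < end; i++)
        a->items[i] = value;
    if (end > a->len)
        a->len = end;
    return 0;
}

/* Runs one fill on an empty array; returns the new length, or -1 if the
 * arguments were rejected. */
static long fill_from_empty(long beg, long count)
{
    struct int_array a = {0, 0, NULL};
    long n = array_fill(&a, 7, beg, count) == 0 ? a.len : -1;
    free(a.items);
    return n;
}

int main(void)
{
    printf("fill(2,3) -> %ld\n", fill_from_empty(2, 3));
    printf("fill(LONG_MAX-1,4) -> %ld\n", fill_from_empty(LONG_MAX - 1, 4));
    return 0;
}
```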

SearchKit
CVE-ID: CVE-2008-3616
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5 through v10.5.4, Mac OS X Server v10.5 through v10.5.4
Impact: Applications passing untrusted input to the SearchKit API
may lead to an unexpected application termination or arbitrary code
execution
Description: Integer overflow issues exist in functions within the
SearchKit framework. Passing untrusted input to SearchKit via an
application may lead to an unexpected application termination or
arbitrary code execution. This update addresses the issue through
improved bounds checking.

System Configuration
CVE-ID: CVE-2008-2312
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11
Impact: A local user may obtain the PPP password
Description: Network Preferences stores PPP passwords unencrypted in
a world readable file, accessible to any local user. This update
addresses the issue by storing PPP passwords in the system keychain
when the password is changed. This issue does not affect systems
running Mac OS X v10.5 or later. Credit to Hernan Ochoa of Core
Security Technologies, Tore Halset of pvv.org, and Matt Johnston of
the University Computer Club for reporting this issue.

System Preferences
CVE-ID: CVE-2008-3617
Available for: Mac OS X v10.5 through v10.5.4,
Mac OS X Server v10.5 through v10.5.4
Impact: Users may be misled into believing their passwords are
stronger than they are
Description: Remote Management and Screen Sharing can be configured
to require a password for VNC viewers. The maximum length for VNC
viewer passwords is eight characters. The password field can display
more than eight characters, implying that the additional characters
are used in the password. This update addresses the issue by limiting
VNC viewer passwords to eight characters in the user interface.
Credit to Michal Fresel of hi competence e.U. for reporting this
issue.

System Preferences
CVE-ID: CVE-2008-3618
Available for: Mac OS X v10.5 through v10.5.4
Impact: Authenticated users may have unexpected remote access to
files and directories
Description: The File Sharing pane in the Sharing preference pane
does not fully convey the actual access privileges. A user may infer
that only the folders listed under 'Shared Folders' are accessible.
However, authenticated users may also access their home directories,
and administrators may access all disks on the system. This update
provides additional text to help explain the actual access
permissions. Systems prior to Mac OS X v10.5 did not display a list
of shared folders in the File Sharing pane. This issue does not
affect Mac OS X Server systems.

Time Machine
CVE-ID: CVE-2008-3619
Available for: Mac OS X v10.5 through v10.5.4,
Mac OS X Server v10.5 through v10.5.4
Impact: Backing up a system with Time Machine may lead to the
disclosure of sensitive information
Description: During the Time Machine Backup, several log files are
saved to the backup drive with read permission allowed to other
users. This may lead to the disclosure of sensitive information. This
update addresses the issue by applying more restrictive permissions
to saved log files. This issue does not affect systems prior to Mac
OS X v10.5. Credit to Edwin McKenzie for reporting this issue.

VideoConference
CVE-ID: CVE-2008-3621
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5 through v10.5.4, Mac OS X Server v10.5 through v10.5.4
Impact: Videoconferencing with a malicious user may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in the VideoConference
framework's handling of H.264 encoded media. Videoconferencing with a
malicious user may lead to an unexpected application termination or
arbitrary code execution. This update addresses the issue through
improved bounds checking.

Wiki Server
CVE-ID: CVE-2008-3622
Available for: Mac OS X v10.5 through v10.5.4,
Mac OS X Server v10.5 through v10.5.4
Impact: A remote attacker may cause persistent JavaScript injection
on a Wiki server
Description: The Wiki Server mailing list archive will execute
JavaScript code embedded in messages. A remote person may send an
email containing JavaScript code to a mailing list hosted on a Wiki
server. Viewing the message from the Wiki Server mailing list archive
will trigger the execution of the embedded JavaScript code on the
system of the person viewing the message. This update addresses the
issue by performing additional validation of emails. This issue does
not affect systems prior to Mac OS X v10.5. Credit to Leon von
Tippelskirch, and Matthias Wieczorek of the Chair for Applied
Software Engineering, TU Munich for reporting this issue.

Mac OS X v10.5.5 and Security Update 2008-006 may be obtained from
the Software Update pane in System Preferences, or Apple's Software
Downloads web site:
http://www.apple.com/support/downloads/

The Software Update utility will present the update that applies
to your system configuration. Only one is needed, either
Mac OS X v10.5.5 or Security Update 2008-006.

For Mac OS X v10.5.4
The download file is named: "MacOSXUpd10.5.5.dmg"
Its SHA-1 digest is: bd9bf9304a5b3162f391233fe74fc64f6dbc2bf5

For Mac OS X v10.5 - v10.5.3
The download file is named: "MacOSXUpdCombo10.5.5.dmg"
Its SHA-1 digest is: 91ac9b720ba3b4166e5dc1dd518b1651d77c0f46

For Mac OS X Server v10.5.4
The download file is named: "MacOSXServerUpd10.5.5.dmg"
Its SHA-1 digest is: 00264fd6990b568b5017f1244820d1eeebda8ab2

For Mac OS X Server v10.5 - v10.5.3
The download file is named: "MacOSXServerUpdCombo10.5.5.dmg"
Its SHA-1 digest is: cc463a4f2b2d2079fca56704057f407f86b96661

For Mac OS X v10.4.11 (Intel)
The download file is named: "SecUpd2008-006Intel.dmg"
Its SHA-1 digest is: c64a7aa8b13377b2066110fa86b4f879e0ca746b

For Mac OS X v10.4.11 (PowerPC)
The download file is named: "SecUpd2008-006PPC.dmg"
Its SHA-1 digest is: 61898bf315d04958aaf487bb92ba257d059a33ce

For Mac OS X Server v10.4.11 (Universal)
The download file is named: "SecUpdSrvr2008-006Univ.dmg"
Its SHA-1 digest is: 0309967cb7e6ae990bd3726e8af4abfeca776b63

For Mac OS X Server v10.4.11 (PowerPC)
The download file is named: "SecUpdSrvr2008-006PPC.dmg"
Its SHA-1 digest is: 61898bf315d04958aaf487bb92ba257d059a33ce

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key,
and details are available at:
http://www.apple.com/support/security/pgp/

 
