
APPLE-SA-2011-03-02-1 iTunes 10.2

Posted on 02 March 2011
Apple Security-announce

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2011-03-02-1 iTunes 10.2

iTunes 10.2 is now available and addresses the following:

ImageIO
Available for: Windows 7, Vista, XP SP2 or later
Impact: Multiple vulnerabilities in libpng
Description: libpng is updated to version 1.4.3 to address multiple
vulnerabilities, the most serious of which may lead to arbitrary code
execution. For Mac OS X v10.5 systems, this is addressed in Security
Update 2010-007. Further information is available via the libpng
website at http://www.libpng.org/pub/png/libpng.html
CVE-ID
CVE-2010-1205
CVE-2010-2249

ImageIO
Available for: Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted JPEG image may lead to an
unexpected application termination or arbitrary code execution
Description: A heap buffer overflow issue existed in ImageIO's
handling of JPEG images. Viewing a maliciously crafted JPEG image may
lead to an unexpected application termination or arbitrary code
execution.
CVE-ID
CVE-2011-0170 : Andrzej Dyjak working with iDefense VCP

ImageIO
Available for: Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted TIFF image may result in an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in libTIFF's handling of JPEG
encoded TIFF images. Viewing a maliciously crafted TIFF image may
result in an unexpected application termination or arbitrary code
execution.
CVE-ID
CVE-2011-0191 : Apple

ImageIO
Available for: Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted TIFF image may result in an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in libTIFF's handling of
CCITT Group 4 encoded TIFF images. Viewing a maliciously crafted TIFF
image may result in an unexpected application termination or
arbitrary code execution.
CVE-ID
CVE-2011-0192 : Apple

libxml
Available for: Windows 7, Vista, XP SP2 or later
Impact: Processing a maliciously crafted XML file may lead to an
unexpected application termination or arbitrary code execution
Description: A double free issue existed in libxml's handling of
XPath expressions. Processing a maliciously crafted XML file may lead
to an unexpected application termination or arbitrary code execution.
CVE-ID
CVE-2010-4494 : Yang Dingning of NCNIPC, Graduate University of
Chinese Academy of Sciences

libxml
Available for: Windows 7, Vista, XP SP2 or later
Impact: Processing a maliciously crafted XML file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in libxml's XPath
handling. Processing a maliciously crafted XML file may lead to an
unexpected application termination or arbitrary code execution.
CVE-ID
CVE-2010-4008 : Bui Quang Minh from Bkis (www.bkis.com)

WebKit
Available for: Windows 7, Vista, XP SP2 or later
Impact: A man-in-the-middle attack may lead to an unexpected
application termination or arbitrary code execution
Description: Multiple memory corruption issues exist in WebKit. A
man-in-the-middle attack while browsing the iTunes Store via iTunes
may lead to an unexpected application termination or arbitrary code
execution.
CVE-ID
CVE-2010-1824 : kuzzcc, and wushi of team509 working with
TippingPoint's Zero Day Initiative
CVE-2011-0111 : Sergey Glazunov
CVE-2011-0112 : Yuzo Fujishima of Google Inc.
CVE-2011-0113 : Andreas Kling of Nokia
CVE-2011-0114 : Chris Evans of Google Chrome Security Team
CVE-2011-0115 : J23 working with TippingPoint's Zero Day Initiative,
and Emil A Eklund of Google, Inc
CVE-2011-0116 : an anonymous researcher working with TippingPoint's
Zero Day Initiative
CVE-2011-0117 : Abhishek Arya (Inferno) of Google, Inc.
CVE-2011-0118 : Abhishek Arya (Inferno) of Google, Inc.
CVE-2011-0119 : Abhishek Arya (Inferno) of Google, Inc.
CVE-2011-0120 : Abhishek Arya (Inferno) of Google, Inc.
CVE-2011-0121 : Abhishek Arya (Inferno) of Google, Inc.
CVE-2011-0122 : Slawomir Blazek
CVE-2011-0123 : Abhishek Arya (Inferno) of Google, Inc.
CVE-2011-0124 : Yuzo Fujishima of Google Inc.
CVE-2011-0125 : Abhishek Arya (Inferno) of Google, Inc.
CVE-2011-0126 : Mihai Parparita of Google, Inc.
CVE-2011-0127 : Abhishek Arya (Inferno) of Google, Inc.
CVE-2011-0128 : David Bloom
CVE-2011-0129 : Famlam
CVE-2011-0130 : Apple
CVE-2011-0131 : wushi of team509
CVE-2011-0132 : wushi of team509 working with TippingPoint's Zero Day
Initiative
CVE-2011-0133 : wushi of team509 working with TippingPoint's Zero Day
Initiative
CVE-2011-0134 : Jan Tosovsky
CVE-2011-0135 : an anonymous reporter
CVE-2011-0136 : Sergey Glazunov
CVE-2011-0137 : Sergey Glazunov
CVE-2011-0138 : kuzzcc
CVE-2011-0139 : kuzzcc
CVE-2011-0140 : Sergey Glazunov
CVE-2011-0141 : Chris Rohlf of Matasano Security
CVE-2011-0142 : Abhishek Arya (Inferno) of Google, Inc.
CVE-2011-0143 : Slawomir Blazek and Sergey Glazunov
CVE-2011-0144 : Emil A Eklund of Google, Inc.
CVE-2011-0145 : Abhishek Arya (Inferno) of Google, Inc.
CVE-2011-0146 : Abhishek Arya (Inferno) of Google, Inc.
CVE-2011-0147 : Dirk Schulze
CVE-2011-0148 : Michal Zalewski of Google, Inc.
CVE-2011-0149 : wushi of team509 working with TippingPoint's Zero Day
Initiative, and SkyLined of Google Chrome Security Team
CVE-2011-0150 : Michael Gundlach of safariadblock.com
CVE-2011-0151 : Abhishek Arya (Inferno) of Google, Inc.
CVE-2011-0152 : SkyLined of Google Chrome Security Team
CVE-2011-0153 : Abhishek Arya (Inferno) of Google, Inc.
CVE-2011-0154 : an anonymous researcher working with TippingPoint's
Zero Day Initiative
CVE-2011-0155 : Aki Helin of OUSPG
CVE-2011-0156 : Abhishek Arya (Inferno) of Google, Inc.
CVE-2011-0164 : Apple
CVE-2011-0165 : Sergey Glazunov
CVE-2011-0168 : Sergey Glazunov


iTunes 10.2 may be obtained from:
http://www.apple.com/itunes/download/

For Mac OS X:
The download file is named: "iTunes10.2.dmg"
Its SHA-1 digest is: 35da52c03a478d7ff325e67d589e48afd195c9ab

For Windows XP / Vista / Windows 7:
The download file is named: "iTunesSetup.exe"
Its SHA-1 digest is: 1f40939eaca43648e55c137be220fa391bb48c6c

For 64-bit Windows XP / Vista / Windows 7:
The download file is named: "iTunes64Setup.exe"
Its SHA-1 digest is: efc23fc7d92eb95a1f2588b8a6506d99b726c9ea
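One way to check a downloaded installer against the digests listed above before deploying it, as an added example that is not part of Apple's advisory: the file names and SHA-1 values are the ones published here, while the script and its function names are assumptions.

```python
# Added example (not part of Apple's advisory): verify that a downloaded
# iTunes 10.2 installer matches the SHA-1 digest published in the advisory.
# File names and digests are copied from APPLE-SA-2011-03-02-1.
import hashlib
import hmac
import os
from typing import Iterable

# Expected SHA-1 digests exactly as published in the advisory.
EXPECTED_DIGESTS = {
    "iTunes10.2.dmg": "35da52c03a478d7ff325e67d589e48afd195c9ab",
    "iTunesSetup.exe": "1f40939eaca43648e55c137be220fa391bb48c6c",
    "iTunes64Setup.exe": "efc23fc7d92eb95a1f2588b8a6506d99b726c9ea",
}


def sha1_from_chunks(chunks: Iterable[bytes]) -> str:
    """Hash a stream incrementally so a large installer need not fit in memory."""
    h = hashlib.sha1()
    for chunk in chunks:
        h.update(chunk)
    return h.hexdigest()


def read_chunks(path: str, size: int = 1 << 20) -> Iterable[bytes]:
    """Yield the file in 1 MiB blocks."""
    with open(path, "rb") as f:
        while True:
            block = f.read(size)
            if not block:
                return
            yield block


def digest_matches(actual_hex: str, expected_hex: str) -> bool:
    """Case-insensitive comparison of two hex digests without early exit."""
    return hmac.compare_digest(actual_hex.lower(), expected_hex.lower())


def verify_download(path: str) -> bool:
    """True only if the file name is one the advisory lists AND its SHA-1 matches."""
    name = os.path.basename(path)
    expected = EXPECTED_DIGESTS.get(name)
    if expected is None:
        return False  # unknown file name: do not trust it by default
    return digest_matches(sha1_from_chunks(read_chunks(path)), expected)


if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        print(f"{p}: {'OK' if verify_download(p) else 'MISMATCH'}")
```

A mismatch means the file should not be installed; re-download it from the URL above rather than retrying the check.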

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

 
