Home / mailings APPLE-SA-2007-10-30 Xcode 2.5 Developer Tools
Posted on 30 October 2007
Apple Security-announce-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
APPLE-SA-2007-10-30 Xcode 2.5 Developer Tools
Xcode 2.5 Developer Tools is now available and addresses the
following issues:
gdb
CVE-ID: CVE-2006-2362
Available for: Mac OS X v10.4.x, Mac OS X v10.5
Impact: Processing a file with maliciously crafted TekHex content
may lead to an unexpected application termination or arbitrary code
execution
Description: A buffer overflow exists in gdb's handling of files
with Tektronix Hex Format (TekHex) content. By enticing a user to run
gdb's "restore" command on a maliciously crafted TekHex file, an
attacker may cause an unexpected application termination or arbitrary
code execution. This update addresses the issue by performing
additional validation of TekHex records.
WebObjects
CVE-ID: CVE-2006-5327, CVE-2006-5328
Available for: Mac OS X v10.4.x, Mac OS X v10.5
Impact: An uprivileged local user may be able to obtain system
privileges
Description: The Xcode WebObjects package contains a demo version of
OpenBase for use with WebObjects example code. This demo version of
OpenBase may allow a local user to obtain system privileges. This
update addresses the issue by disabling the Apple-provided demo
version of OpenBase. Credit to Kevin Finisterre of Netragard for
reporting these issues.
Xcode 2.5 Developer Tools may be obtained from the Apple Developer
web site:
http://developer.apple.com/tools/download/
Login is required, and membership is free.
The download file is named: "xcode25_8m2558_developerdvd.dmg"
Its SHA-1 digest is: 30884704b0a4b098f02ccbb753958cd5331b8982
Information will also be posted to the Apple Product Security
web site:
http://docs.info.apple.com/article.html?artnum=61798
This message is signed with Apple's Product Security PGP key,
and details are available at:
http://www.apple.com/support/security/pgp/
