
UNIRAS Brief - 440/05 - Apple - Security Update 2005-006



 
-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------------------
   UNIRAS (UK Govt CERT) Briefing Notice - 440/05 dated 09.06.05  Time: 15:35  
  UNIRAS is part of NISCC (National Infrastructure Security Co-ordination Centre)
- ---------------------------------------------------------------------------------- 
  UNIRAS material is also available from its website at www.uniras.gov.uk and
         Information about NISCC is available from www.niscc.gov.uk
- ----------------------------------------------------------------------------------

Title
=====
Apple - Security Update 2005-006

Detail
====== 

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2005-06-08 Security Update 2005-006

Security Update 2005-006 is now available and delivers the following
security enhancements:

AFP Server
CVE-ID:  CAN-2005-1721
Available for:  Mac OS X v10.4.1, Mac OS X Server v10.4.1
Impact:  A buffer overflow in support for legacy clients could permit
the running of arbitrary code
Description:  The Mac OS X AFP Server supports a number of legacy
clients.  A buffer overflow in the support for one of these clients
could permit the running of arbitrary code.  This update modifies the
AFP Server to correct this buffer overflow.  This issue does not
affect systems prior to Mac OS X 10.4.

AFP Server
CVE-ID:  CAN-2005-1720
Available for:  Mac OS X v10.4.1, Mac OS X Server v10.4.1
Impact:  On an AFP server using an ACL enabled volume for storage,
the copying of a file with POSIX-only permissions can leave an ACL
attached
Description:  When copying a local file to an AFP Server that is
using an ACL enabled volume for storage, a temporary ACL is attached
to the remote object during the copy process.  This ACL can be left
behind if the file copy was into a directory that was not using ACLs.
The ACL that is left behind could cause confusion as it will
override the POSIX file permissions for the file owner.  The ACL does
not permit other users to access the file.  This update modifies the
AFP Server so that it correctly removes the ACL that is used for
copying the file.  This issue does not affect systems prior to Mac OS
X 10.4.

Bluetooth
CVE-ID:  CAN-2005-1333
Available for:  Mac OS X v10.4.1, Mac OS X Server v10.4.1, Mac OS X
v10.3.9, Mac OS X Server v10.3.9
Impact:  Directory traversal via Bluetooth object exchange
Description:  Due to insufficient input checking, the Bluetooth
object exchange services could be used to access files outside of the
default file exchange directory.  This update provides an additional
security improvement over the previous release by adding enhanced
filtering for path-delimiting characters.  Credit to
kf_lists[at]digitalmunition[dot]com for reporting this issue.

CoreGraphics
CVE-ID:  CAN-2005-1722
Available for:  Mac OS X v10.4.1, Mac OS X Server v10.4.1
Impact:  Applications using either PDFKit or CoreGraphics to render
poorly formed PDF documents could abort due to a NULL pointer
dereference.
Description:  If a poorly-formed PDF document is passed to PDFKit or
CoreGraphics for rendering, the rendering engine will detect an error
and stop processing.  As part of the cleanup process, a check for a
NULL pointer was omitted.  This omission can cause an application
that handles PDF documents to abort - requiring that the application
be restarted.  CoreGraphics is updated to correctly handle the
cleanup of poorly-formed PDF documents.  This issue does not affect
systems prior to Mac OS X 10.4.  Credit to Chris Evans for reporting
this issue.

CoreGraphics
CVE-ID:  CAN-2005-1726
Available for:  Mac OS X v10.4.1, Mac OS X Server v10.4.1
Impact:  Console users can gain root privileges
Description:  The CoreGraphics Window Server is updated to disallow
unprivileged users from launching commands into root sessions.  This
issue does not affect systems prior to Mac OS X v10.4.

Folder Permissions
CVE-ID:  CAN-2005-1727
Available for:  Mac OS X v10.4.1, Mac OS X Server v10.4.1
Impact:  Potential file race condition via world- and group-writable
permissions on two directories
Description:  Secure folder permissions are applied to protect the
system's cache folder and the Dashboard system widgets.  This
exposure does not exist in systems prior to Mac OS X v10.4.  Credit
to Michael Haller at info@xxxxxxxxx for reporting this issue.

launchd
CVE-ID:  CAN-2005-1725
Available for:  Mac OS X v10.4.1, Mac OS X Server v10.4.1
Impact:  The setuid program launchd can allow local privilege
escalation
Description:  A vulnerability in launchd allows local users to gain
ownership of arbitrary files.  The launchd command is updated to
safely change ownership of files.  Credit to Neil Archibald of
Suresec LTD for reporting this issue.  This issue does not affect
systems prior to Mac OS X v10.4.

LaunchServices
CVE-ID:  CAN-2005-1723
Available for:  Mac OS X v10.4.1, Mac OS X Server v10.4.1
Impact:  File extensions and mime types marked as unsafe but not
mapped to an Apple UTI could bypass download safety checks
Description:  Mac OS X 10.4 contains a database of known unsafe file
extensions and mime types.  If an addition to the database of unsafe
types was made, without a corresponding Apple UTI (Uniform Type
Identifier), then a query on certain forms of the file extension or
mime type would not be marked as unsafe.  All entries in the current
unsafe type database are mapped to an Apple UTI.  This update
corrects the query code to correctly identify unsafe file extensions
and mime types regardless of the presence of an Apple UTI.  This
issue does not affect systems prior to Mac OS X 10.4.

MCX Client
CVE-ID:  CAN-2005-1728
Available for:  Mac OS X v10.4.1, Mac OS X Server v10.4.1
Impact:  Portable Home Directory credentials may be available to
local system users
Description:  MCX Client is updated to not log portable home
directory mounting credentials.  This issue does not affect systems
prior to Mac OS X v10.4.

NFS
CVE-ID:  CAN-2005-1724
Available for:  Mac OS X v10.4.1, Mac OS X Server v10.4.1
Impact:  An NFS export restricted using -network / -mask flags will
export to "everyone"
Description:  The use of -network and -mask on a filesystem listed in
the NFS exports file would result in that filesystem being exported
to "everyone".  This update modifies the NFS exporting code to
correctly set the network and mask parameters.  This issue does not
affect systems prior to Mac OS X 10.4.
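
An added example, not part of the Apple or UNIRAS text: a small audit that lists which entries in an exports file use -network or -mask, so an administrator can see which exports were exposed by this issue until the update is applied. It assumes BSD exports(5) syntax (both "-network X" and "-network=X" forms, "#" comments, backslash continuations); the sample paths and networks are constructed.

```python
import re

# Constructed sample in BSD exports(5) style; paths and networks are made up.
SAMPLE_EXPORTS = """\
# constructed sample
/Volumes/Projects -network 192.168.10.0 -mask 255.255.255.0
/Volumes/Scratch -maproot=nobody \\
    -network=10.1.0.0 -mask=255.255.0.0
/Volumes/Public -ro
/Users/Shared host1.example.com host2.example.com
"""

# Match -network / -mask as whole options, in "-flag value" or "-flag=value" form.
FLAG_RE = re.compile(r'(?<!\S)-(network|mask)(?=[=\s]|$)')

def logical_lines(text):
    """Yield (first_line_number, line) with comments dropped and
    backslash-continued lines joined into one logical entry."""
    buf, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        if start is None:
            start = n
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield start, buf.strip()
        buf, start = "", None
    if buf.strip():
        yield start, buf.strip()

def affected_exports(text):
    """Return (line_number, exported_path, flags) for every entry that
    relies on -network/-mask to restrict who may mount it."""
    findings = []
    for n, line in logical_lines(text):
        flags = sorted(set(FLAG_RE.findall(line)))
        if flags:
            findings.append((n, line.split()[0], flags))
    return findings

if __name__ == "__main__":
    for n, path, flags in affected_exports(SAMPLE_EXPORTS):
        print(f"line {n}: {path} restricted only by -{' -'.join(flags)}")
```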

PHP
CVE-ID:  CAN-2005-0524, CAN-2005-0525, CAN-2005-1042, CAN-2005-1043
Available for:  Mac OS X v10.4.1, Mac OS X Server v10.4.1, Mac OS X
v10.3.9, Mac OS X Server v10.3.9
Impact:  Multiple vulnerabilities in PHP, including remote denial of
service and execution of arbitrary code
Description:  PHP is updated to version 4.3.11 to address several
issues. The PHP release announcement for version 4.3.11 is located at
http://www.php.net/release_4_3_11.php

VPN
CVE-ID:  CAN-2005-1343
Available for:  Mac OS X v10.4.1, Mac OS X Server v10.4.1
Impact:  A local user can obtain root privileges if the system is
being used as a VPN server
Description:  A buffer overflow in "vpnd" could be used by a local
user to obtain root privileges if the system is configured as a VPN
server.  This problem does not occur on systems that are configured
as a VPN client.  This issue cannot be exploited remotely.  This
update prevents the buffer overflow from occurring.  This issue was
fixed for Mac OS X v10.3.9 via Security Update 2005-005.  Credit to
Pieter de Boer of the master SNB at the Universiteit van Amsterdam
(UvA) for reporting this issue.

Security Update 2005-006 may be obtained from the Software Update
pane in System Preferences, or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/

For Mac OS X v10.4.1 and Mac OS X Server v10.4.1
The download file is named:  "SecUpd2005-006Ti.dmg"
Its SHA-1 digest is:  89e432a13fc3de743b9444e2a33f3e989ceccdb4

For Mac OS X v10.3.9 and Mac OS X Server v10.3.9
The download file is named:  "SecUpd2005-006Pan.dmg"
Its SHA-1 digest is:  f897fbac3e12f9191356a06247b46f42a1d7312a

Information will also be posted to the Apple Product Security
web site:
http://docs.info.apple.com/article.html?artnum=61798

This message is signed with Apple's Product Security PGP key,
and details are available at:
http://www.apple.com/support/security/pgp/

- -----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.0.0 (Build 2001)

- -----END PGP SIGNATURE-----



- ----------------------------------------------------------------------------------

For additional information or assistance, please contact the HELP Desk by 
telephone. Not Protectively Marked information may be sent via 
EMail to: uniras@xxxxxxxxxxxx

Office Hours:
Mon - Fri: 08:30 - 17:00 Hrs
Tel: +44 (0) 870 487 0748 Ext 4511
Fax: +44 (0) 870 487 0749

Outside of Office Hours:
On Call Duty Officer:
Tel: +44 (0) 870 487 0748 and follow the prompts

- ----------------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of Apple for the information 
contained in this Briefing. 
- ----------------------------------------------------------------------------------
This Briefing contains the information released by the original author. Some 
of the information may have changed since it was released. If the vulnerability 
affects you, it may be prudent to retrieve the advisory from the canonical site 
to ensure that you receive the most current information concerning that problem.

Reference to any specific commercial product, process, or service by trade 
name, trademark, manufacturer, or otherwise, does not constitute or imply 
its endorsement, recommendation, or favouring by UNIRAS or NISCC.  The views 
and opinions of authors expressed within this notice shall not be used for 
advertising or product endorsement purposes.

Neither UNIRAS nor NISCC shall accept responsibility for any errors 
or omissions contained within this briefing notice. In particular, they shall 
not be liable for any loss or damage whatsoever, arising from or in connection 
with the usage of information contained within this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST) 
and has contacts with other international Incident Response Teams (IRTs) in 
order to foster cooperation and coordination in incident prevention, to prompt 
rapid reaction to incidents, and to promote information sharing amongst its 
members and the community at large. 
- ----------------------------------------------------------------------------------
<End of UNIRAS Briefing>

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

-----END PGP SIGNATURE-----


______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email 
______________________________________________________________________