Avis du CERT RENATER

Par défaut, cette page vous affichera les derniers messages envoyés par le CERT RENATER à la communauté. Vous pouvez affiner par année ou par type de message. Si aucun critère n'est précisé, seuls les derniers messages sont affichés
Date : Fri, 12 May 2006 11:01:53 +0200
Type : VULN
Sujet : CERT-Renater : 2006/VULN245 (APPLE: APPLE-SA-2006-05-11 Security Update 2006-003)
====================================================================                                    CERT-Renater

                         Note d'Information No. 2006/VULN245
_____________________________________________________________________

DATE                      : 12/05/2006

HARDWARE PLATFORM(S)      : APPLE.

OPERATING SYSTEM(S)       : Mac OS X.

======================================================================

APPLE-SA-2006-05-11 Security Update 2006-003

Security Update 2006-003 is now available and addresses the following
issues:

AppKit
CVE-ID:  CVE-2006-1439
Available for:  Mac OS X v10.4.6, Mac OS X Server v10.4.6
Impact:  Characters entered into a secure text field can be read
by other applications in the same window session
Description:  Under certain circumstances when switching between
text input fields, NSSecureTextField may fail to re-enable
secure event input. This may allow other applications in the
same window session to see some input characters and keyboard
events. This update addresses the issue by ensuring secure event
input is properly enabled. This issue does not affect systems
prior to Mac OS X v10.4.

AppKit, ImageIO
CVE-ID:  CVE-2006-1982, CVE-2006-1983, CVE-2006-1984
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS
X v10.4.6, Mac OS X Server v10.4.6
Impact:  Viewing a maliciously-crafted GIF or TIFF image may lead
to arbitrary code execution
Description:  The handling of malformed GIF or TIFF image may
lead to arbitrary code execution when parsing a
maliciously-crafted image. This affects applications that use
the ImageIO (Mac OS X v10.4 Tiger) or AppKit (Mac OS X v10.3
Panther) framework to read images. This update addresses the
issue by performing additional validation of GIF and TIFF
images.

BOM
CVE-ID:  CVE-2006-1985
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS
X v10.4.6, Mac OS X Server v10.4.6
Impact:  Expanding an archive may lead to arbitrary code
execution
Description:  By carefully crafting an archive (such as a Zip
archive) containing long path names, an attacker may be able to
trigger a heap buffer overflow in BOM. This may result in
arbitrary code execution. BOM is used to handle archives in
Finder and other applications. This update adresses the issue by
properly handling the boundary conditions.

BOM
CVE-ID:  CVE-2006-1440
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS
X v10.4.6, Mac OS X Server v10.4.6
Impact:  Expanding a malicious archive may cause arbitrary files
to be created or overwritten
Description:  An issue in the handling of directory traversal
symbolic links encountered in archives may cause BOM to create
or overwrite files in arbitrary locations accessible to the user
expanding the archive. BOM handles archives on behalf of Finder
and other applications. This update addresses the issue by
ensuring that files expanded from an archive are not placed
outside the destination directory.

CFNetwork
CVE-ID:  CVE-2006-1441
Available for:  Mac OS X v10.4.6, Mac OS X Server v10.4.6
Impact:  Visiting malicious web sites may lead to arbitrary code
execution
Description:  An integer overflow in the handling of chunked
transfer encoding could lead to arbitrary code execution.
CFNetwork is used by Safari and other applications. This update
addresses the issue by performing additional validation. The
issue does not affect systems prior to Mac OS X v10.4.

ClamAV
CVE-ID:  CVE-2006-1614, CVE-2006-1615, CVE-2006-1630
Available for:  Mac OS X Server v10.4.6
Impact:  Processing maliciously-crafted email messages with
ClamAV may lead to arbitrary code execution
Description:  The ClamAV virus scanning software has been updated
to incorporate security fixes in the latest release. ClamAV was
introduced in Mac OS X Server v10.4 for email scanning. The most
severe of these issues could lead to arbitrary code execution
with the privileges of ClamAV. For more information, see the
project web site at http://www.clamav.net.

CoreFoundation
CVE-ID:  CVE-2006-1442
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS
X v10.4.6, Mac OS X Server v10.4.6
Impact:  Registration of an untrusted bundle may lead to
arbitrary code execution
Description:  Under certain circumstances, bundles are implicitly
registered by applications or the system. A feature of the
bundle API allows dynamic libraries to load and execute when a
bundle is registered, even if the client application does not
explicitly request it. As a result, arbitrary code may be
executed from an untrusted bundle without explicit user
interaction. This update addresses the issue by only loading and
executing libraries from the bundle at the appropriate time.

CoreFoundation
CVE-ID:  CVE-2006-1443
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS
X v10.4.6, Mac OS X Server v10.4.6
Impact:  String conversions to file system representation may
lead to arbitrary code execution
Description:  An integer underflow during the processing of a
boundary condition in CFStringGetFileSystemRepresentation may
lead to arbitrary code execution. Applications that use this API
or one of the related APIs such as NSFileManager's
getFileSystemRepresentation:maxLength:withPath: may trigger the
issue and lead to arbitrary code execution. This update adresses
the issue by properly handling the boundary conditions.

CoreGraphics
CVE-ID:  CVE-2006-1444
Available for:  Mac OS X v10.4.6, Mac OS X Server v10.4.6
Impact:  Characters entered into a secure text field can be read
by other applications in the same window session
Description:  Quartz Event Services provides applications with
the ability to observe and alter low-level user input events.
Normally, applications cannot intercept events when secure event
input is enabled. However, if "Enable access for assistive
devices" is on, Quartz Event Services can be used to intercept
events even when secure event input is enabled. This update
addresses the issue by filtering events when secure event input
is enabled. This issue does not affect systems prior to Mac OS X
v10.4. Credit to Damien Bobillot for reporting this issue.

Finder
CVE-ID:  CVE-2006-1448
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS
X v10.4.6, Mac OS X Server v10.4.6
Impact:  Launching an Internet Location item may lead to
arbitrary code execution
Description:  Internet Location items are simple URL containers
which may reference http://, ftp://, and file:// URLs, as well
as a few other URL schemes. These different types of Internet
Location items are visually distinct, and meant to be safe to
explicitly launch. However, the scheme of the URL may be
different than the Internet Location type. As a result, an
attacker may be able to convince a user to launch a supposedly
benign item (such as a Web Internet Location, http://), with the
result that some other URL scheme is actually used. In certain
circumstances, this may lead to arbitrary code execution. This
update addresses the issues by restricting the URL scheme based
on the Internet Location type.

FTPServer
CVE-ID:  CVE-2006-1445
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS
X v10.4.6, Mac OS X Server v10.4.6
Impact:  FTP operations by authenticated FTP users may lead to
arbitrary code execution
Description:  Multiple issues in FTP server path name handling
could result in a buffer overflow. A malicious authenticated
user may be able to trigger this overflow which may lead to
arbitrary code execution with the privileges of the FTP server.
This update adresses the issue by properly handling the boundary
conditions.

Flash Player
CVE-ID:  CVE-2005-2628, CVE-2006-0024
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS
X v10.4.6, Mac OS X Server v10.4.6
Impact:  Playing Flash content may lead to arbitrary code
execution
Description:  Flash Player contains critical vulnerabilities that
may lead to arbitrary code execution when specially-crafted
files are loaded. Further information is available via the
Macromedia web site at www.macromedia.com. This update addresses
the issue by incorporating Flash Player version 8.0.24.0.

ImageIO
CVE-ID:  CVE-2006-1552
Available for:  Mac OS X v10.4.6, Mac OS X Server v10.4.6
Impact:  Viewing a maliciously-crafted JPEG image may lead to
arbitrary code execution
Description:  An integer overflow in the processing of JPEG
metadata may result in a heap buffer overflow. By carefully
crafting an image with malformed JPEG metadata, an attacker may
be able to cause arbitrary code execution when the image is
viewed. This update addresses the issue by performing additional
validation of images. This issue does not affect systems prior
to Mac OS X v10.4. Credit to Brent Simmons of NewsGator
Technologies, Inc. for reporting this issue.

Keychain
CVE-ID:  CVE-2006-1446
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS
X v10.4.6, Mac OS X Server v10.4.6
Impact:  An application may be able to use Keychain items when
the Keychain is locked
Description:  When a Keychain is locked, it is not possible for
applications to access the Keychain items it contains without
first requesting that the Keychain be unlocked. However, an
application that has obtained a reference to a Keychain item
prior to the Keychain being locked may, in certain
circumstances, be able to continue using that Keychain item
regardless of whether the Keychain is locked or unlocked. This
update addresses the issue by rejecting requests to use Keychain
items when the Keychain is locked. Credit to Tobias Hahn of HU
Berlin for reporting this issue.

LaunchServices
CVE-ID:  CVE-2006-1447
Available for:  Mac OS X v10.4.6, Mac OS X Server v10.4.6
Impact:  Viewing a malicious web site may lead to arbitrary code
execution
Description:  Long file name extensions may prevent Download
Validation from correctly determining the application with which
an item may be opened. As a result, an attacker may be able to
bypass Download Validation and cause Safari to automatically
open unsafe content if the "Open `safe' files after downloading"
option is enabled and certain applications are not installed.
This update addresses the issue through improved checking of the
file name extension. This issue does not affect systems prior to
Mac OS X v10.4.

libcurl
CVE-ID:  CVE-2005-4077
Available for:  Mac OS X v10.4.6, Mac OS X Server v10.4.6
Impact:  URL handling in libcurl may lead to arbitrary code
execution
Description:  The open source HTTP library libcurl contains
buffer overflows in URL handling. Applications using curl for
URL handling may trigger the issue and lead to arbitrary code
execution. This update addresses the issue by incorporating
libcurl version 7.15.1. This issue does not affect systems prior
to Mac OS X v10.4.

Mail
CVE-ID:  CVE-2006-1449
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS
X v10.4.6, Mac OS X Server v10.4.6
Impact:  Viewing a malicious mail message may lead to arbitrary
code execution
Description:  By preparing a specially-crafted email message with
MacMIME encapsulated attachments, an attacker may trigger an
integer overflow. This may lead to arbitrary code execution with
the privileges of the user running Mail. This issue corrects the
issue by performing additional validation of messages.

Mail
CVE-ID:  CVE-2006-1450
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS
X v10.4.6, Mac OS X Server v10.4.6
Impact:  Viewing a malicious mail message may lead to arbitrary
code execution
Description:  The handling of invalid color information in
enriched text email messages could cause the allocation and
initialization of arbitrary classes. This may lead to arbitrary
code execution with the privileges of the user running Mail.
This update addresses the issue by properly handling malformed
enriched text data.

MySQL Manager
CVE-ID:  CVE-2006-1451
Available for:  Mac OS X Server v10.4.6
Impact:  MySQL database may be accessed with an empty password
Description:  During the initial setup of a MySQL database server
using MySQL Manager, the "New MySQL root password" may be
supplied. However, this password is not actually used. As a
result, the MySQL root password will remain empty. A local user
may then obtain access to the MySQL database with full
privileges. This update addresses the issue by ensuring that the
entered password is saved. This issue does not affect systems
prior to Mac OS X Server v10.4. Credit to Ben Low of the
University of New South Wales for reporting this issue.

Preview
CVE-ID:  CVE-2006-1452
Available for:  Mac OS X v10.4.6, Mac OS X Server v10.4.6
Impact:  Navigating a maliciously-crafted directory hierarchy may
lead to arbitrary code execution
Description:  When navigating very deep directory hierarchies in
Preview, a stack buffer overflow may be trigger. By carefully
crafting such a directory hierarchy, it may be possible for an
attacker to cause arbitrary code execution if the directories
are opened in Preview. This issue does not affect systems prior
to Mac OS X v10.4.

QuickDraw
CVE-ID:  CVE-2006-1453, CVE-2006-1454
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS
X v10.4.6, Mac OS X Server v10.4.6
Impact:  Viewing a maliciously-crafted PICT image may lead to
arbitrary code execution
Description:  Two issues affect QuickDraw when processing PICT
images. Malformed font information may cause a stack buffer
overflow, and malformed image data may cause a heap buffer
overflow. By carefully crafting a malicious PICT image, an
attacker may be able to cause arbitrary code execution when the
image is viewed. This update addresses the issue by performing
additional validation of PICT images. Credit to Mike Price of
McAfee AVERT Labs for reporting this issue.

QuickTime Streaming Server
CVE-ID:  CVE-2006-1455
Available for:  Mac OS X Server v10.3.9, Mac OS X Server v10.4.6
Impact:  A malformed QuickTime movie can cause QuickTime
Streaming Server to crash
Description:  A QuickTime movie that has a missing track may
cause a null pointer dereference, causing the server process to
crash. This causes active client connections to be interrupted.
However, the server is restarted automatically. This update
addresses the issue by producing an error when malformed movies
are encountered.

QuickTime Streaming Server
CVE-ID:  CVE-2006-1456
Available for:  Mac OS X Server v10.3.9, Mac OS X Server v10.4.6
Impact:  Maliciously-crafted RTSP requests may lead to crashes or
arbitrary code execution
Description:  By carefully crafting an RTSP request, an attacker
may be able to trigger a buffer overflow during message logging.
This may lead to the arbitrary code execution with the
privileges of the QuickTime Streaming Server. This update
adresses the issue by properly handling the boundary conditions.
Credit to the Mu Security research team for reporting this
issue.

Ruby
CVE-ID:  CVE-2005-2337
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS
X v10.4.6, Mac OS X Server v10.4.6
Impact:  Ruby safe level restrictions may be bypassed
Description:  The Ruby scripting language contains a mechanism
called "safe levels" that is used to restrict certain
operations. This mechanism is most commonly used when running
privileged Ruby applications or Ruby network applications. In
certain circumstances, an attacker may be able to bypass the
restrictions in such applications. Applications that do not rely
on safe levels are unaffected. This update addresses the issue
by ensuring that safe levels cannot be bypassed.

Safari
CVE-ID:  CVE-2006-1457
Available for:  Mac OS X v10.4.6, Mac OS X Server v10.4.6
Impact:  Visiting malicious web sites may lead to file
manipulation or arbitrary code execution
Description:  When Safari's "Open `safe' files after downloading"
option is enabled, archives will be automatically expanded. If
the archive contains a symbolic link, the target symlink may be
moved to the user's desktop and launched. This update addresses
the issue by not resolving downloaded symbolic links. This issue
does not affect systems prior to Mac OS X v10.4.

Security Update 2006-003 may be obtained from the Software Update
pane in System Preferences, or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/

For Mac OS X v10.4.6 (PowerPC)
The download file is named:  "SecUpd2006-003Ti.dmg"
Its SHA-1 digest is:  f0dcb0dc51add2b51c297a8f416c4c23da67057c

For Mac OS X v10.4.6 (Intel)
The download file is named:  "SecUpd2006-003Intel.dmg"
Its SHA-1 digest is:  38ec78604ce11a76d0cf18a78f295a95f74e73ed

For Mac OS X Server v10.4.6
The download file is named:  "SecUpdSrvr2006-003Ti.dmg"
Its SHA-1 digest is:  f7236bfc5a910d8cd6c3f9c697ded8156fbd0e59

For Mac OS X v10.3.9
The download file is named:  "SecUpd2006-003Pan.dmg"
Its SHA-1 digest is:  f6985d511581d99eeabfeb9b71da12188494a1e1

For Mac OS X Server v10.3.9
The download file is named:  "SecUpdSrvr2006-003Pan.dmg"
Its SHA-1 digest is:  022cf62fbfc205cf2031c02faa0e62f6fff44c46

Information will also be posted to the Apple Product Security
web site:
http://docs.info.apple.com/article.html?artnuma798

This message is signed with Apple's Product Security PGP key,
and details are available at:
http://www.apple.com/support/security/pgp/

======================================================================

           =========================================================
           Les serveurs de référence du CERT-Renater
           http://www.urec.fr/securite
           http://www.cru.fr/securite
           http://www.renater.fr
           =========================================================
           + CERT-RENATER          | tel : 01-53-94-20-44          +
           + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
           + 75013 Paris           | email: certsvp@renater.fr     +
           =========================================================