Details of VAR-201103-0292

ID

VAR-201103-0292

CVE

CVE-2011-0193

TITLE

Apple Mac OS X Image RAW Multiple Buffer Overflow Vulnerabilities

Trust: 0.9

sources: BID: 46972 // CNNVD: CNNVD-201103-301

DESCRIPTION

Multiple buffer overflows in Image RAW in Apple Mac OS X before 10.6.7 allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted Canon RAW image. Apple Mac OS X is prone to multiple buffer-overflow vulnerabilities because it fails to properly bounds check user-supplied input. Successful exploits may allow an attacker to execute arbitrary code in the context of the application. Failed exploit attempts will result in a denial-of-service condition. Versions prior to OS X 10.6.7 are vulnerable. NOTE: This issue was previously discussed in BID 46950 (Apple Mac OS X Prior to 10.6.7 Multiple Security Vulnerabilities) but has been given its own record to better document it. Apple Mac OS X is a dedicated operating system developed by Apple for Mac computers. ---------------------------------------------------------------------- Meet Secunia @ Microsoft Management Summit (MMS) in Las Vegas, USA (21-25 March). http://secunia.com/company/events/mms_2011/ ---------------------------------------------------------------------- TITLE: Apple Mac OS X Multiple Vulnerabilities SECUNIA ADVISORY ID: SA43814 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/43814/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=43814 RELEASE DATE: 2011-03-22 DISCUSS ADVISORY: http://secunia.com/advisories/43814/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/43814/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=43814 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities. 1) A divide-by-zero error in AirPort when handling Wi-Fi frames can be exploited to cause a system reset. 2) Multiple vulnerabilities in Apache can be exploited by malicious people to disclose potentially sensitive information and by malicious users and malicious people to cause a DoS (Denial of Service). For more information: SA40206 3) A format string error within AppleScript Studio when handling certain commands via dialogs can be exploited to potentially execute arbitrary code. 4) An unspecified error in the handling of embedded OpenType fonts in Apple Type Services (ATS) can be exploited to cause a heap-based buffer overflow when a specially crafted document is viewed or downloaded. 5) Multiple unspecified errors in the handling of embedded TrueType fonts in Apple Type Services (ATS) can be exploited to cause a buffer overflow when a specially crafted document is viewed or downloaded. 6) Multiple unspecified errors in the handling of embedded Type 1 fonts in Apple Type Services (ATS) can be exploited to cause a buffer overflow when a specially crafted document is viewed or downloaded. 7) Multiple unspecified errors in the handling of SFNT tables in embedded fonts in Apple Type Services (ATS) can be exploited to cause a buffer overflow when a specially crafted document is viewed or downloaded. 8) An integer overflow error in bzip2 can be exploited to terminate an application using the library or execute arbitrary code via a specially crafted archive. For more information: SA41452 9) An error within the "FSFindFolder()" API in CarbonCore when used with the "kTemporaryFolderType" flag can be exploited to disclose the contents of arbitrary directories. 10) Multiple errors in ClamAV can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system. For more information: SA41503 SA42426 11) An unspecified error in the handling of embedded fonts in CoreText can be exploited to corrupt memory when a specially crafted document is viewed or downloaded. 12) An integer overflow error within the handling of the F_READBOOTSTRAP ioctl in HFS, HFS+, and HFS+J filesystems can be exploited to read arbitrary files. 13) An error in ImageIO within the handling of JPEG files can be exploited to cause a heap-based buffer overflow. 15) An error in libTIFF within the handling of JPEG encoded TIFF files can be exploited to cause a buffer overflow. 16) An error in libTIFF within the handling of CCITT Group 4 encoded TIFF files can be exploited to cause a buffer overflow. 17) An integer overflow error in ImageIO within the handling of JPEG encoded TIFF files can be exploited to potentially execute arbitrary code. 19) An error in the Install Helper when handling URLs can be exploited to install an arbitrary agent by tricking the user into visiting a malicious website. 20) Multiple errors in Kerberos can be exploited by malicious users and malicious people to conduct spoofing attacks and bypass certain security features. 22) An integer truncation error within Libinfo when handling NFS RPC packets can be exploited to cause NFS RPC services to become unresponsive. 23) An error exists in the libxml library when traversing the XPath. For more information: SA42175 24) A double free error exists in the libxml library when handling XPath expressions. For more information: SA42721 25) Two errors in Mailman can be exploited by malicious users to conduct script insertion attacks. For more information: SA41265 26) Multiple errors in PHP can be exploited by malicious users and malicious people to bypass certain security restrictions and by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system. For more information: SA39573 SA41724 27) Multiple errors in PHP can be exploited by malicious users and malicious people to bypass certain security restrictions. For more information: SA41724 28) An error in the OfficeImport framework when processing records containing formulas shared between multiple cells can be exploited to corrupt memory and potentially execute arbitrary code. 29) An error in QuickLook when handling certain Microsoft Office files can be exploited to corrupt memory when a specially crafted document is downloaded. 30) Multiple unspecified errors in QuickTime when handling JPEG2000, FlashPix, and panorama atoms in QTVR (QuickTime Virtual Reality) movie files can be exploited to corrupt memory via specially crafted files. 31) An integer overflow error in QuickTime when handling certain movie files can be exploited to potentially execute arbitrary code when a specially crafted file is viewed. 32) An error within QuickTime plug-in when handling cross-site redirects can be exploited to disclose video data. 33) An integer truncation error within the Ruby BigDecimal class can be exploited to potentially execute arbitrary code. This vulnerability only affects 64-bit Ruby processes. 34) A boundary error in Samba can be exploited by malicious people to potentially compromise a vulnerable system. For more information: SA41354 35) A security issue in Subversion can be exploited by malicious people to bypass certain security restrictions. For more information: SA41652 36) A weakness in Terminal uses SSH version 1 as the default protocol version when using ssh via the "New Remote Connection" dialog. 37) Some vulnerabilities in FreeType can be exploited to cause a DoS (Denial of Service) or potentially compromise an application using the library. For more information: SA41738 SOLUTION: Update to version 10.6.7 or apply Security Update 2011-001. PROVIDED AND/OR DISCOVERED BY: 15, 16, 33) Reported by the vendor. The vendor credits: 3) Alexander Strange. 5) Christoph Diehl of Mozilla, Felix Grobert of the Google Security Team, Marc Schoenefeld of Red Hat Security Response Team, and Tavis Ormandy and Will Drewry of Google Security Team. 6) Felix Grobert, Google Security Team and geekable via ZDI. 7) Marc Schoenefeld, Red Hat Security Response Team. 11) Christoph Diehl, Mozilla. 12) Dan Rosenberg, Virtual Security Research. 13) Andrzej Dyjak via iDefense. 14) Harry Sintonen. 17) Dominic Chell, NGS Secure. 18) Paul Harrington, NGS Secure. 19) Aaron Sigel, vtty.com. 21) Jeff Mears. 22) Peter Schwenk, University of Delaware. 28) Tobias Klein via iDefense. 29) Charlie Miller and Dion Blazakis via ZDI. 30) Will Dormann of CERT/CC, Damian Put and an anonymous researcher via ZDI, and Rodrigo Rubira Branco of Check Point Vulnerability Discovery Team. 31) Honggang Ren, Fortinet's FortiGuard Labs. 32) Nirankush Panchbhai and Microsoft Vulnerability Research (MSVR). 36) Matt Warren, HNW Inc. ORIGINAL ADVISORY: Apple: http://support.apple.com/kb/HT4581 iDefense: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=898 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Trust: 2.07

sources: NVD: CVE-2011-0193 // JVNDB: JVNDB-2011-001416 // BID: 46972 // VULHUB: VHN-48138 // PACKETSTORM: 99616

AFFECTED PRODUCTS

vendor:	apple	model:	mac os x	scope:	eq	version:	10.6.3	Trust: 1.6
vendor:	apple	model:	mac os x server	scope:	eq	version:	10.6.2	Trust: 1.6
vendor:	apple	model:	mac os x	scope:	eq	version:	10.6.5	Trust: 1.6
vendor:	apple	model:	mac os x server	scope:	eq	version:	10.6.3	Trust: 1.6
vendor:	apple	model:	mac os x server	scope:	eq	version:	10.6.5	Trust: 1.6
vendor:	apple	model:	mac os x server	scope:	eq	version:	10.6.4	Trust: 1.6
vendor:	apple	model:	mac os x server	scope:	eq	version:	10.6.1	Trust: 1.6
vendor:	apple	model:	mac os x	scope:	eq	version:	10.6.6	Trust: 1.6
vendor:	apple	model:	mac os x server	scope:	eq	version:	10.6.6	Trust: 1.6
vendor:	apple	model:	mac os x server	scope:	eq	version:	10.6.0	Trust: 1.6
vendor:	apple	model:	mac os x	scope:	eq	version:	10.6.2	Trust: 1.0
vendor:	apple	model:	mac os x	scope:	eq	version:	10.6.0	Trust: 1.0
vendor:	apple	model:	mac os x	scope:	eq	version:	10.6.1	Trust: 1.0
vendor:	apple	model:	mac os x	scope:	eq	version:	10.6.4	Trust: 1.0
vendor:	apple	model:	mac os x	scope:	eq	version:	v10.6 to v10.6.6	Trust: 0.8
vendor:	apple	model:	mac os x server	scope:	eq	version:	v10.6 to v10.6.6	Trust: 0.8
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.6.6	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.6.5	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.6.4	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.6.3	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.6.2	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.6.1	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.6	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.6.5	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.6.4	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.6.3	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.6.2	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.6.1	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.6	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	ne	version:	x10.6.7	Trust: 0.3

sources: BID: 46972 // JVNDB: JVNDB-2011-001416 // CNNVD: CNNVD-201103-301 // NVD: CVE-2011-0193

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2011-0193
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2011-0193
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201103-301
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-48138
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2011-0193
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-48138
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: VULHUB: VHN-48138 // JVNDB: JVNDB-2011-001416 // CNNVD: CNNVD-201103-301 // NVD: CVE-2011-0193

PROBLEMTYPE DATA

problemtype:

CWE-119

Trust: 1.9

sources: VULHUB: VHN-48138 // JVNDB: JVNDB-2011-001416 // NVD: CVE-2011-0193

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201103-301

TYPE

buffer overflow

Trust: 0.6

sources: CNNVD: CNNVD-201103-301

CONFIGURATIONS

sources: JVNDB: JVNDB-2011-001416

PATCH

title:	HT4581	url:	http://support.apple.com/kb/HT4581	Trust: 0.8
title:	HT4581	url:	http://support.apple.com/kb/HT4581?viewlocale=ja_JP	Trust: 0.8

sources: JVNDB: JVNDB-2011-001416

EXTERNAL IDS

db:	NVD	id:	CVE-2011-0193	Trust: 2.8
db:	JVNDB	id:	JVNDB-2011-001416	Trust: 0.8
db:	CNNVD	id:	CNNVD-201103-301	Trust: 0.7
db:	SECUNIA	id:	43814	Trust: 0.7
db:	NSFOCUS	id:	16613	Trust: 0.6
db:	NSFOCUS	id:	17153	Trust: 0.6
db:	APPLE	id:	APPLE-SA-2011-03-21-1	Trust: 0.6
db:	BID	id:	46972	Trust: 0.4
db:	VULHUB	id:	VHN-48138	Trust: 0.1
db:	PACKETSTORM	id:	99616	Trust: 0.1

sources: VULHUB: VHN-48138 // BID: 46972 // JVNDB: JVNDB-2011-001416 // PACKETSTORM: 99616 // CNNVD: CNNVD-201103-301 // NVD: CVE-2011-0193

REFERENCES

url:	http://support.apple.com/kb/ht4581	Trust: 1.8
url:	http://lists.apple.com/archives/security-announce/2011/mar/msg00006.html	Trust: 1.7
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2011-0193	Trust: 0.8
url:	http://jvn.jp/cert/jvnvu636925	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2011-0193	Trust: 0.8
url:	http://secunia.com/advisories/43814	Trust: 0.6
url:	http://www.nsfocus.net/vulndb/17153	Trust: 0.6
url:	http://www.nsfocus.net/vulndb/16613	Trust: 0.6
url:	http://www.apple.com/macosx/	Trust: 0.3
url:	/archive/1/517102	Trust: 0.3
url:	/archive/1/518639	Trust: 0.3
url:	http://secunia.com/products/corporate/evm/	Trust: 0.1
url:	http://secunia.com/advisories/secunia_security_advisories/	Trust: 0.1
url:	http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/	Trust: 0.1
url:	http://secunia.com/company/events/mms_2011/	Trust: 0.1
url:	http://secunia.com/advisories/43814/	Trust: 0.1
url:	http://secunia.com/advisories/43814/#comments	Trust: 0.1
url:	http://secunia.com/vulnerability_scanning/personal/	Trust: 0.1
url:	http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=898	Trust: 0.1
url:	http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org	Trust: 0.1
url:	https://ca.secunia.com/?page=viewadvisory&vuln_id=43814	Trust: 0.1
url:	http://secunia.com/advisories/about_secunia_advisories/	Trust: 0.1

sources: VULHUB: VHN-48138 // BID: 46972 // JVNDB: JVNDB-2011-001416 // PACKETSTORM: 99616 // CNNVD: CNNVD-201103-301 // NVD: CVE-2011-0193

CREDITS

Paul Harrington of NGS Secure

Trust: 0.3

sources: BID: 46972

SOURCES

db:	VULHUB	id:	VHN-48138
db:	BID	id:	46972
db:	JVNDB	id:	JVNDB-2011-001416
db:	PACKETSTORM	id:	99616
db:	CNNVD	id:	CNNVD-201103-301
db:	NVD	id:	CVE-2011-0193

LAST UPDATE DATE

2025-04-11T21:58:18.885000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-48138	date:	2011-03-23T00:00:00
db:	BID	id:	46972	date:	2015-03-19T09:07:00
db:	JVNDB	id:	JVNDB-2011-001416	date:	2011-04-26T00:00:00
db:	CNNVD	id:	CNNVD-201103-301	date:	2011-03-24T00:00:00
db:	NVD	id:	CVE-2011-0193	date:	2025-04-11T00:51:21.963

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-48138	date:	2011-03-23T00:00:00
db:	BID	id:	46972	date:	2011-03-01T00:00:00
db:	JVNDB	id:	JVNDB-2011-001416	date:	2011-04-26T00:00:00
db:	PACKETSTORM	id:	99616	date:	2011-03-22T09:25:41
db:	CNNVD	id:	CNNVD-201103-301	date:	2011-03-24T00:00:00
db:	NVD	id:	CVE-2011-0193	date:	2011-03-23T02:00:06.173