VARIoT IoT vulnerabilities database

VAR-200905-0046 | CVE-2009-0149 | Apple Mac OS X Elevation of privilege vulnerability in sparse disk image processing
CVSS V2: 4.4 | CVSS V3: - | Severity: MEDIUM
Apple Mac OS X 10.4.11 and 10.5 before 10.5.7 allows local users to gain privileges or cause a denial of service (application crash) by attempting to mount a crafted sparse disk image that triggers memory corruption.
An attacker can exploit these issues by tricking a victim into mounting a malicious disk image.
A successful exploit will allow attacker-supplied content to execute in the context of the victim mounting the image. Apple Mac OS X is prone to multiple security vulnerabilities that have been addressed in Security Update 2009-002.
The security update addresses new vulnerabilities that affect Apple Type Services, CFNetwork, CoreGraphics, Disk Images, Help Viewer, iChat, ICU, Kernel, Launch Services, QuickDraw Manager, and Spotlight components of Mac OS X. The advisory also contains security updates for 47 previously reported issues.
The following individual records have been created to better document the new issues:
34932 Apple Mac OS X Launch Services Denial of Service Vulnerability
34937 Apple Mac OS X QuickDraw PICT Handling Memory Corruption Vulnerability
34938 Apple Mac OS X PICT Image Handling Integer Overflow Vulnerability
34939 Apple Mac OS X SpotLight Multiple Memory Corruption Vulnerabilities
34941 Apple Mac OS X Local 'login' Privilege Escalation Vulnerability
34942 Apple Mac OS X Disk Image Multiple Memory Corruption Vulnerabilities
34947 Apple Mac OS X Compact Font Format (CFF) Heap Based Buffer Overflow Vulnerability
34948 Apple Mac OS X Telnet Stack Overflow Vulnerability
34950 Apple Mac OS X Help Viewer Cascading Style Sheets Remote Code Execution Vulnerability
34951 Apple Mac OS X CFNetwork 'Set-Cookie' Headers Information Disclosure Vulnerability
34952 Apple Mac OS X Help Viewer HTML Document Remote Code Execution Vulnerability
34958 Apple Mac OS X CFNetwork HTTP Header Handling Heap Buffer Overflow Vulnerability
34959 Apple Mac OS X Kernel Workqueue Local Privilege Escalation Vulnerability
34962 Apple Mac OS X CoreGraphics PDF Handling Multiple Memory Corruption Vulnerabilities
34965 Apple Mac OS X CoreGraphics PDF Handling Heap Overflow Vulnerability
34972 Apple Mac OS X Disk Image Stack Buffer Overflow Vulnerability
34973 Apple Mac OS X iChat Disabled SSL Connection Information Disclosure Vulnerability
34974 Apple Mac OS X International Components for Unicode Invalid Byte Sequence Handling Vulnerability.
I.
II. Impact
The impacts of these vulnerabilities vary. Potential consequences
include arbitrary code execution, sensitive information disclosure,
denial of service, or privilege escalation.
III. These and other updates are available via Software
Update or via Apple Downloads.
IV. References
* Apple Security Update 2009-002 -
<http://support.apple.com/kb/HT3549>
* Safari 3.2.3 - <http://support.apple.com/kb/HT3550>
* Apple Downloads - <http://support.apple.com/downloads/>
* Software Update -
<https://support.apple.com/kb/HT1338?viewlocale=en_US>
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA09-133A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA09-133A Feedback VU#175188" in
the subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2009 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
May 13, 2009: Initial release
----------------------------------------------------------------------
1) A vulnerability in Apache when handling FTP proxy requests can be
exploited by malicious people to conduct cross-site scripting
attacks.
For more information:
SA31384
2) A boundary error in the handling of Compact Font Format (CFF)
fonts in Apple Type Services can be exploited to cause a heap-based
buffer overflow when a specially crafted document is downloaded or
viewed.
Successful exploitation allows execution of arbitrary code.
3) A vulnerability in BIND can potentially be exploited by malicious
people to conduct spoofing attacks.
For more information:
SA33404
4) An error in the parsing of Set-Cookie headers in CFNetwork can
result in applications using CFNetwork sending sensitive information
in unencrypted HTTP requests.
5) An unspecified error in the processing of HTTP headers in
CFNetwork can be exploited to cause a heap-based buffer overflow when
visiting a malicious web site.
Successful exploitation allows execution of arbitrary code.
6) Multiple errors exist in the processing of PDF files in
CoreGraphics, which can be exploited to corrupt memory and execute
arbitrary code via a specially crafted PDF file.
7) An integer underflow error in the processing of PDF files in
CoreGraphics can be exploited to cause a heap-based buffer overflow
when a specially crafted PDF file is opened.
Successful exploitation allows execution of arbitrary code.
8) Multiple vulnerabilities in the processing of JBIG2 streams within
PDF files in CoreGraphics can be exploited by malicious people to
compromise a user's system.
For more information:
SA34291
9) Multiple vulnerabilities in cscope can be exploited by malicious
people to compromise a user's system.
For more information:
SA34978
10) A boundary error in the handling of disk images can be exploited
to cause a stack-based buffer overflow when a specially crafted disk
image is mounted.
11) Multiple unspecified errors in the handling of disk images can be
exploited to cause memory corruptions when a specially crafted disk
image is mounted.
Successful exploitation of vulnerabilities #10 and #11 allows
execution of arbitrary code.
12) Multiple vulnerabilities in enscript can be exploited by
malicious people to compromise a vulnerable system.
For more information:
SA13968
SA32137
13) Multiple vulnerabilities in the Flash Player plugin can be
exploited by malicious people to compromise a user's system.
For more information:
SA34012
14) An error in Help Viewer when loading Cascading Style Sheets
referenced in URL parameters can be exploited to invoke arbitrary
AppleScript files.
15) A vulnerability exists due to Help Viewer not validating that
full paths to HTML documents are within registered help books, which
can be exploited to invoke arbitrary AppleScript files.
Successful exploitation of vulnerabilities #14 and #15 allows
execution of arbitrary code.
16) An error in iChat can result in AIM communication configured for
SSL to be sent in plaintext.
17) An error in the handling of certain character encodings in ICU
can be exploited to bypass filters on websites that attempt to
mitigate cross-site scripting.
18) Some vulnerabilities in IPSec can be exploited by malicious users
and malicious people to cause a DoS (Denial of Service).
For more information:
SA31450
SA31478
19) Multiple vulnerabilities in Kerberos can be exploited by
malicious people to potentially disclose sensitive information, cause
a DoS (Denial of Service), or potentially compromise a vulnerable
system.
For more information:
SA34347
20) An error in the handling of workqueues within the kernel can be
exploited by malicious, local users to cause a DoS or execute
arbitrary code with Kernel privileges.
21) An error in Launch Services can cause Finder to repeatedly
terminate and relaunch when a specially crafted Mach-O is
downloaded.
22) A vulnerability in libxml can be exploited by malicious people to
cause a DoS (Denial of Service) or potentially compromise an
application using the library.
For more information:
SA31558
23) A vulnerability in Net-SNMP can be exploited by malicious people
to cause a DoS (Denial of Service).
For more information:
SA32560
24) A vulnerability in Network Time can be exploited by malicious
people to conduct spoofing attacks.
For more information:
SA33406
25) A vulnerability in Network Time can be exploited by malicious
people to potentially compromise a user's system.
For more information:
SA34608
26) A vulnerability in Networking can be exploited by malicious
people to cause a DoS (Denial of Service).
For more information:
SA31745
27) A vulnerability in OpenSSL can be exploited by malicious people
to conduct spoofing attacks.
For more information:
SA33338
28) Some vulnerabilities in PHP can be exploited by malicious people
to cause a DoS (Denial of Service) or potentially compromise a
vulnerable system, and by malicious, local users to bypass certain
security restrictions.
For more information:
SA32964
29) An unspecified error in QuickDraw Manager can be exploited to
cause a memory corruption and potentially execute arbitrary code via
a specially crafted PICT image.
30) An integer underflow error in the handling of PICT images in
QuickDraw Manager can be exploited to cause a heap-based buffer
overflow via a specially crafted PICT file.
Successful exploitation allows execution of arbitrary code.
31) Multiple vulnerabilities in ruby can be exploited by malicious
people to bypass certain security restrictions, cause a DoS (Denial
of Service), and conduct spoofing attacks.
For more information:
SA31430
SA31602
32) An error in the use of the OpenSSL library in ruby can cause
revoked certificates to be accepted.
33) A vulnerability in Safari when handling "feed:" URLs can be
exploited to compromise a user's system.
For more information:
SA35056
34) Multiple unspecified errors in Spotlight can be exploited to
cause memory corruptions and execute arbitrary code when a specially
crafted Office document is downloaded.
35) An error when invoking the "login" command can result in
unexpected high privileges.
36) A boundary error in telnet can be exploited to cause a
stack-based buffer overflow when connecting to a server with an
overly long canonical name in its DNS address record.
Successful exploitation may allow execution of arbitrary code.
37) A vulnerability in WebKit when handling SVGList objects can be
exploited to corrupt memory and potentially execute arbitrary code.
For more information:
SA35056
38) Multiple vulnerabilities in FreeType can be exploited by
malicious people to cause a DoS (Denial of Service) and potentially
compromise applications using the library.
For more information:
SA20100
SA25350
SA34723
39) A vulnerability in xterm can be exploited by malicious people to
compromise a user's system.
For more information:
SA33318
40) Multiple vulnerabilities in libpng can be exploited by malicious
people to cause a DoS (Denial of Service) or to potentially
compromise an application using the library. Nathan
8) Alin Rad Pop, Secunia Research and Will Dormann, CERT/CC
10) Tiller Beauchamp, IOActive
14, 15) Brian Mastenbrook
17) Chris Weber of Casaba Security
20) An anonymous researcher working with Verisign iDefense VCP
30) Damian Put and Sebastian Apelt, working with ZDI, and Chris Ries
of Carnegie Mellon University Computing Services
38) Tavis Ormandy of the Google Security Team
OTHER REFERENCES:
SA13968:
http://secunia.com/advisories/13968/
SA20100:
http://secunia.com/advisories/20100/
SA25350:
http://secunia.com/advisories/25350/
SA29792:
http://secunia.com/advisories/29792/
SA31384:
http://secunia.com/advisories/31384/
SA31430:
http://secunia.com/advisories/31430/
SA31450:
http://secunia.com/advisories/31450/
SA31478:
http://secunia.com/advisories/31478/
SA31558:
http://secunia.com/advisories/31558/
SA31602:
http://secunia.com/advisories/31602/
SA31745:
http://secunia.com/advisories/31745/
SA32137:
http://secunia.com/advisories/32137/
SA32560:
http://secunia.com/advisories/32560/
SA32964:
http://secunia.com/advisories/32964/
SA33318:
http://secunia.com/advisories/33318/
SA33338:
http://secunia.com/advisories/33338/
SA33404:
http://secunia.com/advisories/33404/
SA33406:
http://secunia.com/advisories/33406/
SA33970:
http://secunia.com/advisories/33970/
SA34012:
http://secunia.com/advisories/34012/
SA34291:
http://secunia.com/advisories/34291/
SA34347:
http://secunia.com/advisories/34347/
SA34608:
http://secunia.com/advisories/34608/
SA34723:
http://secunia.com/advisories/34723/
SA34978:
http://secunia.com/advisories/34978/
SA35056:
http://secunia.com/advisories/35056/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keep their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
VAR-200905-0044 | CVE-2009-0144 | Information disclosure vulnerability in CFNetwork in Apple Mac OS X
CVSS V2: 4.3 | CVSS V3: - | Severity: MEDIUM
CFNetwork in Apple Mac OS X 10.5 before 10.5.7 does not properly parse noncompliant Set-Cookie headers, which allows remote attackers to obtain sensitive information by sniffing the network for "secure cookies" that are sent over unencrypted HTTP connections. Apple Mac OS X is prone to multiple security vulnerabilities that have been addressed in Security Update 2009-002.
The security update addresses new vulnerabilities that affect Apple Type Services, CFNetwork, CoreGraphics, Disk Images, Help Viewer, iChat, ICU, Kernel, Launch Services, QuickDraw Manager, and Spotlight components of Mac OS X. The advisory also contains security updates for 47 previously reported issues.
An attacker could leverage this vulnerability via man-in-the-middle techniques to obtain potentially sensitive information that may aid in further attacks. A bug in CFNetwork's parsing of the Set-Cookie header can cause certain cookies to be sent over unencrypted connections.
I.
II. Impact
The impacts of these vulnerabilities vary. Potential consequences
include arbitrary code execution, sensitive information disclosure,
denial of service, or privilege escalation.
III. These and other updates are available via Software
Update or via Apple Downloads.
IV. References
* Apple Security Update 2009-002 -
<http://support.apple.com/kb/HT3549>
* Safari 3.2.3 - <http://support.apple.com/kb/HT3550>
* Apple Downloads - <http://support.apple.com/downloads/>
* Software Update -
<https://support.apple.com/kb/HT1338?viewlocale=en_US>
----------------------------------------------------------------------
1) A vulnerability in Apache when handling FTP proxy requests can be
exploited by malicious people to conduct cross-site scripting
attacks.
For more information:
SA31384
2) A boundary error in the handling of Compact Font Format (CFF)
fonts in Apple Type Services can be exploited to cause a heap-based
buffer overflow when a specially crafted document is downloaded or
viewed.
Successful exploitation allows execution of arbitrary code.
For more information:
SA33404
4) An error in the parsing of Set-Cookie headers in CFNetwork can
result in applications using CFNetwork sending sensitive information
in unencrypted HTTP requests.
5) An unspecified error in the processing of HTTP headers in
CFNetwork can be exploited to cause a heap-based buffer overflow when
visiting a malicious web site.
Successful exploitation allows execution of arbitrary code.
6) Multiple errors exist in the processing of PDF files in
CoreGraphics, which can be exploited to corrupt memory and execute
arbitrary code via a specially crafted PDF file.
7) An integer underflow error in the processing of PDF files in
CoreGraphics can be exploited to cause a heap-based buffer overflow
when a specially crafted PDF file is opened.
Successful exploitation allows execution of arbitrary code.
8) Multiple vulnerabilities in the processing of JBIG2 streams within
PDF files in CoreGraphics can be exploited by malicious people to
compromise a user's system.
For more information:
SA34291
9) Multiple vulnerabilities in cscope can be exploited by malicious
people to compromise a user's system.
For more information:
SA34978
10) A boundary error in the handling of disk images can be exploited
to cause a stack-based buffer overflow when a specially crafted disk
image is mounted.
11) Multiple unspecified errors in the handling of disk images can be
exploited to cause memory corruptions when a specially crafted disk
image is mounted.
Successful exploitation of vulnerabilities #10 and #11 allows
execution of arbitrary code.
12) Multiple vulnerabilities in enscript can be exploited by
malicious people to compromise a vulnerable system.
For more information:
SA13968
SA32137
13) Multiple vulnerabilities in the Flash Player plugin can be
exploited by malicious people to compromise a user's system.
For more information:
SA34012
14) An error in Help Viewer when loading Cascading Style Sheets
referenced in URL parameters can be exploited to invoke arbitrary
AppleScript files.
15) A vulnerability exists due to Help Viewer not validating that
full paths to HTML documents are within registered help books, which
can be exploited to invoke arbitrary AppleScript files.
Successful exploitation of vulnerabilities #14 and #15 allows
execution of arbitrary code.
16) An error in iChat can result in AIM communication configured for
SSL to be sent in plaintext.
17) An error in the handling of certain character encodings in ICU
can be exploited to bypass filters on websites that attempt to
mitigate cross-site scripting.
18) Some vulnerabilities in IPSec can be exploited by malicious users
and malicious people to cause a DoS (Denial of Service).
For more information:
SA31450
SA31478
19) Multiple vulnerabilities in Kerberos can be exploited by
malicious people to potentially disclose sensitive information, cause
a DoS (Denial of Service), or potentially compromise a vulnerable
system.
For more information:
SA34347
20) An error in the handling of workqueues within the kernel can be
exploited by malicious, local users to cause a DoS or execute
arbitrary code with Kernel privileges.
21) An error in Launch Services can cause Finder to repeatedly
terminate and relaunch when a specially crafted Mach-O is
downloaded.
22) A vulnerability in libxml can be exploited by malicious people to
cause a DoS (Denial of Service) or potentially compromise an
application using the library.
For more information:
SA31558
23) A vulnerability in Net-SNMP can be exploited by malicious people
to cause a DoS (Denial of Service).
For more information:
SA33406
25) A vulnerability in Network Time can be exploited by malicious
people to potentially compromise a user's system.
For more information:
SA34608
26) A vulnerability in Networking can be exploited by malicious
people to cause a DoS (Denial of Service).
For more information:
SA31745
27) A vulnerability in OpenSSL can be exploited by malicious people
to conduct spoofing attacks.
For more information:
SA33338
28) Some vulnerabilities in PHP can be exploited by malicious people
to cause a DoS (Denial of Service) or potentially compromise a
vulnerable system, and by malicious, local users to bypass certain
security restrictions.
For more information:
SA32964
29) An unspecified error in QuickDraw Manager can be exploited to
cause a memory corruption and potentially execute arbitrary code via
a specially crafted PICT image.
30) An integer underflow error in the handling of PICT images in
QuickDraw Manager can be exploited to cause a heap-based buffer
overflow via a specially crafted PICT file.
Successful exploitation allows execution of arbitrary code.
31) Multiple vulnerabilities in ruby can be exploited by malicious
people to bypass certain security restrictions, cause a DoS (Denial
of Service), and conduct spoofing attacks.
For more information:
SA31430
SA31602
32) An error in the use of the OpenSSL library in ruby can cause
revoked certificates to be accepted.
33) A vulnerability in Safari when handling "feed:" URLs can be
exploited to compromise a user's system.
For more information:
SA35056
34) Multiple unspecified errors in Spotlight can be exploited to
cause memory corruptions and execute arbitrary code when a specially
crafted Office document is downloaded.
35) An error when invoking the "login" command can result in
unexpected high privileges.
36) A boundary error in telnet can be exploited to cause a
stack-based buffer overflow when connecting to a server with an
overly long canonical name in its DNS address record.
Successful exploitation may allow execution of arbitrary code.
37) A vulnerability in WebKit when handling SVGList objects can be
exploited to corrupt memory and potentially execute arbitrary code.
For more information:
SA35056
38) Multiple vulnerabilities in FreeType can be exploited by
malicious people to cause a DoS (Denial of Service) and potentially
compromise applications using the library.
For more information:
SA20100
SA25350
SA34723
39) A vulnerability in xterm can be exploited by malicious people to
compromise a user's system.
For more information:
SA33318
40) Multiple vulnerabilities in libpng can be exploited by malicious
people to cause a DoS (Denial of Service) or to potentially
compromise an application using the library. Nathan
8) Alin Rad Pop, Secunia Research and Will Dormann, CERT/CC
10) Tiller Beauchamp, IOActive
14, 15) Brian Mastenbrook
17) Chris Weber of Casaba Security
20) An anonymous researcher working with Verisign iDefense VCP
30) Damian Put and Sebastian Apelt, working with ZDI, and Chris Ries
of Carnegie Mellon University Computing Services
38) Tavis Ormandy of the Google Security Team
OTHER REFERENCES:
SA13968:
http://secunia.com/advisories/13968/
SA20100:
http://secunia.com/advisories/20100/
SA25350:
http://secunia.com/advisories/25350/
SA29792:
http://secunia.com/advisories/29792/
SA31384:
http://secunia.com/advisories/31384/
SA31430:
http://secunia.com/advisories/31430/
SA31450:
http://secunia.com/advisories/31450/
SA31478:
http://secunia.com/advisories/31478/
SA31558:
http://secunia.com/advisories/31558/
SA31602:
http://secunia.com/advisories/31602/
SA31745:
http://secunia.com/advisories/31745/
SA32137:
http://secunia.com/advisories/32137/
SA32560:
http://secunia.com/advisories/32560/
SA32964:
http://secunia.com/advisories/32964/
SA33318:
http://secunia.com/advisories/33318/
SA33338:
http://secunia.com/advisories/33338/
SA33404:
http://secunia.com/advisories/33404/
SA33406:
http://secunia.com/advisories/33406/
SA33970:
http://secunia.com/advisories/33970/
SA34012:
http://secunia.com/advisories/34012/
SA34291:
http://secunia.com/advisories/34291/
SA34347:
http://secunia.com/advisories/34347/
SA34608:
http://secunia.com/advisories/34608/
SA34723:
http://secunia.com/advisories/34723/
SA34978:
http://secunia.com/advisories/34978/
SA35056:
http://secunia.com/advisories/35056/
----------------------------------------------------------------------
VAR-200905-0053 | CVE-2009-0157 | Buffer overflow vulnerability in CFNetwork in Apple Mac OS X
CVSS V2: 6.8 | CVSS V3: - | Severity: MEDIUM
Heap-based buffer overflow in CFNetwork in Apple Mac OS X 10.5 before 10.5.7 allows remote web servers to execute arbitrary code or cause a denial of service (application crash) via long HTTP headers. Apple Mac OS X is prone to multiple security vulnerabilities that have been addressed in Security Update 2009-002.
The security update addresses new vulnerabilities that affect Apple Type Services, CFNetwork, CoreGraphics, Disk Images, Help Viewer, iChat, ICU, Kernel, Launch Services, QuickDraw Manager, and Spotlight components of Mac OS X. The advisory also contains security updates for 47 previously reported issues.
An attacker can exploit this issue by tricking a victim into visiting a specially crafted website.
A successful attack will allow attacker-supplied code to run in the context of the user running the affected application.
I.
II. Impact
The impacts of these vulnerabilities vary. Potential consequences
include arbitrary code execution, sensitive information disclosure,
denial of service, or privilege escalation.
III.
IV. References
* Apple Security Update 2009-002 -
<http://support.apple.com/kb/HT3549>
* Safari 3.2.3 - <http://support.apple.com/kb/HT3550>
* Apple Downloads - <http://support.apple.com/downloads/>
* Software Update -
<https://support.apple.com/kb/HT1338?viewlocale=en_US>
----------------------------------------------------------------------
1) A vulnerability in Apache when handling FTP proxy requests can be
exploited by malicious people to conduct cross-site scripting
attacks.
For more information:
SA31384
2) A boundary error in the handling of Compact Font Format (CFF)
fonts in Apple Type Services can be exploited to cause a heap-based
buffer overflow when a specially crafted document is downloaded or
viewed.
Successful exploitation allows execution of arbitrary code.
3) A vulnerability in BIND can potentially be exploited by malicious
people to conduct spoofing attacks.
For more information:
SA33404
4) An error in the parsing of Set-Cookie headers in CFNetwork can
result in applications using CFNetwork sending sensitive information
in unencrypted HTTP requests.
Successful exploitation allows execution of arbitrary code.
6) Multiple errors exist in the processing of PDF files in
CoreGraphics, which can be exploited to corrupt memory and execute
arbitrary code via a specially crafted PDF file.
7) An integer underflow error in the processing of PDF files in
CoreGraphics can be exploited to cause a heap-based buffer overflow
when a specially crafted PDF file is opened.
Successful exploitation allows execution of arbitrary code.
8) Multiple vulnerabilities in the processing of JBIG2 streams within
PDF files in CoreGraphics can be exploited by malicious people to
compromise a user's system.
For more information:
SA34291
9) Multiple vulnerabilities in cscope can be exploited by malicious
people to compromise a user's system.
For more information:
SA34978
10) A boundary error in the handling of disk images can be exploited
to cause a stack-based buffer overflow when a specially crafted disk
image is mounted.
11) Multiple unspecified errors in the handling of disk images can be
exploited to cause memory corruptions when a specially crafted disk
image is mounted.
Successful exploitation of vulnerabilities #10 and #11 allows
execution of arbitrary code.
12) Multiple vulnerabilities in enscript can be exploited by
malicious people to compromise a vulnerable system.
For more information:
SA13968
SA32137
13) Multiple vulnerabilities in the Flash Player plugin can be
exploited by malicious people to compromise a user's system.
For more information:
SA34012
14) An error in Help Viewer when loading Cascading Style Sheets
referenced in URL parameters can be exploited to invoke arbitrary
AppleScript files.
15) A vulnerability exists due to Help Viewer not validating that
full paths to HTML documents are within registered help books, which
can be exploited to invoke arbitrary AppleScript files.
Successful exploitation of vulnerabilities #14 and #15 allows
execution of arbitrary code.
16) An error in iChat can result in AIM communication configured for
SSL to be sent in plaintext.
17) An error in the handling of certain character encodings in ICU
can be exploited to bypass filters on websites that attempt to
mitigate cross-site scripting.
18) Some vulnerabilities in IPSec can be exploited by malicious users
and malicious people to cause a DoS (Denial of Service).
For more information:
SA31450
SA31478
19) Multiple vulnerabilities in Kerberos can be exploited by
malicious people to potentially disclose sensitive information, cause
a DoS (Denial of Service), or potentially compromise a vulnerable
system.
For more information:
SA34347
20) An error in the handling of workqueues within the kernel can be
exploited by malicious, local users to cause a DoS or execute
arbitrary code with Kernel privileges.
21) An error in Launch Services can cause Finder to repeatedly
terminate and relaunch when a specially crafted Mach-O is
downloaded.
22) A vulnerability in libxml can be exploited by malicious people to
cause a DoS (Denial of Service) or potentially compromise an
application using the library.
For more information:
SA31558
23) A vulnerability in Net-SNMP can be exploited by malicious people
to cause a DoS (Denial of Service).
For more information:
SA32560
24) A vulnerability in Network Time can be exploited by malicious
people to conduct spoofing attacks.
For more information:
SA33406
25) A vulnerability in Network Time can be exploited by malicious
people to potentially compromise a user's system.
For more information:
SA34608
26) A vulnerability in Networking can be exploited by malicious
people to cause a DoS (Denial of Service).
For more information:
SA31745
27) A vulnerability in OpenSSL can be exploited by malicious people
to conduct spoofing attacks.
For more information:
SA33338
28) Some vulnerabilities in PHP can be exploited by malicious people
to cause a DoS (Denial of Service) or potentially compromise a
vulnerable system, and by malicious, local users to bypass certain
security restrictions.
For more information:
SA32964
29) An unspecified error in QuickDraw Manager can be exploited to
cause a memory corruption and potentially execute arbitrary code via
a specially crafted PICT image.
30) An integer underflow error in the handling of PICT images in
QuickDraw Manager can be exploited to cause a heap-based buffer
overflow via a specially crafted PICT file.
Successful exploitation allows execution of arbitrary code.
31) Multiple vulnerabilities in ruby can be exploited by malicious
people to bypass certain security restrictions, cause a DoS (Denial
of Service), and conduct spoofing attacks.
For more information:
SA31430
SA31602
32) An error in the use of the OpenSSL library in ruby can cause
revoked certificates to be accepted.
33) A vulnerability in Safari when handling "feed:" URLs can be
exploited to compromise a user's system.
For more information:
SA35056
34) Multiple unspecified errors in Spotlight can be exploited to
cause memory corruptions and execute arbitrary code when a specially
crafted Office document is downloaded.
35) An error when invoking the "login" command can result in
unexpected high privileges.
36) A boundary error in telnet can be exploited to cause a
stack-based buffer overflow when connecting to a server with an
overly long canonical name in its DNS address record.
37) A vulnerability in WebKit when handling SVGList objects can be
exploited to corrupt memory and potentially execute arbitrary code.
For more information:
SA35056
38) Multiple vulnerabilities in FreeType can be exploited by
malicious people to cause a DoS (Denial of Service) and potentially
compromise applications using the library.
For more information:
SA20100
SA25350
SA34723
39) A vulnerability in xterm can be exploited by malicious people to
compromise a user's system.
For more information:
SA33318
40) Multiple vulnerabilities in libpng can be exploited by malicious
people to cause a DoS (Denial of Service) or to potentially
compromise an application using the library. Nathan
8) Alin Rad Pop, Secunia Research and Will Dormann, CERT/CC
10) Tiller Beauchamp, IOActive
14, 15) Brian Mastenbrook
17) Chris Weber of Casaba Security
20) An anonymous researcher working with Verisign iDefense VCP
30) Damian Put and Sebastian Apelt, working with ZDI, and Chris Ries
of Carnegie Mellon University Computing Services
38) Tavis Ormandy of the Google Security Team
OTHER REFERENCES:
SA13968:
http://secunia.com/advisories/13968/
SA20100:
http://secunia.com/advisories/20100/
SA25350:
http://secunia.com/advisories/25350/
SA29792:
http://secunia.com/advisories/29792/
SA31384:
http://secunia.com/advisories/31384/
SA31430:
http://secunia.com/advisories/31430/
SA31450:
http://secunia.com/advisories/31450/
SA31478:
http://secunia.com/advisories/31478/
SA31558:
http://secunia.com/advisories/31558/
SA31602:
http://secunia.com/advisories/31602/
SA31745:
http://secunia.com/advisories/31745/
SA32137:
http://secunia.com/advisories/32137/
SA32560:
http://secunia.com/advisories/32560/
SA32964:
http://secunia.com/advisories/32964/
SA33318:
http://secunia.com/advisories/33318/
SA33338:
http://secunia.com/advisories/33338/
SA33404:
http://secunia.com/advisories/33404/
SA33406:
http://secunia.com/advisories/33406/
SA33970:
http://secunia.com/advisories/33970/
SA34012:
http://secunia.com/advisories/34012/
SA34291:
http://secunia.com/advisories/34291/
SA34347:
http://secunia.com/advisories/34347/
SA34608:
http://secunia.com/advisories/34608/
SA34723:
http://secunia.com/advisories/34723/
SA34978:
http://secunia.com/advisories/34978/
SA35056:
http://secunia.com/advisories/35056/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
n.runs AG
http://www.nruns.com/ security(at)nruns.com
n.runs-SA-2009.001 15-May-2009
________________________________________________________________________
Vendor: Apple Inc., http://www.apple.com
Affected Products: Mac OS X 10.5.6
Vulnerability: Heap-based buffer overflow in CFNetwork component
(remote)
Risk: HIGH
________________________________________________________________________
Vendor communication:
2009/04/17 Initial notification of Apple including n.runs RFP
2009/04/27 Received response from Apple about planned disclosure date
2009/04/29 Received update from Apple about adjusted disclosure date
2009/05/12 Apple issues updates
________________________________________________________________________
Overview:
CFNetwork is a framework in the Core Services framework that provides a
library of abstractions for network protocols. It can be used to perform
a variety of network tasks using different protocols such as SSL/TLS,
DNS, FTP and HTTP.
Besides many other applications the CFNetwork framework is used by
Safari and Mail.
Description:
A remotely exploitable vulnerability has been found in the HTTP header
parsing code. Each HTTP header received from a web server is first
capitalized. I.e. the first character of the header name is upper-cased
while all remaining characters are lower-cased. Inside the CFNetwork
framework the _CFCapitalizeHeader() function is used for this purpose.
The first thing this function does is to convert the header name into
UTF-16 encoded form. Depending on the length of the header name the
result is either stored in a local stack buffer or in a buffer
allocated on the heap. For all header names > 511 bytes a heap buffer
is allocated as follows:
__text:00003A35 loc_3A35:
__text:00003A35 mov esi, [ebp+var_810]
__text:00003A3B add esi, esi
__text:00003A3D mov [esp+838h+var_838], esi
__text:00003A40 call _malloc
At address 0x00003A35 the length of the header name is stored in %esi
and then doubled to hold the UTF-16 encoded variant. After the buffer
was allocated some variables are set up. At 0x00003A4D the destination
pointer for the following memory copy operation is stored.
__text:00003A45 add esi, eax
__text:00003A47 mov [ebp+var_81C], eax
__text:00003A4D mov [ebp+var_814], esi
__text:00003A53 mov [ebp+var_818], eax
Note that in contrast to the stack buffer, where a pointer to the
_start_ of the buffer is stored in [ebp+var_814], this code stores
a pointer to the _end_ of the allocated buffer. The following
memory copy loop starting at 0x00003AD1 then stores the UTF-16
encoded header name not inside the buffer, but directly after it
which leads to an exploitable heap-based buffer overflow.
Impact:
One attack vector is the Safari browser. An attacker can exploit
this vulnerability by providing his own web server.
Solution:
Apple has issued an update to correct this vulnerability. More details
can be found at: http://support.apple.com/kb/HT1222
________________________________________________________________________
Credit:
Bug found by Moritz Jodeit of n.runs AG.
________________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0157
This Advisory and Upcoming Advisories:
http://www.nruns.com/security_advisory.php
________________________________________________________________________
Unaltered electronic reproduction of this advisory is permitted. For all
other reproduction or publication, in printing or otherwise, contact
security@nruns.com for permission. Use of the advisory constitutes
acceptance for use in an "as is" condition. All warranties are excluded. In
no event shall n.runs be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages, even if n.runs has been advised of the possibility of such damages.
Copyright 2009 n.runs AG. All rights reserved. Terms of use apply.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
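The destination-pointer mix-up described in n.runs-SA-2009.001 above, as an added C example that is not CFNetwork code and not part of the advisory: it models the heap path with a guard region the example owns, so the out-of-bounds write can be counted, next to a checked form. The function names, the 512-unit stack buffer and the guard harness are assumptions of this example.

```c
/* Added illustration, not CFNetwork source. Function names, the 512-unit
 * stack buffer and the guard-region harness are assumptions. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define STACK_UNITS 512     /* assumed: names up to 511 bytes stay on the stack */
#define CANARY      0xA5A5u /* guard filler; never equals a widened ASCII byte */

/* Widen an ASCII header name to UTF-16 code units: first character
 * upper-cased, the rest lower-cased, as the advisory describes. */
static void widen_capitalized(uint16_t *dst, const char *name, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        dst[i] = (uint16_t)(i == 0 ? toupper(c) : tolower(c));
    }
}

/* Model of the heap path. The arena holds `len` units standing in for the
 * malloc(2 * len) buffer plus `len` guard units, so a write past the buffer
 * stays in memory this example owns. flawed != 0 uses the end of the buffer
 * as the copy destination. Returns guard units overwritten, -1 on failure. */
long heap_path_guard_damage(const char *name, size_t len, int flawed)
{
    if (len == 0 || len > SIZE_MAX / (2 * sizeof(uint16_t)))
        return -1;
    uint16_t *base = malloc(2 * len * sizeof *base);
    if (base == NULL) return -1;
    for (size_t i = 0; i < 2 * len; i++)
        base[i] = CANARY;
    uint16_t *dst = flawed ? base + len : base;   /* end vs. start */
    widen_capitalized(dst, name, len);
    long damaged = 0;
    for (size_t i = len; i < 2 * len; i++)
        damaged += (base[i] != CANARY);
    free(base);
    return damaged;
}

/* Checked form: stack and heap storage share one start pointer. Returns
 * stack_buf or a malloc'd block (caller frees when *on_heap), NULL on error. */
uint16_t *capitalize_header_checked(const char *name, size_t len,
                                    uint16_t *stack_buf, size_t stack_units,
                                    int *on_heap)
{
    uint16_t *start = stack_buf;
    *on_heap = 0;
    if (len >= stack_units) {                     /* too long for the stack */
        if (len > SIZE_MAX / sizeof *start)
            return NULL;                          /* byte count would wrap */
        start = malloc(len * sizeof *start);
        if (start == NULL) return NULL;
        *on_heap = 1;
    }
    widen_capitalized(start, name, len);          /* writes [start, start+len) */
    return start;
}

/* Constructed sample input: a header name of `len` 'x' bytes. */
static char *constructed_name(size_t len)
{
    char *name = malloc(len ? len : 1);
    if (name != NULL) memset(name, 'x', len);
    return name;
}

long demo_guard_damage(size_t len, int flawed)
{
    char *name = constructed_name(len);
    long r = name ? heap_path_guard_damage(name, len, flawed) : -1;
    free(name);
    return r;
}

/* 1 when the checked routine picks the expected storage and yields "Xxx...". */
int demo_checked_ok(size_t len)
{
    uint16_t stack_buf[STACK_UNITS];
    int on_heap = 0;
    char *name = constructed_name(len);
    if (name == NULL) return 0;
    uint16_t *out = capitalize_header_checked(name, len, stack_buf,
                                              STACK_UNITS, &on_heap);
    int ok = out != NULL && on_heap == (len >= STACK_UNITS)
          && (len == 0 || out[0] == 'X') && (len < 2 || out[len - 1] == 'x');
    if (on_heap) free(out);
    free(name);
    return ok;
}

int main(void)
{
    printf("flawed:  %ld guard units hit\n", demo_guard_damage(600, 1));
    printf("correct: %ld guard units hit\n", demo_guard_damage(600, 0));
    return 0;
}
```

With the flawed destination every guard unit is overwritten, which corresponds to the full UTF-16 name landing directly after the allocation; building the original pattern with AddressSanitizer or a guard-page allocator would flag the same write.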
VAR-200905-0050 | CVE-2009-0154 | Apple Mac OS X of Apple Type Services (ATS) Vulnerable to arbitrary code execution |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Heap-based buffer overflow in Apple Type Services (ATS) in Apple Mac OS X 10.4.11 and 10.5 before 10.5.7 allows remote attackers to execute arbitrary code via a crafted Compact Font Format (CFF) font. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw appears to exist in the ATSServer font server upon parsing of malicious Compact Font Format files. A boundary condition exists in the parsing of internal dictionaries that can lead to a memory corruption allowing the execution of arbitrary code. Apple Mac OS X is prone to multiple security vulnerabilities that have been addressed in Security Update 2009-002.
The security update addresses new vulnerabilities that affect Apple Type Services, CFNetwork, CoreGraphics, Disk Images, Help Viewer, iChat, ICU, Kernel, Launch Services, QuickDraw Manager, and Spotlight components of Mac OS X. The advisory also contains security updates for 47 previously reported issues.
An attacker can exploit this issue to execute arbitrary code in the context of the application using the component. Failed exploit attempts will cause a denial-of-service condition.
I.
II. Impact
The impacts of these vulnerabilities vary. Potential consequences
include arbitrary code execution, sensitive information disclosure,
denial of service, or privilege escalation.
III. These and other updates are available via Software
Update or via Apple Downloads.
IV. References
* Apple Security Update 2009-002 -
<http://support.apple.com/kb/HT3549>
* Safari 3.2.3 - <http://support.apple.com/kb/HT3550>
* Apple Downloads - <http://support.apple.com/downloads/>
* Software Update -
<https://support.apple.com/kb/HT1338?viewlocale=en_US>
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA09-133A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA09-133A Feedback VU#175188" in
the subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2009 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
May 13, 2009: Initial release
. More
details can be found at:
http://support.apple.com/kb/HT3549
-- Disclosure Timeline:
2009-03-19 - Vulnerability reported to vendor
2009-05-13 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by:
* Charlie Miller, Independent Security Evaluators
-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.
Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com
The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.
Our vulnerability disclosure policy is available online at:
http://www.zerodayinitiative.com/advisories/disclosure_policy/
. ----------------------------------------------------------------------
Are you missing:
SECUNIA ADVISORY ID:
Critical:
Impact:
Where:
within the advisory below?
This is now part of the Secunia commercial solutions.
1) A vulnerability in Apache when handling FTP proxy requests can be
exploited by malicious people to conduct cross-site scripting
attacks.
Successful exploitation allows execution of arbitrary code.
3) A vulnerability in BIND can potentially be exploited by malicious
people to conduct spoofing attacks.
For more information:
SA33404
4) An error in the parsing of Set-Cookie headers in CFNetwork can
result in applications using CFNetwork sending sensitive information
in unencrypted HTTP requests.
5) An unspecified error in the processing of HTTP headers in
CFNetwork can be exploited to cause a heap-based buffer overflow when
visiting a malicious web site.
Successful exploitation allows execution of arbitrary code.
6) Multiple errors exist in the processing of PDF files in
CoreGraphics, which can be exploited to corrupt memory and execute
arbitrary code via a specially crafted PDF file.
7) An integer underflow error in the processing of PDF files in
CoreGraphics can be exploited to cause a heap-based buffer overflow
when a specially crafted PDF file is opened.
Successful exploitation allows execution of arbitrary code.
8) Multiple vulnerabilities in the processing of JBIG2 streams within
PDF files in CoreGraphics can be exploited by malicious people to
compromise a user's system.
For more information:
SA34291
9) Multiple vulnerabilities in cscope can be exploited by malicious
people to compromise a user's system.
For more information:
SA34978
10) A boundary error in the handling of disk images can be exploited
to cause a stack-based buffer overflow when a specially crafted disk
image is mounted.
11) Multiple unspecified errors in the handling of disk images can be
exploited to cause memory corruptions when a specially crafted disk
image is mounted.
Successful exploitation of vulnerabilities #10 and #11 allows
execution of arbitrary code.
12) Multiple vulnerabilities in enscript can be exploited by
malicious people to compromise a vulnerable system.
For more information:
SA13968
SA32137
13) Multiple vulnerabilities in the Flash Player plugin can be
exploited by malicious people to compromise a user's system.
For more information:
SA34012
14) An error in Help Viewer when loading Cascading Style Sheets
referenced in URL parameters can be exploited to invoke arbitrary
AppleScript files.
15) A vulnerability exists due to Help Viewer not validating that
full paths to HTML documents are within registered help books, which
can be exploited to invoke arbitrary AppleScript files.
Successful exploitation of vulnerabilities #14 and #15 allows
execution of arbitrary code.
16) An error in iChat can result in AIM communication configured for
SSL to be sent in plaintext.
17) An error in the handling of certain character encodings in ICU
can be exploited to bypass filters on websites that attempt to
mitigate cross-site scripting.
18) Some vulnerabilities in IPSec can be exploited by malicious users
and malicious people to cause a DoS (Denial of Service).
For more information:
SA31450
SA31478
19) Multiple vulnerabilities in Kerberos can be exploited by
malicious people to potentially disclose sensitive information, cause
a DoS (Denial of Service), or potentially compromise a vulnerable
system.
For more information:
SA34347
20) An error in the handling of workqueues within the kernel can be
exploited by malicious, local users to cause a DoS or execute
arbitrary code with Kernel privileges.
21) An error in Launch Services can cause Finder to repeatedly
terminate and relaunch when a specially crafted Mach-O is
downloaded.
22) A vulnerability in libxml can be exploited by malicious people to
cause a DoS (Denial of Service) or potentially compromise an
application using the library.
For more information:
SA31558
23) A vulnerability in Net-SNMP can be exploited by malicious people
to cause a DoS (Denial of Service).
For more information:
SA32560
24) A vulnerability in Network Time can be exploited by malicious
people to conduct spoofing attacks.
For more information:
SA33406
25) A vulnerability in Network Time can be exploited by malicious
people to potentially compromise a user's system.
For more information:
SA34608
26) A vulnerability in Networking can be exploited by malicious
people to cause a DoS (Denial of Service).
For more information:
SA31745
27) A vulnerability in OpenSSL can be exploited by malicious people
to conduct spoofing attacks.
For more information:
SA33338
28) Some vulnerabilities in PHP can be exploited by malicious people
to cause a DoS (Denial of Service) or potentially compromise a
vulnerable system, and by malicious, local users to bypass certain
security restrictions.
For more information:
SA32964
29) An unspecified error in QuickDraw Manager can be exploited to
cause a memory corruption and potentially execute arbitrary code via
a specially crafted PICT image.
30) An integer underflow error in the handling of PICT images in
QuickDraw Manager can be exploited to cause a heap-based buffer
overflow via a specially crafted PICT file.
Successful exploitation allows execution of arbitrary code.
31) Multiple vulnerabilities in ruby can be exploited by malicious
people to bypass certain security restrictions, cause a DoS (Denial
of Service), and conduct spoofing attacks.
For more information:
SA31430
SA31602
32) An error in the use of the OpenSSL library in ruby can cause
revoked certificates to be accepted.
33) A vulnerability in Safari when handling "feed:" URLs can be
exploited to compromise a user's system.
For more information:
SA35056
34) Multiple unspecified errors in Spotlight can be exploited to
cause memory corruptions and execute arbitrary code when a specially
crafted Office document is downloaded.
35) An error when invoking the "login" command can result in
unexpected high privileges.
36) A boundary error in telnet can be exploited to cause a
stack-based buffer overflow when connecting to a server with an
overly long canonical name in its DNS address record.
Successful exploitation may allow execution of arbitrary code.
For more information:
SA35056
38) Multiple vulnerabilities in FreeType can be exploited by
malicious people to cause a DoS (Denial of Service) and potentially
compromise applications using the library.
For more information:
SA20100
SA25350
SA34723
39) A vulnerability in xterm can be exploited by malicious people to
compromise a user's system.
For more information:
SA33318
40) Multiple vulnerabilities in libpng can be exploited by malicious
people to cause a DoS (Denial of Service) or to potentially
compromise an application using the library. Nathan
8) Alin Rad Pop, Secunia Research and Will Dormann, CERT/CC
10) Tiller Beauchamp, IOActive
14, 15) Brian Mastenbrook
17) Chris Weber of Casaba Security
20) An anonymous researcher working with Verisign iDefense VCP
30) Damian Put and Sebastian Apelt, working with ZDI, and Chris Ries
of Carnegie Mellon University Computing Services
38) Tavis Ormandy of the Google Security Team
OTHER REFERENCES:
SA13968:
http://secunia.com/advisories/13968/
SA20100:
http://secunia.com/advisories/20100/
SA25350:
http://secunia.com/advisories/25350/
SA29792:
http://secunia.com/advisories/29792/
SA31384:
http://secunia.com/advisories/31384/
SA31430:
http://secunia.com/advisories/31430/
SA31450:
http://secunia.com/advisories/31450/
SA31478:
http://secunia.com/advisories/31478/
SA31558:
http://secunia.com/advisories/31558/
SA31602:
http://secunia.com/advisories/31602/
SA31745:
http://secunia.com/advisories/31745/
SA32137:
http://secunia.com/advisories/32137/
SA32560:
http://secunia.com/advisories/32560/
SA32964:
http://secunia.com/advisories/32964/
SA33318:
http://secunia.com/advisories/33318/
SA33338:
http://secunia.com/advisories/33338/
SA33404:
http://secunia.com/advisories/33404/
SA33406:
http://secunia.com/advisories/33406/
SA33970:
http://secunia.com/advisories/33970/
SA34012:
http://secunia.com/advisories/34012/
SA34291:
http://secunia.com/advisories/34291/
SA34347:
http://secunia.com/advisories/34347/
SA34608:
http://secunia.com/advisories/34608/
SA34723:
http://secunia.com/advisories/34723/
SA34978:
http://secunia.com/advisories/34978/
SA35056:
http://secunia.com/advisories/35056/
VAR-200902-0899 | CVE-2009-0145 | Apple Mac OS X of CoreGraphics Vulnerable to arbitrary code execution |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
CoreGraphics in Apple Mac OS X 10.4.11 and 10.5 before 10.5.7, iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch 1.1 through 2.2.1 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted PDF file that triggers memory corruption.
An attacker can exploit these issues by tricking a victim into opening a specially crafted PDF file.
A successful attack will allow attacker-supplied code to run in the context of the victim opening the file. Apple Mac OS X is prone to multiple security vulnerabilities that have been addressed in Security Update 2009-002.
The security update addresses new vulnerabilities that affect Apple Type Services, CFNetwork, CoreGraphics, Disk Images, Help Viewer, iChat, ICU, Kernel, Launch Services, QuickDraw Manager, and Spotlight components of Mac OS X. The advisory also contains security updates for 47 previously reported issues.
I.
II. Impact
The impacts of these vulnerabilities vary. Potential consequences
include arbitrary code execution, sensitive information disclosure,
denial of service, or privilege escalation.
III. These and other updates are available via Software
Update or via Apple Downloads.
IV. References
* Apple Security Update 2009-002 -
<http://support.apple.com/kb/HT3549>
* Safari 3.2.3 - <http://support.apple.com/kb/HT3550>
* Apple Downloads - <http://support.apple.com/downloads/>
* Software Update -
<https://support.apple.com/kb/HT1338?viewlocale=en_US>
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA09-133A.html>
____________________________________________________________________
Revision History
May 13, 2009: Initial release
. ----------------------------------------------------------------------
Other vulnerabilities have also been reported of which some may also
affect Safari version 3.x.
SOLUTION:
Upgrade to Safari version 4, which fixes the vulnerabilities.
PROVIDED AND/OR DISCOVERED BY:
1-3) Tavis Ormandy
4) Chris Evans of Google Inc.
----------------------------------------------------------------------
1) A vulnerability in Apache when handling FTP proxy requests can be
exploited by malicious people to conduct cross-site scripting
attacks.
For more information:
SA31384
2) A boundary error in the handling of Compact Font Format (CFF)
fonts in Apple Type Services can be exploited to cause a heap-based
buffer overflow when a specially crafted document is downloaded or
viewed.
Successful exploitation allows execution of arbitrary code.
3) A vulnerability in BIND can potentially be exploited by malicious
people to conduct spoofing attacks.
For more information:
SA33404
4) An error in the parsing of Set-Cookie headers in CFNetwork can
result in applications using CFNetwork sending sensitive information
in unencrypted HTTP requests.
5) An unspecified error in the processing of HTTP headers in
CFNetwork can be exploited to cause a heap-based buffer overflow when
visiting a malicious web site.
Successful exploitation allows execution of arbitrary code.
7) An integer underflow error in the processing of PDF files in
CoreGraphics can be exploited to cause a heap-based buffer overflow
when a specially crafted PDF file is opened.
Successful exploitation allows execution of arbitrary code.
8) Multiple vulnerabilities in the processing of JBIG2 streams within
PDF files in CoreGraphics can be exploited by malicious people to
compromise a user's system.
For more information:
SA34291
9) Multiple vulnerabilities in cscope can be exploited by malicious
people to compromise a user's system.
For more information:
SA34978
10) A boundary error in the handling of disk images can be exploited
to cause a stack-based buffer overflow when a specially crafted disk
image is mounted.
11) Multiple unspecified errors in the handling of disk images can be
exploited to cause memory corruptions when a specially crafted disk
image is mounted.
Successful exploitation of vulnerabilities #10 and #11 allows
execution of arbitrary code.
12) Multiple vulnerabilities in enscript can be exploited by
malicious people to compromise a vulnerable system.
For more information:
SA13968
SA32137
13) Multiple vulnerabilities in the Flash Player plugin can be
exploited by malicious people to compromise a user's system.
For more information:
SA34012
14) An error in Help Viewer when loading Cascading Style Sheets
referenced in URL parameters can be exploited to invoke arbitrary
AppleScript files.
15) A vulnerability exists due to Help Viewer not validating that
full paths to HTML documents are within registered help books, which
can be exploited to invoke arbitrary AppleScript files.
Successful exploitation of vulnerabilities #14 and #15 allows
execution of arbitrary code.
16) An error in iChat can result in AIM communication configured for
SSL to be sent in plaintext.
17) An error in the handling of certain character encodings in ICU
can be exploited to bypass filters on websites that attempt to
mitigate cross-site scripting.
18) Some vulnerabilities in IPSec can be exploited by malicious users
and malicious people to cause a DoS (Denial of Service).
For more information:
SA31450
SA31478
19) Multiple vulnerabilities in Kerberos can be exploited by
malicious people to potentially disclose sensitive information, cause
a DoS (Denial of Service), or potentially compromise a vulnerable
system.
For more information:
SA34347
20) An error in the handling of workqueues within the kernel can be
exploited by malicious, local users to cause a DoS or execute
arbitrary code with Kernel privileges.
21) An error in Launch Services can cause Finder to repeatedly
terminate and relaunch when a specially crafted Mach-O is
downloaded.
22) A vulnerability in libxml can be exploited by malicious people to
cause a DoS (Denial of Service) or potentially compromise an
application using the library.
For more information:
SA31558
23) A vulnerability in Net-SNMP can be exploited by malicious people
to cause a DoS (Denial of Service).
For more information:
SA32560
24) A vulnerability in Network Time can be exploited by malicious
people to conduct spoofing attacks.
For more information:
SA33406
25) A vulnerability in Network Time can be exploited by malicious
people to potentially compromise a user's system.
For more information:
SA34608
26) A vulnerability in Networking can be exploited by malicious
people to cause a DoS (Denial of Service).
For more information:
SA31745
27) A vulnerability in OpenSSL can be exploited by malicious people
to conduct spoofing attacks.
For more information:
SA33338
28) Some vulnerabilities in PHP can be exploited by malicious people
to cause a DoS (Denial of Service) or potentially compromise a
vulnerable system, and by malicious, local users to bypass certain
security restrictions.
For more information:
SA32964
29) An unspecified error in QuickDraw Manager can be exploited to
cause a memory corruption and potentially execute arbitrary code via
a specially crafted PICT image.
30) An integer underflow error in the handling of PICT images in
QuickDraw Manager can be exploited to cause a heap-based buffer
overflow via a specially crafted PICT file.
Successful exploitation allows execution of arbitrary code.
31) Multiple vulnerabilities in ruby can be exploited by malicious
people to bypass certain security restrictions, cause a DoS (Denial
of Service), and conduct spoofing attacks.
For more information:
SA31430
SA31602
32) An error in the use of the OpenSSL library in ruby can cause
revoked certificates to be accepted.
33) A vulnerability in Safari when handling "feed:" URLs can be
exploited to compromise a user's system.
For more information:
SA35056
34) Multiple unspecified errors in Spotlight can be exploited to
cause memory corruptions and execute arbitrary code when a specially
crafted Office document is downloaded.
35) An error when invoking the "login" command can result in
unexpected high privileges.
36) A boundary error in telnet can be exploited to cause a
stack-based buffer overflow when connecting to a server with an
overly long canonical name in its DNS address record.
37) A vulnerability in WebKit when handling SVGList objects can be
exploited to corrupt memory and potentially execute arbitrary code.
For more information:
SA35056
38) Multiple vulnerabilities in FreeType can be exploited by
malicious people to cause a DoS (Denial of Service) and potentially
compromise applications using the library.
For more information:
SA20100
SA25350
SA34723
39) A vulnerability in xterm can be exploited by malicious people to
compromise a user's system.
For more information:
SA33318
40) Multiple vulnerabilities in libpng can be exploited by malicious
people to cause a DoS (Denial of Service) or to potentially
compromise an application using the library. Nathan
8) Alin Rad Pop, Secunia Research and Will Dormann, CERT/CC
10) Tiller Beauchamp, IOActive
14, 15) Brian Mastenbrook
17) Chris Weber of Casaba Security
20) An anonymous researcher working with Verisign iDefense VCP
30) Damian Put and Sebastian Apelt, working with ZDI, and Chris Ries
of Carnegie Mellon University Computing Services
38) Tavis Ormandy of the Google Security Team
OTHER REFERENCES:
SA13968:
http://secunia.com/advisories/13968/
SA20100:
http://secunia.com/advisories/20100/
SA25350:
http://secunia.com/advisories/25350/
SA29792:
http://secunia.com/advisories/29792/
SA31384:
http://secunia.com/advisories/31384/
SA31430:
http://secunia.com/advisories/31430/
SA31450:
http://secunia.com/advisories/31450/
SA31478:
http://secunia.com/advisories/31478/
SA31558:
http://secunia.com/advisories/31558/
SA31602:
http://secunia.com/advisories/31602/
SA31745:
http://secunia.com/advisories/31745/
SA32137:
http://secunia.com/advisories/32137/
SA32560:
http://secunia.com/advisories/32560/
SA32964:
http://secunia.com/advisories/32964/
SA33318:
http://secunia.com/advisories/33318/
SA33338:
http://secunia.com/advisories/33338/
SA33404:
http://secunia.com/advisories/33404/
SA33406:
http://secunia.com/advisories/33406/
SA33970:
http://secunia.com/advisories/33970/
SA34012:
http://secunia.com/advisories/34012/
SA34291:
http://secunia.com/advisories/34291/
SA34347:
http://secunia.com/advisories/34347/
SA34608:
http://secunia.com/advisories/34608/
SA34723:
http://secunia.com/advisories/34723/
SA34978:
http://secunia.com/advisories/34978/
SA35056:
http://secunia.com/advisories/35056/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
VAR-200902-0880 | CVE-2009-0153 | Apple Mac OS X of ICU Vulnerable to cross-site scripting |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
International Components for Unicode (ICU) 4.0, 3.6, and other 3.x versions, as used in Apple Mac OS X 10.5 before 10.5.7, iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1, Fedora 9 and 10, and possibly other operating systems, does not properly handle invalid byte sequences during Unicode conversion, which might allow remote attackers to conduct cross-site scripting (XSS) attacks. The International Components for Unicode is prone to an input-validation vulnerability because the library may incorrectly convert some invalid byte sequences.
An attacker may leverage this vulnerability to bypass content filters. This may lead to cross-site scripting attacks or allow the attacker to obtain sensitive information in some cases. Other attacks are also possible.
NOTE: This issue was previously covered in BID 34926 (Apple Mac OS X 2009-002 Multiple Security Vulnerabilities), but has been assigned its own record to better document it. Mac OS X is the operating system used by the Apple family of machines. There is a bug in the implementation of ICU's handling of certain character encodings.
===========================================================
Ubuntu Security Notice USN-846-1 October 08, 2009
icu vulnerability
CVE-2009-0153
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 8.04 LTS:
libicu38 3.8-6ubuntu0.2
Ubuntu 8.10:
libicu38 3.8.1-2ubuntu0.2
Ubuntu 9.04:
libicu38 3.8.1-3ubuntu1.1
After a standard system upgrade you need to restart applications linked
against libicu, such as OpenOffice.org, to effect the necessary changes.
If an application using ICU processed crafted
data, content security mechanisms could be bypassed, potentially leading to
cross-site scripting (XSS) attacks.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ------------------------------------------------------------------------
Debian Security Advisory DSA-1889-1 security@debian.org
http://www.debian.org/security/ Moritz Muehlenhoff
September 16, 2009 http://www.debian.org/security/faq
- ------------------------------------------------------------------------
Package : icu
Vulnerability : programming error
Problem type : local(remote)
Debian-specific: no
CVE Id(s) : CVE-2009-0153
It was discovered that the ICU unicode library performed incorrect
processing of invalid multibyte sequences, resulting in potential
bypass of security mechanisms.
For the old stable distribution (etch), this problem has been fixed in
version 3.6-2etch3.
For the stable distribution (lenny), this problem has been fixed in
version 3.8.1-3+lenny2.
For the unstable distribution (sid), this problem has been fixed in
version 4.0.1-1.
We recommend that you upgrade your icu packages.
Upgrade instructions
- --------------------
wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 4.0 alias etch
- -------------------------------
Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
Debian GNU/Linux 5.0 alias lenny
- --------------------------------
Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
These files will probably be moved into the stable distribution on
its next update.
- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAkqxN9cACgkQXm3vHE4uylp6WACcDP/faUO12bVfOeG8qVHMiiRv
oKUAn0ZXj9WAkxDxgUbpM2SEG6TuoUgo
=FNYT
-----END PGP SIGNATURE-----
VAR-200902-0475 | CVE-2009-0140 | Apple Mac OS of SMB Service disruption in components (DoS) Vulnerabilities |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Unspecified vulnerability in the SMB component in Apple Mac OS X 10.4.11 and 10.5.6 allows remote SMB servers to cause a denial of service (memory exhaustion and system shutdown) via a crafted file system name.
An attacker who can trick an unsuspecting victim into connecting to a malicious SMB server may exploit this issue to cause the affected computer to shut down.
NOTE: This issue was previously covered in BID 33759 (Apple Mac OS X 2009-001 Multiple Security Vulnerabilities), but has been assigned its own record to better document it.
1) A race condition error in the AFP Server can be exploited to
trigger the execution of an infinite loop by sending a specially
crafted file enumeration request.
2) An error in the handling of movie files using the Pixlet codec can
be exploited to trigger a memory corruption.
3) An error in the Resource Manager related to CarbonCore can be
exploited to trigger a memory corruption via a file containing a
specially crafted resource fork.
Successful exploitation of vulnerabilities #2 and #3 may allow
execution of arbitrary code.
4) Certificate Assistant handles temporary files in an insecure
manner. This can be exploited to overwrite arbitrary files with the
privileges of the user running the application.
5) Two errors in ClamAV can be exploited to cause a crash or
potentially execute arbitrary code.
For more information:
SA32663
SA32926
6) An error in CoreText when processing specially crafted Unicode
strings can be exploited to cause a heap-based buffer overflow via
e.g. a specially crafted web page.
Successful exploitation of this vulnerability may allow execution of
arbitrary code.
7) The dscl program accepts passwords passed via command line
arguments. This can be exploited by local users to obtain the
received passwords via the process list.
8) Multiple errors in fetchmail can be exploited by malicious people
to cause a crash via overly large e-mail headers.
For more information:
SA30742
9) Folder Manager creates the "Downloads" folder with global read
permissions after a user deletes it. This can be exploited by
unprivileged local users to gain access to the "Downloads" folder.
10) An error in the fseventsd program can be exploited to disclose
normally restricted filesystem activity via the FSEvents framework.
11) An error in perl when processing Unicode characters can be
exploited to trigger a memory corruption and potentially execute
arbitrary code.
This is related to:
SA27546
12) An error handling problem in csregprinter can be exploited to
cause a heap-based buffer overflow and potentially gain system
privileges.
13) Multiple errors in python have an unknown impact or can be
exploited to cause a crash or potentially compromise a vulnerable
system.
For more information:
SA26837
SA31305
14) An uninitialized memory access error in the Remote Apple events
server can be exploited to disclose potentially sensitive memory
contents via specially crafted Remote Apple events.
15) An error in Server Manager while validating authentication
credentials can be exploited to alter the system configuration.
Successful exploitation of this vulnerability may allow execution of
arbitrary code.
18) An error in SquirrelMail can be exploited to inject and execute
arbitrary HTML and script code via a specially crafted email.
For more information:
SA32143
19) Multiple errors in the X11 server can be exploited by malicious,
local users to cause a DoS, disclose potentially sensitive
information, or gain escalated privileges.
For more information:
SA30627
20) Multiple errors in FreeType can be exploited to cause a DoS or
compromise an application using the library.
For more information:
SA20100
SA24768
SA30600
21) Multiple errors in LibX11 can be exploited by malicious, local
users to disclose sensitive information, cause a DoS, and gain
escalated privileges.
For more information:
SA24741
22) Xterm creates TTY devices accessible to all users, when used with
"luit". This can be exploited to e.g. write data to another user's
Xterm.
SOLUTION:
Apply Apple Security Update 2009-001.
http://www.apple.com/support/downloads/
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
6) Rosyna of Unsanity
9) Graham Perrin of CENTRIM, University of Brighton
10) Mark Dalrymple
12) Lars Haulin
ORIGINAL ADVISORY:
http://support.apple.com/kb/HT3438
OTHER REFERENCES:
SA20100:
http://secunia.com/advisories/20100/
SA24741:
http://secunia.com/advisories/24741/
SA24768:
http://secunia.com/advisories/24768/
SA26837:
http://secunia.com/advisories/26837/
SA27546:
http://secunia.com/advisories/27546/
SA30600:
http://secunia.com/advisories/30600/
SA30627:
http://secunia.com/advisories/30627/
SA30742:
http://secunia.com/advisories/30742/
SA31305:
http://secunia.com/advisories/31305/
SA32143:
http://secunia.com/advisories/32143/
SA32663:
http://secunia.com/advisories/32663/
SA32926:
http://secunia.com/advisories/32926/
VAR-200902-0458 | CVE-2009-0009 | Apple Mac OS of Pixlet Vulnerability in arbitrary code execution in codec |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Unspecified vulnerability in the Pixlet codec in Apple Mac OS X 10.4.11 and 10.5.6 allows remote attackers to cause a denial of service (application termination) and possibly execute arbitrary code via a crafted movie file that triggers memory corruption. A remote attacker could execute arbitrary code or cause a denial-of-service (DoS) condition.
The security update addresses new vulnerabilities that affect the AFP server, movie playing, Resource Manager, Certificate Assistant, CoreText, 'dscl', Folder Manager, FSEvents, csregprinter, Remote Apple Event Viewer, Safari, Xterm, and SMB components of Mac OS X. The advisory also contains security updates for 32 previously reported issues. Apple Mac OS X is prone to a code-execution issue because it fails to perform adequate boundary checks on user-supplied data.
An attacker can exploit this issue by enticing an unsuspecting user to open a specially crafted movie file. Failed exploit attempts likely result in denial-of-service conditions.
This issue affects Mac OS X 10.4.11 and 10.5.6 (both client and server).
NOTE: This issue was previously covered in BID 33759 (Apple Mac OS X 2009-001 Multiple Security Vulnerabilities), but has been assigned its own record to better document it.
1) A race condition error in the AFP Server can be exploited to
trigger the execution of an infinite loop by sending a specially
crafted file enumeration request.
2) An error in the handling of movie files using the Pixlet codec can
be exploited to trigger a memory corruption.
3) An error in the Resource Manager related to CarbonCore can be
exploited to trigger a memory corruption via a file containing a
specially crafted resource fork.
Successful exploitation of vulnerabilities #2 and #3 may allow
execution of arbitrary code.
4) Certificate Assistant handles temporary files in an insecure
manner.
5) Two errors in ClamAV can be exploited to cause a crash or
potentially execute arbitrary code.
For more information:
SA32663
SA32926
6) An error in CoreText when processing specially crafted Unicode
strings can be exploited to cause a heap-based buffer overflow via
e.g. a specially crafted web page.
Successful exploitation of this vulnerability may allow execution of
arbitrary code.
7) The dscl program accepts passwords passed via command line
arguments. This can be exploited by local users to obtain the
received passwords via the process list.
8) Multiple errors in fetchmail can be exploited by malicious people
to cause a crash via overly large e-mail headers.
For more information:
SA30742
9) Folder Manager creates the "Downloads" folder with global read
permissions after a user deletes it. This can be exploited by
unprivileged local users to gain access to the "Downloads" folder.
10) An error in the fseventsd program can be exploited to disclose
normally restricted filesystem activity via the FSEvents framework.
11) An error in perl when processing Unicode characters can be
exploited to trigger a memory corruption and potentially execute
arbitrary code.
This is related to:
SA27546
12) An error handling problem in csregprinter can be exploited to
cause a heap-based buffer overflow and potentially gain system
privileges.
13) Multiple errors in python have an unknown impact or can be
exploited to cause a crash or potentially compromise a vulnerable
system.
For more information:
SA26837
SA31305
14) An uninitialized memory access error in the Remote Apple events
server can be exploited to disclose potentially sensitive memory
contents via specially crafted Remote Apple events.
15) An error in Server Manager while validating authentication
credentials can be exploited to alter the system configuration.
16) An integer overflow in the SMB implementation can be exploited to
cause a heap-based buffer overflow by tricking a user into connecting
to a malicious SMB server.
Successful exploitation of this vulnerability may allow execution of
arbitrary code.
17) An error in the SMB implementation can be exploited to exhaust
available memory resources and cause a system shutdown by tricking a
user into connecting to a malicious SMB server.
18) An error in SquirrelMail can be exploited to inject and execute
arbitrary HTML and script code via a specially crafted email.
For more information:
SA32143
19) Multiple errors in the X11 server can be exploited by malicious,
local users to cause a DoS, disclose potentially sensitive
information, or gain escalated privileges.
For more information:
SA30627
20) Multiple errors in FreeType can be exploited to cause a DoS or
compromise an application using the library.
For more information:
SA20100
SA24768
SA30600
21) Multiple errors in LibX11 can be exploited by malicious, local
users to disclose sensitive information, cause a DoS, and gain
escalated privileges.
For more information:
SA24741
22) Xterm creates TTY devices accessible to all users, when used with
"luit". This can be exploited to e.g. write data to another user's
Xterm.
SOLUTION:
Apply Apple Security Update 2009-001.
http://www.apple.com/support/downloads/
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
6) Rosyna of Unsanity
9) Graham Perrin of CENTRIM, University of Brighton
10) Mark Dalrymple
12) Lars Haulin
ORIGINAL ADVISORY:
http://support.apple.com/kb/HT3438
OTHER REFERENCES:
SA20100:
http://secunia.com/advisories/20100/
SA24741:
http://secunia.com/advisories/24741/
SA24768:
http://secunia.com/advisories/24768/
SA26837:
http://secunia.com/advisories/26837/
SA27546:
http://secunia.com/advisories/27546/
SA30600:
http://secunia.com/advisories/30600/
SA30627:
http://secunia.com/advisories/30627/
SA30742:
http://secunia.com/advisories/30742/
SA31305:
http://secunia.com/advisories/31305/
SA32143:
http://secunia.com/advisories/32143/
SA32663:
http://secunia.com/advisories/32663/
SA32926:
http://secunia.com/advisories/32926/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200902-0477 | CVE-2009-0142 | Apple Mac OS AFP Server denial-of-service (DoS) vulnerability |
CVSS V2: 1.9 CVSS V3: - Severity: LOW |
Race condition in AFP Server in Apple Mac OS X 10.5.6 allows local users to cause a denial of service (infinite loop) via unspecified vectors related to "file enumeration logic." Apple Mac OS X is prone to multiple security vulnerabilities that have been addressed in Security Update 2009-001.
The security update addresses new vulnerabilities that affect the AFP server, movie playing, Resource Manager, Certificate Assistant, CoreText, 'dscl', Folder Manager, FSEvents, csregprinter, Remote Apple Event Viewer, Safari, Xterm, and SMB components of Mac OS X. The advisory also contains security updates for 32 previously reported issues.
This issue affects Mac OS X 10.5.6 (both client and server).
2) An error in the handling of movie files using the Pixlet codec can
be exploited to trigger a memory corruption.
3) An error in the Resource Manager related to CarbonCore can be
exploited to trigger a memory corruption via a file containing a
specially crafted resource fork.
Successful exploitation of vulnerabilities #2 and #3 may allow
execution of arbitrary code.
4) Certificate Assistant handles temporary files in an insecure
manner. This can be exploited to overwrite arbitrary files with the
privileges of the user running the application.
5) Two errors in ClamAV can be exploited to cause a crash or
potentially execute arbitrary code.
For more information:
SA32663
SA32926
6) An error in CoreText when processing specially crafted Unicode
strings can be exploited to cause a heap-based buffer overflow via
e.g. a specially crafted web page.
Successful exploitation of this vulnerability may allow execution of
arbitrary code.
7) The dscl program accepts passwords passed via command line
arguments. This can be exploited by local users to obtain the
received passwords via the process list.
8) Multiple errors in fetchmail can be exploited by malicious people
to cause a crash via overly large e-mail headers.
For more information:
SA30742
9) Folder Manager creates the "Downloads" folder with global read
permissions after a user deletes it. This can be exploited by
unprivileged local users to gain access to the "Downloads" folder.
10) An error in the fseventsd program can be exploited to disclose
normally restricted filesystem activity via the FSEvents framework.
11) An error in perl when processing Unicode characters can be
exploited to trigger a memory corruption and potentially execute
arbitrary code.
This is related to:
SA27546
12) An error handling problem in csregprinter can be exploited to
cause a heap-based buffer overflow and potentially gain system
privileges.
13) Multiple errors in python have an unknown impact or can be
exploited to cause a crash or potentially compromise a vulnerable
system.
For more information:
SA26837
SA31305
14) An uninitialized memory access error in the Remote Apple events
server can be exploited to disclose potentially sensitive memory
contents via specially crafted Remote Apple events.
15) An error in Server Manager while validating authentication
credentials can be exploited to alter the system configuration.
16) An integer overflow in the SMB implementation can be exploited to
cause a heap-based buffer overflow by tricking a user into connecting
to a malicious SMB server.
Successful exploitation of this vulnerability may allow execution of
arbitrary code.
17) An error in the SMB implementation can be exploited to exhaust
available memory resources and cause a system shutdown by tricking a
user into connecting to a malicious SMB server.
18) An error in SquirrelMail can be exploited to inject and execute
arbitrary HTML and script code via a specially crafted email.
For more information:
SA32143
19) Multiple errors in the X11 server can be exploited by malicious,
local users to cause a DoS, disclose potentially sensitive
information, or gain escalated privileges.
For more information:
SA30627
20) Multiple errors in FreeType can be exploited to cause a DoS or
compromise an application using the library.
For more information:
SA20100
SA24768
SA30600
21) Multiple errors in LibX11 can be exploited by malicious, local
users to disclose sensitive information, cause a DoS, and gain
escalated privileges.
For more information:
SA24741
22) Xterm creates TTY devices accessible to all users, when used with
"luit". This can be exploited to e.g. write data to another user's
Xterm.
SOLUTION:
Apply Apple Security Update 2009-001.
http://www.apple.com/support/downloads/
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
6) Rosyna of Unsanity
9) Graham Perrin of CENTRIM, University of Brighton
10) Mark Dalrymple
12) Lars Haulin
ORIGINAL ADVISORY:
http://support.apple.com/kb/HT3438
OTHER REFERENCES:
SA20100:
http://secunia.com/advisories/20100/
SA24741:
http://secunia.com/advisories/24741/
SA24768:
http://secunia.com/advisories/24768/
SA26837:
http://secunia.com/advisories/26837/
SA27546:
http://secunia.com/advisories/27546/
SA30600:
http://secunia.com/advisories/30600/
SA30627:
http://secunia.com/advisories/30627/
SA30742:
http://secunia.com/advisories/30742/
SA31305:
http://secunia.com/advisories/31305/
SA32143:
http://secunia.com/advisories/32143/
SA32663:
http://secunia.com/advisories/32663/
SA32926:
http://secunia.com/advisories/32926/
----------------------------------------------------------------------
VAR-200902-0476 | CVE-2009-0141 | Apple Mac OS XTerm writable vulnerability |
CVSS V2: 2.1 CVSS V3: 5.5 Severity: MEDIUM |
XTerm in Apple Mac OS X 10.4.11 and 10.5.6, when used with luit, creates tty devices with insecure world-writable permissions, which allows local users to write to the Xterm of another user.
The security update addresses new vulnerabilities that affect the AFP server, movie playing, Resource Manager, Certificate Assistant, CoreText, 'dscl', Folder Manager, FSEvents, csregprinter, Remote Apple Event Viewer, Safari, Xterm, and SMB components of Mac OS X. The advisory also contains security updates for 32 previously reported issues.
Local attackers may exploit this issue to gain elevated privileges; other attacks may also be possible.
This issue affects Mac OS X 10.4.11 and 10.5.6. Other distributions that include XTerm and Luit may also be vulnerable, but this has not been confirmed.
NOTE: This issue was previously covered in BID 33759 (Apple Mac OS X 2009-001 Multiple Security Vulnerabilities), but has been assigned its own record to better document it.
1) A race condition error in the AFP Server can be exploited to
trigger the execution of an infinite loop by sending a specially
crafted file enumeration request.
2) An error in the handling of movie files using the Pixlet codec can
be exploited to trigger a memory corruption.
3) An error in the Resource Manager related to CarbonCore can be
exploited to trigger a memory corruption via a file containing a
specially crafted resource fork.
Successful exploitation of vulnerabilities #2 and #3 may allow
execution of arbitrary code.
4) Certificate Assistant handles temporary files in an insecure
manner. This can be exploited to overwrite arbitrary files with the
privileges of the user running the application.
5) Two errors in ClamAV can be exploited to cause a crash or
potentially execute arbitrary code.
For more information:
SA32663
SA32926
6) An error in CoreText when processing specially crafted Unicode
strings can be exploited to cause a heap-based buffer overflow via
e.g. a specially crafted web page.
Successful exploitation of this vulnerability may allow execution of
arbitrary code.
7) The dscl program accepts passwords passed via command line
arguments. This can be exploited by local users to obtain the
received passwords via the process list.
8) Multiple errors in fetchmail can be exploited by malicious people
to cause a crash via overly large e-mail headers.
For more information:
SA30742
9) Folder Manager creates the "Downloads" folder with global read
permissions after a user deletes it. This can be exploited by
unprivileged local users to gain access to the "Downloads" folder.
10) An error in the fseventsd program can be exploited to disclose
normally restricted filesystem activity via the FSEvents framework.
11) An error in perl when processing Unicode characters can be
exploited to trigger a memory corruption and potentially execute
arbitrary code.
This is related to:
SA27546
12) An error handling problem in csregprinter can be exploited to
cause a heap-based buffer overflow and potentially gain system
privileges.
13) Multiple errors in python have an unknown impact or can be
exploited to cause a crash or potentially compromise a vulnerable
system.
For more information:
SA26837
SA31305
14) An uninitialized memory access error in the Remote Apple events
server can be exploited to disclose potentially sensitive memory
contents via specially crafted Remote Apple events.
15) An error in Server Manager while validating authentication
credentials can be exploited to alter the system configuration.
16) An integer overflow in the SMB implementation can be exploited to
cause a heap-based buffer overflow by tricking a user into connecting
to a malicious SMB server.
Successful exploitation of this vulnerability may allow execution of
arbitrary code.
17) An error in the SMB implementation can be exploited to exhaust
available memory resources and cause a system shutdown by tricking a
user into connecting to a malicious SMB server.
18) An error in SquirrelMail can be exploited to inject and execute
arbitrary HTML and script code via a specially crafted email.
For more information:
SA32143
19) Multiple errors in the X11 server can be exploited by malicious,
local users to cause a DoS, disclose potentially sensitive
information, or gain escalated privileges.
For more information:
SA30627
20) Multiple errors in FreeType can be exploited to cause a DoS or
compromise an application using the library.
For more information:
SA20100
SA24768
SA30600
21) Multiple errors in LibX11 can be exploited by malicious, local
users to disclose sensitive information, cause a DoS, and gain
escalated privileges.
For more information:
SA24741
22) Xterm creates TTY devices accessible to all users, when used with
"luit". This can be exploited to e.g. write data to another user's
Xterm.
SOLUTION:
Apply Apple Security Update 2009-001.
http://www.apple.com/support/downloads/
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
6) Rosyna of Unsanity
9) Graham Perrin of CENTRIM, University of Brighton
10) Mark Dalrymple
12) Lars Haulin
ORIGINAL ADVISORY:
http://support.apple.com/kb/HT3438
OTHER REFERENCES:
SA20100:
http://secunia.com/advisories/20100/
SA24741:
http://secunia.com/advisories/24741/
SA24768:
http://secunia.com/advisories/24768/
SA26837:
http://secunia.com/advisories/26837/
SA27546:
http://secunia.com/advisories/27546/
SA30600:
http://secunia.com/advisories/30600/
SA30627:
http://secunia.com/advisories/30627/
SA30742:
http://secunia.com/advisories/30742/
SA31305:
http://secunia.com/advisories/31305/
SA32143:
http://secunia.com/advisories/32143/
SA32663:
http://secunia.com/advisories/32663/
SA32926:
http://secunia.com/advisories/32926/
----------------------------------------------------------------------
VAR-200902-0474 | CVE-2009-0139 | Apple Mac OS SMB component integer overflow vulnerability |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Integer overflow in the SMB component in Apple Mac OS X 10.5.6 allows remote SMB servers to cause a denial of service (system shutdown) or execute arbitrary code via a crafted SMB file system that triggers a heap-based buffer overflow. Apple Mac OS X is prone to a buffer-overflow vulnerability that occurs in the SMB component.
An attacker can exploit this issue to execute arbitrary code with SYSTEM-level privileges. Successful exploits will facilitate the complete compromise of affected computers. Failed exploit attempts will result in a denial-of-service condition.
NOTE: This issue was previously covered in BID 33759 (Apple Mac OS X 2009-001 Multiple Security Vulnerabilities), but has been assigned its own record to better document it.
OS X 10.5.6 and OS X Server 10.5.6 are vulnerable.
1) A race condition error in the AFP Server can be exploited to
trigger the execution of an infinite loop by sending a specially
crafted file enumeration request.
2) An error in the handling of movie files using the Pixlet codec can
be exploited to trigger a memory corruption.
3) An error in the Resource Manager related to CarbonCore can be
exploited to trigger a memory corruption via a file containing a
specially crafted resource fork.
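4) Certificate Assistant handles temporary files in an insecure
manner. This can be exploited to overwrite arbitrary files with the
privileges of the user running the application.
5) Two errors in ClamAV can be exploited to cause a crash or
potentially execute arbitrary code.
For more information:
SA32663
SA32926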
6) An error in CoreText when processing specially crafted Unicode
strings can be exploited to cause a heap-based buffer overflow via
e.g. a specially crafted web page.
7) The dscl program accepts passwords passed via command line
arguments. This can be exploited by local users to obtain the
received passwords via the process list.
8) Multiple errors in fetchmail can be exploited by malicious people
to cause a crash via overly large e-mail headers.
For more information:
SA30742
9) Folder Manager creates the "Downloads" folder with global read
permissions after a user deletes it. This can be exploited by
unprivileged local users to gain access to the "Downloads" folder.
10) An error in the fseventsd program can be exploited to disclose
normally restricted filesystem activity via the FSEvents framework.
11) An error in perl when processing Unicode characters can be
exploited to trigger a memory corruption and potentially execute
arbitrary code.
This is related to:
SA27546
12) An error handling problem in csregprinter can be exploited to
cause a heap-based buffer overflow and potentially gain system
privileges.
13) Multiple errors in python have an unknown impact or can be
exploited to cause a crash or potentially compromise a vulnerable
system.
For more information:
SA26837
SA31305
14) An uninitialized memory access error in the Remote Apple events
server can be exploited to disclose potentially sensitive memory
contents via specially crafted Remote Apple events.
15) An error in Server Manager while validating authentication
credentials can be exploited to alter the system configuration.
17) An error in the SMB implementation can be exploited to exhaust
available memory resources and cause a system shutdown by tricking a
user into connecting to a malicious SMB server.
18) An error in SquirrelMail can be exploited to inject and execute
arbitrary HTML and script code via a specially crafted email.
For more information:
SA32143
19) Multiple errors in the X11 server can be exploited by malicious,
local users to cause a DoS, disclose potentially sensitive
information, or gain escalated privileges.
For more information:
SA30627
20) Multiple errors in FreeType can be exploited to cause a DoS or
compromise an application using the library.
For more information:
SA20100
SA24768
SA30600
21) Multiple errors in LibX11 can be exploited by malicious, local
users to disclose sensitive information, cause a DoS, and gain
escalated privileges.
For more information:
SA24741
22) Xterm creates TTY devices accessible to all users, when used with
"luit". This can be exploited to e.g. write data to another user's
Xterm.
SOLUTION:
Apply Apple Security Update 2009-001.
http://www.apple.com/support/downloads/
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
6) Rosyna of Unsanity
9) Graham Perrin of CENTRIM, University of Brighton
10) Mark Dalrymple
12) Lars Haulin
ORIGINAL ADVISORY:
http://support.apple.com/kb/HT3438
OTHER REFERENCES:
SA20100:
http://secunia.com/advisories/20100/
SA24741:
http://secunia.com/advisories/24741/
SA24768:
http://secunia.com/advisories/24768/
SA26837:
http://secunia.com/advisories/26837/
SA27546:
http://secunia.com/advisories/27546/
SA30600:
http://secunia.com/advisories/30600/
SA30627:
http://secunia.com/advisories/30627/
SA30742:
http://secunia.com/advisories/30742/
SA31305:
http://secunia.com/advisories/31305/
SA32143:
http://secunia.com/advisories/32143/
SA32663:
http://secunia.com/advisories/32663/
SA32926:
http://secunia.com/advisories/32926/
----------------------------------------------------------------------
VAR-200902-0473 | CVE-2009-0138 | Apple Mac OS Server Manager vulnerability allowing system settings to be changed |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
servermgrd (Server Manager) in Apple Mac OS X 10.5.6 does not properly validate authentication credentials, which allows remote attackers to modify the system configuration. The advisory also contains security updates for 32 previously reported issues. Apple Mac OS X is prone to an authentication-bypass vulnerability.
A remote attacker may exploit this issue to connect to the Server Manager without proper authorization. This will allow the attacker to alter the configuration of the affected system, which may aid in further attacks.
The issue affects Mac OS X v10.5.6 and Mac OS X Server v10.5.6.
NOTE: This issue was previously covered in BID 33759 (Apple Mac OS X 2009-001 Multiple Security Vulnerabilities), but has been assigned its own record to better document it.
1) A race condition error in the AFP Server can be exploited to
trigger the execution of an infinite loop by sending a specially
crafted file enumeration request.
2) An error in the handling of movie files using the Pixlet codec can
be exploited to trigger a memory corruption.
3) An error in the Resource Manager related to CarbonCore can be
exploited to trigger a memory corruption via a file containing a
specially crafted resource fork.
Successful exploitation of vulnerabilities #2 and #3 may allow
execution of arbitrary code.
4) Certificate Assistant handles temporary files in an insecure
manner. This can be exploited to overwrite arbitrary files with the
privileges of the user running the application.
5) Two errors in ClamAV can be exploited to cause a crash or
potentially execute arbitrary code.
For more information:
SA32663
SA32926
6) An error in CoreText when processing specially crafted Unicode
strings can be exploited to cause a heap-based buffer overflow via
e.g. a specially crafted web page.
Successful exploitation of this vulnerability may allow execution of
arbitrary code.
7) The dscl program accepts passwords passed via command line
arguments. This can be exploited by local users to obtain the
received passwords via the process list.
8) Multiple errors in fetchmail can be exploited by malicious people
to cause a crash via overly large e-mail headers.
For more information:
SA30742
9) Folder Manager creates the "Downloads" folder with global read
permissions after a user deletes it. This can be exploited by
unprivileged local users to gain access to the "Downloads" folder.
10) An error in the fseventsd program can be exploited to disclose
normally restricted filesystem activity via the FSEvents framework.
11) An error in perl when processing Unicode characters can be
exploited to trigger a memory corruption and potentially execute
arbitrary code.
This is related to:
SA27546
12) An error handling problem in csregprinter can be exploited to
cause a heap-based buffer overflow and potentially gain system
privileges.
13) Multiple errors in python have an unknown impact or can be
exploited to cause a crash or potentially compromise a vulnerable
system.
For more information:
SA26837
SA31305
14) An uninitialized memory access error in the Remote Apple events
server can be exploited to disclose potentially sensitive memory
contents via specially crafted Remote Apple events.
16) An integer overflow in the SMB implementation can be exploited to
cause a heap-based buffer overflow by tricking a user into connecting
to a malicious SMB server.
Successful exploitation of this vulnerability may allow execution of
arbitrary code.
17) An error in the SMB implementation can be exploited to exhaust
available memory resources and cause a system shutdown by tricking a
user into connecting to a malicious SMB server.
18) An error in SquirrelMail can be exploited to inject and execute
arbitrary HTML and script code via a specially crafted email.
For more information:
SA32143
19) Multiple errors in the X11 server can be exploited by malicious,
local users to cause a DoS, disclose potentially sensitive
information, or gain escalated privileges.
For more information:
SA30627
20) Multiple errors in FreeType can be exploited to cause a DoS or
compromise an application using the library.
For more information:
SA20100
SA24768
SA30600
21) Multiple errors in LibX11 can be exploited by malicious, local
users to disclose sensitive information, cause a DoS, and gain
escalated privileges.
For more information:
SA24741
22) Xterm creates TTY devices accessible to all users, when used with
"luit". This can be exploited to e.g. write data to another user's
Xterm.
SOLUTION:
Apply Apple Security Update 2009-001.
http://www.apple.com/support/downloads/
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
6) Rosyna of Unsanity
9) Graham Perrin of CENTRIM, University of Brighton
10) Mark Dalrymple
12) Lars Haulin
ORIGINAL ADVISORY:
http://support.apple.com/kb/HT3438
OTHER REFERENCES:
SA20100:
http://secunia.com/advisories/20100/
SA24741:
http://secunia.com/advisories/24741/
SA24768:
http://secunia.com/advisories/24768/
SA26837:
http://secunia.com/advisories/26837/
SA27546:
http://secunia.com/advisories/27546/
SA30600:
http://secunia.com/advisories/30600/
SA30627:
http://secunia.com/advisories/30627/
SA30742:
http://secunia.com/advisories/30742/
SA31305:
http://secunia.com/advisories/31305/
SA32143:
http://secunia.com/advisories/32143/
SA32663:
http://secunia.com/advisories/32663/
SA32926:
http://secunia.com/advisories/32926/
----------------------------------------------------------------------
VAR-200902-0463 | CVE-2009-0015 | Apple Mac OS FSEvents framework information disclosure vulnerability |
CVSS V2: 4.9 CVSS V3: - Severity: MEDIUM |
Unspecified vulnerability in fseventsd in the FSEvents framework in Apple Mac OS X 10.5.6 allows local users to obtain sensitive information (filesystem activities and directory names) via unknown vectors related to "credential management."
The security update addresses new vulnerabilities that affect the AFP server, movie playing, Resource Manager, Certificate Assistant, CoreText, 'dscl', Folder Manager, FSEvents, csregprinter, Remote Apple Event Viewer, Safari, Xterm, and SMB components of Mac OS X. The advisory also contains security updates for 32 previously reported issues.
A local attacker may exploit this issue to gain potentially sensitive information that may aid in further attacks.
This issue affects Mac OS X 10.5.6 (both client and server).
1) A race condition error in the AFP Server can be exploited to
trigger the execution of an infinite loop by sending a specially
crafted file enumeration request.
2) An error in the handling of movie files using the Pixlet codec can
be exploited to trigger a memory corruption.
3) An error in the Resource Manager related to CarbonCore can be
exploited to trigger a memory corruption via a file containing a
specially crafted resource fork.
Successful exploitation of vulnerabilities #2 and #3 may allow
execution of arbitrary code.
4) Certificate Assistant handles temporary files in an insecure
manner. This can be exploited to overwrite arbitrary files with the
privileges of the user running the application.
5) Two errors in ClamAV can be exploited to cause a crash or
potentially execute arbitrary code.
For more information:
SA32663
SA32926
6) An error in CoreText when processing specially crafted Unicode
strings can be exploited to cause a heap-based buffer overflow via
e.g. a specially crafted web page.
Successful exploitation of this vulnerability may allow execution of
arbitrary code.
7) The dscl program accepts passwords passed via command line
arguments. This can be exploited by local users to obtain the
received passwords via the process list.
8) Multiple errors in fetchmail can be exploited by malicious people
to cause a crash via overly large e-mail headers.
For more information:
SA30742
9) Folder Manager creates the "Downloads" folder with global read
permissions after a user deletes it. This can be exploited by
unprivileged local users to gain access to the "Downloads" folder.
10) An error in the fseventsd program can be exploited to disclose
normally restricted filesystem activity via the FSEvents framework.
11) An error in perl when processing Unicode characters can be
exploited to trigger a memory corruption and potentially execute
arbitrary code.
This is related to:
SA27546
12) An error handling problem in csregprinter can be exploited to
cause a heap-based buffer overflow and potentially gain system
privileges.
13) Multiple errors in python have an unknown impact or can be
exploited to cause a crash or potentially compromise a vulnerable
system.
For more information:
SA26837
SA31305
14) An uninitialized memory access error in the Remote Apple events
server can be exploited to disclose potentially sensitive memory
contents via specially crafted Remote Apple events.
15) An error in Server Manager while validating authentication
credentials can be exploited to alter the system configuration.
16) An integer overflow in the SMB implementation can be exploited to
cause a heap-based buffer overflow by tricking a user into connecting
to a malicious SMB server.
Successful exploitation of this vulnerability may allow execution of
arbitrary code.
17) An error in the SMB implementation can be exploited to exhaust
available memory resources and cause a system shutdown by tricking a
user into connecting to a malicious SMB server.
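18) An error in SquirrelMail can be exploited to inject and execute
arbitrary HTML and script code via a specially crafted email.
For more information:
SA32143
19) Multiple errors in the X11 server can be exploited by malicious,
local users to cause a DoS, disclose potentially sensitive
information, or gain escalated privileges.
For more information:
SA30627
20) Multiple errors in FreeType can be exploited to cause a DoS or
compromise an application using the library.
For more information:
SA20100
SA24768
SA30600
21) Multiple errors in LibX11 can be exploited by malicious, local
users to disclose sensitive information, cause a DoS, and gain
escalated privileges.
For more information:
SA24741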
22) Xterm creates TTY devices accessible to all users, when used with
"luit". This can be exploited to e.g. write data to another user's
Xterm.
SOLUTION:
Apply Apple Security Update 2009-001.
http://www.apple.com/support/downloads/
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
6) Rosyna of Unsanity
9) Graham Perrin of CENTRIM, University of Brighton
10) Mark Dalrymple
12) Lars Haulin
ORIGINAL ADVISORY:
http://support.apple.com/kb/HT3438
OTHER REFERENCES:
SA20100:
http://secunia.com/advisories/20100/
SA24741:
http://secunia.com/advisories/24741/
SA24768:
http://secunia.com/advisories/24768/
SA26837:
http://secunia.com/advisories/26837/
SA27546:
http://secunia.com/advisories/27546/
SA30600:
http://secunia.com/advisories/30600/
SA30627:
http://secunia.com/advisories/30627/
SA30742:
http://secunia.com/advisories/30742/
SA31305:
http://secunia.com/advisories/31305/
SA32143:
http://secunia.com/advisories/32143/
SA32663:
http://secunia.com/advisories/32663/
SA32926:
http://secunia.com/advisories/32926/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200902-0462 | CVE-2009-0014 | Apple Mac OS of Folder Manager Vulnerable to reading the "Download" folder |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
Folder Manager in Apple Mac OS X 10.5.6 uses insecure default permissions when recreating a Downloads folder after it has been deleted, which allows local users to bypass intended access restrictions and read the Downloads folder.
The security update addresses new vulnerabilities that affect the AFP server, movie playing, Resource Manager, Certificate Assistant, CoreText, 'dscl', Folder Manager, FSEvents, csregprinter, Remote Apple Event Viewer, Safari, Xterm, and SMB components of Mac OS X. The advisory also contains security updates for 32 previously reported issues. Apple Mac OS X is prone to a local information-disclosure vulnerability.
A local attacker may exploit this issue to gain access to the Downloads folders of other users and potentially obtain sensitive information. This may aid in further attacks.
This issue affects Mac OS X v10.5.6 and Mac OS X Server v10.5.6.
NOTE: This issue was previously covered in BID 33759 (Apple Mac OS X 2009-001 Multiple Security Vulnerabilities), but has been assigned its own record to better document it.
1) A race condition error in the AFP Server can be exploited to
trigger the execution of an infinite loop by sending a specially
crafted file enumeration request.
2) An error in the handling of movie files using the Pixlet codec can
be exploited to trigger a memory corruption.
3) An error in the Resource Manager related to CarbonCore can be
exploited to trigger a memory corruption via a file containing a
specially crafted resource fork.
Successful exploitation of vulnerabilities #2 and #3 may allow
execution of arbitrary code.
4) Certificate Assistant handles temporary files in an insecure
manner. This can be exploited to overwrite arbitrary files with the
privileges of the user running the application.
5) Two errors in ClamAV can be exploited to cause a crash or
potentially execute arbitrary code.
For more information:
SA32663
SA32926
6) An error in CoreText when processing specially crafted Unicode
strings can be exploited to cause a heap-based buffer overflow via
e.g. a specially crafted web page.
Successful exploitation of this vulnerability may allow execution of
arbitrary code.
7) The dscl program accepts passwords passed via command line
arguments. This can be exploited by local users to obtain the
received passwords via the process list.
8) Multiple errors in fetchmail can be exploited by malicious people
to cause a crash via overly large e-mail headers.
10) An error in the fseventsd program can be exploited to disclose
normally restricted filesystem activity via the FSEvents framework.
11) An error in perl when processing Unicode characters can be
exploited to trigger a memory corruption and potentially execute
arbitrary code.
This is related to:
SA27546
12) An error handling problem in csregprinter can be exploited to
cause a heap-based buffer overflow and potentially gain system
privileges.
13) Multiple errors in python have an unknown impact or can be
exploited to cause a crash or potentially compromise a vulnerable
system.
For more information:
SA26837
SA31305
14) An uninitialized memory access error in the Remote Apple events
server can be exploited to disclose potentially sensitive memory
contents via specially crafted Remote Apple events.
15) An error in Server Manager while validating authentication
credentials can be exploited to alter the system configuration.
16) An integer overflow in the SMB implementation can be exploited to
cause a heap-based buffer overflow by tricking a user into connecting
to a malicious SMB server.
Successful exploitation of this vulnerability may allow execution of
arbitrary code.
17) An error in the SMB implementation can be exploited to exhaust
available memory resources and cause a system shutdown by tricking a
user into connecting to a malicious SMB server.
18) An error in SquirrelMail can be exploited to inject and execute
arbitrary HTML and script code via a specially crafted email.
For more information:
SA30627
20) Multiple errors in FreeType can be exploited to cause a DoS or
compromise an application using the library.
For more information:
SA24741
22) Xterm creates TTY devices accessible to all users, when used with
"luit". This can be exploited to e.g. write data to another user's
Xterm.
SOLUTION:
Apply Apple Security Update 2009-001.
http://www.apple.com/support/downloads/
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
6) Rosyna of Unsanity
9) Graham Perrin of CENTRIM, University of Brighton
10) Mark Dalrymple
12) Lars Haulin
ORIGINAL ADVISORY:
http://support.apple.com/kb/HT3438
OTHER REFERENCES:
SA20100:
http://secunia.com/advisories/20100/
SA24741:
http://secunia.com/advisories/24741/
SA24768:
http://secunia.com/advisories/24768/
SA26837:
http://secunia.com/advisories/26837/
SA27546:
http://secunia.com/advisories/27546/
SA30600:
http://secunia.com/advisories/30600/
SA30627:
http://secunia.com/advisories/30627/
SA30742:
http://secunia.com/advisories/30742/
SA31305:
http://secunia.com/advisories/31305/
SA32143:
http://secunia.com/advisories/32143/
SA32663:
http://secunia.com/advisories/32663/
SA32926:
http://secunia.com/advisories/32926/
----------------------------------------------------------------------
VAR-200902-0461 | CVE-2009-0013 | Apple Mac OS of DS Elevation of privilege vulnerability in tools |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
dscl in DS Tools in Apple Mac OS X 10.4.11 and 10.5.6 requires that passwords must be provided as command line arguments, which allows local users to gain privileges by listing process information.
The security update addresses new vulnerabilities that affect the AFP server, movie playing, Resource Manager, Certificate Assistant, CoreText, 'dscl', Folder Manager, FSEvents, csregprinter, Remote Apple Event Viewer, Safari, Xterm, and SMB components of Mac OS X. The advisory also contains security updates for 32 previously reported issues.
A local attacker may exploit this issue to gain information about user passwords. This may aid in further attacks.
This issue affects Mac OS X 10.4.11 and 10.5.6 (both client and server).
NOTE: This issue was previously covered in BID 33759 (Apple Mac OS X 2009-001 Multiple Security Vulnerabilities), but has been assigned its own record to better document it.
1) A race condition error in the AFP Server can be exploited to
trigger the execution of an infinite loop by sending a specially
crafted file enumeration request.
2) An error in the handling of movie files using the Pixlet codec can
be exploited to trigger a memory corruption.
3) An error in the Resource Manager related to CarbonCore can be
exploited to trigger a memory corruption via a file containing a
specially crafted resource fork.
Successful exploitation of vulnerabilities #2 and #3 may allow
execution of arbitrary code.
4) Certificate Assistant handles temporary files in an insecure
manner. This can be exploited to overwrite arbitrary files with the
privileges of the user running the application.
5) Two errors in ClamAV can be exploited to cause a crash or
potentially execute arbitrary code.
For more information:
SA32663
SA32926
6) An error in CoreText when processing specially crafted Unicode
strings can be exploited to cause a heap-based buffer overflow via
e.g. a specially crafted web page.
Successful exploitation of this vulnerability may allow execution of
arbitrary code.
7) The dscl program accepts passwords passed via command line
arguments.
8) Multiple errors in fetchmail can be exploited by malicious people
to cause a crash via overly large e-mail headers.
For more information:
SA30742
9) Folder Manager creates the "Downloads" folder with global read
permissions after a user deletes it.
10) An error in the fseventsd program can be exploited to disclose
normally restricted filesystem activity via the FSEvents framework.
11) An error in perl when processing Unicode characters can be
exploited to trigger a memory corruption and potentially execute
arbitrary code.
This is related to:
SA27546
12) An error handling problem in csregprinter can be exploited to
cause a heap-based buffer overflow and potentially gain system
privileges.
13) Multiple errors in python have an unknown impact or can be
exploited to cause a crash or potentially compromise a vulnerable
system.
For more information:
SA26837
SA31305
14) An uninitialized memory access error in the Remote Apple events
server can be exploited to disclose potentially sensitive memory
contents via specially crafted Remote Apple events.
15) An error in Server Manager while validating authentication
credentials can be exploited to alter the system configuration.
16) An integer overflow in the SMB implementation can be exploited to
cause a heap-based buffer overflow by tricking a user into connecting
to a malicious SMB server.
Successful exploitation of this vulnerability may allow execution of
arbitrary code.
17) An error in the SMB implementation can be exploited to exhaust
available memory resources and cause a system shutdown by tricking a
user into connecting to a malicious SMB server.
18) An error in SquirrelMail can be exploited to inject and execute
arbitrary HTML and script code via a specially crafted email.
For more information:
SA32143
19) Multiple errors in the X11 server can be exploited by malicious,
local users to cause a DoS, disclose potentially sensitive
information, or gain escalated privileges.
For more information:
SA30627
20) Multiple errors in FreeType can be exploited to cause a DoS or
compromise an application using the library.
For more information:
SA24741
22) Xterm creates TTY devices accessible to all users, when used with
"luit". This can be exploited to e.g. write data to another user's
Xterm.
SOLUTION:
Apply Apple Security Update 2009-001.
http://www.apple.com/support/downloads/
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
6) Rosyna of Unsanity
9) Graham Perrin of CENTRIM, University of Brighton
10) Mark Dalrymple
12) Lars Haulin
ORIGINAL ADVISORY:
http://support.apple.com/kb/HT3438
OTHER REFERENCES:
SA20100:
http://secunia.com/advisories/20100/
SA24741:
http://secunia.com/advisories/24741/
SA24768:
http://secunia.com/advisories/24768/
SA26837:
http://secunia.com/advisories/26837/
SA27546:
http://secunia.com/advisories/27546/
SA30600:
http://secunia.com/advisories/30600/
SA30627:
http://secunia.com/advisories/30627/
SA30742:
http://secunia.com/advisories/30742/
SA31305:
http://secunia.com/advisories/31305/
SA32143:
http://secunia.com/advisories/32143/
SA32663:
http://secunia.com/advisories/32663/
SA32926:
http://secunia.com/advisories/32926/
----------------------------------------------------------------------
VAR-200902-0460 | CVE-2009-0012 | Apple Mac OS of CoreText Vulnerable to buffer overflow |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Heap-based buffer overflow in CoreText in Apple Mac OS X 10.5.6 allows remote attackers to execute arbitrary code via a crafted Unicode string.
The security update addresses new vulnerabilities that affect the AFP server, movie playing, Resource Manager, Certificate Assistant, CoreText, 'dscl', Folder Manager, FSEvents, csregprinter, Remote Apple Event Viewer, Safari, Xterm, and SMB components of Mac OS X. The advisory also contains security updates for 32 previously reported issues.
An attacker can exploit this issue to execute arbitrary code in the context of the application using the component. Failed exploit attempts will result in a denial-of-service condition.
NOTE: This issue was previously covered in BID 33759 (Apple Mac OS X 2009-001 Multiple Security Vulnerabilities), but has been assigned its own record to better document it.
Apple Mac OS X 10.5.6 and OS X Server 10.5.6 are vulnerable. There is a heap overflow in the handling of Unicode strings in CoreText.
1) A race condition error in the AFP Server can be exploited to
trigger the execution of an infinite loop by sending a specially
crafted file enumeration request.
2) An error in the handling of movie files using the Pixlet codec can
be exploited to trigger a memory corruption.
3) An error in the Resource Manager related to CarbonCore can be
exploited to trigger a memory corruption via a file containing a
specially crafted resource fork.
Successful exploitation of vulnerabilities #2 and #3 may allow
execution of arbitrary code.
4) Certificate Assistant handles temporary files in an insecure
manner. This can be exploited to overwrite arbitrary files with the
privileges of the user running the application. a specially crafted web page.
Successful exploitation of this vulnerability may allow execution of
arbitrary code.
7) The dscl program accepts passwords passed via command line
arguments. This can be exploited by local users to obtain the
received passwords via the process list.
8) Multiple errors in fetchmail can be exploited by malicious people
to cause a crash via overly large e-mail headers.
For more information:
SA30742
9) Folder Manager creates the "Downloads" folder with global read
permissions after a user deletes it. This can be exploited by
unprivileged local users to gain access to the "Downloads" folder.
10) An error in the fseventsd program can be exploited to disclose
normally restricted filesystem activity via the FSEvents framework.
11) An error in perl when processing Unicode characters can be
exploited to trigger a memory corruption and potentially execute
arbitrary code.
This is related to:
SA27546
12) An error handling problem in csregprinter can be exploited to
cause a heap-based buffer overflow and potentially gain system
privileges.
13) Multiple errors in python have an unknown impact or can be
exploited to cause a crash or potentially compromise a vulnerable
system.
For more information:
SA26837
SA31305
14) An uninitialized memory access error in the Remote Apple events
server can be exploited to disclose potentially sensitive memory
contents via specially crafted Remote Apple events.
15) An error in Server Manager while validating authentication
credentials can be exploited to alter the system configuration.
16) An integer overflow in the SMB implementation can be exploited to
cause a heap-based buffer overflow by tricking a user into connecting
to a malicious SMB server.
Successful exploitation of this vulnerability may allow execution of
arbitrary code.
17) An error in the SMB implementation can be exploited to exhaust
available memory resources and cause a system shutdown by tricking a
user into connecting to a malicious SMB server.
18) An error in SquirrelMail can be exploited to inject and execute
arbitrary HTML and script code via a specially crafted email.
For more information:
SA32143
19) Multiple errors in the X11 server can be exploited by malicious,
local users to cause a DoS, disclose potentially sensitive
information, or gain escalated privileges.
For more information:
SA30627
20) Multiple errors in FreeType can be exploited to cause a DoS or
compromise an application using the library.
For more information:
SA20100
SA24768
SA30600
21) Multiple errors in LibX11 can be exploited by malicious, local
users to disclose sensitive information, cause a DoS, and gain
escalated privileges.
For more information:
SA24741
22) Xterm creates TTY devices accessible to all users, when used with
"luit". This can be exploited to e.g. write data to another user's
Xterm.
SOLUTION:
Apply Apple Security Update 2009-001.
http://www.apple.com/support/downloads/
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
6) Rosyna of Unsanity
9) Graham Perrin of CENTRIM, University of Brighton
10) Mark Dalrymple
12) Lars Haulin
ORIGINAL ADVISORY:
http://support.apple.com/kb/HT3438
OTHER REFERENCES:
SA20100:
http://secunia.com/advisories/20100/
SA24741:
http://secunia.com/advisories/24741/
SA24768:
http://secunia.com/advisories/24768/
SA26837:
http://secunia.com/advisories/26837/
SA27546:
http://secunia.com/advisories/27546/
SA30600:
http://secunia.com/advisories/30600/
SA30627:
http://secunia.com/advisories/30627/
SA30742:
http://secunia.com/advisories/30742/
SA31305:
http://secunia.com/advisories/31305/
SA32143:
http://secunia.com/advisories/32143/
SA32663:
http://secunia.com/advisories/32663/
SA32926:
http://secunia.com/advisories/32926/
----------------------------------------------------------------------
VAR-200902-0459 | CVE-2009-0011 | Apple Mac OS Certificate Assistant vulnerable to arbitrary file overwriting |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
Certificate Assistant in Apple Mac OS X 10.5.6 allows local users to overwrite arbitrary files via unknown vectors related to an "insecure file operation" on a temporary file. Apple Mac OS X is prone to multiple security vulnerabilities that have been addressed in Security Update 2009-001.
The security update addresses new vulnerabilities that affect the AFP server, movie playing, Resource Manager, Certificate Assistant, CoreText, 'dscl', Folder Manager, FSEvents, csregprinter, Remote Apple Event Viewer, Safari, Xterm, and SMB components of Mac OS X. The advisory also contains security updates for 32 previously reported issues.
This issue affects Mac OS X 10.5.6 (both client and server).
1) A race condition error in the AFP Server can be exploited to
trigger the execution of an infinite loop by sending a specially
crafted file enumeration request.
2) An error in the handling of movie files using the Pixlet codec can
be exploited to trigger a memory corruption.
3) An error in the Resource Manager related to CarbonCore can be
exploited to trigger a memory corruption via a file containing a
specially crafted resource fork.
Successful exploitation of vulnerabilities #2 and #3 may allow
execution of arbitrary code.
5) Two errors in ClamAV can be exploited to cause a crash or
potentially execute arbitrary code.
For more information:
SA32663
SA32926
6) An error in CoreText when processing specially crafted Unicode
strings can be exploited to cause a heap-based buffer overflow via
e.g. a specially crafted web page.
Successful exploitation of this vulnerability may allow execution of
arbitrary code.
7) The dscl program accepts passwords passed via command line
arguments. This can be exploited by local users to obtain the
received passwords via the process list.
8) Multiple errors in fetchmail can be exploited by malicious people
to cause a crash via overly large e-mail headers.
For more information:
SA30742
9) Folder Manager creates the "Downloads" folder with global read
permissions after a user deletes it. This can be exploited by
unprivileged local users to gain access to the "Downloads" folder.
10) An error in the fseventsd program can be exploited to disclose
normally restricted filesystem activity via the FSEvents framework.
11) An error in perl when processing Unicode characters can be
exploited to trigger a memory corruption and potentially execute
arbitrary code.
This is related to:
SA27546
12) An error handling problem in csregprinter can be exploited to
cause a heap-based buffer overflow and potentially gain system
privileges.
13) Multiple errors in python have an unknown impact or can be
exploited to cause a crash or potentially compromise a vulnerable
system.
For more information:
SA26837
SA31305
14) An uninitialized memory access error in the Remote Apple events
server can be exploited to disclose potentially sensitive memory
contents via specially crafted Remote Apple events.
15) An error in Server Manager while validating authentication
credentials can be exploited to alter the system configuration.
16) An integer overflow in the SMB implementation can be exploited to
cause a heap-based buffer overflow by tricking a user into connecting
to a malicious SMB server.
Successful exploitation of this vulnerability may allow execution of
arbitrary code.
17) An error in the SMB implementation can be exploited to exhaust
available memory resources and cause a system shutdown by tricking a
user into connecting to a malicious SMB server.
18) An error in SquirrelMail can be exploited to inject and execute
arbitrary HTML and script code via a specially crafted email.
For more information:
SA32143
19) Multiple errors in the X11 server can be exploited by malicious,
local users to cause a DoS, disclose potentially sensitive
information, or gain escalated privileges.
For more information:
SA30627
20) Multiple errors in FreeType can be exploited to cause a DoS or
compromise an application using the library.
For more information:
SA20100
SA24768
SA30600
21) Multiple errors in LibX11 can be exploited by malicious, local
users to disclose sensitive information, cause a DoS, and gain
escalated privileges.
For more information:
SA24741
22) Xterm creates TTY devices accessible to all users, when used with
"luit". This can be exploited to e.g. write data to another user's
Xterm.
SOLUTION:
Apply Apple Security Update 2009-001.
http://www.apple.com/support/downloads/
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
6) Rosyna of Unsanity
9) Graham Perrin of CENTRIM, University of Brighton
10) Mark Dalrymple
12) Lars Haulin
ORIGINAL ADVISORY:
http://support.apple.com/kb/HT3438
OTHER REFERENCES:
SA20100:
http://secunia.com/advisories/20100/
SA24741:
http://secunia.com/advisories/24741/
SA24768:
http://secunia.com/advisories/24768/
SA26837:
http://secunia.com/advisories/26837/
SA27546:
http://secunia.com/advisories/27546/
SA30600:
http://secunia.com/advisories/30600/
SA30627:
http://secunia.com/advisories/30627/
SA30742:
http://secunia.com/advisories/30742/
SA31305:
http://secunia.com/advisories/31305/
SA32143:
http://secunia.com/advisories/32143/
SA32663:
http://secunia.com/advisories/32663/
SA32926:
http://secunia.com/advisories/32926/
----------------------------------------------------------------------
VAR-200902-0456 | CVE-2009-0019 | Apple Mac OS of Service disruption at remote Apple events (DoS) Vulnerabilities |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Remote Apple Events in Apple Mac OS X 10.4.11 and 10.5.6 allows remote attackers to cause a denial of service (application termination) or obtain sensitive information via unspecified vectors that trigger an out-of-bounds memory access.
A remote attacker may exploit this issue to gain access to memory contents or to crash the affected process, causing a denial-of-service condition.
The issue affects Mac OS X v10.4.11 and v10.5.6 (client and server). Apple Mac OS X is prone to multiple security vulnerabilities that have been addressed in Security Update 2009-001.
The security update addresses new vulnerabilities that affect the AFP server, movie playing, Resource Manager, Certificate Assistant, CoreText, 'dscl', Folder Manager, FSEvents, csregprinter, Remote Apple Event Viewer, Safari, Xterm, and SMB components of Mac OS X. The advisory also contains security updates for 32 previously reported issues.
1) A race condition error in the AFP Server can be exploited to
trigger the execution of an infinite loop by sending a specially
crafted file enumeration request.
2) An error in the handling of movie files using the Pixlet codec can
be exploited to trigger a memory corruption.
3) An error in the Resource Manager related to CarbonCore can be
exploited to trigger a memory corruption via a file containing a
specially crafted resource fork.
Successful exploitation of vulnerabilities #2 and #3 may allow
execution of arbitrary code.
4) Certificate Assistant handles temporary files in an insecure
manner. This can be exploited to overwrite arbitrary files with the
privileges of the user running the application.
5) Two errors in ClamAV can be exploited to cause a crash or
potentially execute arbitrary code.
For more information:
SA32663
SA32926
6) An error in CoreText when processing specially crafted Unicode
strings can be exploited to cause a heap-based buffer overflow via
e.g. a specially crafted web page.
Successful exploitation of this vulnerability may allow execution of
arbitrary code.
7) The dscl program accepts passwords passed via command line
arguments. This can be exploited by local users to obtain the
received passwords via the process list.
8) Multiple errors in fetchmail can be exploited by malicious people
to cause a crash via overly large e-mail headers.
For more information:
SA30742
9) Folder Manager creates the "Downloads" folder with global read
permissions after a user deletes it. This can be exploited by
unprivileged local users to gain access to the "Downloads" folder.
10) An error in the fseventsd program can be exploited to disclose
normally restricted filesystem activity via the FSEvents framework.
11) An error in perl when processing Unicode characters can be
exploited to trigger a memory corruption and potentially execute
arbitrary code.
This is related to:
SA27546
12) An error handling problem in csregprinter can be exploited to
cause a heap-based buffer overflow and potentially gain system
privileges.
13) Multiple errors in python have an unknown impact or can be
exploited to cause a crash or potentially compromise a vulnerable
system.
15) An error in Server Manager while validating authentication
credentials can be exploited to alter the system configuration.
16) An integer overflow in the SMB implementation can be exploited to
cause a heap-based buffer overflow by tricking a user into connecting
to a malicious SMB server.
Successful exploitation of this vulnerability may allow execution of
arbitrary code.
17) An error in the SMB implementation can be exploited to exhaust
available memory resources and cause a system shutdown by tricking a
user into connecting to a malicious SMB server.
18) An error in SquirrelMail can be exploited to inject and execute
arbitrary HTML and script code via a specially crafted email.
For more information:
SA32143
19) Multiple errors in the X11 server can be exploited by malicious,
local users to cause a DoS, disclose potentially sensitive
information, or gain escalated privileges.
For more information:
SA30627
20) Multiple errors in FreeType can be exploited to cause a DoS or
compromise an application using the library.
For more information:
SA20100
SA24768
SA30600
21) Multiple errors in LibX11 can be exploited by malicious, local
users to disclose sensitive information, cause a DoS, and gain
escalated privileges.
For more information:
SA24741
22) Xterm creates TTY devices accessible to all users, when used with
"luit". This can be exploited to e.g. write data to another user's
Xterm.
SOLUTION:
Apply Apple Security Update 2009-001.
http://www.apple.com/support/downloads/
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
6) Rosyna of Unsanity
9) Graham Perrin of CENTRIM, University of Brighton
10) Mark Dalrymple
12) Lars Haulin
ORIGINAL ADVISORY:
http://support.apple.com/kb/HT3438
OTHER REFERENCES:
SA20100:
http://secunia.com/advisories/20100/
SA24741:
http://secunia.com/advisories/24741/
SA24768:
http://secunia.com/advisories/24768/
SA26837:
http://secunia.com/advisories/26837/
SA27546:
http://secunia.com/advisories/27546/
SA30600:
http://secunia.com/advisories/30600/
SA30627:
http://secunia.com/advisories/30627/
SA30742:
http://secunia.com/advisories/30742/
SA31305:
http://secunia.com/advisories/31305/
SA32143:
http://secunia.com/advisories/32143/
SA32663:
http://secunia.com/advisories/32663/
SA32926:
http://secunia.com/advisories/32926/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
VAR-200902-0457 | CVE-2009-0020 | Arbitrary code execution vulnerability in CarbonCore in Apple Mac OS |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Unspecified vulnerability in CarbonCore in Apple Mac OS X 10.4.11 and 10.5.6 allows remote attackers to cause a denial of service (application termination) and execute arbitrary code via a crafted resource fork that triggers memory corruption.
The security update addresses new vulnerabilities that affect the AFP server, movie playing, Resource Manager, Certificate Assistant, CoreText, 'dscl', Folder Manager, FSEvents, csregprinter, Remote Apple Event Viewer, Safari, Xterm, and SMB components of Mac OS X. The advisory also contains security updates for 32 previously reported issues. Apple Mac OS X is prone to a code-execution issue.
An attacker can exploit this issue by enticing an unsuspecting user to open a specially crafted file.
Successfully exploiting this issue allows remote attackers to execute arbitrary code in the context of the user running the application. Failed exploit attempts likely result in denial-of-service conditions.
This issue affects Mac OS X 10.4.11 and 10.5.6 (both client and server).
NOTE: This issue was previously covered in BID 33759 (Apple Mac OS X 2009-001 Multiple Security Vulnerabilities), but has been assigned its own record to better document it.
1) A race condition error in the AFP Server can be exploited to
trigger the execution of an infinite loop by sending a specially
crafted file enumeration request.
2) An error in the handling of movie files using the Pixlet codec can
be exploited to trigger a memory corruption.
3) An error in the Resource Manager related to CarbonCore can be
exploited to trigger a memory corruption via a file containing a
specially crafted resource fork.
Successful exploitation of vulnerabilities #2 and #3 may allow
execution of arbitrary code.
4) Certificate Assistant handles temporary files in an insecure
manner.
5) Two errors in ClamAV can be exploited to cause a crash or
potentially execute arbitrary code.
For more information:
SA32663
SA32926
6) An error in CoreText when processing specially crafted Unicode
strings can be exploited to cause a heap-based buffer overflow via
e.g. a specially crafted web page.
Successful exploitation of this vulnerability may allow execution of
arbitrary code.
7) The dscl program accepts passwords passed via command line
arguments. This can be exploited by local users to obtain the
received passwords via the process list.
8) Multiple errors in fetchmail can be exploited by malicious people
to cause a crash via overly large e-mail headers.
For more information:
SA30742
9) Folder Manager creates the "Downloads" folder with global read
permissions after a user deletes it. This can be exploited by
unprivileged local users to gain access to the "Downloads" folder.
10) An error in the fseventsd program can be exploited to disclose
normally restricted filesystem activity via the FSEvents framework.
11) An error in perl when processing Unicode characters can be
exploited to trigger a memory corruption and potentially execute
arbitrary code.
This is related to:
SA27546
12) An error handling problem in csregprinter can be exploited to
cause a heap-based buffer overflow and potentially gain system
privileges.
13) Multiple errors in python have an unknown impact or can be
exploited to cause a crash or potentially compromise a vulnerable
system.
For more information:
SA26837
SA31305
14) An uninitialized memory access error in the Remote Apple events
server can be exploited to disclose potentially sensitive memory
contents via specially crafted Remote Apple events.
15) An error in Server Manager while validating authentication
credentials can be exploited to alter the system configuration.
16) An integer overflow in the SMB implementation can be exploited to
cause a heap-based buffer overflow by tricking a user into connecting
to a malicious SMB server.
Successful exploitation of this vulnerability may allow execution of
arbitrary code.
17) An error in the SMB implementation can be exploited to exhaust
available memory resources and cause a system shutdown by tricking a
user into connecting to a malicious SMB server.
18) An error in SquirrelMail can be exploited to inject and execute
arbitrary HTML and script code via a specially crafted email.
For more information:
SA32143
19) Multiple errors in the X11 server can be exploited by malicious,
local users to cause a DoS, disclose potentially sensitive
information, or gain escalated privileges.
For more information:
SA30627
20) Multiple errors in FreeType can be exploited to cause a DoS or
compromise an application using the library.
For more information:
SA20100
SA24768
SA30600
21) Multiple errors in LibX11 can be exploited by malicious, local
users to disclose sensitive information, cause a DoS, and gain
escalated privileges.
For more information:
SA24741
22) Xterm creates TTY devices accessible to all users, when used with
"luit". This can be exploited to e.g. write data to another user's
Xterm.
SOLUTION:
Apply Apple Security Update 2009-001.
http://www.apple.com/support/downloads/
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
6) Rosyna of Unsanity
9) Graham Perrin of CENTRIM, University of Brighton
10) Mark Dalrymple
12) Lars Haulin
ORIGINAL ADVISORY:
http://support.apple.com/kb/HT3438
OTHER REFERENCES:
SA20100:
http://secunia.com/advisories/20100/
SA24741:
http://secunia.com/advisories/24741/
SA24768:
http://secunia.com/advisories/24768/
SA26837:
http://secunia.com/advisories/26837/
SA27546:
http://secunia.com/advisories/27546/
SA30600:
http://secunia.com/advisories/30600/
SA30627:
http://secunia.com/advisories/30627/
SA30742:
http://secunia.com/advisories/30742/
SA31305:
http://secunia.com/advisories/31305/
SA32143:
http://secunia.com/advisories/32143/
SA32663:
http://secunia.com/advisories/32663/
SA32926:
http://secunia.com/advisories/32926/
VAR-200902-0454 | CVE-2009-0017 | Arbitrary code execution vulnerability in the Printing component of Apple Mac OS |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
csregprinter in the Printing component in Apple Mac OS X 10.4.11 and 10.5.6 does not properly handle error conditions, which allows local users to execute arbitrary code via unknown vectors that trigger a heap-based buffer overflow.
Local attackers can exploit this issue to execute arbitrary code with SYSTEM-level privileges, which may facilitate a complete compromise of the affected computer.
This issue affects Mac OS X v10.4.11 and v10.5.6 (client and server). Apple Mac OS X is prone to multiple security vulnerabilities that have been addressed in Security Update 2009-001.
The security update addresses new vulnerabilities that affect the AFP server, movie playing, Resource Manager, Certificate Assistant, CoreText, 'dscl', Folder Manager, FSEvents, csregprinter, Remote Apple Event Viewer, Safari, Xterm, and SMB components of Mac OS X. The advisory also contains security updates for 32 previously reported issues.
NOTE: The new issues have been covered in the following BIDs to better document them:
33806 Apple Mac OS X Pixlet Video Handling Remote Code Execution Vulnerability
33820 Apple Mac OS X Insecure Downloads Folder Permissions Information Disclosure Vulnerability
33815 Apple Mac OS X 'dscl' Local Information Disclosure Vulnerability
33816 Apple Mac OS X Remote Apple Events Uninitialized Buffer Information Disclosure Vulnerability
33814 Apple Mac OS X Remote Apple Events Out of Bounds Memory Access Security Vulnerability
33813 Apple Mac OS X Server Manager Authentication Bypass Security Vulnerability
33812 Apple Mac OS X AFP Server Remote Denial of Service Vulnerability
33810 Apple Mac OS X Certificate Assistant Insecure Temporary File Creation Vulnerability
33811 Apple Mac OS X 'csregprinter' Local Privilege Escalation Vulnerability
33808 Apple Mac OS X Resource Manager Remote Code Execution Vulnerability
33809 Apple Mac OS X CoreText Unicode String Handling Heap Based Buffer Overflow Vulnerability
33800 Apple Mac OS X SMB Component Unspecified Buffer Overflow Vulnerability
33798 Apple Mac OS X Xterm Local Privilege Escalation Vulnerability
33796 Apple Mac OS X SMB File System Remote Denial Of Service Vulnerability
33234 Apple Safari 'feed:' URI Multiple Input Validation Vulnerabilities
33821 Apple Mac OS X 'FSEvents' Local Information Disclosure Vulnerability
1) A race condition error in the AFP Server can be exploited to
trigger the execution of an infinite loop by sending a specially
crafted file enumeration request.
2) An error in the handling of movie files using the Pixlet codec can
be exploited to trigger a memory corruption.
3) An error in the Resource Manager related to CarbonCore can be
exploited to trigger a memory corruption via a file containing a
specially crafted resource fork.
Successful exploitation of vulnerabilities #2 and #3 may allow
execution of arbitrary code.
4) Certificate Assistant handles temporary files in an insecure
manner. This can be exploited to overwrite arbitrary files with the
privileges of the user running the application.
5) Two errors in ClamAV can be exploited to cause a crash or
potentially execute arbitrary code.
For more information:
SA32663
SA32926
6) An error in CoreText when processing specially crafted Unicode
strings can be exploited to cause a heap-based buffer overflow via
e.g. a specially crafted web page.
Successful exploitation of this vulnerability may allow execution of
arbitrary code.
7) The dscl program accepts passwords passed via command line
arguments. This can be exploited by local users to obtain the
received passwords via the process list.
8) Multiple errors in fetchmail can be exploited by malicious people
to cause a crash via overly large e-mail headers.
For more information:
SA30742
9) Folder Manager creates the "Downloads" folder with global read
permissions after a user deletes it. This can be exploited by
unprivileged local users to gain access to the "Downloads" folder.
10) An error in the fseventsd program can be exploited to disclose
normally restricted filesystem activity via the FSEvents framework.
11) An error in perl when processing Unicode characters can be
exploited to trigger a memory corruption and potentially execute
arbitrary code.
This is related to:
SA27546
12) An error handling problem in csregprinter can be exploited to
cause a heap-based buffer overflow and potentially gain system
privileges.
13) Multiple errors in python have an unknown impact or can be
exploited to cause a crash or potentially compromise a vulnerable
system.
For more information:
SA26837
SA31305
14) An uninitialized memory access error in the Remote Apple events
server can be exploited to disclose potentially sensitive memory
contents via specially crafted Remote Apple events.
15) An error in Server Manager while validating authentication
credentials can be exploited to alter the system configuration.
16) An integer overflow in the SMB implementation can be exploited to
cause a heap-based buffer overflow by tricking a user into connecting
to a malicious SMB server.
Successful exploitation of this vulnerability may allow execution of
arbitrary code.
17) An error in the SMB implementation can be exploited to exhaust
available memory resources and cause a system shutdown by tricking a
user into connecting to a malicious SMB server.
18) An error in SquirrelMail can be exploited to inject and execute
arbitrary HTML and script code via a specially crafted email.
For more information:
SA32143
19) Multiple errors in the X11 server can be exploited by malicious,
local users to cause a DoS, disclose potentially sensitive
information, or gain escalated privileges.
For more information:
SA30627
20) Multiple errors in FreeType can be exploited to cause a DoS or
compromise an application using the library.
For more information:
SA20100
SA24768
SA30600
21) Multiple errors in LibX11 can be exploited by malicious, local
users to disclose sensitive information, cause a DoS, and gain
escalated privileges.
For more information:
SA24741
22) Xterm creates TTY devices accessible to all users, when used with
"luit". This can be exploited to e.g. write data to another user's
Xterm.
SOLUTION:
Apply Apple Security Update 2009-001.
http://www.apple.com/support/downloads/
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
6) Rosyna of Unsanity
9) Graham Perrin of CENTRIM, University of Brighton
10) Mark Dalrymple
12) Lars Haulin
ORIGINAL ADVISORY:
http://support.apple.com/kb/HT3438
OTHER REFERENCES:
SA20100:
http://secunia.com/advisories/20100/
SA24741:
http://secunia.com/advisories/24741/
SA24768:
http://secunia.com/advisories/24768/
SA26837:
http://secunia.com/advisories/26837/
SA27546:
http://secunia.com/advisories/27546/
SA30600:
http://secunia.com/advisories/30600/
SA30627:
http://secunia.com/advisories/30627/
SA30742:
http://secunia.com/advisories/30742/
SA31305:
http://secunia.com/advisories/31305/
SA32143:
http://secunia.com/advisories/32143/
SA32663:
http://secunia.com/advisories/32663/
SA32926:
http://secunia.com/advisories/32926/