Mac Users - GoFuckYourself.com

jimmyf · 05-16-2005, 02:09 PM

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Technical Cyber Security Alert TA05-136A
Apple Mac OS X is affected by multiple vulnerabilities

Original release date: May 16, 2005
Last revised: --
Source: US-CERT

Systems Affected

Mac OS X version 10.3.9 (Panther) and Mac OS X Server version 10.3.9

Overview

Apple has released Security Update 2005-005 to address multiple
vulnerabilities affecting Mac OS X and Mac OS X Server. The most
serious of these vulnerabilities may allow a remote attacker to
execute arbitrary code. Impacts of other vulnerabilities addressed by
the update include disclosure of information and denial of service.

I. Description

Apple Security Update 2005-005 resolves a number of vulnerabilities
affecting Mac OS X and OS X Server. Further details are available in
the following Vulnerability Notes:

VU#356070 - Apple Terminal fails to properly sanitize input for
x-man-page URI

Apple Terminal on Mac OS X fails to sanitize x-man-page URIs, allowing
a remote attacker to execute arbitrary commands.
(CAN-2005-1342)

VU#882750 - libXpm image library vulnerable to buffer overflow

libXpm image parsing code contains a buffer-overflow vulnerability
that may allow a remote attacker execute arbitrary code or cause a
denial-of-service condition.
(CAN-2004-0687)

VU#125598 - LibTIFF vulnerable to integer overflow via corrupted
directory entry count

An integer overflow in LibTIFF may allow a remote attacker to execute
arbitrary code.
(CAN-2004-1308)

VU#539110 - LibTIFF vulnerable to integer overflow in the
TIFFFetchStrip() routine

An integer overflow in LibTIFF may allow a remote attacker to execute
arbitrary code.
(CAN-2004-1307)

VU#537878 - libXpm library contains multiple integer overflow
vulnerabilities

libXpm contains multiple integer-overflow vulnerabilities that may
allow a remote attacker execute arbitrary code or cause a
denial-of-service condition.
(CAN-2004-0688)

VU#331694 - Apple Mac OS X chpass/chfn/chsh utilities do not properly
validate external programs

Mac OS X Directory Service utilities do not properly validate code
paths to external programs, potentially allowing a local attacker to
execute arbitrary code.
(CAN-2004-1335)

VU#582934 - Apple Mac OS X Foundation framework vulnerable to buffer
overflow via incorrect handling of an environmental variable

A buffer overflow in Mac OS X's Foundation Framework's processing of
environment variables may lead to elevated privileges.
(CAN-2004-1336)

VU#706838 - Apple Mac OS X vulnerable to buffer overflow via vpnd
daemon

Apple Mac OS X contains a buffer overflow in vpnd that could allow a
local, authenticated attacker to execute arbitrary code with root
privileges.
(CAN-2004-1343)

VU#258390 - Apple Mac OS X with Bluetooth enabled may allow file
exchange without prompting users

Apple Mac OS X with Bluetooth support may unintentionally allow files
to be exchanged with other systems by default.
(CAN-2004-1332)

VU#354486 - Apple Mac OS X Server Netinfo Setup Tool fails to validate
command line parameters

Apple Mac OS X Server NeST tool contains a vulnerability in the
processing of command line arguments that could allow a local attacker
to execute arbitrary code.
(CAN-2004-0594)

Please note that Apple Security Update 2005-005 addresses additional
vulnerabilities not described above. As further information becomes
available, we will publish individual Vulnerability Notes.

II. Impact

The impacts of these vulnerabilities vary, for information about
specific impacts please see the Vulnerability Notes. Potential
consequences include remote execution of arbitrary code or commands,
disclosure of sensitive information, and denial of service.

III. Solution

Install an Update

Install the update as described in Apple Security Update 2005-005.

Appendix A. References

* US-CERT Vulnerability Note VU#582934 -
<http://www.kb.cert.org/vuls/id/582934>

* US-CERT Vulnerability Note VU#258390 -
<http://www.kb.cert.org/vuls/id/258390>

* US-CERT Vulnerability Note VU#331694 -
<http://www.kb.cert.org/vuls/id/331694>

* US-CERT Vulnerability Note VU#706838 -
<http://www.kb.cert.org/vuls/id/706838>

* US-CERT Vulnerability Note VU#539110 -
<http://www.kb.cert.org/vuls/id/539110>

* US-CERT Vulnerability Note VU#354486 -
<http://www.kb.cert.org/vuls/id/354486>

* US-CERT Vulnerability Note VU#882750 -
<http://www.kb.cert.org/vuls/id/882750>

* US-CERT Vulnerability Note VU#537878 -
<http://www.kb.cert.org/vuls/id/537878>

* US-CERT Vulnerability Note VU#125598 -
<http://www.kb.cert.org/vuls/id/125598>

* US-CERT Vulnerability Note VU#356070 -
<http://www.kb.cert.org/vuls/id/356070>

* Apple Security Update 2005-005 -
<http://docs.info.apple.com/article.html?artnum=301528>
__________________________________________________ _______________

These vulnerabilities were discovered by several people and reported
in Apple Security Update 2005-005. Please see the Vulnerability Notes
for individual reporter acknowledgements.
__________________________________________________ _______________

Feedback can be directed to the authors: Jeffrey Gennari and Jason
Rafail.
__________________________________________________ _______________

Copyright 2005 Carnegie Mellon University. Terms of use

Revision History

May 16, 2005: Initial release
Last updated May 16, 2005
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

-----END PGP SIGNATURE-----

videoxpix · 05-16-2005, 02:30 PM

Thanks for the heads up

jimmyf · 05-16-2005, 03:50 PM

Quote:

Originally Posted by videoxpix

Thanks for the heads up

I don't use a Mac but, thought you guys that did might want 2 know.

so bump for the wacko Mac user

just kidding on the wacko

wimpy · 05-16-2005, 05:41 PM

This must be a few days old at least, I updated patches last week, just checked for new patches and none found.

nuttyrom · 05-16-2005, 05:48 PM

yeah, i got my g5 updated. thanks for the heads up

reynold · 05-16-2005, 06:18 PM

I don't think it will be useful for me, I'm sorry I am not a Mac User..

Jace · 05-16-2005, 06:23 PM

don't macs update automatically?

wait, just checked mine, they don't if you have automatic updates turned off..

thanks

MissMiranda · 05-16-2005, 07:03 PM

damn, I thought this was about makeup.

J/K

Tango · 05-16-2005, 07:04 PM

got the update - thx

05-16-2005, 05:41 PM	#4
wimpy Confirmed User Industry Role: Join Date: Jan 2003 Location: Cali Posts: 607	This must be a few days old at least, I updated patches last week, just checked for new patches and none found. __________________ Fyodor Dostoyevsky wrote: "Every man has reminiscences which he would not tell to everyone but only his friends. He has other matters in his mind which he would not reveal even to his friends, but only to himself, and that in secret. But there are other things which a man is afraid to tell even to himself, and every decent man has a number of such things stored away in his mind." icq 8243657

05-16-2005, 07:04 PM	#9
Tango Let's Tango! Join Date: Apr 2005 Posts: 1,570	got the update - thx __________________ ADULTS.com / ADULTS.net for sale AFFILIATE.com also for sale Serious Inquiries Only: Email: [email protected] for offers

05-16-2005, 02:09 PM	#1
jimmyf OU812 Join Date: Feb 2001 Location: California Posts: 12,651	Mac Users -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Technical Cyber Security Alert TA05-136A Apple Mac OS X is affected by multiple vulnerabilities Original release date: May 16, 2005 Last revised: -- Source: US-CERT Systems Affected Mac OS X version 10.3.9 (Panther) and Mac OS X Server version 10.3.9 Overview Apple has released Security Update 2005-005 to address multiple vulnerabilities affecting Mac OS X and Mac OS X Server. The most serious of these vulnerabilities may allow a remote attacker to execute arbitrary code. Impacts of other vulnerabilities addressed by the update include disclosure of information and denial of service. I. Description Apple Security Update 2005-005 resolves a number of vulnerabilities affecting Mac OS X and OS X Server. Further details are available in the following Vulnerability Notes: VU#356070 - Apple Terminal fails to properly sanitize input for x-man-page URI Apple Terminal on Mac OS X fails to sanitize x-man-page URIs, allowing a remote attacker to execute arbitrary commands. (CAN-2005-1342) VU#882750 - libXpm image library vulnerable to buffer overflow libXpm image parsing code contains a buffer-overflow vulnerability that may allow a remote attacker execute arbitrary code or cause a denial-of-service condition. (CAN-2004-0687) VU#125598 - LibTIFF vulnerable to integer overflow via corrupted directory entry count An integer overflow in LibTIFF may allow a remote attacker to execute arbitrary code. (CAN-2004-1308) VU#539110 - LibTIFF vulnerable to integer overflow in the TIFFFetchStrip() routine An integer overflow in LibTIFF may allow a remote attacker to execute arbitrary code. (CAN-2004-1307) VU#537878 - libXpm library contains multiple integer overflow vulnerabilities libXpm contains multiple integer-overflow vulnerabilities that may allow a remote attacker execute arbitrary code or cause a denial-of-service condition. (CAN-2004-0688) VU#331694 - Apple Mac OS X chpass/chfn/chsh utilities do not properly validate external programs Mac OS X Directory Service utilities do not properly validate code paths to external programs, potentially allowing a local attacker to execute arbitrary code. (CAN-2004-1335) VU#582934 - Apple Mac OS X Foundation framework vulnerable to buffer overflow via incorrect handling of an environmental variable A buffer overflow in Mac OS X's Foundation Framework's processing of environment variables may lead to elevated privileges. (CAN-2004-1336) VU#706838 - Apple Mac OS X vulnerable to buffer overflow via vpnd daemon Apple Mac OS X contains a buffer overflow in vpnd that could allow a local, authenticated attacker to execute arbitrary code with root privileges. (CAN-2004-1343) VU#258390 - Apple Mac OS X with Bluetooth enabled may allow file exchange without prompting users Apple Mac OS X with Bluetooth support may unintentionally allow files to be exchanged with other systems by default. (CAN-2004-1332) VU#354486 - Apple Mac OS X Server Netinfo Setup Tool fails to validate command line parameters Apple Mac OS X Server NeST tool contains a vulnerability in the processing of command line arguments that could allow a local attacker to execute arbitrary code. (CAN-2004-0594) Please note that Apple Security Update 2005-005 addresses additional vulnerabilities not described above. As further information becomes available, we will publish individual Vulnerability Notes. II. Impact The impacts of these vulnerabilities vary, for information about specific impacts please see the Vulnerability Notes. Potential consequences include remote execution of arbitrary code or commands, disclosure of sensitive information, and denial of service. III. Solution Install an Update Install the update as described in Apple Security Update 2005-005. Appendix A. References * US-CERT Vulnerability Note VU#582934 - <http://www.kb.cert.org/vuls/id/582934> * US-CERT Vulnerability Note VU#258390 - <http://www.kb.cert.org/vuls/id/258390> * US-CERT Vulnerability Note VU#331694 - <http://www.kb.cert.org/vuls/id/331694> * US-CERT Vulnerability Note VU#706838 - <http://www.kb.cert.org/vuls/id/706838> * US-CERT Vulnerability Note VU#539110 - <http://www.kb.cert.org/vuls/id/539110> * US-CERT Vulnerability Note VU#354486 - <http://www.kb.cert.org/vuls/id/354486> * US-CERT Vulnerability Note VU#882750 - <http://www.kb.cert.org/vuls/id/882750> * US-CERT Vulnerability Note VU#537878 - <http://www.kb.cert.org/vuls/id/537878> * US-CERT Vulnerability Note VU#125598 - <http://www.kb.cert.org/vuls/id/125598> * US-CERT Vulnerability Note VU#356070 - <http://www.kb.cert.org/vuls/id/356070> * Apple Security Update 2005-005 - <http://docs.info.apple.com/article.html?artnum=301528> __________________________________________________ _______________ These vulnerabilities were discovered by several people and reported in Apple Security Update 2005-005. Please see the Vulnerability Notes for individual reporter acknowledgements. __________________________________________________ _______________ Feedback can be directed to the authors: Jeffrey Gennari and Jason Rafail. __________________________________________________ _______________ Copyright 2005 Carnegie Mellon University. Terms of use Revision History May 16, 2005: Initial release Last updated May 16, 2005 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) -----END PGP SIGNATURE----- __________________ Epic CashEpic Cash works for me Solar Cash Paysite Plugin Gallery of the day freesites,POTD,Gallery generator with free hosting

05-16-2005, 02:30 PM	#2
videoxpix Confirmed User Join Date: Nov 2003 Location: EVIL EMPIRE - NYC Posts: 267	Thanks for the heads up

05-16-2005, 05:48 PM	#5
nuttyrom Confirmed User Industry Role: Join Date: Jan 2003 Location: San Diego Posts: 256	yeah, i got my g5 updated. thanks for the heads up

05-16-2005, 06:18 PM	#6
reynold Too lazy to set a custom title Join Date: Oct 2002 Location: Global Traveler Posts: 51,271	I don't think it will be useful for me, I'm sorry I am not a Mac User..

05-16-2005, 06:23 PM	#7
Jace FBOP Class Of 2013 Industry Role: Join Date: Jan 2004 Location: bumfuck, ky Posts: 35,562	don't macs update automatically? wait, just checked mine, they don't if you have automatic updates turned off.. thanks

05-16-2005, 07:03 PM	#8
MissMiranda Confirmed User Join Date: Jul 2004 Location: Riverside,CA Posts: 583	damn, I thought this was about makeup. J/K __________________