Free Republic
Browse · Search
General/Chat
Topics · Post Article


Security Update 2005-001 for Mac OS X
Apple Computer ^ | 1/24/2005 | Apple Computer staff

Posted on 01/25/2005 7:57:15 PM PST by Swordmaker

About Security Update 2005-001 for Mac OS X

This document describes Security Update 2005-001, which can be downloaded and installed via Software Update preferences, or from Apple Downloads.

For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.

For information about the Apple Product Security PGP Key, see "How To Use The Apple Product Security PGP Key."

Where possible, CVE IDs are used to reference the vulnerabilities for further information.

To learn about other Security Updates, see "Apple Security Updates."

Security Update 2005-001

Component: at commands

Available for: Mac OS X v10.3.7, Mac OS X Server v10.3.7
CVE-ID: CAN-2005-0125
Impact: Updates the "at" commands to address a local privilege escalation vulnerability
Description: The "at" family of commands did not properly drop privileges. This could allow a local user to remove files not owned by them, run programs with added privileges, or read the contents of normally unreadable files. This update patches the commands at, atrm, batch, atq, and atrun. Credit to kf_lists[at]digitalmunition[dot]com for reporting this issue.

Component: ColorSync

Available for: Mac OS X v10.3.7, Mac OS X Server v10.3.7, Mac OS X v10.2.8, Mac OS X Server v10.2.8
CVE-ID: CAN-2005-0126
Impact: Malformed ICC color profiles could overwrite the program heap, resulting in arbitrary code execution.
Description: An out-of-specification or improperly embedded ICC color profile could overwrite the program heap and allow arbitrary code execution. There are no known exploits for this issue. With this update, ColorSync will reject incorrectly-formed ICC color profiles.

Component: libxml2

Available for: Mac OS X v10.3.7, Mac OS X Server v10.3.7
CVE-ID: CAN-2004-0989
Impact: The libxml2 library contains unsafe code that may be exploited in applications linked against it.
Description: This update fixes several functions in the libxml2 library that have been identified as unsafe due to potentially exploitable buffer overflows.

Component: Mail

Available for: Mac OS X v10.3.7 Client, Mac OS X Server v10.3.7
CVE-ID: CAN-2005-0127
Impact: Email messages sent from a single machine can be identified
Description: A GUUID containing an identifier associated with the Ethernet networking hardware was used in the construction of an RFC-822 required Message-ID header. Mail now hides this information by computing the Message-ID using a cryptographic hash of the GUUID concatenated with data from /dev/random. Credit to Carl Purvis for reporting this issue.

Component: PHP

Available for: Mac OS X v10.3.7, Mac OS X Server v10.3.7, Mac OS X v10.2.8, Mac OS X Server v10.2.8
CVE-ID: CAN-2003-0860, CAN-2003-0863, CAN-2004-0594, CAN-2004-0595, CAN-2004-1018, CAN-2004-1019, CAN-2004-1020, CAN-2004-1063, CAN-2004-1064, CAN-2004-1065
Impact: Multiple vulnerabilities in PHP, including remote denial of service and execution of arbitrary code
Description: PHP is updated to version 4.3.10 to address several issues. The PHP release announcement for version 4.3.10 is located at http://www.php.net/release_4_3_10.php.

Component: Safari

Available for: Mac OS X v10.3.7, Mac OS X Server v10.3.7, Mac OS X v10.2.8, Mac OS X Server v10.2.8
CVE-ID: CAN-2004-1314
Impact: When Safari's "Block Pop-Up Windows" feature is not enabled, a malicious pop-up window could appear as being from a trusted site
Description: If the "Block Pop-Up Windows" feature is enabled, then this issue does not occur. If the "Block Pop-Up Windows" feature is not enabled, a user can be misled about the content of a pop-up window if they used an untrusted link to navigate to a site they wanted to view. This update corrects the issue regardless of the "Block Pop-Up Windows" setting. Credit to Secunia Research for reporting this issue.

Component: SquirrelMail

Available for: Mac OS X Server 10.3.7
CVE-ID: CAN-2004-1036
Impact: SquirrelMail is updated to address a cross-site scripting vulnerability
Description: A cross-site scripting vulnerability in SquirrelMail allowed email messages to contain content that would be rendered by a user's web browser. SquirrelMail is updated to address this issue. Further details are available from the SquirrelMail website: http://www.squirrelmail.org/.



TOPICS: Computers/Internet
KEYWORDS: apple; lowqualitycrap; mac; macintoshosx; macuser; security; updates
ALL OSX users should run their "SOFTWARE UPDATE" on the Apple menu immediately.
1 posted on 01/25/2005 7:57:15 PM PST by Swordmaker
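The Mail item in the advisory above (Message-ID now computed as a cryptographic hash of the hardware-derived identifier concatenated with data from /dev/random) is the one entry that spells out its technique. The Python below is an added illustration, not Apple's code and not from this thread: it reconstructs the kind of Message-ID that carries the hardware identifier verbatim, builds the hashed form the advisory describes, and checks that the hashed header no longer contains, or lets two messages be linked by, that identifier. The sample address and host are constructed, and the choice of SHA-256 and 16 bytes of entropy are assumptions; the advisory names neither.

```python
import hashlib
import os
import re
from typing import Optional, Set

# Constructed sample values for the illustration; not a real machine's address or host.
SAMPLE_HW_ID = "00:11:22:33:44:55"
SAMPLE_HOST = "mail.example.invalid"


def naive_message_id(hw_id: str, counter: int, host: str) -> str:
    """Reconstruction of the pre-update behaviour the advisory describes: the
    identifier derived from the Ethernet hardware is placed verbatim in the
    Message-ID, so every message sent from the machine carries the same token.
    The exact layout is an assumption; the advisory only says the identifier
    was used in constructing the header."""
    return f"<{counter}.{hw_id.replace(':', '')}@{host}>"


def hashed_message_id(hw_id: str, host: str, entropy: Optional[bytes] = None) -> str:
    """Message-ID built the way the advisory describes the fix: a cryptographic
    hash of the hardware identifier concatenated with random data.
    SHA-256 and 16 bytes of entropy are assumptions (the advisory names neither)."""
    if entropy is None:
        entropy = os.urandom(16)  # stands in for reading /dev/random
    digest = hashlib.sha256(hw_id.encode("ascii") + entropy).hexdigest()
    return f"<{digest}@{host}>"


def leaks_hardware_id(message_id: str, hw_id: str) -> bool:
    """True if the identifier appears in the header, colon-separated or as bare hex."""
    haystack = message_id.lower()
    return hw_id.lower() in haystack or hw_id.replace(":", "").lower() in haystack


def shared_tokens(id_a: str, id_b: str, min_len: int = 8) -> Set[str]:
    """Linkability check a defender can run over a mail corpus: return the long
    alphanumeric tokens that the local parts (before '@') of two Message-IDs have
    in common. A stable hardware token shows up here; fresh hashes do not."""
    def tokens(mid: str) -> Set[str]:
        local = mid.strip("<>").split("@", 1)[0]
        return {t for t in re.split(r"[^0-9a-zA-Z]+", local) if len(t) >= min_len}
    return tokens(id_a) & tokens(id_b)


if __name__ == "__main__":
    old_a = naive_message_id(SAMPLE_HW_ID, 1, SAMPLE_HOST)
    old_b = naive_message_id(SAMPLE_HW_ID, 2, SAMPLE_HOST)
    new_a = hashed_message_id(SAMPLE_HW_ID, SAMPLE_HOST)
    new_b = hashed_message_id(SAMPLE_HW_ID, SAMPLE_HOST)
    print("old:", old_a, old_b, "shared:", shared_tokens(old_a, old_b))
    print("new:", new_a, new_b, "shared:", shared_tokens(new_a, new_b))
```

Two messages built the old way share the hardware token and so can be tied to one machine even when sent through different accounts; two built the new way share nothing, and the identifier cannot be read back out of the digest.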

To: Bush2000; antiRepublicrat; Action-America; eno_; N3WBI3; zeugma; TechJunkYard; ShorelineMike; ...

ALL Freeper OSX users should run their "SOFTWARE UPDATE" on the Apple menu immediately PING!!!

Users of DU who are lurking and sneaking around here should do the same.

If you want to be included or excluded from the Mac Ping List,


2 posted on 01/25/2005 7:59:37 PM PST by Swordmaker (Tagline now open, please ring bell.)

To: Bush2000

Here is some more grist for your mill, Bush... Apple OSX security updates.


3 posted on 01/25/2005 8:01:18 PM PST by Swordmaker (Tagline now open, please ring bell.)

Comment #4 Removed by Moderator

To: Swordmaker

Thanks...just got home, this was the first I heard of it.


5 posted on 01/25/2005 8:02:10 PM PST by rlmorel

To: Swordmaker

Never mind. I don't want to spread newbie confusion with that link. I just clicked on Software Update and got everything I wanted. Thanks for the important ping.


6 posted on 01/25/2005 8:05:16 PM PST by cyborg

To: Swordmaker

That PHP bug looks like a doozy - the rest appear somewhat less serious.


7 posted on 01/25/2005 8:06:54 PM PST by general_re (How come so many of the VKs have been here six months or less?)

To: cyborg
Never mind. I don't want to spread newbie confusion with that link. I just clicked on Software Update and got everything I wanted. Thanks for the important ping.

It was a good link... but you're right about confusing newbies... and there are going to be a lot of them this week.

I was at the Sacramento Apple Store today. They sold out every Mac Mini they got in just 3 hours Saturday. That was several hundred. More are coming in Friday, but the salesgal thought they were all reserved.

They also sold every iPod Shuffle...

8 posted on 01/25/2005 8:09:21 PM PST by Swordmaker (Tagline now open, please ring bell.)

To: general_re

Here is the info from PHP's website.

PHP 4.3.10 Release Announcement

PHP Development Team would like to announce the immediate release of PHP 4.3.10. This is a maintenance release that in addition to over 30 non-critical bug fixes addresses several very serious security issues.

These include the following:

CAN-2004-1018 - shmop_write() out of bounds memory write access.
CAN-2004-1018 - integer overflow/underflow in pack() and unpack() functions.
CAN-2004-1019 - possible information disclosure, double free and negative reference index array underflow in deserialization code.
CAN-2004-1020 - addslashes() not escaping \0 correctly.
CAN-2004-1063 - safe_mode execution directory bypass.
CAN-2004-1064 - arbitrary file access through path truncation.
CAN-2004-1065 - exif_read_data() overflow on long sectionname.
magic_quotes_gpc could lead to one level directory traversal with file uploads.

All Users of PHP are strongly encouraged to upgrade to this release as soon as possible.

Bugfix release

Aside from the above mentioned issues this release includes the following important fixes:

Possible crash inside ftp_get().
get_current_user() crashes on Windows.
Possible crash in ctype_digit() on large numbers.
Crash when parsing ?getvariable[][.
Possible crash in the curl_getinfo() function.
Double free when openssl_csr_new fails.
Crash when using unknown/unsupported session.save_handler and/or session.serialize_handler.
Prevent infinite recursion in url redirection.
Ensure that temporary files created by GD are removed.
Crash in fgetcsv() with negative length.
Improved performance of the foreach() construct.
Improved number handling on non-English locales.

For a full list of changes in PHP 4.3.10, see the ChangeLog.


9 posted on 01/25/2005 8:12:45 PM PST by Swordmaker (Tagline now open, please ring bell.)

To: Swordmaker

Wow that's incredible.


10 posted on 01/25/2005 8:19:31 PM PST by cyborg

To: Swordmaker

Thanks...will install


11 posted on 01/25/2005 8:22:37 PM PST by TheOtherOne

To: Swordmaker

Thanks for the "heads-up". Luckily, these are few & far between.


12 posted on 01/25/2005 8:43:01 PM PST by austinmark (If GOD Had Been A Liberal, We Wouldn't Have Had The Ten Commandments- We'd Have The Ten Suggestions.)

To: Swordmaker
ALL Freeper OSX users should run their "SOFTWARE UPDATE" on the Apple menu immediately PING!!!

DONE!

13 posted on 01/25/2005 8:50:49 PM PST by CheneyChick

Comment #14 Removed by Moderator

To: Swordmaker; cyborg

Thanks Swordmaker, and Cyborg


15 posted on 01/25/2005 10:23:02 PM PST by SunkenCiv (In the long run, there is only the short run.)

To: Swordmaker

Thanks for the heads up.


16 posted on 01/26/2005 3:16:36 AM PST by jalisco555 ("The best lack all conviction, while the worst are full of passionate intensity." W. B. Yeats)

To: Swordmaker

I certainly appreciate being on your ping list!
Thanks for the heads up!


17 posted on 01/26/2005 3:47:30 AM PST by MaryFromMichigan (We childproofed our home, but they are still getting in)

To: Swordmaker

Hi Swordmaker,
I'm on OSX 1.10. The update is only available for 1.3. Do I need it on the 1.10?


18 posted on 01/26/2005 7:02:25 AM PST by kitkat

To: kitkat
I'm on OSX 1.10. The update is only available for 1.3. Do I need it on the 1.10?

Use Software Update from your Preferences Window... it will download and install the updates that OSX.1.10 needs or can use from what's available.

19 posted on 01/26/2005 8:10:49 AM PST by Swordmaker (Tagline now open, please ring bell.)

To: Swordmaker

***Use Software Update from your Preferences Window... it will download and install the updates that OSX.1.10 needs or can use from what's available.***

You are such a gem! I'm a complete nerd when it comes to Mac after using Windows for many, many years.


20 posted on 01/26/2005 12:26:17 PM PST by kitkat

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.


FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson