US-CERT Technical Cyber Security Alert TA05-136A -- Apple Mac OS X is affected by multiple vulnerabilities

From: CERT Advisory (cert-advisory_at_cert.org)
Date: 05/16/05


Date: Mon, 16 May 2005 15:34:59 -0400
To: cert-advisory@cert.org


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

          Technical Cyber Security Alert TA05-136A
   Apple Mac OS X is affected by multiple vulnerabilities

   Original release date: May 16, 2005
   Last revised: --
   Source: US-CERT

Systems Affected

   Mac OS X version 10.3.9 (Panther) and Mac OS X Server version 10.3.9

Overview

   Apple has released Security Update 2005-005 to address multiple
   vulnerabilities affecting Mac OS X and Mac OS X Server. The most
   serious of these vulnerabilities may allow a remote attacker to
   execute arbitrary code. Impacts of other vulnerabilities addressed by
   the update include disclosure of information and denial of service.

I. Description

   Apple Security Update 2005-005 resolves a number of vulnerabilities
   affecting Mac OS X and OS X Server. Further details are available in
   the following Vulnerability Notes:

   VU#356070 - Apple Terminal fails to properly sanitize input for
   x-man-page URI

    Apple Terminal on Mac OS X fails to sanitize x-man-page URIs, allowing
    a remote attacker to execute arbitrary commands.
    (CAN-2005-1342)

   VU#882750 - libXpm image library vulnerable to buffer overflow

    libXpm image parsing code contains a buffer-overflow vulnerability
    that may allow a remote attacker execute arbitrary code or cause a
    denial-of-service condition.
    (CAN-2004-0687)

   VU#125598 - LibTIFF vulnerable to integer overflow via corrupted
   directory entry count

    An integer overflow in LibTIFF may allow a remote attacker to execute
    arbitrary code.
    (CAN-2004-1308)

   VU#539110 - LibTIFF vulnerable to integer overflow in the
   TIFFFetchStrip() routine

    An integer overflow in LibTIFF may allow a remote attacker to execute
    arbitrary code.
    (CAN-2004-1307)

   VU#537878 - libXpm library contains multiple integer overflow
   vulnerabilities

    libXpm contains multiple integer-overflow vulnerabilities that may
    allow a remote attacker execute arbitrary code or cause a
    denial-of-service condition.
    (CAN-2004-0688)

   VU#331694 - Apple Mac OS X chpass/chfn/chsh utilities do not properly
   validate external programs

    Mac OS X Directory Service utilities do not properly validate code
    paths to external programs, potentially allowing a local attacker to
    execute arbitrary code.
    (CAN-2004-1335)

   VU#582934 - Apple Mac OS X Foundation framework vulnerable to buffer
   overflow via incorrect handling of an environmental variable

    A buffer overflow in Mac OS X's Foundation Framework's processing of
    environment variables may lead to elevated privileges.
    (CAN-2004-1336)

   VU#706838 - Apple Mac OS X vulnerable to buffer overflow via vpnd
   daemon

    Apple Mac OS X contains a buffer overflow in vpnd that could allow a
    local, authenticated attacker to execute arbitrary code with root
    privileges.
    (CAN-2004-1343)

   VU#258390 - Apple Mac OS X with Bluetooth enabled may allow file
   exchange without prompting users

    Apple Mac OS X with Bluetooth support may unintentionally allow files
    to be exchanged with other systems by default.
    (CAN-2004-1332)

   VU#354486 - Apple Mac OS X Server Netinfo Setup Tool fails to validate
   command line parameters

    Apple Mac OS X Server NeST tool contains a vulnerability in the
    processing of command line arguments that could allow a local attacker
    to execute arbitrary code.
    (CAN-2004-0594)
  
   Please note that Apple Security Update 2005-005 addresses additional
   vulnerabilities not described above. As further information becomes
   available, we will publish individual Vulnerability Notes.

II. Impact

   The impacts of these vulnerabilities vary, for information about
   specific impacts please see the Vulnerability Notes. Potential
   consequences include remote execution of arbitrary code or commands,
   disclosure of sensitive information, and denial of service.

III. Solution

Install an Update

   Install the update as described in Apple Security Update 2005-005.

Appendix A. References

     * US-CERT Vulnerability Note VU#582934 -
       <http://www.kb.cert.org/vuls/id/582934>
  
     * US-CERT Vulnerability Note VU#258390 -
       <http://www.kb.cert.org/vuls/id/258390>
     
     * US-CERT Vulnerability Note VU#331694 -
       <http://www.kb.cert.org/vuls/id/331694>

     * US-CERT Vulnerability Note VU#706838 -
       <http://www.kb.cert.org/vuls/id/706838>

     * US-CERT Vulnerability Note VU#539110 -
       <http://www.kb.cert.org/vuls/id/539110>

     * US-CERT Vulnerability Note VU#354486 -
       <http://www.kb.cert.org/vuls/id/354486>

     * US-CERT Vulnerability Note VU#882750 -
       <http://www.kb.cert.org/vuls/id/882750>

     * US-CERT Vulnerability Note VU#537878 -
       <http://www.kb.cert.org/vuls/id/537878>

     * US-CERT Vulnerability Note VU#125598 -
       <http://www.kb.cert.org/vuls/id/125598>

     * US-CERT Vulnerability Note VU#356070 -
       <http://www.kb.cert.org/vuls/id/356070>

     * Apple Security Update 2005-005 -
       <http://docs.info.apple.com/article.html?artnum=301528>
   _________________________________________________________________

   These vulnerabilities were discovered by several people and reported
   in Apple Security Update 2005-005. Please see the Vulnerability Notes
   for individual reporter acknowledgements.
   _________________________________________________________________

   Feedback can be directed to the authors: Jeffrey Gennari and Jason
   Rafail.
   _________________________________________________________________

   Copyright 2005 Carnegie Mellon University. Terms of use

   Revision History

   May 16, 2005: Initial release
   Last updated May 16, 2005
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iQEVAwUBQojwRBhoSezw4YfQAQKb1gf/a7XQAZQR+t5+FpzRoUrJyVIg3Mf1IISP
yS5GLgfwC+4GuDEd/BA51+591OhNAWa1hO2JAUQwJ799VL7vAY6vbDW84c+S0eQ+
J+FHgddUsuvRtmsXCg2Fin1JRG4hCqBQ9q2S0h4+fM7yWSdLOY7xeAAwPOwG+bsU
AVjDMNiPACHxw7CNQ8qpPXFfo3qrV+oj55F62TbR0fujtil6yQR3lE9wSeiuLs/i
KgQFZlHMEoAwQnghwLk7eQLkzGD9eAZ+pZ7Ny0AvF7avhGflh2nFNe2acFoJ2Iw7
/gMXj/uN/ZpDssS37y38LIvyA3kIQrSlEW7iKf1wi2eQ3ntjyv/9NA==
=uqBU
-----END PGP SIGNATURE-----



Relevant Pages