Fwd: APPLE-SA-2005-01-11 iTunes 4.7.1

From: David Ahmad (da_at_securityfocus.com)
Date: 01/11/05

    Date: Tue, 11 Jan 2005 15:21:52 -0700
    To: bugtraq@securityfocus.com
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    APPLE-SA-2005-01-11 iTunes 4.7.1

    iTunes 4.7.1 is now available and delivers the following security
    enhancement:

    CVE-ID: CAN-2005-0043

    Impact: Malicious playlists can cause iTunes to crash and could
    execute arbitrary code

    Description: iTunes supports several common playlist formats.
    iTunes 4.7.1 fixes a buffer overflow in the parsing of m3u and pls
    playlist files that could allow earlier versions of iTunes to crash
    and execute arbitrary code. Credit to Sean de Regge
    (seanderegge[at]hotmail.com) for discovering this issue, and to
    iDEFENSE Labs for reporting it to us.

    Available for: Mac OS X, Microsoft Windows XP, Microsoft Windows
    2000

    iTunes 4.7.1 may be obtained from the Software Update pane in System
    Preferences, or Apple's iTunes download site:
    http://www.apple.com/itunes/download/

    The download file is named: "iTunes4.7.1.dmg"
    Its SHA-1 digest is: 2ae8c815f18756c24dfbc1ac7d837b75b828b92a

    Information will also be posted to the Apple Product Security
    web site:
    http://docs.info.apple.com/article.html?artnum=61798

    This message is signed with Apple's Product Security PGP key,
    and details are available at:
    http://www.apple.com/support/security/security_pgp.html

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 8.1

    -----END PGP SIGNATURE-----

    -- 
    David Mirza Ahmad
    Symantec 
    PGP: 0x26005712
    8D 9A B1 33 82 3D B3 D0 40 EB  AB F0 1E 67 C6 1A 26 00 57 12
    
