
Archived - About the security content of Mac OS X v10.5.5 and Security Update 2008-006

This document describes the security content of Mac OS X v10.5.5 and Security Update 2008-006, which can be downloaded and installed via Software Update preferences, or from Apple Downloads.

For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.

For information about the Apple Product Security PGP Key, see "How to use the Apple Product Security PGP Key."

Where possible, CVE IDs are used to reference the vulnerabilities for further information.

To learn about other Security Updates, see "Apple Security Updates."

This article has been archived and is no longer updated by Apple.

Mac OS X v10.5.5 and Security Update 2008-006

  • ATS

    CVE-ID: CVE-2008-2305

    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.4, Mac OS X Server v10.5 through v10.5.4

    Impact: Viewing a document containing a maliciously crafted font may lead to arbitrary code execution

    Description: A heap buffer overflow exists in Apple Type Services' handling of PostScript font names. Viewing a document containing a maliciously crafted font may lead to arbitrary code execution. This update addresses the issue by performing additional validation of font names. Credit to Chris Ries of Carnegie Mellon University Computing Services for reporting this issue.

  • BIND

    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.4, Mac OS X Server v10.5 through v10.5.4

    Impact: BIND is updated to address performance issues

    Description: BIND is updated to version 9.4.2-P2 to address performance issues. For Mac OS X v10.4.11 systems, BIND is updated to version 9.3.5-P2. For Mac OS X v10.5.4 systems, BIND is updated to version 9.4.2-P2. Further information is available via the ISC web site at https://www.isc.org/software/bind

  • ClamAV

    CVE-ID: CVE-2008-1100, CVE-2008-1387, CVE-2008-0314, CVE-2008-1833, CVE-2008-1835, CVE-2008-1836, CVE-2008-1837, CVE-2008-2713, CVE-2008-3215

    Available for: Mac OS X Server v10.4.11, Mac OS X Server v10.5 through v10.5.4

    Impact: Multiple vulnerabilities in ClamAV 0.92.1

    Description: Multiple vulnerabilities exist in ClamAV 0.92.1, the most serious of which may lead to arbitrary code execution. This update addresses the issues by updating to ClamAV 0.93.3. Further information is available via the ClamAV website at http://www.clamav.net/

  • Directory Services

    CVE-ID: CVE-2008-2329

    Available for: Mac OS X v10.5 through v10.5.4, Mac OS X Server v10.5 through v10.5.4

    Impact: A person with access to the login screen may be able to list user names

    Description: An information disclosure issue exists in Login Window when it is configured to authenticate users with Active Directory. By supplying wildcard characters in the user name field, a list of user names from Active Directory may be displayed. This update addresses the issue through improved processing of user names in Directory Services. Credit to IT Department of the West Seneca Central School District for reporting this issue.

  • Directory Services

    CVE-ID: CVE-2008-2330

    Available for: Mac OS X Server v10.4.11, Mac OS X Server v10.5 through v10.5.4

    Impact: A local user may obtain the server password if an OpenLDAP system administrator runs slapconfig

    Description: An insecure file operation issue exists in the slapconfig tool used for configuring OpenLDAP. A local user can cause the password entered by a system administrator running slapconfig to be written to a file controlled by the user. This update addresses the issue by checking the return value of the mkfifo function.

  • Finder

    CVE-ID: CVE-2008-2331

    Available for: Mac OS X v10.5 through v10.5.4, Mac OS X Server v10.5 through v10.5.4

    Impact: The Get Info window may not display the actual privileges for a file

    Description: Finder does not update the displayed permissions under some circumstances in a Get Info window. After clicking the lock button, changes to the filesystem Sharing & Permissions will take effect, but will not be displayed. This update addresses the issue by properly updating the displayed permissions when access privileges on a file are changed. This issue does not affect systems prior to Mac OS X v10.5. Credit to Michel Colman for reporting this issue.

  • Finder

    CVE-ID: CVE-2008-3613

    Available for: Mac OS X v10.5 through v10.5.4, Mac OS X Server v10.5 through v10.5.4

    Impact: An attacker with access to the local network may cause a denial of service

    Description: A null pointer dereference issue exists in the Finder when it searches for a remote disc. An attacker with access to the local network can cause Finder to exit immediately after it starts, making the system unusable. This update addresses the issue by adding a check for a null pointer. This issue only affects these configurations: any product running Mac OS X v10.5.2, MacBook Air running Mac OS X v10.5.3, and MacBook Air running Mac OS X v10.5.4. Credit to Yuxuan Wang of Sogou for reporting this issue.

  • ImageIO

    CVE-ID: CVE-2008-2327

    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.4, Mac OS X Server v10.5 through v10.5.4

    Impact: Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution

    Description: Multiple uninitialized memory access issues exist in libTIFF's handling of LZW-encoded TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through proper memory initialization and additional validation of TIFF images.

  • ImageIO

    CVE-ID: CVE-2008-2332

    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.4, Mac OS X Server v10.5 through v10.5.4

    Impact: Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution

    Description: A memory corruption issue exists in ImageIO's handling of TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved processing of TIFF images. Credit to Robert Swiecki of Google Security Team for reporting this issue.

  • ImageIO

    CVE-ID: CVE-2008-3608

    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.4, Mac OS X Server v10.5 through v10.5.4

    Impact: Viewing a large maliciously crafted JPEG image may lead to an unexpected application termination or arbitrary code execution

    Description: A memory corruption issue exists in ImageIO's handling of embedded ICC profiles in JPEG images. Viewing a large maliciously crafted JPEG image may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved processing of JPEG images.

  • ImageIO

    CVE-ID: CVE-2008-1382

    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.4, Mac OS X Server v10.5 through v10.5.4

    Impact: libpng in ImageIO is updated to version 1.2.29

    Description: libpng in ImageIO is updated to version 1.2.29. CVE-2008-1382 is not known to affect the use of libpng in ImageIO, and this update is applied as a precautionary measure.

  • Kernel

    CVE-ID: CVE-2008-3609

    Available for: Mac OS X v10.5 through v10.5.4, Mac OS X Server v10.5 through v10.5.4

    Impact: Files may be accessed by a local user who does not have the proper permissions

    Description: Cached credentials are not always flushed when a vnode is recycled. This may allow a local user to read or write to a file where the permissions would not allow it. This update addresses the issue through improved handling of purged vnodes. Credit to Nevin ":-)" Liber, Thomas Pelaia of Oak Ridge National Lab, Thomas Tempelmann, and Ram Kolli for reporting this issue.

  • libresolv

    CVE-ID: CVE-2008-1447

    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.4, Mac OS X Server v10.5 through v10.5.4

    Impact: libresolv is susceptible to DNS cache poisoning and may return forged information

    Description: libresolv provides translation between host names and IP addresses for applications that use its unicast DNS resolution API. A weakness in the DNS protocol may allow remote attackers to perform DNS cache poisoning attacks. As a result, applications that rely on libresolv for DNS may receive forged information. This update addresses the issue by implementing source port randomization to improve resilience against cache poisoning attacks. Note that the BIND tools, dig, host, and nslookup use their own resolver library and are not addressed by this update. Credit to Dan Kaminsky of IOActive for reporting this issue.

  • Login Window

    CVE-ID: CVE-2008-3610

    Available for: Mac OS X v10.5 through v10.5.4, Mac OS X Server v10.5 through v10.5.4

    Impact: A user may log in without providing a password

    Description: A race condition exists in Login Window. To trigger this issue, the system must have the Guest account enabled or another account with no password. In a small proportion of attempts, an attempt to log in to such an account will not complete. The user list would then be presented again, and the person would be able to log in as any user without providing a password. If the original account were the Guest account, the contents of the new account will be deleted on logout. This update addresses the issue by properly clearing Login Window state when the login does not complete. This issue does not affect systems prior to Mac OS X v10.5.

  • Login Window

    CVE-ID: CVE-2008-3611

    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11

    Impact: A person with access to the login screen may be able to change a user's password

    Description: When a system has been configured to enforce policies on login passwords, users may be required to change their password in the login screen. If a password change fails, an error message is displayed, but the current password is not cleared. This may not be obvious to the user. If the user leaves the system unattended with this error message displayed, a person with access to the login screen may be able to reset that user's password. This update addresses the issue by clearing the current password when returning to the login screen. This issue does not affect systems running Mac OS X v10.5 or later. Credit to Christopher A. Grande of Middlesex Community College for reporting this issue.

  • mDNSResponder

    CVE-ID: CVE-2008-1447

    Available for: Mac OS X v10.5 through v10.5.4, Mac OS X Server v10.5 through v10.5.4

    Impact: mDNSResponder is susceptible to DNS cache poisoning and may return forged information

    Description: mDNSResponder provides translation between host names and IP addresses for applications that use its unicast DNS resolution API. A weakness in the DNS protocol may allow a remote attacker to perform DNS cache poisoning attacks. As a result, applications that rely on mDNSResponder for DNS may receive forged information. This update addresses the issue by implementing source port and transaction ID randomization to improve resilience against cache poisoning attacks. Credit to Dan Kaminsky of IOActive for reporting this issue.

  • OpenSSH

    CVE-ID: CVE-2008-1483, CVE-2008-1657

    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.4, Mac OS X Server v10.5 through v10.5.4

    Impact: Multiple vulnerabilities in OpenSSH, the most serious of which is local X11 session control

    Description: Multiple vulnerabilities exist in OpenSSH versions provided with Mac OS X v10.4.11 and Mac OS X v10.5.4, the most serious of which allows a local user to control another user's X11 session. This update addresses the issues by updating to OpenSSH 5.1p1. Further information is available via the OpenSSH web site at http://www.openssh.com/security.html

  • QuickDraw Manager

    CVE-ID: CVE-2008-3614

    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.4, Mac OS X Server v10.5 through v10.5.4

    Impact: Opening a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution

    Description: An integer overflow exists in QuickDraw's handling of PICT images. Opening a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of PICT images. Credit to an anonymous researcher working with the iDefense VCP for reporting this issue.

  • Ruby

    CVE-ID: CVE-2008-2376

    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.4, Mac OS X Server v10.5 through v10.5.4

    Impact: Running a Ruby script that uses untrusted input as the arguments to the Array#fill method may lead to an unexpected application termination or arbitrary code execution

    Description: An integer overflow exists in rb_ary_fill(), which implements the Ruby Array#fill method. Running a Ruby script that uses untrusted input as the arguments to the Array#fill method may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of the arguments to rb_ary_fill().

  • SearchKit

    CVE-ID: CVE-2008-3616

    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.4, Mac OS X Server v10.5 through v10.5.4

    Impact: Applications passing untrusted input to the SearchKit API may lead to an unexpected application termination or arbitrary code execution

    Description: Integer overflow issues exist in functions within the SearchKit framework. Passing untrusted input to SearchKit via an application may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking.

  • System Configuration

    CVE-ID: CVE-2008-2312

    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11

    Impact: A local user may obtain the PPP password

    Description: Network Preferences stores PPP passwords unencrypted in a world readable file, accessible to any local user. This update addresses the issue by storing PPP passwords in the system keychain when the password is changed. This issue does not affect systems running Mac OS X v10.5 or later. Credit to Hernan Ochoa of Core Security Technologies, Tore Halset of pvv.org, and Matt Johnston of the University Computer Club for reporting this issue.

  • System Preferences

    CVE-ID: CVE-2008-3617

    Available for: Mac OS X v10.5 through v10.5.4, Mac OS X Server v10.5 through v10.5.4

    Impact: Users may be misled into believing their passwords are stronger than they are

    Description: Remote Management and Screen Sharing can be configured to require a password for VNC viewers. The maximum length for VNC viewer passwords is eight characters. The password field can display more than eight characters, implying that the additional characters are used in the password. This update addresses the issue by limiting VNC viewer passwords to eight characters in the user interface. Credit to Michal Fresel of hi competence e.U. for reporting this issue.

  • System Preferences

    CVE-ID: CVE-2008-3618

    Available for: Mac OS X v10.5 through v10.5.4

    Impact: Authenticated users may have unexpected remote access to files and directories

    Description: The File Sharing pane in the Sharing preference pane does not fully convey the actual access privileges. A user may infer that only the folders listed under 'Shared Folders' are accessible. However, authenticated users may also access their home directories, and administrators may access all disks on the system. This update provides additional text to help explain the actual access permissions. Systems prior to Mac OS X v10.5 did not display a list of shared folders in the File Sharing pane. This issue does not affect Mac OS X Server systems.

  • Time Machine

    CVE-ID: CVE-2008-3619

    Available for: Mac OS X v10.5 through v10.5.4, Mac OS X Server v10.5 through v10.5.4

    Impact: Backing up a system with Time Machine may lead to the disclosure of sensitive information

    Description: During the Time Machine Backup, several log files are saved to the backup drive with read permission allowed to other users. This may lead to the disclosure of sensitive information. This update addresses the issue by applying more restrictive permissions to saved log files. This issue does not affect systems prior to Mac OS X v10.5. Credit to Edwin McKenzie for reporting this issue.

  • VideoConference

    CVE-ID: CVE-2008-3621

    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.4, Mac OS X Server v10.5 through v10.5.4

    Impact: Videoconferencing with a malicious user may lead to an unexpected application termination or arbitrary code execution

    Description: A memory corruption issue exists in the VideoConference framework's handling of H.264 encoded media. Videoconferencing with a malicious user may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking.

  • Wiki Server

    CVE-ID: CVE-2008-3622

    Available for: Mac OS X v10.5 through v10.5.4, Mac OS X Server v10.5 through v10.5.4

    Impact: A remote attacker may cause persistent JavaScript injection on a Wiki server

    Description: The Wiki Server mailing list archive will execute JavaScript code embedded in messages. A remote person may send an email containing JavaScript code to a mailing list hosted on a Wiki server. Viewing the message from the Wiki Server mailing list archive will trigger the execution of the embedded JavaScript code on the system of the person viewing the message. This update addresses the issue by performing additional validation of emails. This issue does not affect systems prior to Mac OS X v10.5. Credit to Leon von Tippelskirch, and Matthias Wieczorek of the Chair for Applied Software Engineering, TU Munich for reporting this issue.
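
The slapconfig fix listed under Directory Services (CVE-2008-2330) comes down to stopping when mkfifo() fails instead of writing to whatever already sits at the path. The C code below is an added illustration, not Apple's or slapconfig's code; the function names, the /tmp path and the sample password are assumptions constructed for the demonstration, and the fstat() check goes beyond the fix the advisory names.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Step 1: create the FIFO. With check == 0 the result of mkfifo() is ignored
 * (the flaw); with check != 0 any failure, EEXIST included, aborts. */
int make_fifo(const char *path, int check)
{
    int rc = mkfifo(path, S_IRUSR | S_IWUSR);
    return (check && rc != 0) ? -1 : 0;
}

/* Step 2: write the secret. With check != 0 the opened object must be a FIFO
 * owned by us with no group/other access (fstat on the fd, not the path). */
int send_secret(const char *path, const char *secret, int check)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_NONBLOCK | (check ? O_NOFOLLOW : 0));
    if (fd < 0)
        return -1;
    if (check && (fstat(fd, &st) != 0 || !S_ISFIFO(st.st_mode) ||
                  st.st_uid != geteuid() || (st.st_mode & (S_IRWXG | S_IRWXO)))) {
        close(fd);
        return -1;
    }
    ssize_t n = write(fd, secret, strlen(secret));
    close(fd);
    return n == (ssize_t)strlen(secret) ? 0 : -1;
}

/* Constructed scenario: a regular file already exists at the predictable path,
 * standing in for one placed there by another local user.
 * Returns how many bytes of the secret ended up in that file. */
long leaked_bytes(const char *path, int check)
{
    struct stat st;
    unlink(path);
    int fd = open(path, O_CREAT | O_EXCL | O_WRONLY, 0666);  /* the squatter */
    if (fd < 0)
        return -1;
    close(fd);
    if (make_fifo(path, check) == 0)
        send_secret(path, "constructed-password", check);
    long n = (stat(path, &st) == 0) ? (long)st.st_size : -1;
    unlink(path);
    return n;
}

int main(void)
{
    const char *p = "/tmp/fifo_handoff_demo";   /* constructed path */
    printf("unchecked: %ld bytes leaked\n", leaked_bytes(p, 0));
    printf("checked:   %ld bytes leaked\n", leaked_bytes(p, 1));
    return 0;
}
```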

Additional Information

Important: Information about products not manufactured by Apple is provided for information purposes only and does not constitute Apple’s recommendation or endorsement. Please contact the vendor for additional information.

Last Modified: Nov 9, 2011
Article: HT3137