About the security content of iLife Support 8.3.1
This document describes the security content of iLife Support 8.3.1, which can be downloaded and installed via Software Update preferences, or from Apple Downloads.
For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.
For information about the Apple Product Security PGP Key, see "How to use the Apple Product Security PGP Key."
Where possible, CVE IDs are used to reference the vulnerabilities for further information.
To learn about other Security Updates, see "Apple Security Updates."
iLife Support 8.3.1
ImageIO
CVE-ID: CVE-2008-2327
Available for: iLife 8.0 or Aperture 2, on Mac OS v10.4.9 through v10.4.11
Impact: Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution
Description: Multiple uninitialized memory access issues exist in libTIFF's handling of LZW-encoded TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through proper memory initialization and additional validation of TIFF images. These issues are already addressed in systems running Mac OS X v10.5.5. Credit: Apple.
ImageIO
CVE-ID: CVE-2008-2332
Available for: iLife 8.0 or Aperture 2, on Mac OS v10.4.9 through v10.4.11
Impact: Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue exits in the handling of TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved processing of TIFF images. This issue is already addressed in systems running Mac OS X v10.5.5. Credit to Robert Swiecki of Google Security Team for reporting this issue.
ImageIO
CVE-ID: CVE-2008-3608
Available for: iLife 8.0 or Aperture 2, on Mac OS v10.4.9 through v10.4.11
Impact: Viewing a large maliciously crafted JPEG image may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in ImageIO's handling of embedded ICC profiles in JPEG images. Viewing a large maliciously crafted JPEG image may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved processing of ICC profiles. This issue is already addressed in systems running Mac OS X v10.5.5. Credit: Apple.