About the security content of iLife Support 8.3.1

This document describes the security content of iLife Support 8.3.1, which can be downloaded and installed via Software Update preferences or from Apple Downloads.

For the protection of our customers, Apple does not disclose, discuss or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To find out more about Apple Product Security, see the Apple Product Security website.

For information about the Apple Product Security PGP Key, see "How to use the Apple Product Security PGP Key."

Where possible, CVE IDs are used to reference the vulnerabilities for further information.

To find out more about other Security Updates, see “Apple Security Updates”.

iLife Support 8.3.1

• ImageIO

  CVE-ID: CVE-2008-2327

  Available for: iLife 8.0 or Aperture 2, on Mac OS v10.4.9 through v10.4.11

  Impact: Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution

  Description: Multiple uninitialised memory access issues exist in libTIFF’s handling of LZW-encoded TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through proper memory initialisation and additional validation of TIFF images. These issues are already addressed in systems running Mac OS X v10.5.5. Credit: Apple.

• ImageIO

  CVE-ID: CVE-2008-2332

  Available for: iLife 8.0 or Aperture 2, on Mac OS v10.4.9 through v10.4.11

  Impact: Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution

  Description: A memory corruption issue exists in the handling of TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved processing of TIFF images. This issue is already addressed in systems running Mac OS X v10.5.5. Credit to Robert Swiecki of Google Security Team for reporting this issue.

• ImageIO

  CVE-ID: CVE-2008-3608

  Available for: iLife 8.0 or Aperture 2, on Mac OS v10.4.9 through v10.4.11

  Impact: Viewing a large maliciously crafted JPEG image may lead to an unexpected application termination or arbitrary code execution

  Description: A memory corruption issue exists in ImageIO’s handling of embedded ICC profiles in JPEG images. Viewing a large maliciously crafted JPEG image may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved processing of ICC profiles. This issue is already addressed in systems running Mac OS X v10.5.5. Credit: Apple.