VARIoT IoT vulnerabilities database
VAR-200605-0200 | CVE-2006-1441 | Apple Mac OS X CFNetwork Integer overflow vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Integer overflow in CFNetwork in Apple Mac OS X 10.4.6 allows remote attackers to execute arbitrary code via crafted chunked transfer encoding. Apple Mac OS X is reported prone to multiple security vulnerabilities.
These issue affect Mac OS X in the following applications or modules:
- AppKit
- ImageIO
- BOM
- CFNetwork
- ClamAV
- CoreFoundation
- CoreGraphics
- Finder
- FTPServer
- Flash Player
- ImageIO
- Keychain
- LaunchServices
- libcurl
- Mail
- MySQL Manager
- Preview
- QuickDraw
- QuickTime Streaming Server
- Ruby
- Safari
A remote attacker may exploit these issues to execute arbitrary code, trigger a denial-of-service condition, gain access to potentially sensitive information, or overwrite files. Other attacks may also be possible.
Apple Mac OS X 10.4.6 and prior are reported vulnerable to these issues.
1) An error in the AppKit framework allows an application to read
characters entered into secure text field in the same window
session.
2) Errors in the AppKit and ImageIO framework when processing GIF and
TIFF images can be exploited to crash an application or potentially
execute arbitrary code.
For more information:
SA19686
3) A boundary error within the BOM component when expanding archives
can be exploited to crash an application or potentially execute
arbitrary code.
For more information:
SA19686
4) An input validation error in the BOM component when expanding
archives can be exploited to cause files to be written to arbitrary
locations outside the specified directory via directory traversal
attacks.
6) Errors in ClamAV when processing specially crafted email messages
may allow execution of arbitrary code.
For more information:
SA19534
7) An error in the CoreFoundation component allows dynamic libraries
to load and execute when a bundle is registered. This can be
exploited to execute arbitrary code if an untrusted bundle is
registered.
8) An integer underflow error within the
"CFStringGetFileSystemRepresentation()" API during string conversion
may allow execution of arbitrary code.
9) An error in the CoreGraphics component allows an application in
the same window session to read characters entered into secure text
field when "Enable access for assistive devices" is enabled.
10) An error in Finder within the handling of Internet Location items
makes it possible to specify a different Internet Location type than
the actual URL scheme used. This may allow execution of arbitrary
code when launching an Internet Location item.
11) Boundary errors in the FTPServer component when handling path
names can be exploited to malicious users to cause a buffer overflow,
which may allow execution of arbitrary code.
12) Various errors in the Flash Player makes it possible to
compromise a user's system via specially crafted Flash files.
For more information:
SA17430
SA19218
13) An integer overflow error in the ImageIO framework when
processing JPEG images can be exploited to crash an application or
potentially execute arbitrary code.
14) An error in the Keychain component allows an application to use
Keychain items even when the Keychain is locked. This requires that
the application has obtained a reference to a Keychain item before
the Keychain was locked.
15) An error in the LaunchServices component when processing long
filename extensions may allow bypassing of the Download Validation
functionality.
16) Boundary errors in the libcurl URL handling may allow execution
of arbitrary code.
18) An error in the Mail component when handling invalid colour
information in enriched text email messages may allow execution of
arbitrary code.
19) An design error in MySQL Manager makes it possible to access the
MySQL database with an empty password as the MySQL password supplying
during initial setup is not used.
20) A boundary error in the Preview component may allow execution of
arbitrary code via a stack-based buffer overflow when navigating a
specially crafted directory hierarchy.
21) Two boundary errors in the QuickDraw component when processing of
PICT images can be exploited to either cause a stack-based via a PICT
image with specially crafted font information or a heap-based buffer
overflow via a PICT image with specially crafted image data. This can
be exploited to crash an application and potentially execute arbitrary
code.
22) A NULL pointer dereference error in QuickTime Streaming Server
when processing QuickTime movies with a missing track can be
exploited to crash the application.
23) A boundary error in QuickTime Streaming Server when processing
RTSP requests can be exploited to crash the application or
potentially execute arbitrary code.
24) An error in Ruby can be exploited to bypass safe level
restrictions.
For more information:
SA16904
25) An error in Safari when handling archives with symbolic links may
place the symbolic links on a user's desktop. This requires that the
"Open 'safe' files after downloading" option is enabled.
SOLUTION:
Apply Security Update 2006-003.
13) The vendor credits Brent Simmons, NewsGator Technologies.
14) The vendor credits Tobias Hahn, HU Berlin.
19) The vendor credits Ben Low, University of New South Wales.
21) The vendor credits Mike Price, McAfee AVERT Labs.
23) Mu Security research team
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=303737
OTHER REFERENCES:
SA19686:
http://secunia.com/advisories/19686/
SA19534:
http://secunia.com/advisories/19534/
SA17430:
http://secunia.com/advisories/17430/
SA19218:
http://secunia.com/advisories/19218/
SA17907:
http://secunia.com/advisories/17907/
SA16904:
http://secunia.com/advisories/16904/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
Impacts of other vulnerabilities include bypassing security
restrictions and denial of service.
I. Further details are available in the individual
Vulnerability Notes.
II. Impact
The impacts of these vulnerabilities vary. For information about
specific impacts, please see the Vulnerability Notes. Potential
consequences include remote execution of arbitrary code or commands,
bypass of security restrictions, and denial of service.
III. This and other updates are
available via Apple Update.
Please see the Vulnerability Notes for individual reporter
acknowledgements.
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA06-132A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA06-132A Feedback VU#519473" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2006 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
May 12, 2006: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBRGTxnX0pj593lg50AQKebgf+PTa7qCt6QQRcXGlJ3vjPFOdO1VNRMGr8
WOP8JKHbCK93O3E6YtHJ3nQTJBfyq169TQijWvoWvjjXM603DojGXUXgTBZFhTSG
c4L0jE2+nD3273nZXGPreFJAsPxK6me7d4Of/KQ/prJnUfrnWNxfrP90CmXRKNLD
+4eC4BEjNXCqpb0ki62WQM7NED6IgfgNZWfO7faTSRYNRdEyLAgetQxZVm5eepyK
BJO3rRBBRkOIkIIG5o/J5ViqgiuUP75N37QqTc7BtyzQR2OeWepytJvkMvJUBVAG
r0fLUKvhT4wdHxsNGVGCxLNf3NHG1UuWNO3UZ9MeBmREdmeT+K0l9A==
=cabu
-----END PGP SIGNATURE-----
VAR-200605-0201 | CVE-2006-1442 | Apple Mac OS X CoreFoundation bundle API Arbitrary code execution vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
The bundle API in CoreFoundation in Apple Mac OS X 10.3.9 and 10.4.6 loads dynamic libraries even if the client application has not directly requested it, which allows attackers to execute arbitrary code from an untrusted bundle. Apple Mac OS X is reported prone to multiple security vulnerabilities.
These issue affect Mac OS X in the following applications or modules:
- AppKit
- ImageIO
- BOM
- CFNetwork
- ClamAV
- CoreFoundation
- CoreGraphics
- Finder
- FTPServer
- Flash Player
- ImageIO
- Keychain
- LaunchServices
- libcurl
- Mail
- MySQL Manager
- Preview
- QuickDraw
- QuickTime Streaming Server
- Ruby
- Safari
A remote attacker may exploit these issues to execute arbitrary code, trigger a denial-of-service condition, gain access to potentially sensitive information, or overwrite files. Other attacks may also be possible.
Apple Mac OS X 10.4.6 and prior are reported vulnerable to these issues.
1) An error in the AppKit framework allows an application to read
characters entered into secure text field in the same window
session.
2) Errors in the AppKit and ImageIO framework when processing GIF and
TIFF images can be exploited to crash an application or potentially
execute arbitrary code.
For more information:
SA19686
3) A boundary error within the BOM component when expanding archives
can be exploited to crash an application or potentially execute
arbitrary code.
For more information:
SA19686
4) An input validation error in the BOM component when expanding
archives can be exploited to cause files to be written to arbitrary
locations outside the specified directory via directory traversal
attacks.
5) An integer overflow error in the CFNetwork component when handling
chunked transfer encoding may allow execution of arbitrary code if a
user is tricked into visiting a malicious web site.
6) Errors in ClamAV when processing specially crafted email messages
may allow execution of arbitrary code.
For more information:
SA19534
7) An error in the CoreFoundation component allows dynamic libraries
to load and execute when a bundle is registered. This can be
exploited to execute arbitrary code if an untrusted bundle is
registered.
8) An integer underflow error within the
"CFStringGetFileSystemRepresentation()" API during string conversion
may allow execution of arbitrary code.
9) An error in the CoreGraphics component allows an application in
the same window session to read characters entered into secure text
field when "Enable access for assistive devices" is enabled.
10) An error in Finder within the handling of Internet Location items
makes it possible to specify a different Internet Location type than
the actual URL scheme used. This may allow execution of arbitrary
code when launching an Internet Location item.
11) Boundary errors in the FTPServer component when handling path
names can be exploited to malicious users to cause a buffer overflow,
which may allow execution of arbitrary code.
12) Various errors in the Flash Player makes it possible to
compromise a user's system via specially crafted Flash files.
For more information:
SA17430
SA19218
13) An integer overflow error in the ImageIO framework when
processing JPEG images can be exploited to crash an application or
potentially execute arbitrary code.
14) An error in the Keychain component allows an application to use
Keychain items even when the Keychain is locked. This requires that
the application has obtained a reference to a Keychain item before
the Keychain was locked.
15) An error in the LaunchServices component when processing long
filename extensions may allow bypassing of the Download Validation
functionality.
16) Boundary errors in the libcurl URL handling may allow execution
of arbitrary code.
For more information:
SA17907
17) An integer overflow error in the Mail component may allow
execution of arbitrary code when viewing a specially crafted email
message with MacMIME encapsulated attachments.
18) An error in the Mail component when handling invalid colour
information in enriched text email messages may allow execution of
arbitrary code.
19) An design error in MySQL Manager makes it possible to access the
MySQL database with an empty password as the MySQL password supplying
during initial setup is not used.
20) A boundary error in the Preview component may allow execution of
arbitrary code via a stack-based buffer overflow when navigating a
specially crafted directory hierarchy.
21) Two boundary errors in the QuickDraw component when processing of
PICT images can be exploited to either cause a stack-based via a PICT
image with specially crafted font information or a heap-based buffer
overflow via a PICT image with specially crafted image data. This can
be exploited to crash an application and potentially execute arbitrary
code.
22) A NULL pointer dereference error in QuickTime Streaming Server
when processing QuickTime movies with a missing track can be
exploited to crash the application.
23) A boundary error in QuickTime Streaming Server when processing
RTSP requests can be exploited to crash the application or
potentially execute arbitrary code.
24) An error in Ruby can be exploited to bypass safe level
restrictions.
For more information:
SA16904
25) An error in Safari when handling archives with symbolic links may
place the symbolic links on a user's desktop. This requires that the
"Open 'safe' files after downloading" option is enabled.
SOLUTION:
Apply Security Update 2006-003.
13) The vendor credits Brent Simmons, NewsGator Technologies.
14) The vendor credits Tobias Hahn, HU Berlin.
19) The vendor credits Ben Low, University of New South Wales.
21) The vendor credits Mike Price, McAfee AVERT Labs.
23) Mu Security research team
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=303737
OTHER REFERENCES:
SA19686:
http://secunia.com/advisories/19686/
SA19534:
http://secunia.com/advisories/19534/
SA17430:
http://secunia.com/advisories/17430/
SA19218:
http://secunia.com/advisories/19218/
SA17907:
http://secunia.com/advisories/17907/
SA16904:
http://secunia.com/advisories/16904/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
Impacts of other vulnerabilities include bypassing security
restrictions and denial of service.
I. Further details are available in the individual
Vulnerability Notes.
II. Impact
The impacts of these vulnerabilities vary. For information about
specific impacts, please see the Vulnerability Notes. Potential
consequences include remote execution of arbitrary code or commands,
bypass of security restrictions, and denial of service.
III. This and other updates are
available via Apple Update.
Please see the Vulnerability Notes for individual reporter
acknowledgements.
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA06-132A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA06-132A Feedback VU#519473" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2006 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
May 12, 2006: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBRGTxnX0pj593lg50AQKebgf+PTa7qCt6QQRcXGlJ3vjPFOdO1VNRMGr8
WOP8JKHbCK93O3E6YtHJ3nQTJBfyq169TQijWvoWvjjXM603DojGXUXgTBZFhTSG
c4L0jE2+nD3273nZXGPreFJAsPxK6me7d4Of/KQ/prJnUfrnWNxfrP90CmXRKNLD
+4eC4BEjNXCqpb0ki62WQM7NED6IgfgNZWfO7faTSRYNRdEyLAgetQxZVm5eepyK
BJO3rRBBRkOIkIIG5o/J5ViqgiuUP75N37QqTc7BtyzQR2OeWepytJvkMvJUBVAG
r0fLUKvhT4wdHxsNGVGCxLNf3NHG1UuWNO3UZ9MeBmREdmeT+K0l9A==
=cabu
-----END PGP SIGNATURE-----
VAR-200604-0272 | CVE-2006-1988 | Apple Mac OS X Multiple heap overflow vulnerabilities |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The WebTextRenderer(WebInternal) _CG_drawRun:style:geometry: function in Apple Safari 2.0.3 allows remote attackers to cause a denial of service (application crash) via an HTML LI tag with a large VALUE attribute (list item number), which triggers a null dereference in QPainter::drawText, probably due to a failed memory allocation that uses the VALUE. Apple Mac OS X is reported prone to multiple security vulnerabilities.
These issue affect Mac OS X and various applications including Safari, Preview, Finder, QuickTime, and BOMArchiveHelper. A remote attacker may exploit these issues to execute arbitrary code and/or trigger a denial-of-service condition.
Apple Mac OS X 10.4.6 and prior are reported vulnerable to these issues. When parsing malformed .tiff graphic files, LZWDecodeVector(), _cg_TIFFSetField () or PredictorVSetField () functions do not correctly parse the malformed data, resulting in the failure to open the graphic Application crashes. The vulnerability is triggered by the core .tiff parsing engine, so Preview, Finder, QuickTime, and Safari are all possible attack vectors. 2 When decompressing a specially crafted .zip file, the BOMStackPop () function does not correctly parse the malformed data, resulting in a heap overflow vulnerability. 4 When decompressing a specially crafted .bmp file, the ReadBMP () function does not correctly parse the malformed data, resulting in a heap overflow vulnerability. 5 When decompressing a specially crafted .gif file, the CFAllocatorAllocate () function does not correctly parse the malformed data, resulting in a heap overflow vulnerability.
1) An error exists in the "BOMStackPop()" function in the
BOMArchiveHelper when decompressing malformed ZIP archives.
2) Some errors exists in the "KWQListIteratorImpl()", "drawText()",
and "objc_msgSend_rtp()" functions in Safari when processing
malformed HTML tags.
3) An error exists in the "ReadBMP()" function when processing
malformed BMP images and can be exploited via e.g. Safari or the
Preview application.
4) An error exists in the "CFAllocatorAllocate()" function when
processing malformed GIF images and can be exploited via e.g. Safari
when a user visits a malicious web site.
5) Two errors exists in the " _cg_TIFFSetField ()" and
"PredictorVSetField()" functions when processing malformed TIFF
images and can be exploited via e.g.
The vulnerabilities have been reported in version 10.4.6. Other
versions may also be affected.
SOLUTION:
Do not visit untrusted web sites, and do not open ZIP archives or
images originating from untrusted sources.
PROVIDED AND/OR DISCOVERED BY:
Tom Ferris
ORIGINAL ADVISORY:
Tom Ferris:
http://www.security-protocols.com/sp-x25-advisory.php
http://www.security-protocols.com/sp-x26-advisory.php
http://www.security-protocols.com/sp-x27-advisory.php
http://www.security-protocols.com/sp-x28-advisory.php
http://www.security-protocols.com/sp-x29-advisory.php
http://www.security-protocols.com/sp-x30-advisory.php
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200604-0270 | CVE-2006-1986 | Apple Safari Service disruption in (DoS) Vulnerabilities |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Apple Safari 2.0.3 allows remote attackers to cause a denial of service and possibly execute code via a large CELLSPACING attribute in a TABLE tag, which triggers an error in KWQListIteratorImpl::KWQListIteratorImpl. Apple Safari There is a service disruption (DoS) There are vulnerabilities that are put into a state.Service disruption by a third party (DoS) There is a possibility of being put into a state. Apple Mac OS X is reported prone to multiple security vulnerabilities.
These issue affect Mac OS X and various applications including Safari, Preview, Finder, QuickTime, and BOMArchiveHelper. A remote attacker may exploit these issues to execute arbitrary code and/or trigger a denial-of-service condition.
Apple Mac OS X 10.4.6 and prior are reported vulnerable to these issues. When parsing malformed .tiff graphic files, LZWDecodeVector(), _cg_TIFFSetField () or PredictorVSetField () functions do not correctly parse the malformed data, resulting in the failure to open the graphic Application crashes. The vulnerability is triggered by the core .tiff parsing engine, so Preview, Finder, QuickTime, and Safari are all possible attack vectors. 2 When decompressing a specially crafted .zip file, the BOMStackPop () function does not correctly parse the malformed data, resulting in a heap overflow vulnerability. 4 When decompressing a specially crafted .bmp file, the ReadBMP () function does not correctly parse the malformed data, resulting in a heap overflow vulnerability. 5 When decompressing a specially crafted .gif file, the CFAllocatorAllocate () function does not correctly parse the malformed data, resulting in a heap overflow vulnerability.
1) An error exists in the "BOMStackPop()" function in the
BOMArchiveHelper when decompressing malformed ZIP archives.
2) Some errors exists in the "KWQListIteratorImpl()", "drawText()",
and "objc_msgSend_rtp()" functions in Safari when processing
malformed HTML tags.
3) An error exists in the "ReadBMP()" function when processing
malformed BMP images and can be exploited via e.g. Safari or the
Preview application.
4) An error exists in the "CFAllocatorAllocate()" function when
processing malformed GIF images and can be exploited via e.g. Safari
when a user visits a malicious web site.
5) Two errors exists in the " _cg_TIFFSetField ()" and
"PredictorVSetField()" functions when processing malformed TIFF
images and can be exploited via e.g.
The vulnerabilities have been reported in version 10.4.6. Other
versions may also be affected.
SOLUTION:
Do not visit untrusted web sites, and do not open ZIP archives or
images originating from untrusted sources.
PROVIDED AND/OR DISCOVERED BY:
Tom Ferris
ORIGINAL ADVISORY:
Tom Ferris:
http://www.security-protocols.com/sp-x25-advisory.php
http://www.security-protocols.com/sp-x26-advisory.php
http://www.security-protocols.com/sp-x27-advisory.php
http://www.security-protocols.com/sp-x28-advisory.php
http://www.security-protocols.com/sp-x29-advisory.php
http://www.security-protocols.com/sp-x30-advisory.php
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200605-0212 | CVE-2006-1453 | Apple QuickTime QuickDraw Stack overflow vulnerability |
CVSS V2: 5.1 CVSS V3: - Severity: MEDIUM |
Stack-based buffer overflow in Apple QuickTime before 7.1 allows remote attackers to execute arbitrary code via a crafted QuickDraw PICT image format file containing malformed font information. Multiple integer-overflow and buffer-overflow vulnerabilities affect QuickTime.
Successful exploits will result in the execution of arbitrary code in the context of the currently logged-in user. Failed exploit attempts will likely cause denial-of-service conditions. Apple Mac OS X is reported prone to multiple security vulnerabilities.
These issue affect Mac OS X in the following applications or modules:
- AppKit
- ImageIO
- BOM
- CFNetwork
- ClamAV
- CoreFoundation
- CoreGraphics
- Finder
- FTPServer
- Flash Player
- ImageIO
- Keychain
- LaunchServices
- libcurl
- Mail
- MySQL Manager
- Preview
- QuickDraw
- QuickTime Streaming Server
- Ruby
- Safari
A remote attacker may exploit these issues to execute arbitrary code, trigger a denial-of-service condition, gain access to potentially sensitive information, or overwrite files. Other attacks may also be possible.
Apple Mac OS X 10.4.6 and prior are reported vulnerable to these issues. Apple QuickTime is a popular multimedia player that supports a wide variety of media formats. Malformed font information may cause stack overflow, and malformed graphics data may cause heap overflow. An attacker
could exploit these vulnerabilities by convincing a user to access
a specially crafted image or media file with a vulnerable version
of QuickTime. Since QuickTime configures most web browsers to
handle QuickTime media files, an attacker could exploit these
vulnerabilities using a web page.
Disable QuickTime in your web browser
An attacker may be able to exploit this vulnerability by persuading
a user to access a specially crafted file with a web
browser. Disabling QuickTime in your web browser will defend
against this attack vector. For more information, refer to the
Securing Your Web Browser document.
Appendix A. ____________________________________________________________________
McAfee, Inc.
McAfee Avert\x99 Labs Security Advisory
Public Release Date: 2006-05-11
Apple QuickDraw/QuickTime Multiple Vulnerabilities
CVE-2006-1249, CVE-2006-1453, CVE-2006-1454, CVE-2006-1459, CVE-2006-1460, CVE-2006-1461, CVE-2006-1462, CVE-2006-1464, CVE-2006-1465
______________________________________________________________________
* Synopsis
Apple QuickTime and Apple QuickDraw are multimedia technologies used to process image, audio and video data.
Two code execution vulnerabilities are present in QuickDraw PICT image format support.
Twenty one code execution vulnerabilities are present in QuickTime support for various multimedia formats including: MOV, H.264, MPEG 4, AVI, FPX and SWF. In order for an attack to succeed user interaction is required and therefore the risk factor for these issues is medium.
CVE-2006-1459
Seven integer overflow vulnerabilities are present in QuickTime MOV video format support.
CVE-2006-1460
Five buffer overflow vulnerabilities are present in QuickTime MOV video format support.
CVE-2006-1461
Two buffer overflow vulnerabilities are present in QuickTime Flash (SWF) support.
CVE-2006-1462
Three integer overflow vulnerabilities are presenting QuickTime H.264 (M4V) video format support.
CVE-2006-1464
One buffer overflow vulnerability is present in QuickTime MPEG4 (M4P) video format support.
CVE-2006-1465
One buffer overflow vulnerability is present in QuickTime AVI video format support.
______________________________________________________________________
* Legal Notice
Copyright (C) 2006 McAfee, Inc.
The information contained within this advisory is provided for the convenience of McAfee\x92s customers, and may be redistributed provided that no fee is charged for distribution and that the advisory is not modified in any way. McAfee makes no representations or warranties regarding the accuracy of the information referenced in this document, or the suitability of that information for your purposes.
McAfee, Inc. and/or its affiliated companies in the United States and/or other Countries. All other registered and unregistered trademarks in this document are the sole property of their respective owners.
______________________________________________________________________
.
1) An error in the AppKit framework allows an application to read
characters entered into secure text field in the same window
session.
2) Errors in the AppKit and ImageIO framework when processing GIF and
TIFF images can be exploited to crash an application or potentially
execute arbitrary code.
For more information:
SA19686
3) A boundary error within the BOM component when expanding archives
can be exploited to crash an application or potentially execute
arbitrary code.
For more information:
SA19686
4) An input validation error in the BOM component when expanding
archives can be exploited to cause files to be written to arbitrary
locations outside the specified directory via directory traversal
attacks.
5) An integer overflow error in the CFNetwork component when handling
chunked transfer encoding may allow execution of arbitrary code if a
user is tricked into visiting a malicious web site.
For more information:
SA19534
7) An error in the CoreFoundation component allows dynamic libraries
to load and execute when a bundle is registered. This can be
exploited to execute arbitrary code if an untrusted bundle is
registered.
8) An integer underflow error within the
"CFStringGetFileSystemRepresentation()" API during string conversion
may allow execution of arbitrary code.
9) An error in the CoreGraphics component allows an application in
the same window session to read characters entered into secure text
field when "Enable access for assistive devices" is enabled.
10) An error in Finder within the handling of Internet Location items
makes it possible to specify a different Internet Location type than
the actual URL scheme used.
11) Boundary errors in the FTPServer component when handling path
names can be exploited to malicious users to cause a buffer overflow,
which may allow execution of arbitrary code.
12) Various errors in the Flash Player makes it possible to
compromise a user's system via specially crafted Flash files.
For more information:
SA17430
SA19218
13) An integer overflow error in the ImageIO framework when
processing JPEG images can be exploited to crash an application or
potentially execute arbitrary code.
14) An error in the Keychain component allows an application to use
Keychain items even when the Keychain is locked. This requires that
the application has obtained a reference to a Keychain item before
the Keychain was locked.
15) An error in the LaunchServices component when processing long
filename extensions may allow bypassing of the Download Validation
functionality.
16) Boundary errors in the libcurl URL handling may allow execution
of arbitrary code.
For more information:
SA17907
17) An integer overflow error in the Mail component may allow
execution of arbitrary code when viewing a specially crafted email
message with MacMIME encapsulated attachments.
18) An error in the Mail component when handling invalid colour
information in enriched text email messages may allow execution of
arbitrary code.
19) An design error in MySQL Manager makes it possible to access the
MySQL database with an empty password as the MySQL password supplying
during initial setup is not used. This can
be exploited to crash an application and potentially execute arbitrary
code.
22) A NULL pointer dereference error in QuickTime Streaming Server
when processing QuickTime movies with a missing track can be
exploited to crash the application.
23) A boundary error in QuickTime Streaming Server when processing
RTSP requests can be exploited to crash the application or
potentially execute arbitrary code.
24) An error in Ruby can be exploited to bypass safe level
restrictions.
For more information:
SA16904
25) An error in Safari when handling archives with symbolic links may
place the symbolic links on a user's desktop. This requires that the
"Open 'safe' files after downloading" option is enabled.
SOLUTION:
Apply Security Update 2006-003.
13) The vendor credits Brent Simmons, NewsGator Technologies.
14) The vendor credits Tobias Hahn, HU Berlin.
19) The vendor credits Ben Low, University of New South Wales.
21) The vendor credits Mike Price, McAfee AVERT Labs.
23) Mu Security research team
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=303737
OTHER REFERENCES:
SA19686:
http://secunia.com/advisories/19686/
SA19534:
http://secunia.com/advisories/19534/
SA17430:
http://secunia.com/advisories/17430/
SA19218:
http://secunia.com/advisories/19218/
SA17907:
http://secunia.com/advisories/17907/
SA16904:
http://secunia.com/advisories/16904/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
Impacts of other vulnerabilities include bypassing security
restrictions and denial of service. Further details are available in the individual
Vulnerability Notes.
II. Impact
The impacts of these vulnerabilities vary. For information about
specific impacts, please see the Vulnerability Notes. Potential
consequences include remote execution of arbitrary code or commands,
bypass of security restrictions, and denial of service.
III. This and other updates are
available via Apple Update.
Please see the Vulnerability Notes for individual reporter
acknowledgements.
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA06-132A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA06-132A Feedback VU#519473" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2006 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
May 12, 2006: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBRGTxnX0pj593lg50AQKebgf+PTa7qCt6QQRcXGlJ3vjPFOdO1VNRMGr8
WOP8JKHbCK93O3E6YtHJ3nQTJBfyq169TQijWvoWvjjXM603DojGXUXgTBZFhTSG
c4L0jE2+nD3273nZXGPreFJAsPxK6me7d4Of/KQ/prJnUfrnWNxfrP90CmXRKNLD
+4eC4BEjNXCqpb0ki62WQM7NED6IgfgNZWfO7faTSRYNRdEyLAgetQxZVm5eepyK
BJO3rRBBRkOIkIIG5o/J5ViqgiuUP75N37QqTc7BtyzQR2OeWepytJvkMvJUBVAG
r0fLUKvhT4wdHxsNGVGCxLNf3NHG1UuWNO3UZ9MeBmREdmeT+K0l9A==
=cabu
-----END PGP SIGNATURE-----
.
http://www.apple.com/support/downloads/quicktime71.html
PROVIDED AND/OR DISCOVERED BY:
1) Reported by the vendor
VAR-200605-0213 | CVE-2006-1454 | Apple QuickTime QuickDraw Heap overflow vulnerability |
CVSS V2: 5.1 CVSS V3: - Severity: MEDIUM |
Heap-based buffer overflow in Apple QuickTime before 7.1 allows remote attackers to execute arbitrary code via a crafted QuickDraw PICT image format file with malformed image data. Multiple integer-overflow and buffer-overflow vulnerabilities affect QuickTime.
Successful exploits will result in the execution of arbitrary code in the context of the currently logged-in user. Failed exploit attempts will likely cause denial-of-service conditions. Apple Mac OS X is reported prone to multiple security vulnerabilities.
These issue affect Mac OS X in the following applications or modules:
- AppKit
- ImageIO
- BOM
- CFNetwork
- ClamAV
- CoreFoundation
- CoreGraphics
- Finder
- FTPServer
- Flash Player
- ImageIO
- Keychain
- LaunchServices
- libcurl
- Mail
- MySQL Manager
- Preview
- QuickDraw
- QuickTime Streaming Server
- Ruby
- Safari
A remote attacker may exploit these issues to execute arbitrary code, trigger a denial-of-service condition, gain access to potentially sensitive information, or overwrite files. Other attacks may also be possible.
Apple Mac OS X 10.4.6 and prior are reported vulnerable to these issues. Apple QuickTime is a popular multimedia player that supports a wide variety of media formats. Malformed font information may cause stack overflow, and malformed graphics data may cause heap overflow. An attacker
could exploit these vulnerabilities by convincing a user to access
a specially crafted image or media file with a vulnerable version
of QuickTime. Since QuickTime configures most web browsers to
handle QuickTime media files, an attacker could exploit these
vulnerabilities using a web page.
Disable QuickTime in your web browser
An attacker may be able to exploit this vulnerability by persuading
a user to access a specially crafted file with a web
browser. Disabling QuickTime in your web browser will defend
against this attack vector. For more information, refer to the
Securing Your Web Browser document.
Appendix A. ____________________________________________________________________
McAfee, Inc.
McAfee Avert\x99 Labs Security Advisory
Public Release Date: 2006-05-11
Apple QuickDraw/QuickTime Multiple Vulnerabilities
CVE-2006-1249, CVE-2006-1453, CVE-2006-1454, CVE-2006-1459, CVE-2006-1460, CVE-2006-1461, CVE-2006-1462, CVE-2006-1464, CVE-2006-1465
______________________________________________________________________
* Synopsis
Apple QuickTime and Apple QuickDraw are multimedia technologies used to process image, audio and video data.
Twenty one code execution vulnerabilities are present in QuickTime support for various multimedia formats including: MOV, H.264, MPEG 4, AVI, FPX and SWF. In order for an attack to succeed user interaction is required and therefore the risk factor for these issues is medium.
CVE-2006-1459
Seven integer overflow vulnerabilities are present in QuickTime MOV video format support.
CVE-2006-1460
Five buffer overflow vulnerabilities are present in QuickTime MOV video format support.
CVE-2006-1461
Two buffer overflow vulnerabilities are present in QuickTime Flash (SWF) support.
CVE-2006-1462
Three integer overflow vulnerabilities are presenting QuickTime H.264 (M4V) video format support.
CVE-2006-1464
One buffer overflow vulnerability is present in QuickTime MPEG4 (M4P) video format support.
CVE-2006-1465
One buffer overflow vulnerability is present in QuickTime AVI video format support.
______________________________________________________________________
* Legal Notice
Copyright (C) 2006 McAfee, Inc.
The information contained within this advisory is provided for the convenience of McAfee\x92s customers, and may be redistributed provided that no fee is charged for distribution and that the advisory is not modified in any way. McAfee makes no representations or warranties regarding the accuracy of the information referenced in this document, or the suitability of that information for your purposes.
McAfee, Inc. and/or its affiliated companies in the United States and/or other Countries. All other registered and unregistered trademarks in this document are the sole property of their respective owners.
______________________________________________________________________
.
1) An error in the AppKit framework allows an application to read
characters entered into secure text field in the same window
session.
2) Errors in the AppKit and ImageIO framework when processing GIF and
TIFF images can be exploited to crash an application or potentially
execute arbitrary code.
For more information:
SA19686
3) A boundary error within the BOM component when expanding archives
can be exploited to crash an application or potentially execute
arbitrary code.
For more information:
SA19686
4) An input validation error in the BOM component when expanding
archives can be exploited to cause files to be written to arbitrary
locations outside the specified directory via directory traversal
attacks.
5) An integer overflow error in the CFNetwork component when handling
chunked transfer encoding may allow execution of arbitrary code if a
user is tricked into visiting a malicious web site.
For more information:
SA19534
7) An error in the CoreFoundation component allows dynamic libraries
to load and execute when a bundle is registered. This can be
exploited to execute arbitrary code if an untrusted bundle is
registered.
8) An integer underflow error within the
"CFStringGetFileSystemRepresentation()" API during string conversion
may allow execution of arbitrary code.
9) An error in the CoreGraphics component allows an application in
the same window session to read characters entered into secure text
field when "Enable access for assistive devices" is enabled.
10) An error in Finder within the handling of Internet Location items
makes it possible to specify a different Internet Location type than
the actual URL scheme used.
11) Boundary errors in the FTPServer component when handling path
names can be exploited to malicious users to cause a buffer overflow,
which may allow execution of arbitrary code.
12) Various errors in the Flash Player makes it possible to
compromise a user's system via specially crafted Flash files.
For more information:
SA17430
SA19218
13) An integer overflow error in the ImageIO framework when
processing JPEG images can be exploited to crash an application or
potentially execute arbitrary code.
14) An error in the Keychain component allows an application to use
Keychain items even when the Keychain is locked. This requires that
the application has obtained a reference to a Keychain item before
the Keychain was locked.
15) An error in the LaunchServices component when processing long
filename extensions may allow bypassing of the Download Validation
functionality.
16) Boundary errors in the libcurl URL handling may allow execution
of arbitrary code.
For more information:
SA17907
17) An integer overflow error in the Mail component may allow
execution of arbitrary code when viewing a specially crafted email
message with MacMIME encapsulated attachments.
18) An error in the Mail component when handling invalid colour
information in enriched text email messages may allow execution of
arbitrary code.
19) An design error in MySQL Manager makes it possible to access the
MySQL database with an empty password as the MySQL password supplying
during initial setup is not used. This can
be exploited to crash an application and potentially execute arbitrary
code.
22) A NULL pointer dereference error in QuickTime Streaming Server
when processing QuickTime movies with a missing track can be
exploited to crash the application.
23) A boundary error in QuickTime Streaming Server when processing
RTSP requests can be exploited to crash the application or
potentially execute arbitrary code.
24) An error in Ruby can be exploited to bypass safe level
restrictions.
For more information:
SA16904
25) An error in Safari when handling archives with symbolic links may
place the symbolic links on a user's desktop. This requires that the
"Open 'safe' files after downloading" option is enabled.
SOLUTION:
Apply Security Update 2006-003.
13) The vendor credits Brent Simmons, NewsGator Technologies.
14) The vendor credits Tobias Hahn, HU Berlin.
19) The vendor credits Ben Low, University of New South Wales.
21) The vendor credits Mike Price, McAfee AVERT Labs.
23) Mu Security research team
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=303737
OTHER REFERENCES:
SA19686:
http://secunia.com/advisories/19686/
SA19534:
http://secunia.com/advisories/19534/
SA17430:
http://secunia.com/advisories/17430/
SA19218:
http://secunia.com/advisories/19218/
SA17907:
http://secunia.com/advisories/17907/
SA16904:
http://secunia.com/advisories/16904/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
Impacts of other vulnerabilities include bypassing security
restrictions and denial of service. Further details are available in the individual
Vulnerability Notes.
II. Impact
The impacts of these vulnerabilities vary. For information about
specific impacts, please see the Vulnerability Notes. Potential
consequences include remote execution of arbitrary code or commands,
bypass of security restrictions, and denial of service.
III. This and other updates are
available via Apple Update.
Please see the Vulnerability Notes for individual reporter
acknowledgements.
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA06-132A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA06-132A Feedback VU#519473" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2006 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
May 12, 2006: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBRGTxnX0pj593lg50AQKebgf+PTa7qCt6QQRcXGlJ3vjPFOdO1VNRMGr8
WOP8JKHbCK93O3E6YtHJ3nQTJBfyq169TQijWvoWvjjXM603DojGXUXgTBZFhTSG
c4L0jE2+nD3273nZXGPreFJAsPxK6me7d4Of/KQ/prJnUfrnWNxfrP90CmXRKNLD
+4eC4BEjNXCqpb0ki62WQM7NED6IgfgNZWfO7faTSRYNRdEyLAgetQxZVm5eepyK
BJO3rRBBRkOIkIIG5o/J5ViqgiuUP75N37QqTc7BtyzQR2OeWepytJvkMvJUBVAG
r0fLUKvhT4wdHxsNGVGCxLNf3NHG1UuWNO3UZ9MeBmREdmeT+K0l9A==
=cabu
-----END PGP SIGNATURE-----
.
http://www.apple.com/support/downloads/quicktime71.html
PROVIDED AND/OR DISCOVERED BY:
1) Reported by the vendor
VAR-200604-0349 | CVE-2006-1983 | Apple Mac OS X Multiple heap overflow vulnerabilities |
CVSS V2: 6.4 CVSS V3: - Severity: MEDIUM |
Multiple heap-based buffer overflows in Mac OS X 10.4.6 and earlier allow remote attackers to cause a denial of service and possibly execute arbitrary code via the (1) PredictorVSetField function for TIFF or (2) CFAllocatorAllocate function for GIF, as used in applications that use ImageIO or AppKit. NOTE: the BMP vector has been re-assigned to CVE-2006-2238 because it affects a separate product family. Apple Mac OS X is reported prone to multiple security vulnerabilities.
These issue affect Mac OS X and various applications including Safari, Preview, Finder, QuickTime, and BOMArchiveHelper. A remote attacker may exploit these issues to execute arbitrary code and/or trigger a denial-of-service condition.
Apple Mac OS X 10.4.6 and prior are reported vulnerable to these issues.
These issue affect Mac OS X in the following applications or modules:
- AppKit
- ImageIO
- BOM
- CFNetwork
- ClamAV
- CoreFoundation
- CoreGraphics
- Finder
- FTPServer
- Flash Player
- ImageIO
- Keychain
- LaunchServices
- libcurl
- Mail
- MySQL Manager
- Preview
- QuickDraw
- QuickTime Streaming Server
- Ruby
- Safari
A remote attacker may exploit these issues to execute arbitrary code, trigger a denial-of-service condition, gain access to potentially sensitive information, or overwrite files. Other attacks may also be possible. When parsing malformed .tiff graphic files, LZWDecodeVector(), _cg_TIFFSetField () or PredictorVSetField () functions do not correctly parse the malformed data, resulting in the failure to open the graphic Application crashes. The vulnerability is triggered by the core .tiff parsing engine, so Preview, Finder, QuickTime, and Safari are all possible attack vectors. 2 When decompressing a specially crafted .zip file, the BOMStackPop () function does not correctly parse the malformed data, resulting in a heap overflow vulnerability. 4 When decompressing a specially crafted .bmp file, the ReadBMP () function does not correctly parse the malformed data, resulting in a heap overflow vulnerability. 5 When decompressing a specially crafted .gif file, the CFAllocatorAllocate () function does not correctly parse the malformed data, resulting in a heap overflow vulnerability.
1) An error exists in the "BOMStackPop()" function in the
BOMArchiveHelper when decompressing malformed ZIP archives.
2) Some errors exists in the "KWQListIteratorImpl()", "drawText()",
and "objc_msgSend_rtp()" functions in Safari when processing
malformed HTML tags.
3) An error exists in the "ReadBMP()" function when processing
malformed BMP images and can be exploited via e.g. Safari or the
Preview application. Safari
when a user visits a malicious web site.
The vulnerabilities have been reported in version 10.4.6. Other
versions may also be affected.
SOLUTION:
Do not visit untrusted web sites, and do not open ZIP archives or
images originating from untrusted sources.
1) An error in the AppKit framework allows an application to read
characters entered into secure text field in the same window
session.
2) Errors in the AppKit and ImageIO framework when processing GIF and
TIFF images can be exploited to crash an application or potentially
execute arbitrary code.
For more information:
SA19686
3) A boundary error within the BOM component when expanding archives
can be exploited to crash an application or potentially execute
arbitrary code.
For more information:
SA19686
4) An input validation error in the BOM component when expanding
archives can be exploited to cause files to be written to arbitrary
locations outside the specified directory via directory traversal
attacks.
5) An integer overflow error in the CFNetwork component when handling
chunked transfer encoding may allow execution of arbitrary code if a
user is tricked into visiting a malicious web site.
6) Errors in ClamAV when processing specially crafted email messages
may allow execution of arbitrary code.
For more information:
SA19534
7) An error in the CoreFoundation component allows dynamic libraries
to load and execute when a bundle is registered.
8) An integer underflow error within the
"CFStringGetFileSystemRepresentation()" API during string conversion
may allow execution of arbitrary code.
9) An error in the CoreGraphics component allows an application in
the same window session to read characters entered into secure text
field when "Enable access for assistive devices" is enabled.
10) An error in Finder within the handling of Internet Location items
makes it possible to specify a different Internet Location type than
the actual URL scheme used. This may allow execution of arbitrary
code when launching an Internet Location item.
11) Boundary errors in the FTPServer component when handling path
names can be exploited to malicious users to cause a buffer overflow,
which may allow execution of arbitrary code.
12) Various errors in the Flash Player makes it possible to
compromise a user's system via specially crafted Flash files.
For more information:
SA17430
SA19218
13) An integer overflow error in the ImageIO framework when
processing JPEG images can be exploited to crash an application or
potentially execute arbitrary code.
14) An error in the Keychain component allows an application to use
Keychain items even when the Keychain is locked. This requires that
the application has obtained a reference to a Keychain item before
the Keychain was locked.
15) An error in the LaunchServices component when processing long
filename extensions may allow bypassing of the Download Validation
functionality.
16) Boundary errors in the libcurl URL handling may allow execution
of arbitrary code.
For more information:
SA17907
17) An integer overflow error in the Mail component may allow
execution of arbitrary code when viewing a specially crafted email
message with MacMIME encapsulated attachments.
18) An error in the Mail component when handling invalid colour
information in enriched text email messages may allow execution of
arbitrary code.
19) An design error in MySQL Manager makes it possible to access the
MySQL database with an empty password as the MySQL password supplying
during initial setup is not used.
20) A boundary error in the Preview component may allow execution of
arbitrary code via a stack-based buffer overflow when navigating a
specially crafted directory hierarchy.
21) Two boundary errors in the QuickDraw component when processing of
PICT images can be exploited to either cause a stack-based via a PICT
image with specially crafted font information or a heap-based buffer
overflow via a PICT image with specially crafted image data.
22) A NULL pointer dereference error in QuickTime Streaming Server
when processing QuickTime movies with a missing track can be
exploited to crash the application.
23) A boundary error in QuickTime Streaming Server when processing
RTSP requests can be exploited to crash the application or
potentially execute arbitrary code.
24) An error in Ruby can be exploited to bypass safe level
restrictions.
For more information:
SA16904
25) An error in Safari when handling archives with symbolic links may
place the symbolic links on a user's desktop. This requires that the
"Open 'safe' files after downloading" option is enabled.
SOLUTION:
Apply Security Update 2006-003.
13) The vendor credits Brent Simmons, NewsGator Technologies.
14) The vendor credits Tobias Hahn, HU Berlin.
19) The vendor credits Ben Low, University of New South Wales.
21) The vendor credits Mike Price, McAfee AVERT Labs.
23) Mu Security research team
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=303737
OTHER REFERENCES:
SA19686:
http://secunia.com/advisories/19686/
SA19534:
http://secunia.com/advisories/19534/
SA17430:
http://secunia.com/advisories/17430/
SA19218:
http://secunia.com/advisories/19218/
SA17907:
http://secunia.com/advisories/17907/
SA16904:
http://secunia.com/advisories/16904/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
Impacts of other vulnerabilities include bypassing security
restrictions and denial of service.
I. Further details are available in the individual
Vulnerability Notes.
II. Impact
The impacts of these vulnerabilities vary. For information about
specific impacts, please see the Vulnerability Notes. Potential
consequences include remote execution of arbitrary code or commands,
bypass of security restrictions, and denial of service.
III. This and other updates are
available via Apple Update.
Please see the Vulnerability Notes for individual reporter
acknowledgements.
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA06-132A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA06-132A Feedback VU#519473" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2006 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
May 12, 2006: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBRGTxnX0pj593lg50AQKebgf+PTa7qCt6QQRcXGlJ3vjPFOdO1VNRMGr8
WOP8JKHbCK93O3E6YtHJ3nQTJBfyq169TQijWvoWvjjXM603DojGXUXgTBZFhTSG
c4L0jE2+nD3273nZXGPreFJAsPxK6me7d4Of/KQ/prJnUfrnWNxfrP90CmXRKNLD
+4eC4BEjNXCqpb0ki62WQM7NED6IgfgNZWfO7faTSRYNRdEyLAgetQxZVm5eepyK
BJO3rRBBRkOIkIIG5o/J5ViqgiuUP75N37QqTc7BtyzQR2OeWepytJvkMvJUBVAG
r0fLUKvhT4wdHxsNGVGCxLNf3NHG1UuWNO3UZ9MeBmREdmeT+K0l9A==
=cabu
-----END PGP SIGNATURE-----
VAR-200604-0269 | CVE-2006-1985 | Apple Mac OS X Multiple heap overflow vulnerabilities |
CVSS V2: 5.1 CVSS V3: - Severity: MEDIUM |
Heap-based buffer overflow in BOM BOMArchiveHelper 10.4 (6.3) Build 312, as used in Mac OS X 10.4.6 and earlier, allows user-assisted attackers to execute arbitrary code via a crafted archive (such as ZIP) that contains long path names, which triggers an error in the BOMStackPop function. Apple Mac OS X is reported prone to multiple security vulnerabilities.
These issue affect Mac OS X and various applications including Safari, Preview, Finder, QuickTime, and BOMArchiveHelper. A remote attacker may exploit these issues to execute arbitrary code and/or trigger a denial-of-service condition.
Apple Mac OS X 10.4.6 and prior are reported vulnerable to these issues.
These issue affect Mac OS X in the following applications or modules:
- AppKit
- ImageIO
- BOM
- CFNetwork
- ClamAV
- CoreFoundation
- CoreGraphics
- Finder
- FTPServer
- Flash Player
- ImageIO
- Keychain
- LaunchServices
- libcurl
- Mail
- MySQL Manager
- Preview
- QuickDraw
- QuickTime Streaming Server
- Ruby
- Safari
A remote attacker may exploit these issues to execute arbitrary code, trigger a denial-of-service condition, gain access to potentially sensitive information, or overwrite files. Other attacks may also be possible. When parsing malformed .tiff graphic files, LZWDecodeVector(), _cg_TIFFSetField () or PredictorVSetField () functions do not correctly parse the malformed data, resulting in the failure to open the graphic Application crashes. The vulnerability is triggered by the core .tiff parsing engine, so Preview, Finder, QuickTime, and Safari are all possible attack vectors. 2 When decompressing a specially crafted .zip file, the BOMStackPop () function does not correctly parse the malformed data, resulting in a heap overflow vulnerability. 4 When decompressing a specially crafted .bmp file, the ReadBMP () function does not correctly parse the malformed data, resulting in a heap overflow vulnerability. 5 When decompressing a specially crafted .gif file, the CFAllocatorAllocate () function does not correctly parse the malformed data, resulting in a heap overflow vulnerability.
1) An error exists in the "BOMStackPop()" function in the
BOMArchiveHelper when decompressing malformed ZIP archives.
2) Some errors exists in the "KWQListIteratorImpl()", "drawText()",
and "objc_msgSend_rtp()" functions in Safari when processing
malformed HTML tags.
3) An error exists in the "ReadBMP()" function when processing
malformed BMP images and can be exploited via e.g. Safari or the
Preview application. Safari
when a user visits a malicious web site.
The vulnerabilities have been reported in version 10.4.6. Other
versions may also be affected.
SOLUTION:
Do not visit untrusted web sites, and do not open ZIP archives or
images originating from untrusted sources.
1) An error in the AppKit framework allows an application to read
characters entered into secure text field in the same window
session.
2) Errors in the AppKit and ImageIO framework when processing GIF and
TIFF images can be exploited to crash an application or potentially
execute arbitrary code.
For more information:
SA19686
3) A boundary error within the BOM component when expanding archives
can be exploited to crash an application or potentially execute
arbitrary code.
For more information:
SA19686
4) An input validation error in the BOM component when expanding
archives can be exploited to cause files to be written to arbitrary
locations outside the specified directory via directory traversal
attacks.
5) An integer overflow error in the CFNetwork component when handling
chunked transfer encoding may allow execution of arbitrary code if a
user is tricked into visiting a malicious web site.
6) Errors in ClamAV when processing specially crafted email messages
may allow execution of arbitrary code.
For more information:
SA19534
7) An error in the CoreFoundation component allows dynamic libraries
to load and execute when a bundle is registered.
8) An integer underflow error within the
"CFStringGetFileSystemRepresentation()" API during string conversion
may allow execution of arbitrary code.
9) An error in the CoreGraphics component allows an application in
the same window session to read characters entered into secure text
field when "Enable access for assistive devices" is enabled.
10) An error in Finder within the handling of Internet Location items
makes it possible to specify a different Internet Location type than
the actual URL scheme used. This may allow execution of arbitrary
code when launching an Internet Location item.
11) Boundary errors in the FTPServer component when handling path
names can be exploited to malicious users to cause a buffer overflow,
which may allow execution of arbitrary code.
12) Various errors in the Flash Player makes it possible to
compromise a user's system via specially crafted Flash files.
For more information:
SA17430
SA19218
13) An integer overflow error in the ImageIO framework when
processing JPEG images can be exploited to crash an application or
potentially execute arbitrary code.
14) An error in the Keychain component allows an application to use
Keychain items even when the Keychain is locked. This requires that
the application has obtained a reference to a Keychain item before
the Keychain was locked.
15) An error in the LaunchServices component when processing long
filename extensions may allow bypassing of the Download Validation
functionality.
16) Boundary errors in the libcurl URL handling may allow execution
of arbitrary code.
For more information:
SA17907
17) An integer overflow error in the Mail component may allow
execution of arbitrary code when viewing a specially crafted email
message with MacMIME encapsulated attachments.
18) An error in the Mail component when handling invalid colour
information in enriched text email messages may allow execution of
arbitrary code.
19) An design error in MySQL Manager makes it possible to access the
MySQL database with an empty password as the MySQL password supplying
during initial setup is not used.
20) A boundary error in the Preview component may allow execution of
arbitrary code via a stack-based buffer overflow when navigating a
specially crafted directory hierarchy.
21) Two boundary errors in the QuickDraw component when processing of
PICT images can be exploited to either cause a stack-based via a PICT
image with specially crafted font information or a heap-based buffer
overflow via a PICT image with specially crafted image data.
22) A NULL pointer dereference error in QuickTime Streaming Server
when processing QuickTime movies with a missing track can be
exploited to crash the application.
23) A boundary error in QuickTime Streaming Server when processing
RTSP requests can be exploited to crash the application or
potentially execute arbitrary code.
24) An error in Ruby can be exploited to bypass safe level
restrictions.
For more information:
SA16904
25) An error in Safari when handling archives with symbolic links may
place the symbolic links on a user's desktop. This requires that the
"Open 'safe' files after downloading" option is enabled.
SOLUTION:
Apply Security Update 2006-003.
13) The vendor credits Brent Simmons, NewsGator Technologies.
14) The vendor credits Tobias Hahn, HU Berlin.
19) The vendor credits Ben Low, University of New South Wales.
21) The vendor credits Mike Price, McAfee AVERT Labs.
23) Mu Security research team
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=303737
OTHER REFERENCES:
SA19686:
http://secunia.com/advisories/19686/
SA19534:
http://secunia.com/advisories/19534/
SA17430:
http://secunia.com/advisories/17430/
SA19218:
http://secunia.com/advisories/19218/
SA17907:
http://secunia.com/advisories/17907/
SA16904:
http://secunia.com/advisories/16904/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
Impacts of other vulnerabilities include bypassing security
restrictions and denial of service.
I. Further details are available in the individual
Vulnerability Notes.
II. Impact
The impacts of these vulnerabilities vary. For information about
specific impacts, please see the Vulnerability Notes. Potential
consequences include remote execution of arbitrary code or commands,
bypass of security restrictions, and denial of service.
III. This and other updates are
available via Apple Update.
Please see the Vulnerability Notes for individual reporter
acknowledgements.
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA06-132A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA06-132A Feedback VU#519473" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2006 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
May 12, 2006: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBRGTxnX0pj593lg50AQKebgf+PTa7qCt6QQRcXGlJ3vjPFOdO1VNRMGr8
WOP8JKHbCK93O3E6YtHJ3nQTJBfyq169TQijWvoWvjjXM603DojGXUXgTBZFhTSG
c4L0jE2+nD3273nZXGPreFJAsPxK6me7d4Of/KQ/prJnUfrnWNxfrP90CmXRKNLD
+4eC4BEjNXCqpb0ki62WQM7NED6IgfgNZWfO7faTSRYNRdEyLAgetQxZVm5eepyK
BJO3rRBBRkOIkIIG5o/J5ViqgiuUP75N37QqTc7BtyzQR2OeWepytJvkMvJUBVAG
r0fLUKvhT4wdHxsNGVGCxLNf3NHG1UuWNO3UZ9MeBmREdmeT+K0l9A==
=cabu
-----END PGP SIGNATURE-----
VAR-200604-0348 | CVE-2006-1982 | Apple Mac OS X Multiple heap overflow vulnerabilities |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Heap-based buffer overflow in the LZWDecodeVector function in Mac OS X before 10.4.6, as used in applications that use ImageIO or AppKit, allows remote attackers to execute arbitrary code via crafted TIFF images. Apple Mac OS X is reported prone to multiple security vulnerabilities.
These issue affect Mac OS X and various applications including Safari, Preview, Finder, QuickTime, and BOMArchiveHelper. A remote attacker may exploit these issues to execute arbitrary code and/or trigger a denial-of-service condition.
Apple Mac OS X 10.4.6 and prior are reported vulnerable to these issues.
These issue affect Mac OS X in the following applications or modules:
- AppKit
- ImageIO
- BOM
- CFNetwork
- ClamAV
- CoreFoundation
- CoreGraphics
- Finder
- FTPServer
- Flash Player
- ImageIO
- Keychain
- LaunchServices
- libcurl
- Mail
- MySQL Manager
- Preview
- QuickDraw
- QuickTime Streaming Server
- Ruby
- Safari
A remote attacker may exploit these issues to execute arbitrary code, trigger a denial-of-service condition, gain access to potentially sensitive information, or overwrite files. Other attacks may also be possible. When parsing malformed .tiff graphic files, LZWDecodeVector(), _cg_TIFFSetField () or PredictorVSetField () functions do not correctly parse the malformed data, resulting in the failure to open the graphic Application crashes. The vulnerability is triggered by the core .tiff parsing engine, so Preview, Finder, QuickTime, and Safari are all possible attack vectors. 2 When decompressing a specially crafted .zip file, the BOMStackPop () function does not correctly parse the malformed data, resulting in a heap overflow vulnerability. 4 When decompressing a specially crafted .bmp file, the ReadBMP () function does not correctly parse the malformed data, resulting in a heap overflow vulnerability. 5 When decompressing a specially crafted .gif file, the CFAllocatorAllocate () function does not correctly parse the malformed data, resulting in a heap overflow vulnerability.
1) An error exists in the "BOMStackPop()" function in the
BOMArchiveHelper when decompressing malformed ZIP archives.
2) Some errors exists in the "KWQListIteratorImpl()", "drawText()",
and "objc_msgSend_rtp()" functions in Safari when processing
malformed HTML tags.
3) An error exists in the "ReadBMP()" function when processing
malformed BMP images and can be exploited via e.g. Safari or the
Preview application. Safari
when a user visits a malicious web site.
The vulnerabilities have been reported in version 10.4.6. Other
versions may also be affected.
SOLUTION:
Do not visit untrusted web sites, and do not open ZIP archives or
images originating from untrusted sources.
1) An error in the AppKit framework allows an application to read
characters entered into secure text field in the same window
session.
2) Errors in the AppKit and ImageIO framework when processing GIF and
TIFF images can be exploited to crash an application or potentially
execute arbitrary code.
For more information:
SA19686
3) A boundary error within the BOM component when expanding archives
can be exploited to crash an application or potentially execute
arbitrary code.
For more information:
SA19686
4) An input validation error in the BOM component when expanding
archives can be exploited to cause files to be written to arbitrary
locations outside the specified directory via directory traversal
attacks.
5) An integer overflow error in the CFNetwork component when handling
chunked transfer encoding may allow execution of arbitrary code if a
user is tricked into visiting a malicious web site.
6) Errors in ClamAV when processing specially crafted email messages
may allow execution of arbitrary code.
For more information:
SA19534
7) An error in the CoreFoundation component allows dynamic libraries
to load and execute when a bundle is registered.
8) An integer underflow error within the
"CFStringGetFileSystemRepresentation()" API during string conversion
may allow execution of arbitrary code.
9) An error in the CoreGraphics component allows an application in
the same window session to read characters entered into secure text
field when "Enable access for assistive devices" is enabled.
10) An error in Finder within the handling of Internet Location items
makes it possible to specify a different Internet Location type than
the actual URL scheme used. This may allow execution of arbitrary
code when launching an Internet Location item.
11) Boundary errors in the FTPServer component when handling path
names can be exploited to malicious users to cause a buffer overflow,
which may allow execution of arbitrary code.
12) Various errors in the Flash Player makes it possible to
compromise a user's system via specially crafted Flash files.
For more information:
SA17430
SA19218
13) An integer overflow error in the ImageIO framework when
processing JPEG images can be exploited to crash an application or
potentially execute arbitrary code.
14) An error in the Keychain component allows an application to use
Keychain items even when the Keychain is locked. This requires that
the application has obtained a reference to a Keychain item before
the Keychain was locked.
15) An error in the LaunchServices component when processing long
filename extensions may allow bypassing of the Download Validation
functionality.
16) Boundary errors in the libcurl URL handling may allow execution
of arbitrary code.
For more information:
SA17907
17) An integer overflow error in the Mail component may allow
execution of arbitrary code when viewing a specially crafted email
message with MacMIME encapsulated attachments.
18) An error in the Mail component when handling invalid colour
information in enriched text email messages may allow execution of
arbitrary code.
19) An design error in MySQL Manager makes it possible to access the
MySQL database with an empty password as the MySQL password supplying
during initial setup is not used.
20) A boundary error in the Preview component may allow execution of
arbitrary code via a stack-based buffer overflow when navigating a
specially crafted directory hierarchy.
21) Two boundary errors in the QuickDraw component when processing of
PICT images can be exploited to either cause a stack-based via a PICT
image with specially crafted font information or a heap-based buffer
overflow via a PICT image with specially crafted image data.
22) A NULL pointer dereference error in QuickTime Streaming Server
when processing QuickTime movies with a missing track can be
exploited to crash the application.
23) A boundary error in QuickTime Streaming Server when processing
RTSP requests can be exploited to crash the application or
potentially execute arbitrary code.
24) An error in Ruby can be exploited to bypass safe level
restrictions.
For more information:
SA16904
25) An error in Safari when handling archives with symbolic links may
place the symbolic links on a user's desktop. This requires that the
"Open 'safe' files after downloading" option is enabled.
SOLUTION:
Apply Security Update 2006-003.
13) The vendor credits Brent Simmons, NewsGator Technologies.
14) The vendor credits Tobias Hahn, HU Berlin.
19) The vendor credits Ben Low, University of New South Wales.
21) The vendor credits Mike Price, McAfee AVERT Labs.
23) Mu Security research team
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=303737
OTHER REFERENCES:
SA19686:
http://secunia.com/advisories/19686/
SA19534:
http://secunia.com/advisories/19534/
SA17430:
http://secunia.com/advisories/17430/
SA19218:
http://secunia.com/advisories/19218/
SA17907:
http://secunia.com/advisories/17907/
SA16904:
http://secunia.com/advisories/16904/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
Impacts of other vulnerabilities include bypassing security
restrictions and denial of service.
I. Further details are available in the individual
Vulnerability Notes.
II. Impact
The impacts of these vulnerabilities vary. For information about
specific impacts, please see the Vulnerability Notes. Potential
consequences include remote execution of arbitrary code or commands,
bypass of security restrictions, and denial of service.
III. This and other updates are
available via Apple Update.
Please see the Vulnerability Notes for individual reporter
acknowledgements.
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA06-132A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA06-132A Feedback VU#519473" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2006 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
May 12, 2006: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBRGTxnX0pj593lg50AQKebgf+PTa7qCt6QQRcXGlJ3vjPFOdO1VNRMGr8
WOP8JKHbCK93O3E6YtHJ3nQTJBfyq169TQijWvoWvjjXM603DojGXUXgTBZFhTSG
c4L0jE2+nD3273nZXGPreFJAsPxK6me7d4Of/KQ/prJnUfrnWNxfrP90CmXRKNLD
+4eC4BEjNXCqpb0ki62WQM7NED6IgfgNZWfO7faTSRYNRdEyLAgetQxZVm5eepyK
BJO3rRBBRkOIkIIG5o/J5ViqgiuUP75N37QqTc7BtyzQR2OeWepytJvkMvJUBVAG
r0fLUKvhT4wdHxsNGVGCxLNf3NHG1UuWNO3UZ9MeBmREdmeT+K0l9A==
=cabu
-----END PGP SIGNATURE-----
VAR-200604-0268 | CVE-2006-1984 | Apple Mac OS X Multiple heap overflow vulnerabilities |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Unspecified vulnerability in the _cg_TIFFSetField function in Mac OS X 10.4.6 and earlier, as used in applications that use ImageIO or AppKit, allows remote attackers to cause a denial of service (application crash) via a crafted TIFF image that triggers a null dereference. Apple Mac OS X is reported prone to multiple security vulnerabilities.
These issue affect Mac OS X and various applications including Safari, Preview, Finder, QuickTime, and BOMArchiveHelper. A remote attacker may exploit these issues to execute arbitrary code and/or trigger a denial-of-service condition.
Apple Mac OS X 10.4.6 and prior are reported vulnerable to these issues.
These issue affect Mac OS X in the following applications or modules:
- AppKit
- ImageIO
- BOM
- CFNetwork
- ClamAV
- CoreFoundation
- CoreGraphics
- Finder
- FTPServer
- Flash Player
- ImageIO
- Keychain
- LaunchServices
- libcurl
- Mail
- MySQL Manager
- Preview
- QuickDraw
- QuickTime Streaming Server
- Ruby
- Safari
A remote attacker may exploit these issues to execute arbitrary code, trigger a denial-of-service condition, gain access to potentially sensitive information, or overwrite files. Other attacks may also be possible. When parsing malformed .tiff graphic files, LZWDecodeVector(), _cg_TIFFSetField () or PredictorVSetField () functions do not correctly parse the malformed data, resulting in the failure to open the graphic Application crashes. The vulnerability is triggered by the core .tiff parsing engine, so Preview, Finder, QuickTime, and Safari are all possible attack vectors. 2 When decompressing a specially crafted .zip file, the BOMStackPop () function does not correctly parse the malformed data, resulting in a heap overflow vulnerability. 4 When decompressing a specially crafted .bmp file, the ReadBMP () function does not correctly parse the malformed data, resulting in a heap overflow vulnerability. 5 When decompressing a specially crafted .gif file, the CFAllocatorAllocate () function does not correctly parse the malformed data, resulting in a heap overflow vulnerability.
1) An error exists in the "BOMStackPop()" function in the
BOMArchiveHelper when decompressing malformed ZIP archives.
2) Some errors exists in the "KWQListIteratorImpl()", "drawText()",
and "objc_msgSend_rtp()" functions in Safari when processing
malformed HTML tags.
3) An error exists in the "ReadBMP()" function when processing
malformed BMP images and can be exploited via e.g. Safari or the
Preview application. Safari
when a user visits a malicious web site.
The vulnerabilities have been reported in version 10.4.6. Other
versions may also be affected.
SOLUTION:
Do not visit untrusted web sites, and do not open ZIP archives or
images originating from untrusted sources.
1) An error in the AppKit framework allows an application to read
characters entered into secure text field in the same window
session.
2) Errors in the AppKit and ImageIO framework when processing GIF and
TIFF images can be exploited to crash an application or potentially
execute arbitrary code.
For more information:
SA19686
3) A boundary error within the BOM component when expanding archives
can be exploited to crash an application or potentially execute
arbitrary code.
For more information:
SA19686
4) An input validation error in the BOM component when expanding
archives can be exploited to cause files to be written to arbitrary
locations outside the specified directory via directory traversal
attacks.
5) An integer overflow error in the CFNetwork component when handling
chunked transfer encoding may allow execution of arbitrary code if a
user is tricked into visiting a malicious web site.
6) Errors in ClamAV when processing specially crafted email messages
may allow execution of arbitrary code.
For more information:
SA19534
7) An error in the CoreFoundation component allows dynamic libraries
to load and execute when a bundle is registered.
8) An integer underflow error within the
"CFStringGetFileSystemRepresentation()" API during string conversion
may allow execution of arbitrary code.
9) An error in the CoreGraphics component allows an application in
the same window session to read characters entered into secure text
field when "Enable access for assistive devices" is enabled.
10) An error in Finder within the handling of Internet Location items
makes it possible to specify a different Internet Location type than
the actual URL scheme used. This may allow execution of arbitrary
code when launching an Internet Location item.
11) Boundary errors in the FTPServer component when handling path
names can be exploited to malicious users to cause a buffer overflow,
which may allow execution of arbitrary code.
12) Various errors in the Flash Player makes it possible to
compromise a user's system via specially crafted Flash files.
For more information:
SA17430
SA19218
13) An integer overflow error in the ImageIO framework when
processing JPEG images can be exploited to crash an application or
potentially execute arbitrary code.
14) An error in the Keychain component allows an application to use
Keychain items even when the Keychain is locked. This requires that
the application has obtained a reference to a Keychain item before
the Keychain was locked.
15) An error in the LaunchServices component when processing long
filename extensions may allow bypassing of the Download Validation
functionality.
16) Boundary errors in the libcurl URL handling may allow execution
of arbitrary code.
For more information:
SA17907
17) An integer overflow error in the Mail component may allow
execution of arbitrary code when viewing a specially crafted email
message with MacMIME encapsulated attachments.
18) An error in the Mail component when handling invalid colour
information in enriched text email messages may allow execution of
arbitrary code.
19) An design error in MySQL Manager makes it possible to access the
MySQL database with an empty password as the MySQL password supplying
during initial setup is not used.
20) A boundary error in the Preview component may allow execution of
arbitrary code via a stack-based buffer overflow when navigating a
specially crafted directory hierarchy.
21) Two boundary errors in the QuickDraw component when processing of
PICT images can be exploited to either cause a stack-based via a PICT
image with specially crafted font information or a heap-based buffer
overflow via a PICT image with specially crafted image data.
22) A NULL pointer dereference error in QuickTime Streaming Server
when processing QuickTime movies with a missing track can be
exploited to crash the application.
23) A boundary error in QuickTime Streaming Server when processing
RTSP requests can be exploited to crash the application or
potentially execute arbitrary code.
24) An error in Ruby can be exploited to bypass safe level
restrictions.
For more information:
SA16904
25) An error in Safari when handling archives with symbolic links may
place the symbolic links on a user's desktop. This requires that the
"Open 'safe' files after downloading" option is enabled.
SOLUTION:
Apply Security Update 2006-003.
13) The vendor credits Brent Simmons, NewsGator Technologies.
14) The vendor credits Tobias Hahn, HU Berlin.
19) The vendor credits Ben Low, University of New South Wales.
21) The vendor credits Mike Price, McAfee AVERT Labs.
23) Mu Security research team
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=303737
OTHER REFERENCES:
SA19686:
http://secunia.com/advisories/19686/
SA19534:
http://secunia.com/advisories/19534/
SA17430:
http://secunia.com/advisories/17430/
SA19218:
http://secunia.com/advisories/19218/
SA17907:
http://secunia.com/advisories/17907/
SA16904:
http://secunia.com/advisories/16904/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
Impacts of other vulnerabilities include bypassing security
restrictions and denial of service.
I. Further details are available in the individual
Vulnerability Notes.
II. Impact
The impacts of these vulnerabilities vary. For information about
specific impacts, please see the Vulnerability Notes. Potential
consequences include remote execution of arbitrary code or commands,
bypass of security restrictions, and denial of service.
III. This and other updates are
available via Apple Update.
Please see the Vulnerability Notes for individual reporter
acknowledgements.
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA06-132A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA06-132A Feedback VU#519473" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2006 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
May 12, 2006: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBRGTxnX0pj593lg50AQKebgf+PTa7qCt6QQRcXGlJ3vjPFOdO1VNRMGr8
WOP8JKHbCK93O3E6YtHJ3nQTJBfyq169TQijWvoWvjjXM603DojGXUXgTBZFhTSG
c4L0jE2+nD3273nZXGPreFJAsPxK6me7d4Of/KQ/prJnUfrnWNxfrP90CmXRKNLD
+4eC4BEjNXCqpb0ki62WQM7NED6IgfgNZWfO7faTSRYNRdEyLAgetQxZVm5eepyK
BJO3rRBBRkOIkIIG5o/J5ViqgiuUP75N37QqTc7BtyzQR2OeWepytJvkMvJUBVAG
r0fLUKvhT4wdHxsNGVGCxLNf3NHG1UuWNO3UZ9MeBmREdmeT+K0l9A==
=cabu
-----END PGP SIGNATURE-----
VAR-200603-0217 | CVE-2006-1552 | Apple deformity JPEG Metadata Buffer Overflow Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Integer overflow in ImageIO in Apple Mac OS X 10.4 up to 10.4.5 allows remote attackers to cause a denial of service (crash) via a crafted JPEG image with malformed JPEG metadata, as demonstrated using Safari, aka "Deja-Doom". ImageIO is susceptible to a remote denial-of-service vulnerability. This issue is do to a failure to properly process malicious image files.
This issue allows remote users to crash applications that use the ImageIO API, denying further service to users. Apple Mac OS X is reported prone to multiple security vulnerabilities.
These issue affect Mac OS X in the following applications or modules:
- AppKit
- ImageIO
- BOM
- CFNetwork
- ClamAV
- CoreFoundation
- CoreGraphics
- Finder
- FTPServer
- Flash Player
- ImageIO
- Keychain
- LaunchServices
- libcurl
- Mail
- MySQL Manager
- Preview
- QuickDraw
- QuickTime Streaming Server
- Ruby
- Safari
A remote attacker may exploit these issues to execute arbitrary code, trigger a denial-of-service condition, gain access to potentially sensitive information, or overwrite files. Other attacks may also be possible.
Apple Mac OS X 10.4.6 and prior are reported vulnerable to these issues. Appe QuickTime is a popular multimedia player that supports many media formats. Similar to using Safari.
1) An error in the AppKit framework allows an application to read
characters entered into secure text field in the same window
session.
2) Errors in the AppKit and ImageIO framework when processing GIF and
TIFF images can be exploited to crash an application or potentially
execute arbitrary code.
For more information:
SA19686
3) A boundary error within the BOM component when expanding archives
can be exploited to crash an application or potentially execute
arbitrary code.
For more information:
SA19686
4) An input validation error in the BOM component when expanding
archives can be exploited to cause files to be written to arbitrary
locations outside the specified directory via directory traversal
attacks.
5) An integer overflow error in the CFNetwork component when handling
chunked transfer encoding may allow execution of arbitrary code if a
user is tricked into visiting a malicious web site.
6) Errors in ClamAV when processing specially crafted email messages
may allow execution of arbitrary code.
For more information:
SA19534
7) An error in the CoreFoundation component allows dynamic libraries
to load and execute when a bundle is registered. This can be
exploited to execute arbitrary code if an untrusted bundle is
registered.
8) An integer underflow error within the
"CFStringGetFileSystemRepresentation()" API during string conversion
may allow execution of arbitrary code.
9) An error in the CoreGraphics component allows an application in
the same window session to read characters entered into secure text
field when "Enable access for assistive devices" is enabled.
10) An error in Finder within the handling of Internet Location items
makes it possible to specify a different Internet Location type than
the actual URL scheme used. This may allow execution of arbitrary
code when launching an Internet Location item.
11) Boundary errors in the FTPServer component when handling path
names can be exploited to malicious users to cause a buffer overflow,
which may allow execution of arbitrary code.
12) Various errors in the Flash Player makes it possible to
compromise a user's system via specially crafted Flash files.
For more information:
SA17430
SA19218
13) An integer overflow error in the ImageIO framework when
processing JPEG images can be exploited to crash an application or
potentially execute arbitrary code.
14) An error in the Keychain component allows an application to use
Keychain items even when the Keychain is locked. This requires that
the application has obtained a reference to a Keychain item before
the Keychain was locked.
15) An error in the LaunchServices component when processing long
filename extensions may allow bypassing of the Download Validation
functionality.
16) Boundary errors in the libcurl URL handling may allow execution
of arbitrary code.
For more information:
SA17907
17) An integer overflow error in the Mail component may allow
execution of arbitrary code when viewing a specially crafted email
message with MacMIME encapsulated attachments.
18) An error in the Mail component when handling invalid colour
information in enriched text email messages may allow execution of
arbitrary code.
19) An design error in MySQL Manager makes it possible to access the
MySQL database with an empty password as the MySQL password supplying
during initial setup is not used.
20) A boundary error in the Preview component may allow execution of
arbitrary code via a stack-based buffer overflow when navigating a
specially crafted directory hierarchy.
21) Two boundary errors in the QuickDraw component when processing of
PICT images can be exploited to either cause a stack-based via a PICT
image with specially crafted font information or a heap-based buffer
overflow via a PICT image with specially crafted image data. This can
be exploited to crash an application and potentially execute arbitrary
code.
22) A NULL pointer dereference error in QuickTime Streaming Server
when processing QuickTime movies with a missing track can be
exploited to crash the application.
23) A boundary error in QuickTime Streaming Server when processing
RTSP requests can be exploited to crash the application or
potentially execute arbitrary code.
24) An error in Ruby can be exploited to bypass safe level
restrictions.
For more information:
SA16904
25) An error in Safari when handling archives with symbolic links may
place the symbolic links on a user's desktop. This requires that the
"Open 'safe' files after downloading" option is enabled.
SOLUTION:
Apply Security Update 2006-003.
13) The vendor credits Brent Simmons, NewsGator Technologies.
14) The vendor credits Tobias Hahn, HU Berlin.
19) The vendor credits Ben Low, University of New South Wales.
21) The vendor credits Mike Price, McAfee AVERT Labs.
23) Mu Security research team
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=303737
OTHER REFERENCES:
SA19686:
http://secunia.com/advisories/19686/
SA19534:
http://secunia.com/advisories/19534/
SA17430:
http://secunia.com/advisories/17430/
SA19218:
http://secunia.com/advisories/19218/
SA17907:
http://secunia.com/advisories/17907/
SA16904:
http://secunia.com/advisories/16904/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
Impacts of other vulnerabilities include bypassing security
restrictions and denial of service.
I. Further details are available in the individual
Vulnerability Notes.
II. Impact
The impacts of these vulnerabilities vary. For information about
specific impacts, please see the Vulnerability Notes. Potential
consequences include remote execution of arbitrary code or commands,
bypass of security restrictions, and denial of service.
III. This and other updates are
available via Apple Update.
Please see the Vulnerability Notes for individual reporter
acknowledgements.
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA06-132A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA06-132A Feedback VU#519473" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2006 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
May 12, 2006: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBRGTxnX0pj593lg50AQKebgf+PTa7qCt6QQRcXGlJ3vjPFOdO1VNRMGr8
WOP8JKHbCK93O3E6YtHJ3nQTJBfyq169TQijWvoWvjjXM603DojGXUXgTBZFhTSG
c4L0jE2+nD3273nZXGPreFJAsPxK6me7d4Of/KQ/prJnUfrnWNxfrP90CmXRKNLD
+4eC4BEjNXCqpb0ki62WQM7NED6IgfgNZWfO7faTSRYNRdEyLAgetQxZVm5eepyK
BJO3rRBBRkOIkIIG5o/J5ViqgiuUP75N37QqTc7BtyzQR2OeWepytJvkMvJUBVAG
r0fLUKvhT4wdHxsNGVGCxLNf3NHG1UuWNO3UZ9MeBmREdmeT+K0l9A==
=cabu
-----END PGP SIGNATURE-----
VAR-200604-0271 | CVE-2006-1987 | Apple Safari Service disruption in (DoS) Vulnerabilities |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Apple Safari 2.0.3 allows remote attackers to cause a denial of service and possibly execute code via an invalid FRAME tag, possibly due to (1) multiple SCROLLING attributes with no values, or (2) a SRC attribute with no value. NOTE: due to lack of diagnosis by the researcher, it is unclear which vector is responsible. Apple Safari There is a service disruption (DoS) There are vulnerabilities that are put into a state.Service disruption by a third party (DoS) There is a possibility of being put into a state. Apple Mac OS X is reported prone to multiple security vulnerabilities.
These issue affect Mac OS X and various applications including Safari, Preview, Finder, QuickTime, and BOMArchiveHelper. A remote attacker may exploit these issues to execute arbitrary code and/or trigger a denial-of-service condition.
Apple Mac OS X 10.4.6 and prior are reported vulnerable to these issues. When parsing malformed .tiff graphic files, LZWDecodeVector(), _cg_TIFFSetField () or PredictorVSetField () functions do not correctly parse the malformed data, resulting in the failure to open the graphic Application crashes. The vulnerability is triggered by the core .tiff parsing engine, so Preview, Finder, QuickTime, and Safari are all possible attack vectors. 2 When decompressing a specially crafted .zip file, the BOMStackPop () function does not correctly parse the malformed data, resulting in a heap overflow vulnerability. 4 When decompressing a specially crafted .bmp file, the ReadBMP () function does not correctly parse the malformed data, resulting in a heap overflow vulnerability. 5 When decompressing a specially crafted .gif file, the CFAllocatorAllocate () function does not correctly parse the malformed data, resulting in a heap overflow vulnerability.
1) An error exists in the "BOMStackPop()" function in the
BOMArchiveHelper when decompressing malformed ZIP archives.
2) Some errors exists in the "KWQListIteratorImpl()", "drawText()",
and "objc_msgSend_rtp()" functions in Safari when processing
malformed HTML tags.
3) An error exists in the "ReadBMP()" function when processing
malformed BMP images and can be exploited via e.g. Safari or the
Preview application.
4) An error exists in the "CFAllocatorAllocate()" function when
processing malformed GIF images and can be exploited via e.g. Safari
when a user visits a malicious web site.
5) Two errors exists in the " _cg_TIFFSetField ()" and
"PredictorVSetField()" functions when processing malformed TIFF
images and can be exploited via e.g.
The vulnerabilities have been reported in version 10.4.6. Other
versions may also be affected.
SOLUTION:
Do not visit untrusted web sites, and do not open ZIP archives or
images originating from untrusted sources.
PROVIDED AND/OR DISCOVERED BY:
Tom Ferris
ORIGINAL ADVISORY:
Tom Ferris:
http://www.security-protocols.com/sp-x25-advisory.php
http://www.security-protocols.com/sp-x26-advisory.php
http://www.security-protocols.com/sp-x27-advisory.php
http://www.security-protocols.com/sp-x28-advisory.php
http://www.security-protocols.com/sp-x29-advisory.php
http://www.security-protocols.com/sp-x30-advisory.php
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200810-0184 | CVE-2008-3271 | Apache Tomcat allows access from a non-permitted IP address |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Apache Tomcat 5.5.0 and 4.1.0 through 4.1.31 allows remote attackers to bypass an IP address restriction and obtain sensitive information via a request that is processed concurrently with another request but in a different thread, leading to an instance-variable overwrite associated with a "synchronization problem" and lack of thread safety, and related to RemoteFilterValve, RemoteAddrValve, and RemoteHostValve. Apache Tomcat from The Apache Software Foundation contains a vulnerability which may allow a user from a non-premitted IP address to gain access. Apache Tomcat from the Apache Software Foundation is an implementation of the Java Servlet and JavaServer Page (JSP) technologies. Apache Tomcat contains a vulnerability which may allow a user from a non-permitted IP address to gain access to a protected context. This vulnerability was addressed and solved in ASF Bugzilla - Bug 25835. However there was no description regarding this vulnerability in ASF Bugzilla - Bug 25835. Therefore, The Apache Tomcat Development Team has decided to publish an advisory regarding this issue. Kenichi Tsukamoto of Development Dept. II Application Management Middleware Div. FUJITSU LIMITED reported this vulnerability to IPA. JPCERT/CC coordinated with The Apache Software Foundation and the vendors under Information Security Early Warning Partnership.Impact varies depending on the accessed context by the non-permitted IP address. For example information disclosure may be possible as a result. Apache Tomcat is prone to a security-bypass vulnerability related to extensions of 'RemoteFilterValve'.
Attackers may be able to bypass certain access restrictions.
The following versions are vulnerable:
Tomcat 4.1.0 through 4.1.32
Tomcat 5.5.0.
TITLE:
Apache Tomcat Directory Listing Denial of Service
SECUNIA ADVISORY ID:
SA17416
VERIFY ADVISORY:
http://secunia.com/advisories/17416/
CRITICAL:
Not critical
IMPACT:
DoS
WHERE:
>From remote
SOFTWARE:
Apache Tomcat 5.x
http://secunia.com/product/3571/
DESCRIPTION:
David Maciejak has discovered a vulnerability in Apache Tomcat, which
can be exploited by malicious people to cause a DoS (Denial of
Service).
The vulnerability is caused due to the inefficient generation of
directory listing for web directories that has a large number of
files. By sending multiple concurrent requests for such a directory,
it is possible to prevent other users from accessing the directory
and causes the server to consume a large amount of CPU resources. The
vulnerability affects only the directory that is being listed. Files
or applications in other web directories are not affected.
Successful exploitation requires that directory listing is enabled in
a directory with a large number of files.
The vulnerability has been confirmed in Tomcat version 5.5.11 and
5.5.12 on the Windows platform, and has been reported in versions
5.5.0 through 5.5.11. Other versions may also be affected.
Note: In version 5.5.12, the server will resume normal operation
after a few minutes.
SOLUTION:
The vulnerability has been partially addressed in version 5.5.12,
which will resume normal operation after a few minutes.
Disable directory listing for web directories that has a large number
of files.
PROVIDED AND/OR DISCOVERED BY:
David Maciejak
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
Mitigation:
Upgrade to:
4.1.32 or later
5.5.1 or later
6.0.0 or later
Example:
This has only been reproduced using a debugger to force a particular
processing sequence across two threads.
1. Set a breakpoint right after the place where a value
is to be entered in the instance variable of regexp
(search:org.apache.regexp.CharacterIterator).
2. Send a request from the IP address* which is not permitted.
(stopped at the breakpoint)
*About the IP address which is not permitted.
The character strings length of the IP address which is set
in RemoteAddrValve must be same.
3. Send a request from the IP address which was set in
RemoteAddrValve.
(stopped at the breakpoint)
In this way, the instance variable is to be overwritten here.
4. Resume the thread which is processing the step 2 above.
5. The request from the not permitted IP address will succeed.
References:
http://tomcat.apache.org/security.html
Mark Thomas
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iEYEARECAAYFAkjuibsACgkQb7IeiTPGAkO33wCgiBY0nBdTaXBC8oPoHqMWH4mt
OtgAmQHjgnxg0vKKSp43vez8XaBIZpOj
=9Z/F
-----END PGP SIGNATURE-----
.
Apache Tomcat 5.x:
Update to version 5.5.1 or later.
SOLUTION:
Patches are scheduled for release.
Use a proxy or firewall to protect resources.
Version 5.5.x is intented for servlet/jsp specification 2.4/2.0.
More information on http://tomcat.apache.org/
Description:
Many time consuming directory listing requests can cause a denial of service.
Detection/PoC:
On Linux:
Vulnerable version tested are 5.5.0 to 5.5.11.
5.5.12 and 5.0.28 seems not to be impacted.
A easy way to test :
-Download Tomcat package from Tomcat archive
-Unpack it, use default configuration
-In webapps example dir, add some empty files (enough for the dir listing
request to be long)
-Thread many listing access on this directory
Workaround:
Upgrade to linux version 5.5.12
PS: Secunia team have done more test available on
http://secunia.com/advisories/17416/
David Maciejak
--------------------------------------------------------------------------------
KYXAR.FR - Mail envoy\xe9 depuis http://webmail.kyxar.fr
. ----------------------------------------------------------------------
Do you have VARM strategy implemented?
(Vulnerability Assessment Remediation Management)
If not, then implement it through the most reliable vulnerability
intelligence source on the market.
Implement it through Secunia.
For more information visit:
http://secunia.com/advisories/business_solutions/
Alternatively request a call from a Secunia representative today to
discuss how we can help you with our capabilities contact us at:
sales@secunia.com
----------------------------------------------------------------------
TITLE:
NEC WebOTX Products "RemoteFilterValve" Security Bypass Security
Issue
SECUNIA ADVISORY ID:
SA35684
VERIFY ADVISORY:
http://secunia.com/advisories/35684/
DESCRIPTION:
A security issue has been reported in various NEC WebOTX products,
which potentially can be exploited by malicious people to bypass
certain security restrictions.
The security issue is caused due to a synchronisation problem when
checking IP addresses and can be exploited to bypass a filter valve
that extends "RemoteFilterValve" and potentially gain access to
protected contexts.
The security issue is reported in the following products and
versions:
* WebOTX Web Edition version 4.x through 5.x
* WebOTX Standard-J Edition version 4.x through 5.x
* WebOTX Standard Edition version 4.x through 5.x
* WebOTX Enterprise Edition version 4.x through 5.x
* WebOTX UDDI Registry version 1.1 through 2.1
SOLUTION:
Reportedly, patches are available. Contact the vendor's sales
department for more information.
For more information:
SA32213
SOLUTION:
Apply updated packages via YaST Online Update or the SUSE FTP server
VAR-200512-0001 | CVE-2005-1939 | IPSwitch WhatsUp Small Business 2004 Reporting Service Directory Traversal Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Directory traversal vulnerability in Ipswitch WhatsUp Small Business 2004 allows remote attackers to read arbitrary files via ".." (dot dot) sequences in a request to the Report service (TCP 8022). Successful exploitation could allow a remote attacker to gain access to files outside the Web root. Sensitive information may be obtained in this manner. A remote attacker can read any document.
Example:
http://[host]:8022/../../../../../[file]
SOLUTION:
Restrict access to the vulnerable service.
PROVIDED AND/OR DISCOVERED BY:
Independently discovered by:
* Dennis Rand, Cirt.dk.
* Carsten Eiram, Secunia Research.
ORIGINAL ADVISORY:
Secunia Research:
http://secunia.com/secunia_research/2005-14/
Cirt.dk:
http://cirt.dk/advisories/cirt-40-advisory.pdf
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200511-0172 | CVE-2005-2753 | Apple QuickTime Embedded Pascal Style Remote Integer Overflow Vulnerability |
CVSS V2: 5.1 CVSS V3: - Severity: MEDIUM |
Integer overflow in Apple QuickTime before 7.0.3 allows user-assisted attackers to execute arbitrary code via a crafted MOV file that causes a sign extension of the length element in a Pascal style string. This issue is due to a failure of the application to properly validate integer signed-ness prior to using it to carry out critical operations.
An attacker may leverage this issue to cause the affected QuickTime client to crash, denying service to legitimate users. It has been speculated that this issue may also facilitate code execution; any code execution would occur with the privileges of the user that activated the affected software.
This issue affects both Microsoft Windows, and Apple versions of QuickTime.
CVE-ID: CVE-2005-2753
Original location:
http://pb.specialised.info/all/adv/quicktime-mov-io1-adv.txt
Severity: Critical - remote code execution.
Software affected: QuickTime package 7.0.1 for Mac OS X 10.3
QuickTime package 7.0.1 for Mac OS X 10.4
QuickTime package 6.5.2 for Mac OS X 10.3
QuickTime package 6.5.2 for Mac OS X 10.2
QuickTime package 7* for Windows
Older versions may be also vulnerable.
Note: Following versions are not vulnerable, due to
the fact I have reported the vulnerabilities
before their releases:
QuickTime package 7.0.2 for Mac OS X 10.3
QuickTime package 7.0.2 for Mac OS X 10.4
0. DISCLAIMER
Author takes no responsibility for any actions with provided
informations or codes. The copyright for any material created by the
author is reserved. Any duplication of codes or texts provided here in
electronic or printed publications is not permitted without the author's
agreement.
I. BACKGROUND
Apple QuickTime Player is one of the Apple QuickTime components
used by hundreds of millions of users.
II.
A sign extension of an embedded "Pascal" style string could result in
a very large memory copy, which lead to potencial memory overwrite.
The vulnerability may lead to remote code execution when specially
crafted video file (MOV file) is being loaded.
III. POC CODE
Due to severity of this bug i will not release any proof of concept
codes for this issue.
IV. VENDOR RESPONSE
Vendor (Apple) has been noticed and released all necessary patches.
best regards,
Piotr Bania
--
--------------------------------------------------------------------
Piotr Bania - <bania.piotr@gmail.com> - 0xCD, 0x19
Fingerprint: 413E 51C7 912E 3D4E A62A BFA4 1FF6 689F BE43 AC33
http://pb.specialised.info - Key ID: 0xBE43AC33
--------------------------------------------------------------------
" Dinanzi a me non fuor cose create
se non etterne, e io etterno duro.
Lasciate ogne speranza, voi ch'intrate "
- Dante, Inferno Canto III
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
.
TITLE:
Apple QuickTime Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA17428
VERIFY ADVISORY:
http://secunia.com/advisories/17428/
CRITICAL:
Highly critical
IMPACT:
DoS, System access
WHERE:
>From remote
SOFTWARE:
Apple QuickTime 7.x
http://secunia.com/product/5090/
Apple Quicktime 6.x
http://secunia.com/product/810/
DESCRIPTION:
Piotr Bania has reported some vulnerabilities in Apple QuickTime,
which can be exploited by malicious people to cause a DoS (Denial of
Service) and potentially to compromise a user's system.
2) An integer overflow error exists in the handling of certain movie
attributes when loading a ".mov" video file.
3) A NULL pointer dereferencing error exists when handling certain
missing movie attributes from a video file.
4) A boundary error exists in the QuickTime PictureViewer when
decompressing PICT data.
Prior versions may also be affected.
SOLUTION:
Update to version 7.0.3.
http://www.apple.com/support/downloads/quicktime703.html
PROVIDED AND/OR DISCOVERED BY:
Piotr Bania
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=302772
Piotr Bania:
http://pb.specialised.info/all/adv/quicktime-mov-io1-adv.txt
http://pb.specialised.info/all/adv/quicktime-mov-io2-adv.txt
http://pb.specialised.info/all/adv/quicktime-mov-dos-adv.txt
http://pb.specialised.info/all/adv/quicktime-pict-adv.txt
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200511-0173 | CVE-2005-2754 | Apple QuickTime PictureViewer PICT data decompression buffer overflow |
CVSS V2: 5.1 CVSS V3: - Severity: MEDIUM |
Integer overflow in Apple QuickTime before 7.0.3 allows user-assisted attackers to execute arbitrary code via a crafted MOV file with "Improper movie attributes.". This issue is due to a failure of the application to properly validate integer signed-ness prior to using it to carry out critical operations.
An attacker may leverage this issue to cause the affected QuickTime client to crash, denying service to legitimate users. It has been speculated that this issue may also facilitate code execution; any code execution would occur with the privileges of the user that activated the affected software.
This issue affects both Microsoft Windows, and Apple versions of QuickTime.
CVE-ID: CVE-2005-2754
Original location:
http://pb.specialised.info/all/adv/quicktime-mov-io2-adv.txt
Severity: Critical - remote code execution.
Software affected: QuickTime package 7.0.1 for Mac OS X 10.3
QuickTime package 7.0.1 for Mac OS X 10.4
QuickTime package 6.5.2 for Mac OS X 10.3
QuickTime package 6.5.2 for Mac OS X 10.2
QuickTime package 7* for Windows
Older versions may be also vulnerable.
Note: Following versions are not vulnerable, due to
the fact I have reported the vulnerabilities
before their releases:
QuickTime package 7.0.2 for Mac OS X 10.3
QuickTime package 7.0.2 for Mac OS X 10.4
0. DISCLAIMER
Author takes no responsibility for any actions with provided
informations or codes. The copyright for any material created by the
author is reserved. Any duplication of codes or texts provided here in
electronic or printed publications is not permitted without the author's
agreement.
I. BACKGROUND
Apple QuickTime Player is one of the Apple QuickTime components
used by hundreds of millions of users.
II.
Improper movie attributes could result in a very large memory copy,
which lead to potencial memory overwrite.
III. POC CODE
Due to severity of this bug i will not release any proof of concept
codes for this issue.
IV. VENDOR RESPONSE
Vendor (Apple) has been noticed and released all necessary patches.
best regards,
Piotr Bania
--
--------------------------------------------------------------------
Piotr Bania - <bania.piotr@gmail.com> - 0xCD, 0x19
Fingerprint: 413E 51C7 912E 3D4E A62A BFA4 1FF6 689F BE43 AC33
http://pb.specialised.info - Key ID: 0xBE43AC33
--------------------------------------------------------------------
" Dinanzi a me non fuor cose create
se non etterne, e io etterno duro.
Lasciate ogne speranza, voi ch'intrate "
- Dante, Inferno Canto III
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
.
TITLE:
Apple QuickTime Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA17428
VERIFY ADVISORY:
http://secunia.com/advisories/17428/
CRITICAL:
Highly critical
IMPACT:
DoS, System access
WHERE:
>From remote
SOFTWARE:
Apple QuickTime 7.x
http://secunia.com/product/5090/
Apple Quicktime 6.x
http://secunia.com/product/810/
DESCRIPTION:
Piotr Bania has reported some vulnerabilities in Apple QuickTime,
which can be exploited by malicious people to cause a DoS (Denial of
Service) and potentially to compromise a user's system.
1) An integer overflow error exists in the handling of a "Pascal"
style string when loading a ".mov" video file.
3) A NULL pointer dereferencing error exists when handling certain
missing movie attributes from a video file.
4) A boundary error exists in the QuickTime PictureViewer when
decompressing PICT data.
Prior versions may also be affected.
SOLUTION:
Update to version 7.0.3.
http://www.apple.com/support/downloads/quicktime703.html
PROVIDED AND/OR DISCOVERED BY:
Piotr Bania
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=302772
Piotr Bania:
http://pb.specialised.info/all/adv/quicktime-mov-io1-adv.txt
http://pb.specialised.info/all/adv/quicktime-mov-io2-adv.txt
http://pb.specialised.info/all/adv/quicktime-mov-dos-adv.txt
http://pb.specialised.info/all/adv/quicktime-pict-adv.txt
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200511-0175 | CVE-2005-2756 | Apple QuickTime PictureViewer PICT data decompression buffer overflow |
CVSS V2: 5.1 CVSS V3: - Severity: MEDIUM |
Apple QuickTime before 7.0.3 allows user-assisted attackers to overwrite memory and execute arbitrary code via a crafted PICT file that triggers an overflow during expansion. This issue is due to a failure of the application to properly bounds check user-supplied data prior to copying it to an insufficiently sized memory buffer.
An attacker may leverage this issue to cause the affected QuickTime client to crash, denying service to legitimate users. It has been speculated that this issue may also facilitate code execution; any code execution would occur with the privileges of the user that activated the affected software.
This issue affects both Microsoft Windows, and Apple versions of QuickTime.
CVE-ID: CVE-2005-2756
Original location:
http://pb.specialised.info/all/adv/quicktime-pict-adv.txt
Severity: Critical - remote code execution.
Software affected: QuickTime package 7.0.1 for Mac OS X 10.3
QuickTime package 7.0.1 for Mac OS X 10.4
QuickTime package 6.5.2 for Mac OS X 10.3
QuickTime package 6.5.2 for Mac OS X 10.2
QuickTime package 7* for Windows
Older versions may be also vulnerable.
Note: Following versions are not vulnerable, due to
the fact I have reported the vulnerabilities
before their releases:
QuickTime package 7.0.2 for Mac OS X 10.3
QuickTime package 7.0.2 for Mac OS X 10.4
0. DISCLAIMER
Author takes no responsibility for any actions with provided
informations or codes. The copyright for any material created by the
author is reserved. Any duplication of codes or texts provided here in
electronic or printed publications is not permitted without the author's
agreement.
I. BACKGROUND
Apple QuickTime PictureViewer is one of the Apple QuickTime components
used by hundreds of millions of users.
II.
Expansion of compressed PICT data could exceed the size of the
destination buffer, this cause an memory overwrite.
The vulnerability may lead to remote code execution when specially
crafted picture file (PICT file) is being loaded.
III. POC CODE
Due to severity of this bug i will not release any proof of concept
codes for this issue.
IV. VENDOR RESPONSE
Vendor (Apple) has been noticed and released all necessary patches.
best regards,
Piotr Bania
--
--------------------------------------------------------------------
Piotr Bania - <bania.piotr@gmail.com> - 0xCD, 0x19
Fingerprint: 413E 51C7 912E 3D4E A62A BFA4 1FF6 689F BE43 AC33
http://pb.specialised.info - Key ID: 0xBE43AC33
--------------------------------------------------------------------
" Dinanzi a me non fuor cose create
se non etterne, e io etterno duro.
Lasciate ogne speranza, voi ch'intrate "
- Dante, Inferno Canto III
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
.
TITLE:
Apple QuickTime Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA17428
VERIFY ADVISORY:
http://secunia.com/advisories/17428/
CRITICAL:
Highly critical
IMPACT:
DoS, System access
WHERE:
>From remote
SOFTWARE:
Apple QuickTime 7.x
http://secunia.com/product/5090/
Apple Quicktime 6.x
http://secunia.com/product/810/
DESCRIPTION:
Piotr Bania has reported some vulnerabilities in Apple QuickTime,
which can be exploited by malicious people to cause a DoS (Denial of
Service) and potentially to compromise a user's system.
1) An integer overflow error exists in the handling of a "Pascal"
style string when loading a ".mov" video file.
2) An integer overflow error exists in the handling of certain movie
attributes when loading a ".mov" video file.
3) A NULL pointer dereferencing error exists when handling certain
missing movie attributes from a video file.
4) A boundary error exists in the QuickTime PictureViewer when
decompressing PICT data.
Prior versions may also be affected.
SOLUTION:
Update to version 7.0.3.
http://www.apple.com/support/downloads/quicktime703.html
PROVIDED AND/OR DISCOVERED BY:
Piotr Bania
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=302772
Piotr Bania:
http://pb.specialised.info/all/adv/quicktime-mov-io1-adv.txt
http://pb.specialised.info/all/adv/quicktime-mov-io2-adv.txt
http://pb.specialised.info/all/adv/quicktime-mov-dos-adv.txt
http://pb.specialised.info/all/adv/quicktime-pict-adv.txt
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200511-0174 | CVE-2005-2755 | Apple QuickTime PictureViewer PICT data decompression buffer overflow |
CVSS V2: 2.6 CVSS V3: - Severity: LOW |
Apple QuickTime Player before 7.0.3 allows user-assisted attackers to cause a denial of service (crash) via a crafted file with a missing movie attribute, which leads to a null dereference. Apple QuickTime PictureViewer contains a buffer overflow that may allow a remote attacker to execute arbitrary code on a vulnerable system. QuickTime is prone to a denial of service vulnerability. This issue is due to a failure in the application to handle exceptional conditions.
Successful exploitation of this vulnerability will cause the application to crash, effectively denying service to legitimate users.
This issue affects both Microsoft Windows, and Apple versions of QuickTime.
CVE-ID: CVE-2005-2755
Original location:
http://pb.specialised.info/all/adv/quicktime-mov-dos-adv.txt
Severity: Critical - attack against any application
loading remotely-originated content.
Software affected: QuickTime package 7.0.1 for Mac OS X 10.3
QuickTime package 7.0.1 for Mac OS X 10.4
QuickTime package 6.5.2 for Mac OS X 10.3
QuickTime package 6.5.2 for Mac OS X 10.2
QuickTime package 7* for Windows
Older versions may be also vulnerable.
Note: Following versions are not vulnerable, due to
the fact I have reported the vulnerabilities
before their releases:
QuickTime package 7.0.2 for Mac OS X 10.3
QuickTime package 7.0.2 for Mac OS X 10.4
0. DISCLAIMER
Author takes no responsibility for any actions with provided
informations or codes. The copyright for any material created by the
author is reserved. Any duplication of codes or texts provided here in
electronic or printed publications is not permitted without the author's
agreement.
I. BACKGROUND
Apple QuickTime Player is one of the Apple QuickTime components
used by hundreds of millions of users.
II.
A missing movie attribute is interpreted as an extension, but the
absence of the extension is not flagged as an error, resulting in
a de-reference of a NULL pointer.
III. POC CODE
Due to severity of this bug i will not release any proof of concept
codes for this issue.
IV. VENDOR RESPONSE
Vendor (Apple) has been noticed and released all necessary patches.
best regards,
Piotr Bania
--
--------------------------------------------------------------------
Piotr Bania - <bania.piotr@gmail.com> - 0xCD, 0x19
Fingerprint: 413E 51C7 912E 3D4E A62A BFA4 1FF6 689F BE43 AC33
http://pb.specialised.info - Key ID: 0xBE43AC33
--------------------------------------------------------------------
" Dinanzi a me non fuor cose create
se non etterne, e io etterno duro.
Lasciate ogne speranza, voi ch'intrate "
- Dante, Inferno Canto III
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
.
TITLE:
Apple QuickTime Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA17428
VERIFY ADVISORY:
http://secunia.com/advisories/17428/
CRITICAL:
Highly critical
IMPACT:
DoS, System access
WHERE:
>From remote
SOFTWARE:
Apple QuickTime 7.x
http://secunia.com/product/5090/
Apple Quicktime 6.x
http://secunia.com/product/810/
DESCRIPTION:
Piotr Bania has reported some vulnerabilities in Apple QuickTime,
which can be exploited by malicious people to cause a DoS (Denial of
Service) and potentially to compromise a user's system.
1) An integer overflow error exists in the handling of a "Pascal"
style string when loading a ".mov" video file. This can result in
memory overwrite due to a large memory copy, potentially allowing
arbitrary code execution via a specially crafted video file.
2) An integer overflow error exists in the handling of certain movie
attributes when loading a ".mov" video file. This can result in
memory overwrite due to a large memory copy, potentially allowing
arbitrary code execution via a specially crafted video file. This may be exploited to
crash an application that uses QuickTime when a specially crafted
video file is loaded.
4) A boundary error exists in the QuickTime PictureViewer when
decompressing PICT data. This may be exploited to cause a memory
overwrite, potentially allowing arbitrary code execution via a
specially crafted PICT picture file.
Prior versions may also be affected.
SOLUTION:
Update to version 7.0.3.
http://www.apple.com/support/downloads/quicktime703.html
PROVIDED AND/OR DISCOVERED BY:
Piotr Bania
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=302772
Piotr Bania:
http://pb.specialised.info/all/adv/quicktime-mov-io1-adv.txt
http://pb.specialised.info/all/adv/quicktime-mov-io2-adv.txt
http://pb.specialised.info/all/adv/quicktime-mov-dos-adv.txt
http://pb.specialised.info/all/adv/quicktime-pict-adv.txt
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200511-0349 | CVE-2005-3482 | Cisco Airespace wireless LAN Controller allows unencrypted network access vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Cisco 1200, 1131, and 1240 series Access Points, when operating in Lightweight Access Point Protocol (LWAPP) mode and controlled by 2000 and 4400 series Airespace WLAN controllers running 3.1.59.24, allow remote attackers to send unencrypted traffic to a secure network using frames with the MAC address of an authenticated end host. Cisco Airespace WLAN (Wireless LAN) devices are prone to an issue that may permit unauthorized parties to access a secure network. This may bypass the security of the wireless network as it may permit unauthorized access by hosts that have not authenticated. Legitimate end hosts can still communicate encrypted with the access point.
The vulnerability is caused due to the WLAN controller accepting
unencrypted traffic from end hosts even when it is configured to
perform encryption.
SOLUTION:
Update to version 3.1.105.0 of the WLAN Controller software.
Cisco 2000 Series WLAN Controller:
http://www.cisco.com/pcgi-bin/tablebuild.pl/2000_series_Wireless_LAN_controller
Cisco 4400 Series WLAN Controller:
http://www.cisco.com/pcgi-bin/tablebuild.pl/4400_series_Wireless_LAN_controller
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20051102-lwapp.shtml
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200511-0474 | CVE-2005-3467 | RhinoSoft Serv-U FTP Server Unknown denial of service vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Serv-U FTP Server before 6.1.0.4 allows attackers to cause a denial of service (crash) via (1) malformed packets and possibly other unspecified issues with unknown impact and attack vectors including (2) use of "~" in a pathname, and (3) memory consumption of the daemon. NOTE: it is not clear whether items (2) and above are vulnerabilities. Serv-U FTP server is prone to an unspecified denial of service vulnerability. This issue is most likely due to a failure in the application to handle exceptional conditions.
Specific details regarding this issue are not currently available, this BID will be updated as more information becomes available.
An attacker can exploit this vulnerability to cause the server to crash, effectively denying service to legitimate users.
TITLE:
Serv-U FTP Server Potential Denial of Service Vulnerability
SECUNIA ADVISORY ID:
SA17409
VERIFY ADVISORY:
http://secunia.com/advisories/17409/
CRITICAL:
Moderately critical
IMPACT:
DoS
WHERE:
>From remote
SOFTWARE:
Serv-U FTP Server 6.x
http://secunia.com/product/5878/
DESCRIPTION:
A vulnerability has been reported in Serv-U, which potentially can be
exploited by malicious people to cause a DoS (Denial of Service).
NOTE: The ZLib and OpenSSL libraries have also been changed to
version v1.2.3 and v0.9.8a respectively.
SOLUTION:
Update to version 6.1.0.4.
http://www.serv-u.com/dn.asp
PROVIDED AND/OR DISCOVERED BY:
Reported by vendor.
ORIGINAL ADVISORY:
http://www.serv-u.com/releasenotes.asp
OTHER REFERENCES:
SA17151:
http://secunia.com/advisories/17151/
SA16137:
http://secunia.com/advisories/16137/
SA15949:
http://secunia.com/advisories/15949/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------