Security Update 2009-001

AFP Server CVE-ID: CVE-2009-0142 Available for: Mac OS X v10.5.6, Mac OS X Server v10.5.6 Impact: A user with the ability to connect to AFP Server may be able to trigger a denial of service Description: A race condition in AFP Server may lead to an infinite loop. Enumerating files on an AFP server may lead to a denial of service. This update addresses the issue through improved file enumeration logic. This issue only affects systems running Mac OS X v10.5.6.

Apple Pixlet Video CVE-ID: CVE-2009-0009 Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.6, Mac OS X Server v10.5.6 Impact: Opening a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution Description: A memory corruption issue exists in the handling of movie files using the Pixlet codec. Opening a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Credit: Apple.

CarbonCore CVE-ID: CVE-2009-0020 Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.6, Mac OS X Server v10.5.6 Impact: Opening a file with a maliciously crafted resource fork may lead to an unexpected application termination or arbitrary code execution Description: A memory corruption issue exists in Resource Manager’s handling of resource forks. Opening a file with a maliciously crafted resource fork may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved validation of resource forks. Credit: Apple.

CFNetwork Available for: Mac OS X v10.5.6, Mac OS X Server v10.5.6 Impact: Restores proper operation of cookies with null expiration times Description: This update addresses a non-security regression introduced in Mac OS X 10.5.6. Cookies may not be properly set if a web site attempts to set a session cookie by supplying a null value in the “expires” field, rather than omitting the field. This update addresses the issue by ignoring the “expires” field if it has a null value.

CFNetwork Available for: Mac OS X v10.5.6, Mac OS X Server v10.5.6 Impact: Restores proper operation of session cookies across applications Description: This update addresses a non-security regression introduced in Mac OS X 10.5.6. CFNetwork may not save cookies to disk if multiple open applications attempt to set session cookies. This update addresses the issue by ensuring that each application stores its session cookies separately.

Certificate Assistant CVE-ID: CVE-2009-0011 Available for: Mac OS X v10.5.6, Mac OS X Server v10.5.6 Impact: A local user may manipulate files with the privileges of another user running Certificate Assistant Description: An insecure file operation exists in Certificate Assistant’s handling of temporary files. This could allow a local user to overwrite files with the privileges of another user who is running Certificate Assistant. This update addresses the issue through improved handling of temporary files. This issue does not affect systems prior to Mac OS X v10.5. Credit: Apple.

ClamAV CVE-ID: CVE-2008-5050, CVE-2008-5314 Available for: Mac OS X Server v10.4.11, Mac OS X Server v10.5.6 Impact: Multiple vulnerabilities in ClamAV 0.94 Description: Multiple vulnerabilities exist in ClamAV 0.94, the most serious of which may lead to arbitrary code execution. This update addresses the issues by updating ClamAV to version 0.94.2. ClamAV is distributed only with Mac OS X Server systems. Further information is available via the ClamAV website at http://www.clamav.net/

CoreText CVE-ID: CVE-2009-0012 Available for: Mac OS X v10.5.6, Mac OS X Server v10.5.6 Impact: Viewing maliciously crafted Unicode content may lead to an unexpected application termination or arbitrary code execution Description: A heap buffer overflow may occur when processing Unicode strings in CoreText. Using CoreText to handle maliciously crafted Unicode strings, such as when viewing a maliciously crafted web page, may result in an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. This issue does not affect systems prior to Mac OS X v10.5. Credit to Rosyna of Unsanity for reporting this issue.

CUPS CVE-ID: CVE-2008-5183 Available for: Mac OS X v10.5.6, Mac OS X Server v10.5.6 Impact: Visiting a maliciously crafted website may lead to an unexpected application termination Description: Exceeding the maximum number of RSS subscriptions results in a null pointer dereference in the CUPS web interface. This may lead to an unexpected application termination when visiting a maliciously crafted website. In order to trigger this issue, valid user credentials must either be known by the attacker or cached in the user’s web browser. CUPS will be automatically restarted after this issue is triggered. This update addresses the issue by properly handling the number of RSS subscriptions. This issue does not affect systems prior to Mac OS X v10.5.

DS Tools CVE-ID: CVE-2009-0013 Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.6, Mac OS X Server v10.5.6 Impact: Passwords supplied to dscl are exposed to other local users Description: The dscl command-line tool required that passwords be passed to it in its arguments, potentially exposing the passwords to other local users. Passwords exposed include those for users and administrators. This update makes the password parameter optional, and dscl will prompt for the password if needed. Credit: Apple.
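
The exposure described in the DS Tools entry can be audited from a process listing. The following is an added example, not Apple's code: it flags dscl invocations that still carry a password in their arguments and masks the value before reporting. It assumes the `-P`, `-p` and `-passwd` options as documented in the dscl man page (they are not named in this advisory); the `ps` listing is constructed sample data and the function names are hypothetical.

```python
import os

# Constructed sample of `ps -axo user,pid,args` output (not from a real host).
SAMPLE_PS = """\
USER   PID ARGS
root   412 /usr/sbin/ntpd -n -g
admin  977 dscl -u diradmin -P Constructed-Pw1 /LDAPv3/127.0.0.1 -read /Users/alice
alice 1021 dscl . -passwd /Users/alice OldConstructed NewConstructed
admin 1188 dscl -u diradmin -p /LDAPv3/127.0.0.1 -list /Users
carol 1410 dscl . -passwd /Users/carol
bob   1302 vim notes-about-dscl.txt
"""

MASK = "********"


def password_positions(argv):
    """Return the indexes of argv elements that hold a password.

    Only dscl command lines are inspected. Two argument forms are covered
    (assumed from the dscl man page):
      -P <password>                       authentication password
      -passwd <user_path> [old] <new>     password change
    """
    if not argv or os.path.basename(argv[0]) != "dscl":
        return []
    hits = []
    i = 1
    while i < len(argv):
        if argv[i] == "-P" and i + 1 < len(argv):
            hits.append(i + 1)
            i += 2  # skip the value so it is never parsed as an option
            continue
        if argv[i] == "-passwd":
            # Everything after the user path is password material. With no
            # trailing arguments dscl prompts instead, and nothing is flagged.
            hits.extend(range(i + 2, len(argv)))
            break
        i += 1
    return hits


def audit_ps(ps_text):
    """Scan a ps listing and return findings with the passwords masked."""
    findings = []
    for line in ps_text.splitlines():
        fields = line.split(None, 2)
        if len(fields) < 3 or not fields[1].isdigit():
            continue  # header or malformed line
        user, pid, args = fields
        argv = args.split()
        hits = password_positions(argv)
        if hits:
            for i in hits:
                argv[i] = MASK
            findings.append(
                {"user": user, "pid": int(pid), "command": " ".join(argv)}
            )
    return findings


if __name__ == "__main__":
    for finding in audit_ps(SAMPLE_PS):
        print(finding)
```

The same check can be pointed at administration scripts: any line it flags should be changed to the prompting form that this update makes available.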

fetchmail CVE-ID: CVE-2007-4565, CVE-2008-2711 Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.6, Mac OS X Server v10.5.6 Impact: Multiple vulnerabilities in fetchmail 6.3.8 Description: Multiple vulnerabilities exist in fetchmail 6.3.8, the most serious of which may lead to a denial of service. This update addresses the issues by updating to version 6.3.9. Further information is available via the fetchmail web site at http://fetchmail.berlios.de/

Folder Manager CVE-ID: CVE-2009-0014 Available for: Mac OS X v10.5.6, Mac OS X Server v10.5.6 Impact: Other local users may access the Downloads folder Description: A default permissions issue exists in Folder Manager. When a user deletes their Downloads folder and Folder Manager recreates it, the folder is created with read permissions for everyone. This update addresses the issue by having Folder Manager limit permissions so that the folder is accessible only to the user. This issue only affects applications using Folder Manager. This issue does not affect systems prior to Mac OS X v10.5. Credit to Graham Perrin of CENTRIM, University of Brighton for reporting this issue.
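
The permissions behaviour in the Folder Manager entry, as an added example that is not Apple's code: it recreates a folder with the default mode and with an owner-only mode, then audits both. The temporary home directory, the umask of 022 and all function names are assumptions made for the illustration.

```python
import os
import stat
import tempfile

# Mode bits that grant any access to group or other.
NON_OWNER_BITS = stat.S_IRWXG | stat.S_IRWXO


def recreate_default(path):
    """'Before' behaviour: recreate the folder with the default mode.

    os.mkdir() requests 0o777 and the umask is removed from it, so with a
    umask of 0o022 the folder ends up 0o755: readable by everyone.
    """
    os.mkdir(path)
    return stat.S_IMODE(os.stat(path).st_mode)


def recreate_private(path):
    """'After' behaviour: recreate the folder accessible only to its owner."""
    os.mkdir(path, 0o700)
    # The umask can only remove bits from the requested mode; chmod makes the
    # result exact even under an unusual umask.
    os.chmod(path, 0o700)
    return stat.S_IMODE(os.stat(path).st_mode)


def audit_folder(path, expected_uid=None):
    """Return a list of problems; an empty list means owner-only access."""
    expected_uid = os.getuid() if expected_uid is None else expected_uid
    st = os.lstat(path)  # lstat so that a symlink is reported, not followed
    problems = []
    if not stat.S_ISDIR(st.st_mode):
        problems.append("not a real directory")
    if st.st_uid != expected_uid:
        problems.append("owned by uid %d" % st.st_uid)
    exposed = stat.S_IMODE(st.st_mode) & NON_OWNER_BITS
    if exposed:
        problems.append("group/other bits set: %s" % oct(exposed))
    return problems


def demo():
    """Recreate a Downloads folder both ways inside a throwaway home."""
    old_umask = os.umask(0o022)  # assumed typical default umask
    try:
        with tempfile.TemporaryDirectory() as home:
            downloads = os.path.join(home, "Downloads")
            before_mode = recreate_default(downloads)
            before = audit_folder(downloads)
            os.rmdir(downloads)
            after_mode = recreate_private(downloads)
            after = audit_folder(downloads)
    finally:
        os.umask(old_umask)
    return before_mode, before, after_mode, after


if __name__ == "__main__":
    print(demo())
```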

FSEvents CVE-ID: CVE-2009-0015 Available for: Mac OS X v10.5.6, Mac OS X Server v10.5.6 Impact: Using the FSEvents framework, a local user may be able to see filesystem activity that would otherwise not be available Description: A credential management issue exists in fseventsd. By using the FSEvents framework, a local user may be able to see filesystem activity that would otherwise not be available. This includes the name of a directory which the user would not otherwise be able to see, and the detection of activity in the directory at a given time. This update addresses the issue through improved credential validation in fseventsd. This issue does not affect systems prior to Mac OS X v10.5. Credit to Mark Dalrymple for reporting this issue.

Network Time Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.6, Mac OS X Server v10.5.6 Impact: The Network Time service configuration has been updated Description: As a proactive security measure, this update changes the default configuration for the Network Time service. System time and version information will no longer be available in the default ntpd configuration. On Mac OS X v10.4.11 systems, the new configuration takes effect after a system restart when Network Time service is enabled.

perl CVE-ID: CVE-2008-1927 Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.6, Mac OS X Server v10.5.6 Impact: Using regular expressions containing UTF-8 characters may lead to an unexpected application termination or arbitrary code execution Description: A memory corruption issue exists in the handling of certain UTF-8 characters in regular expressions. Parsing maliciously crafted regular expressions may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of regular expressions.

Printing CVE-ID: CVE-2009-0017 Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.6, Mac OS X Server v10.5.6 Impact: A local user may obtain system privileges Description: An error handling issue exists in csregprinter, which may result in a heap buffer overflow. This may allow a local user to obtain system privileges. This update addresses the issue through improved error handling. Credit to Lars Haulin for reporting this issue.

python CVE-ID: CVE-2008-1679, CVE-2008-1721, CVE-2008-1887, CVE-2008-2315, CVE-2008-2316, CVE-2008-3142, CVE-2008-3144, CVE-2008-4864, CVE-2007-4965, CVE-2008-5031 Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.6, Mac OS X Server v10.5.6 Impact: Multiple vulnerabilities in python Description: Multiple vulnerabilities exist in python, the most serious of which may lead to arbitrary code execution. This update addresses the issues by applying patches from the python project.

Remote Apple Events CVE-ID: CVE-2009-0018 Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.6, Mac OS X Server v10.5.6 Impact: Sending Remote Apple events may lead to the disclosure of sensitive information Description: An uninitialized buffer issue exists in the Remote Apple Events server, which may lead to disclosure of memory contents to network clients. This update addresses the issue through proper memory initialization. Credit: Apple.

Remote Apple Events CVE-ID: CVE-2009-0019 Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.6, Mac OS X Server v10.5.6 Impact: Enabling Remote Apple Events may lead to an unexpected application termination or the disclosure of sensitive information Description: An out-of-bounds memory access exists in Remote Apple Events. Enabling Remote Apple Events may lead to an unexpected application termination or the disclosure of sensitive information to network clients. This update addresses the issue through improved bounds checking. Credit: Apple.

Safari RSS CVE-ID: CVE-2009-0137 Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.6, Mac OS X Server v10.5.6 Impact: Accessing a maliciously crafted feed: URL may lead to arbitrary code execution Description: Multiple input validation issues exist in Safari’s handling of feed: URLs. The issues allow execution of arbitrary JavaScript in the local security zone. This update addresses the issues through improved handling of embedded JavaScript within feed: URLs. Credit to Clint Ruoho of Laconic Security, Billy Rios of Microsoft, and Brian Mastenbrook for reporting these issues.

servermgrd CVE-ID: CVE-2009-0138 Available for: Mac OS X v10.5.6, Mac OS X Server v10.5.6 Impact: Remote attackers may be able to access Server Manager without valid credentials Description: An issue in Server Manager’s validation of authentication credentials could allow a remote attacker to alter the system configuration. This update addresses the issue through additional validation of authentication credentials. This issue does not affect systems prior to Mac OS X v10.5. Credit: Apple.

SMB CVE-ID: CVE-2009-0139 Available for: Mac OS X v10.5.6, Mac OS X Server v10.5.6 Impact: Connecting to a maliciously crafted SMB file system may lead to an unexpected system shutdown or arbitrary code execution with system privileges Description: An integer overflow in SMB File System may result in a heap buffer overflow. Connecting to a maliciously crafted SMB file system may lead to an unexpected system shutdown or arbitrary code execution with system privileges. This update addresses the issue through improved bounds checking. This issue does not affect systems prior to Mac OS X v10.5. Credit: Apple.

SMB CVE-ID: CVE-2009-0140 Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.6, Mac OS X Server v10.5.6 Impact: Connecting to a maliciously crafted SMB file server may lead to an unexpected system shutdown Description: A memory exhaustion issue exists in the SMB File System’s handling of file system names. Connecting to a maliciously crafted SMB file server may lead to an unexpected system shutdown. This update addresses the issue by limiting the amount of memory allocated by the client for file system names. Credit: Apple.

SquirrelMail CVE-ID: CVE-2008-2379, CVE-2008-3663 Available for: Mac OS X Server v10.4.11, Mac OS X Server v10.5.6 Impact: Multiple vulnerabilities in SquirrelMail Description: SquirrelMail is updated to version 1.4.17 to address several vulnerabilities, the most serious of which is a cross-site scripting issue. Further information is available via the SquirrelMail web site at http://www.SquirrelMail.org/

X11 CVE-ID: CVE-2008-1377, CVE-2008-1379, CVE-2008-2360, CVE-2008-2361, CVE-2008-2362 Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.6, Mac OS X Server v10.5.6 Impact: Multiple vulnerabilities in X11 server Description: Multiple vulnerabilities exist in X11 server. The most serious of these may lead to arbitrary code execution with the privileges of the user running the X11 server, if the attacker can authenticate to the X11 server. This update addresses the issues by applying the updated X.Org patches. Further information is available via the X.Org website at http://www.x.org/wiki/Development/Security

X11 CVE-ID: CVE-2006-1861, CVE-2006-3467, CVE-2007-1351, CVE-2008-1806, CVE-2008-1807, CVE-2008-1808 Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11 Impact: Multiple vulnerabilities in FreeType v2.1.4 Description: Multiple vulnerabilities exist in FreeType v2.1.4, the most serious of which may lead to arbitrary code execution when processing a maliciously crafted font. This update addresses the issues by incorporating the security fixes from version 2.3.6 of FreeType. Further information is available via the FreeType site at http://www.freetype.org/ The issues are already addressed in systems running Mac OS X v10.5.6.

X11 CVE-ID: CVE-2007-1351, CVE-2007-1352, CVE-2007-1667 Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11 Impact: Multiple vulnerabilities in LibX11 Description: Multiple vulnerabilities exist in LibX11, the most serious of which may lead to arbitrary code execution when processing a maliciously crafted font. This update addresses the issues by applying the updated X.Org patches. Further information is available via the X.Org website at http://www.x.org/wiki/Development/Security These issues do not affect systems running Mac OS X v10.5 or later.

XTerm CVE-ID: CVE-2009-0141 Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.6, Mac OS X Server v10.5.6 Impact: A local user may send information directly to another user’s Xterm Description: A permissions issue exists in Xterm. When used with luit, Xterm creates tty devices accessible by everyone. This update addresses the issue by having Xterm limit the permissions so tty devices are accessible only by the user.
