Multiple vulnerabilities have been identified in Apple Mac OS X, which could be exploited by remote or local attackers to execute arbitrary commands, cause a denial of service, disclose sensitive information, or bypass security restrictions.
The first issue is due to an error in the AFP server when displaying search results, which could be exploited by malicious users to disclose names of files and folders for which they have no access.
The second flaw is due to an integer overflow error in the AFP server, which could be exploited by authenticated attackers to execute arbitrary commands or cause a denial of service.
The third vulnerability is due to insecure permissions being set the reconnect keys supported by the AFP server, which could be exploited by authenticated attackers to read and use the reconnect keys to access files or folders.
The fourth issue is due to an error in the AFP server when handling malformed requests, which could be exploited by remote attackers to cause a denial of service.
The fifth vulnerability is due to an error in Bom's compression state handling, which could be exploited by attackers to crash a vulnerable application or execute arbitrary commands via a malicious ZIP archive.
The sixth issue is due to a stack overflow error in bootpd (disabled by default) when processing malformed requests, which could be exploited by remote attackers to compromise a vulnerable system.
The seventh flaw is due to an error in dyld when handling user-supplied options, which could be exploited by malicious users to cause certain privileged applications to be influenced inappropriately.
The eighth flaw is due to an error in dyld when handling user-supplied paths, which could be exploited by malicious users to cause the dynamic linker to load and execute arbitrary code with elevated privileges.
The ninth issue is due to errors in Fetchmail and gunzip. For additional information, see : FrSIRT/ADV-2005-1171 - FrSIRT/ADV-2005-2182 - FrSIRT/ADV-2005-2996 - FrSIRT/ADV-2006-0300 - FrSIRT/ADV-2005-0460
The tenth flaw is due to a buffer overflow error when processing malformed Canon RAW images, which could be exploited by attackers to execute arbitrary commands via a malicious image.
The eleventh vulnerability is due to integer and buffer overflow errors in ImageIO when processing malformed Radiance or GIF images, which could be exploited by attackers to compromise a vulnerable system via a malicious image.
The twelfth issue is due to an error in LaunchServices that erroneously identifies certain HTML files containing HTML as "safe", which could be exploited by attackers to execute arbitrary scripting code.
The thirteenth flaw is due to an error in OpenSSH when handling login attempts for nonexistent users, which could be exploited by remote attackers to cause a denial of service or detect the existence of a particular account.
The fourteenth issue is due to an error in Telnet. For additional information, see : FrSIRT/ADV-2005-0786
The fifteenth vulnerability is due to a memory corruption error in WebKit when accessing a previously deallocated object, which could be exploited by remote attackers to compromise a vulnerable system via a specially crafted web page.
The sixteenth flaw is due to buffer overflow errors in AppKit and ImageIO when processing malformed TIFF images, which could be exploited by attackers to execute arbitrary commands via a malicious image. For additional information, see : FrSIRT/ADV-2006-3105
Credits
Vulnerabilities reported by Dino Dai Zovi, Tom Ferris, Neil Archibald, Rob Middleton, Gael Delalleau, Jesse Ruderman, and Tavis Ormandy.
ChangeLog
2006-08-01 : Initial release
2006-08-09 : Updated Solution
Vulnerability Management
Subscribe to FrSIRT VNS and receive real-time e-mail and SMS alerts when new vulnerabilities, exploits, or patches relevant to your systems and network configurations are available.
Feedback
If you have additional information or corrections for this security advisory please submit them via our contact form or by email to updates@frsirt.com.
French
