Objavljene su programske ispravke za niz propusta vezanih uz iTunes. Točnije, nedostaci se odnose na programske pakete ImageIO, libxml i WebKit. Propusti u ImageIO su vezani uz neodgovarajuću obradu JPEG i TIFF datoteka, u paketu libxml uz pogrešno rukovanje XML datotekama, dok se nedostaci u paketu Webkit odnose na nepravilno rukovanje memorijom. Potencijalni ih napadači mogu iskoristiti za DoS (eng. Denial of Service) napad i pokretanje proizvoljnog programskog koda. Dostupne su ispravljene inačice.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2011-03-02-1 iTunes 10.2
iTunes 10.2 is now available and addresses the following:
ImageIO
Available for: Windows 7, Vista, XP SP2 or later
Impact: Multiple vulnerabilities in libpng
Description: libpng is updated to version 1.4.3 to address multiple
vulnerabilities, the most serious of which may lead to arbitrary code
execution. For Mac OS X v10.5 systems, this is addressed in Security
Update 2010-007. Further information is available via the libpng
website at http://www.libpng.org/pub/png/libpng.html
CVE-ID
CVE-2010-1205
CVE-2010-2249
ImageIO
Available for: Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted JPEG image may lead to an
unexpected application termination or arbitrary code execution
Description: A heap buffer overflow issue existed in ImageIO's
handling of JPEG images. Viewing a maliciously crafted JPEG image may
lead to an unexpected application termination or arbitrary code
execution.
CVE-ID
CVE-2011-0170 : Andrzej Dyjak working with iDefense VCP
ImageIO
Available for: Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted TIFF image may result in an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in libTIFF's handling of JPEG
encoded TIFF images. Viewing a maliciously crafted TIFF image may
result in an unexpected application termination or arbitrary code
execution.
CVE-ID
CVE-2011-0191 : Apple
ImageIO
Available for: Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted TIFF image may result in an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in libTIFF's handling of
CCITT Group 4 encoded TIFF images. Viewing a maliciously crafted TIFF
image may result in an unexpected application termination or
arbitrary code execution.
CVE-ID
CVE-2011-0192 : Apple
libxml
Available for: Windows 7, Vista, XP SP2 or later
Impact: Processing a maliciously crafted XML file may lead to an
unexpected application termination or arbitrary code execution
Description: A double free issue existed in libxml's handling of
XPath expressions. Processing a maliciously crafted XML file may lead
to an unexpected application termination or arbitrary code execution.
CVE-ID
CVE-2010-4494 : Yang Dingning of NCNIPC, Graduate University of
Chinese Academy of Sciences
libxml
Available for: Windows 7, Vista, XP SP2 or later
Impact: Processing a maliciously crafted XML file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in libxml's XPath
handling. Processing a maliciously crafted XML file may lead to an
unexpected application termination or arbitrary code execution.
CVE-ID
CVE-2010-4008 : Bui Quang Minh from Bkis (www.bkis.com)
WebKit
Available for: Windows 7, Vista, XP SP2 or later
Impact: A man-in-the-middle attack may lead to an unexpected
application termination or arbitrary code execution
Description: Multiple memory corruption issues exist in WebKit. A
man-in-the-middle attack while browsing the iTunes Store via iTunes
may lead to an unexpected application termination or arbitrary code
execution.
CVE-ID
CVE-2010-1824 : kuzzcc, and wushi of team509 working with
TippingPoint's Zero Day Initiative
CVE-2011-0111 : Sergey Glazunov
CVE-2011-0112 : Yuzo Fujishima of Google Inc.
CVE-2011-0113 : Andreas Kling of Nokia
CVE-2011-0114 : Chris Evans of Google Chrome Security Team
CVE-2011-0115 : J23 working with TippingPoint's Zero Day Initiative,
and Emil A Eklund of Google, Inc
CVE-2011-0116 : an anonymous researcher working with TippingPoint's
Zero Day Initiative
CVE-2011-0117 : Abhishek Arya (Inferno) of Google, Inc.
CVE-2011-0118 : Abhishek Arya (Inferno) of Google, Inc.
CVE-2011-0119 : Abhishek Arya (Inferno) of Google, Inc.
CVE-2011-0120 : Abhishek Arya (Inferno) of Google, Inc.
CVE-2011-0121 : Abhishek Arya (Inferno) of Google, Inc.
CVE-2011-0122 : Slawomir Blazek
CVE-2011-0123 : Abhishek Arya (Inferno) of Google, Inc.
CVE-2011-0124 : Yuzo Fujishima of Google Inc.
CVE-2011-0125 : Abhishek Arya (Inferno) of Google, Inc.
CVE-2011-0126 : Mihai Parparita of Google, Inc.
CVE-2011-0127 : Abhishek Arya (Inferno) of Google, Inc.
CVE-2011-0128 : David Bloom
CVE-2011-0129 : Famlam
CVE-2011-0130 : Apple
CVE-2011-0131 : wushi of team509
CVE-2011-0132 : wushi of team509 working with TippingPoint's Zero Day
Initiative
CVE-2011-0133 : wushi of team509 working with TippingPoint's Zero Day
Initiative
CVE-2011-0134 : Jan Tosovsky
CVE-2011-0135 : an anonymous reporter
CVE-2011-0136 : Sergey Glazunov
CVE-2011-0137 : Sergey Glazunov
CVE-2011-0138 : kuzzcc
CVE-2011-0139 : kuzzcc
CVE-2011-0140 : Sergey Glazunov
CVE-2011-0141 : Chris Rohlf of Matasano Security
CVE-2011-0142 : Abhishek Arya (Inferno) of Google, Inc.
CVE-2011-0143 : Slawomir Blazek and Sergey Glazunov
CVE-2011-0144 : Emil A Eklund of Google, Inc.
CVE-2011-0145 : Abhishek Arya (Inferno) of Google, Inc.
CVE-2011-0146 : Abhishek Arya (Inferno) of Google, Inc.
CVE-2011-0147 : Dirk Schulze
CVE-2011-0148 : Michal Zalewski of Google, Inc.
CVE-2011-0149 : wushi of team509 working with TippingPoint's Zero Day
Initiative, and SkyLined of Google Chrome Security Team
CVE-2011-0150 : Michael Gundlach of safariadblock.com
CVE-2011-0151 : Abhishek Arya (Inferno) of Google, Inc.
CVE-2011-0152 : SkyLined of Google Chrome Security Team
CVE-2011-0153 : Abhishek Arya (Inferno) of Google, Inc.
CVE-2011-0154 : an anonymous researcher working with TippingPoint's
Zero Day Initiative
CVE-2011-0155 : Aki Helin of OUSPG
CVE-2011-0156 : Abhishek Arya (Inferno) of Google, Inc.
CVE-2011-0164 : Apple
CVE-2011-0165 : Sergey Glazunov
CVE-2011-0168 : Sergey Glazunov
iTunes 10.2 may be obtained from:
http://www.apple.com/itunes/download/
For Mac OS X:
The download file is named: "iTunes10.2.dmg"
Its SHA-1 digest is: 35da52c03a478d7ff325e67d589e48afd195c9ab
For Windows XP / Vista / Windows 7:
The download file is named: "iTunesSetup.exe"
Its SHA-1 digest is: 1f40939eaca43648e55c137be220fa391bb48c6c
For 64-bit Windows XP / Vista / Windows 7:
The download file is named: "iTunes64Setup.exe"
Its SHA-1 digest is: efc23fc7d92eb95a1f2588b8a6506d99b726c9ea
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (Darwin)
iQEcBAEBAgAGBQJNbrZ2AAoJEGnF2JsdZQeeIowH/1cW7yQKs7Jz3TAJjOwPkT6M
ETX53z7DBl1CLYYg6QZfbumUWrzj182WT5rKlt8qAhbxsMz4gLJ+TIqaaVn53NLV
c0mq9LN615DhXXsMWsHeINinSky6wZMjlTApocp3PwWQTGZn8rg7qnaUuNC+x2Y2
OxPOsCGyRtbzIq8AZMgJfK2J1Rm1TGQi5s/wSSkDq61R0CVyXHhzMG8L+ChUXDrQ
dKggtQQ8JeJK0kRp/q4kmJLxRBsimH21ame2urUrRKjXvvnqGLqy9pqJG9tbLFp2
1xlBg95tEF38v9wNRAx6gylN2dcGLvmK6+qqyvveenfGqlXd6BWmh4Ut4zHsD/4=
=pvse
-----END PGP SIGNATURE-----
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Security-announce mailing list (Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.)
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/security-announce/lss.advisory%40gmail.com
This email sent to Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.
Posljednje sigurnosne preporuke