U radu programskog paketa Apple TV 5.1 otkriveno je i otklonjeno više sigurnosnih propusta. Udaljeni napadač ih je mogao iskoristiti za DoS napad, pokretanje zlonamjernog programskog koda i čitanje osjetljivih informacija.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2012-09-24-1 Apple TV 5.1

Apple TV 5.1 is now available and addresses the following:

Apple TV
Available for:  Apple TV 2nd generation and later
Impact:  Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description:  An uninitialized memory access existed in the handling
of Sorenson encoded movie files. This issue was addressed through
improved memory initialization.
CVE-ID
CVE-2012-3722 : Will Dormann of the CERT/CC

Apple TV
Available for:  Apple TV 2nd generation and later
Impact:  A malicious Wi-Fi network may be able to determine networks
a device has previously accessed
Description:  Upon connecting to a Wi-Fi network, iOS may broadcast
MAC addresses of previously accessed  networks per the DNAv4
protocol. This issue was addressed by disabling DNAv4 on unencrypted
Wi-Fi networks
CVE-ID
CVE-2012-3725 : Mark Wuergler of Immunity, Inc.

Apple TV
Available for:  Apple TV 2nd generation and later
Impact:  Viewing a maliciously crafted TIFF file may lead to an
unexpected application termination or arbitrary code execution
Description:  A buffer overflow existed in libtiff's handling of
ThunderScan encoded TIFF images. This issue was addressed by updating
libtiff to version 3.9.5.
CVE-ID
CVE-2011-1167

Apple TV
Available for:  Apple TV 2nd generation and later
Impact:  Viewing a maliciously crafted PNG image may lead to an
unexpected application termination or arbitrary code execution
Description:  Multiple memory corruption issues existed in libpng's
handling of PNG images. These issues were addressed through improved
validation of PNG images.
CVE-ID
CVE-2011-3026 : Juri Aedla
CVE-2011-3048
CVE-2011-3328

Apple TV
Available for:  Apple TV 2nd generation and later
Impact:  Viewing a maliciously crafted JPEG image may lead to an
unexpected application termination or arbitrary code execution
Description:  A double free issue existed in ImageIO's handling of
JPEG images. This issue was addressed through improved memory
management.
CVE-ID
CVE-2012-3726 : Phil of PKJE Consulting

Apple TV
Available for:  Apple TV 2nd generation and later
Impact:  Viewing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution
Description:  An integer overflow issue existed in libTIFF's handling
of TIFF images. This issue was addressed through improved validation
of TIFF images. This issue does not affect OS X Mountain Lion
systems.
CVE-ID
CVE-2012-1173

Apple TV
Available for:  Apple TV 2nd generation and later
Impact:  Applications that use ICU may be vulnerable to an unexpected
application termination or arbitrary code execution
Description:  A stack buffer overflow existed in the handling of ICU
locale IDs. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2011-4599

Apple TV
Available for:  Apple TV 2nd generation and later
Impact:  An attacker with a privileged network position may cause an
unexpected application termination or arbitrary code execution
Description:  Multiple vulnerabilities existed in libxml, the most
serious of which may lead to an unexpected application termination or
arbitrary code execution. These issues were addressed by applying the
relevant upstream patches.
CVE-ID
CVE-2011-1944 : Chris Evans of Google Chrome Security Team
CVE-2011-2821 : Yang Dingning of NCNIPC, Graduate University of
Chinese Academy of Sciences
CVE-2011-2834 : Yang Dingning of NCNIPC, Graduate University of
Chinese Academy of Sciences
CVE-2011-3919 : Juri Aedla

Apple TV
Available for:  Apple TV 2nd generation and later
Impact:  An attacker with a privileged network position may cause an
unexpected application termination or arbitrary code execution
Description:  Multiple memory corruption issues existed in
JavaScriptCore. These issues were addressed through improved memory
handling.
CVE-ID
CVE-2012-0682 : Apple Product Security
CVE-2012-0683 : Dave Mandelin of Mozilla
CVE-2012-3589 : Dave Mandelin of Mozilla
CVE-2012-3590 : Apple Product Security
CVE-2012-3591 : Apple Product Security
CVE-2012-3592 : Apple Product Security
CVE-2012-3678 : Apple Product Security
CVE-2012-3679 : Chris Leary of Mozilla


Installation note:

Apple TV will periodically check for software updates. Alternatively,
you may manually check for software updates by selecting
"Settings -> General -> Update Software".

To check the current version of software, select
"Settings -> General -> About".

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org

iQIcBAEBAgAGBQJQXO50AAoJEPefwLHPlZEwc40P/AmBKys+PAsdT8gGrSpOY1B9
8h+Y0xdE+Hmesq9D4p6wvdY/lR+zMqtSwT6amNImYCIaRmm1P8+r8n31be52TYlg
7GqEAZbDtFztHwIISC8Khf8dMvWSrLhzRa7X/cxlIgRKmoXFnqJZzYcUov/M9Uw8
KwejQnztmAx7srHnZCNI+dxFqAC7hPoegnDnlVPx1DkwKDjt8q9xD3PGQyiGWWkI
wqUEWvMGWr65CFyA7R0hDqKuNCowWn2cKP1UhIoEur5yRmc4aQVtOnHhJ8k9mdoO
+58JC/y8lCtqGUyEL2Ar0FmIcRX/GJf+/isKOtmHx0JuEhH5beQ6s9FxU5eNR9DH
EVPmVXowY9wMvKxwHFU3jwq8kQ3+IYC+7KA6lScb5mXO5mC5dbJPLp7uJto7+VtI
atgQmvzdB8G562wpwTPuA4UQWWr0i6WWl8zkfgkRHO+cXyN683rkBP/vVEo9FipR
YkQ10RsXqYDRXBcRywmTZZwQy6txMtV9D2bnk1uukQHBsZh30/mEpcmZbo6CO3s3
mnOtu5D2OQsNt4MqbviUkEgdc9JIJnqAOo+9YguDCEu6Rd7unbKB3RpmD+A3OJnR
GhEa2Gqyvm/ozfb2D4L01y4UQo7dMLw+t/FOZXkrpdLlWn2LANWvXDCPSzIFCKoN
cXF+ij425pfY+d7Iekz3
=PSL+
-----END PGP SIGNATURE-----
 _______________________________________________
Do not post admin requests to the list. They will be ignored.
Security-announce mailing list      (Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.)
Help/Unsubscribe/Update your Subscription:
https://lists.apple.com/mailman/options/security-announce/advisory%40lss.hr

This email sent to Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.