About Security Update 2005-001 for Mac OS X

This document describes Security Update 2005-001, which can be downloaded and installed via Software Update preferences, or from Apple Downloads.

For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.

For information about the Apple Product Security PGP Key, see "How To Use The Apple Product Security PGP Key."

Where possible, CVE IDs are used to reference the vulnerabilities for further information.

To learn about other Security Updates, see "Apple Security Updates."

Security Update 2005-001

• at commands
  Available for: Mac OS X v10.3.7, Mac OS X Server v10.3.7
  CVE-ID: CAN-2005-0125
  Impact: Updates the "at" commands to address a local privilege escalation vulnerability
  Description: The "at" family of commands did not properly drop privileges. This could allow a local user to remove files not owned by them, run programs with added privileges, or read the contents of normally unreadable files. This update patches the commands at, atrm, batch, atq, and atrun. Credit to kf_lists[at]digitalmunition[dot]com for reporting this issue.
  
  
• ColorSync
  Available for: Mac OS X v10.3.7, Mac OS X Server v10.3.7, Mac OS X v10.2.8, Mac OS X Server v10.2.8
  CVE-ID: CAN-2005-0126
  Impact: Malformed ICC color profiles could overwrite the program heap, resulting in arbitrary code execution.
  Description: An out-of-specification or improperly embedded ICC color profile could overwrite the program heap and allow arbitrary code execution. There are no known exploits for this issue. With this update, ColorSync will reject incorrectly-formed ICC color profiles.
  
  
• libxml2
  Available for: Mac OS X v10.3.7, Mac OS X Server v10.3.7
  CVE-ID: CAN-2004-0989
  Impact: The libxml2 library contains unsafe code that may be exploited in applications linked against it.
  Description: This update fixes several functions in the libxml2 library that have been identified as unsafe due to potentially exploitable buffer overflows.
  
  
• Mail
  Available for: Mac OS X v10.3.7 Client, Mac OS X Server v10.3.7
  CVE-ID: CAN-2005-0127
  Impact: Email messages sent from a single machine can be identified
  Description: A GUUID containing an identifier associated with the Ethernet networking hardware was used in the construction of an RFC-822 required Message-ID header. Mail now hides this information by computing the Message-ID using a cryptographic hash of the GUUID concatenated with data from /dev/random. Credit to Carl Purvis for reporting this issue.
  
  
• PHP
  Available for: Mac OS X v10.3.7, Mac OS X Server v10.3.7, Mac OS X v10.2.8, Mac OS X Server v10.2.8
  CVE-ID: CAN-2003-0860, CAN-2003-0863, CAN-2004-0594, CAN-2004-0595, CAN-2004-1018, CAN-2004-1019, CAN-2004-1020, CAN-2004-1063, CAN-2004-1064, CAN-2004-1065
  Impact: Multiple vulnerabilities in PHP, including remote denial of service and execution of arbitrary code
  Description: PHP is updated to version 4.3.10 to address several issues. The PHP release announcement for version 4.3.10 is located at http://www.php.net/release_4_3_10.php.
  
  
• Safari
  Available for: Mac OS X v10.3.7, Mac OS X Server v10.3.7, Mac OS X v10.2.8, Mac OS X Server v10.2.8
  CVE-ID: CAN-2004-1314
  Impact: When Safari's "Block Pop-Up Windows" feature is not enabled, a malicious pop-up window could appear as being from a trusted site
  Description: If the "Block Pop-Up Windows" feature is enabled, then this issue does not occur. If the "Block Pop-Up Windows" feature is not enabled, a user can be mislead about the content of a Pop-up window if they used an untrusted link to navigate to a site they wanted to view. This update corrects the issue regardless of the "Block Pop-Up Windows" setting. Credit to Secunia Research for reporting this issue.
  
  
• SquirrelMail
  Available for: Mac OS X Server 10.3.7
  CVE-ID: CAN-2004-1036
  Impact: SquirrelMail is updated to address a cross-site scripting vulnerability
  Description: A cross-site scripting vulnerability in SquirrelMail allowed email messages to contain content that would be rendered by a user's web browser. SquirrelMail is updated to address this issue. Further details are available from the SquirrelMail website: http://www.squirrelmail.org/.

Important: Information about products not manufactured by Apple is provided for information purposes only, and does not constitute Apple's recommendation or endorsement. Please contact the vendor for additional information.

Important: Mention of third-party websites and products is for informational purposes only and constitutes neither an endorsement nor a recommendation. Apple assumes no responsibility with regard to the selection, performance or use of information or products found at third-party websites. Apple provides this only as a convenience to our users. Apple has not tested the information found on these sites and makes no representations regarding its accuracy or reliability. There are risks inherent in the use of any information or products found on the Internet, and Apple assumes no responsibility in this regard. Please understand that a third-party site is independent from Apple and that Apple has no control over the content on that website.