This document describes Security Update 2005-003, which can be downloaded and installed using Software Update, or from Apple Downloads.
For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred, and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.
For information about the Apple Product Security PGP Key, see "How To Use The Apple Product Security PGP Key."
Where possible, CVE IDs are used to reference the vulnerabilities for further information.
To learn about other Security Updates, see "Apple Security Updates."
Security Update 2005-003
- AFP Server
Available for: Mac OS X v10.3.8, Mac OS X Server v10.3.8
CVE-ID: CAN-2005-0340
Impact: A specially crafted packet can cause a Denial of Service against the AFP Server.
Description: A specially crafted packet will terminate the operation of the AFP Server due to an incorrect memory reference. Credit to Braden Thomas for reporting this issue.
- AFP Server
Available for: Mac OS X v10.3.8, Mac OS X Server v10.3.8
CVE-ID: CAN-2005-0715
Impact: The contents of a Drop Box can be discovered.
Description: Fixes the checking of file permissions for access to Drop Boxes. Credit to John M. Glenn of San Francisco for reporting this issue.
- Bluetooth Setup Assistant
Available for: Mac OS X 10.3.8, Mac OS X Server 10.3.8
CVE-ID: CAN-2005-0713
Impact: Local security bypass when using a Bluetooth input device.
Description: The Bluetooth Setup Assistant may be launched on systems without a keyboard or a preconfigured Bluetooth input device. In these cases, access to certain privileged functions has been disabled within the Bluetooth Setup Assistant.
- Core Foundation
Available for: Mac OS X v10.3.8, Mac OS X Server v10.3.8
CVE-ID: CAN-2005-0716
Impact: Buffer overflow via an environment variable.
Description: The incorrect handling of an environment variable within Core Foundation can result in a buffer overflow that may be used to execute arbitrary code. This issue has been addressed by correctly handling the environment variable. Credit to iDEFENSE and Adriano Lima of SeedSecurity.com for reporting this issue.
- Cyrus IMAP
Available for: Mac OS X Server v10.3.8
CVE-ID: CAN-2004-1011, CAN-2004-1012, CAN-2004-1013, CAN-2004-1015, CAN-2004-1067
Impact: Multiple vulnerabilities in Cyrus IMAP, including remotely exploitable denial of service and buffer overflows.
Description: Cyrus IMAP is updated to version 2.2.12, which includes fixes for buffer overflows in fetchnews, backend, proxyd, and imapd. Further information is available from http://asg.web.cmu.edu/cyrus/download/imapd/changes.html.
- Cyrus SASL
Available for: Mac OS X v10.3.8, Mac OS X Server v10.3.8
CVE-ID: CAN-2002-1347, CAN-2004-0884
Impact: Multiple vulnerabilities in Cyrus SASL, including remote denial of service and possible remote code execution in applications that use this library.
Description: Cyrus SASL is updated to address several security holes caused by improper data validation, memory allocation, and data handling.
- Folder permissions
Available for: Mac OS X v10.3.8, Mac OS X Server v10.3.8
CVE-ID: CAN-2005-0712
Impact: World-writable permissions on several directories, allowing potential file race conditions or local privilege escalation.
Description: Secure folder permissions are applied to protect the installer's receipt cache and system-level ColorSync profiles. Credit to Eric Hall of DarkArt Consulting Services, Michael Haller (info@cilly.com), and (root at addcom.de) for reporting this issue.
- Mailman
Available for: Mac OS X Server v10.3.8
CVE-ID: CAN-2005-0202
Impact: Directory traversal issue in Mailman that could allow access to arbitrary files.
Description: Mailman is a software package that provides mailing list management. This update addresses an exposure in Mailman's private archive handling that allowed remote access to arbitrary files on the system. Further information is available from http://www.gnu.org/software/mailman/security.html.
- Safari
Available for: Mac OS X v10.3.8, Mac OS X Server v10.3.8
CVE-ID: CAN-2005-0234
Impact: Maliciously registered International Domain Names (IDN) can make URLs visually appear as legitimate sites.
Description: Support for Unicode characters within domain names (International Domain Name support) can allow maliciously registered domain names to visually appear as legitimate sites. Safari has been modified so that it consults a user-customizable list of scripts that are allowed to be displayed natively. Characters based on scripts that are not in the allowed list are displayed in their Punycode equivalent. The default list of allowed scripts does not include Roman look-alike scripts. Credit to Eric Johanson (ericj@shmoo.com) for reporting this issue to us. More information is available here.
- Samba
Available for: Mac OS X v10.3.8, Mac OS X Server v10.3.8
CVE-ID: CAN-2004-0882, CAN-2004-0930, CAN-2004-1154
Impact: Multiple vulnerabilities in Samba, including remote denial of service and possible remote execution of arbitrary commands.
Description: Several security vulnerabilities were addressed in recent Samba releases. Security Update 2005-003 installs Samba version 3.0.10 to provide these fixes. Further information is available from the Samba security site located at http://www.samba.org/samba/history/security.html.
- SquirrelMail
Available for: Mac OS X Server v10.3.8
CVE-ID: CAN-2004-1036, CAN-2005-0075, CAN-2005-0103, CAN-2005-0104
Impact: Multiple vulnerabilities in SquirrelMail, including cross-site scripting and HTML injection.
Description: SquirrelMail 1.4.4 addresses several security issues, including various cross-site scripting exposures and the possibility of using webmail.php to include web pages from remote servers. CAN-2005-0075 is an issue fixed in SquirrelMail 1.4.4, but it does not affect the default configuration of Mac OS X Server because register_globals is not enabled. Further information is available from the SquirrelMail security site located at http://www.squirrelmail.org/changelog.php.
- Telnet
Available for: Mac OS X v10.3.8, Mac OS X Server v10.3.8
CVE-ID: CAN-2005-0468, CAN-2005-0469
Impact: Malicious telnet servers may cause local code execution.
Description: This update addresses two buffer overflows in the telnet client that could lead to local code execution by a malicious telnet server. Credit to iDEFENSE for reporting this issue.
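The display rule described in the Safari entry above (characters from scripts outside an allowed list cause the name to be shown as Punycode), sketched as an added example; this is not Apple's code. The allowlist contents, the function names, and the approximation of a character's script by its Unicode name are assumptions made for illustration.

```python
import unicodedata

# Constructed allowlist for illustration only; NOT Safari's actual default list.
# Like the default described above, it omits Roman look-alike scripts
# (for example Cyrillic and Greek).
ALLOWED_SCRIPTS = frozenset({"LATIN", "CJK", "HIRAGANA", "KATAKANA", "HANGUL"})


def char_script(ch):
    """Approximate a character's script by the first word of its Unicode name.

    The standard library exposes no Script property, so this is a simplification.
    """
    if ch.isascii():
        return "LATIN"  # ASCII letters, digits and hyphen are always displayable
    try:
        return unicodedata.name(ch).split()[0]
    except ValueError:  # unnamed or unassigned code point
        return "UNKNOWN"


def to_unicode(label):
    """Decode an xn-- (Punycode) label; return it unchanged if it is malformed."""
    if label.lower().startswith("xn--"):
        try:
            return label.encode("ascii").decode("idna")
        except UnicodeError:
            return label
    return label


def display_label(label, allowed=ALLOWED_SCRIPTS):
    """Return the form of one hostname label that the address bar should show."""
    uni = to_unicode(label)
    if all(char_script(c) in allowed for c in uni):
        return uni  # every character belongs to an allowed script
    # At least one character is from a script outside the list: show Punycode.
    return uni.encode("idna").decode("ascii")


def display_host(host, allowed=ALLOWED_SCRIPTS):
    """Apply the per-label decision to a full hostname."""
    return ".".join(display_label(part, allowed) for part in host.split("."))


if __name__ == "__main__":
    # Constructed sample hostnames; U+0430 is CYRILLIC SMALL LETTER A.
    for host in ("example.test", "b\u00fccher.test", "ex\u0430mple.test"):
        print(ascii(host), "->", ascii(display_host(host)))
```

Passing a larger set as `allowed` models the user-customizable list: a name written in a script the user has added is then shown natively instead of as Punycode.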
Important: Information about products not manufactured by Apple is provided for information purposes only, and does not constitute Apple's recommendation or endorsement. Please contact the vendor for additional information.