This document describes the security content of Xcode Tools 2.5, which can be downloaded and installed from http://developer.apple.com/tools/download/.
For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.
For information about the Apple Product Security PGP Key, see "How to use the Apple Product Security PGP Key."
Where possible, CVE IDs are used to reference the vulnerabilities for further information.
To learn about other Security Updates, see Apple Security Updates.
gdb
CVE-ID: CVE-2006-2362
Available for: Mac OS X v10.4.x, Mac OS X v10.5
Impact: Processing a file with maliciously crafted TekHex content may lead to an unexpected application termination or arbitrary code execution
Description: A buffer overflow exists in gdb's handling of files with Tektronix Hex Format (TekHex) content. By enticing a user to run gdb's "restore" command on a maliciously crafted TekHex file, an attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of TekHex records.
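The fix class described above, "additional validation of TekHex records", is shown below as an added example written for this page; it is not gdb's or BFD's code. It assumes the Tektronix Extended Hex layout: a record is "%" followed by a two-hex-digit length LL (the number of characters after "%", counting LL, the type and the checksum), a one-character type ("6" data, "3" symbol, "8" termination), a two-hex-digit checksum CC (the sum mod 256 of the TekHex value of every character after "%" except CC itself, with 0-9, A-Z=10..35, $=36, %=37, .=38, _=39, a-z=40..65), and the body; a data body is one hex digit giving the address width ("0" meaning 16), that many address digits, then hex byte pairs. The sample records, the TEKHEX_MAX_DATA limit and all function names are constructed for the example. The point it makes is that every declared length is checked against the bytes actually on the line and against the fixed destination buffer before anything is copied, so a record whose LL overstates the line, or whose payload is larger than the buffer, is rejected instead of being read or written past the end.

```c
/* Added example (not gdb's or BFD's code): bounds-checked TekHex record
 * reader and writer. Layout and checksum rule assumed: see the text above. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TEKHEX_MAX_RECORD 255  /* LL is two hex digits, so no record is longer */
#define TEKHEX_MAX_DATA    64  /* fixed payload buffer, deliberately smaller than
                                  the largest record LL can describe */

enum tekhex_status { TEKHEX_OK, TEKHEX_BAD_FORMAT, TEKHEX_BAD_LENGTH,
                     TEKHEX_BAD_CHECKSUM, TEKHEX_TOO_LONG };

struct tekhex_record {
    char type;
    uint64_t address;
    size_t data_len;
    uint8_t data[TEKHEX_MAX_DATA];
};

/* Value of a character in the TekHex checksum alphabet, or -1 if not allowed. */
static int tekhex_char_value(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'A' && c <= 'Z') return c - 'A' + 10;
    if (c >= 'a' && c <= 'z') return c - 'a' + 40;
    switch (c) { case '$': return 36; case '%': return 37;
                 case '.': return 38; case '_': return 39; default: return -1; }
}

/* Parse exactly n hex digits into *out; -1 if any character is not hex. */
static int parse_hex(const char *s, size_t n, uint64_t *out) {
    uint64_t v = 0;
    for (size_t i = 0; i < n; i++) {
        int c = (unsigned char)s[i], d;
        if (c >= '0' && c <= '9') d = c - '0';
        else if (c >= 'A' && c <= 'F') d = c - 'A' + 10;
        else if (c >= 'a' && c <= 'f') d = c - 'a' + 10;
        else return -1;
        v = (v << 4) | (uint64_t)d;
    }
    *out = v;
    return 0;
}

/* Parse one NUL-terminated record (no newline). Every length is validated
 * against the bytes actually present and against rec->data before any copy. */
enum tekhex_status tekhex_parse(const char *line, struct tekhex_record *rec) {
    size_t avail = strlen(line);
    uint64_t declared, stored, width, b;
    unsigned sum = 0;
    memset(rec, 0, sizeof *rec);

    if (avail < 6 || line[0] != '%') return TEKHEX_BAD_FORMAT;   /* "%" LL T CC at least */
    if (parse_hex(line + 1, 2, &declared) < 0) return TEKHEX_BAD_FORMAT;
    /* LL must cover LL/T/CC and must not exceed what is really on the line:
     * this stops a short line with a large LL from being read past its end. */
    if (declared < 5 || declared > avail - 1) return TEKHEX_BAD_LENGTH;
    rec->type = line[3];
    if (parse_hex(line + 4, 2, &stored) < 0) return TEKHEX_BAD_FORMAT;

    for (size_t i = 1; i <= declared; i++) {        /* checksum, skipping CC itself */
        int v = (i == 4 || i == 5) ? 0 : tekhex_char_value((unsigned char)line[i]);
        if (v < 0) return TEKHEX_BAD_FORMAT;
        sum += (unsigned)v;
    }
    if ((sum & 0xFF) != stored) return TEKHEX_BAD_CHECKSUM;
    if (rec->type != '6') return TEKHEX_OK;         /* only data records carry bytes here */

    const char *body = line + 6;
    size_t body_len = declared - 5;
    if (body_len < 2 || parse_hex(body, 1, &width) < 0) return TEKHEX_BAD_FORMAT;
    if (width == 0) width = 16;                      /* "0" means a 16-digit address */
    if (width + 1 > body_len || parse_hex(body + 1, width, &rec->address) < 0)
        return TEKHEX_BAD_FORMAT;
    size_t hexlen = body_len - 1 - width;
    if (hexlen % 2) return TEKHEX_BAD_FORMAT;
    if (hexlen / 2 > TEKHEX_MAX_DATA) return TEKHEX_TOO_LONG;   /* would not fit rec->data */
    for (size_t i = 0; i < hexlen; i += 2) {
        if (parse_hex(body + 1 + width + i, 2, &b) < 0) return TEKHEX_BAD_FORMAT;
        rec->data[rec->data_len++] = (uint8_t)b;
    }
    return TEKHEX_OK;
}

/* Build a data record for n bytes at address into out (NUL-terminated).
 * Returns the number of characters written, or -1 if the record would exceed
 * TekHex's 255-character limit or the caller's buffer. */
int tekhex_encode_data(uint32_t address, const uint8_t *bytes, size_t n,
                       char *out, size_t outsz) {
    static const char digs[] = "0123456789ABCDEF";
    char addr[8];
    size_t width = 0, len, i;
    for (int shift = 28; shift >= 0; shift -= 4) {   /* minimal address width */
        int d = (int)((address >> shift) & 0xF);
        if (width || d || shift == 0) addr[width++] = digs[d];
    }
    len = 5 + 1 + width + 2 * n;                      /* LL T CC + width digit + address + data */
    if (len > TEKHEX_MAX_RECORD || len + 2 > outsz) return -1;
    out[0] = '%'; out[1] = digs[len >> 4]; out[2] = digs[len & 0xF]; out[3] = '6';
    out[6] = digs[width];
    memcpy(out + 7, addr, width);
    for (i = 0; i < n; i++) {
        out[7 + width + 2 * i] = digs[bytes[i] >> 4];
        out[8 + width + 2 * i] = digs[bytes[i] & 0xF];
    }
    out[len + 1] = '\0';
    unsigned sum = 0;
    for (i = 1; i <= len; i++)
        if (i != 4 && i != 5) sum += (unsigned)tekhex_char_value((unsigned char)out[i]);
    out[4] = digs[(sum >> 4) & 0xF]; out[5] = digs[sum & 0xF];
    return (int)len + 1;
}

int main(void) {
    /* Constructed samples: a valid record, one whose LL overstates the line,
     * and one with a wrong checksum. */
    const char *samples[] = { "%1267641000DEADBEEF", "%FF641000DEADBEEF", "%1267741000DEADBEEF" };
    for (size_t i = 0; i < 3; i++) {
        struct tekhex_record r;
        int st = tekhex_parse(samples[i], &r);
        printf("%-22s status=%d type=%c addr=0x%llx bytes=%zu\n", samples[i], st,
               st == TEKHEX_OK ? r.type : '-', (unsigned long long)r.address, r.data_len);
    }
    return 0;
}
```

The encoder exists so the parser can be exercised with records whose checksum is right but whose payload is larger than the receiving buffer; that case returns TEKHEX_TOO_LONG rather than copying, which is the behaviour a bounds check on record contents has to guarantee independently of the checksum.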
WebObjects
CVE-ID: CVE-2006-5327, CVE-2006-5328
Available for: Mac OS X v10.4.x, Mac OS X v10.5
Impact: An unprivileged local user may be able to obtain system privileges
Description: The Xcode WebObjects package contains a demo version of OpenBase for use with WebObjects example code. This demo version of OpenBase may allow a local user to obtain system privileges. This update addresses the issue by disabling the Apple-provided demo version of OpenBase. Credit to Kevin Finisterre of Netragard for reporting these issues.