[PCWorks] Apple iTunes Multiple Vulnerabilities

  • From: "Clint Hamilton-PCWorks Admin" <PCWorks@xxxxxxxxxxxxxxxxxxxxxxxx>
  • To: "PCWorks@xxxxxxxxxxxxx" <pcworks@xxxxxxxxxxxxx>
  • Date: Fri, 4 Mar 2011 05:04:40 -0600

TITLE:
Apple iTunes Multiple Vulnerabilities

SECUNIA ADVISORY ID:
http://secunia.com/advisories/43582/

Criticality level:  Highly critical
Impact:  System access
Where:  From remote

Software:  Apple iTunes 10.x

DESCRIPTION:
Multiple vulnerabilities have been reported in Apple iTunes, which
can be exploited by malicious people to compromise a user's system.

1) Some errors exist due to the use of a vulnerable libpng library.

For more information:
http://secunia.com/SA40302/

2) An array indexing error in the CoreGraphics library (ImageIO) when
processing the International Color Consortium (ICC) profile within a
JPEG image can be exploited to corrupt heap-based memory.

3) An error in the libTIFF library when handling JPEG encoded TIFF
images can be exploited to cause a buffer overflow.

4) A boundary error in the libTIFF library when handling CCITT Group
4 encoded TIFF images.

For more information:
http://secunia.com/SA43593/

5) A double free error in the libxml library when handling XPath
expressions.

For more information:
http://secunia.com/SA42721/

6) An error exists in the libxml library when traversing the XPath.

For more information:
http://secunia.com/SA42175/

7) Multiple unspecified errors in the WebKit component can be
exploited to corrupt memory.

8) An error in the WebKit component when elements are being appended
to the DOM tree during the display of an error message can be
exploited to access a freed element via a specially crafted document.

9) An error in the WebKit component when handling a DOM level 2 range
object can be exploited to corrupt memory by manipulating the DOM via
an event listener.

10) A use-after-free error in the "setOuterText()" method in the
htmlelement library (WebKit) when tracking DOM manipulations can be
exploited to dereference freed memory.

11) A use-after-free error in the WebKit component when promoting a
run-in element can be exploited to dereference freed memory.

12) An error in the WebKit component when performing layout
operations for a floating block of a pseudo-element can be exploited
to dereference uninitialised glyph data.

13) An error in the WebKit component when parsing a Root
HTMLBRElement element can be exploited to call an unmapped dangling
pointer.

14) An error in the JavaScript array "sort()" method (WebKit) can be
exploited to manipulate elements outside of the array's boundary.

SOLUTION:
Update to version 10.2.

ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT4554

iDefense VCP:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=897

ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-11-095/
http://www.zerodayinitiative.com/advisories/ZDI-11-096/
http://www.zerodayinitiative.com/advisories/ZDI-11-097/
http://www.zerodayinitiative.com/advisories/ZDI-11-098/
http://www.zerodayinitiative.com/advisories/ZDI-11-099/
http://www.zerodayinitiative.com/advisories/ZDI-11-100/
http://www.zerodayinitiative.com/advisories/ZDI-11-101/

