Apple's list of security fixes in Mac OS X 10.3 ("Panther")

From: Aron Roberts <aron_at_socrates.berkeley.edu>
Date: Wed Oct 29 2003 - 10:48:03 PST

   Apple has now formally listed the major security fixes incorporated
in its just released Mac OS X 10.3 ("Panther"), below. These include
fixes for three significant Mac OS X vulnerabilities identified by
@stake, mentioned in postings to the MAGNet and ucb-security lists
earlier today and yesterday.

   The just-released Mac OS X 10.3 itself contained a vulnerability in
QuickTime Java, for which Apple has also released a new Security
Update, below.

   As mentioned earlier, it is not clear at this point whether Apple
will release Security Updates for the @stake-identified
vulnerabilities or any other issues listed below for Mac OS X 10.2
("Jaguar") or Mac OS X 10.1.

Aron Roberts
Workstation Software Support Group

P.S. The "blind typing into the Dock" issue below (CAN-2003-0880) --
which could potentially give someone at least limited control over a
Macintosh even when its password-protected screen saver was active --
had escaped being addressed in at least one earlier Security Update.
It is heartening to see that Apple has finally addressed it in Mac OS
X 10.3.

---
Date: Tue, 28 Oct 2003 22:02:03 -0800
From: security-announce-request@lists.apple.com
Subject: security-announce digest, Vol 2 #35 - 2 msgs
To: security-announce@lists.apple.com
Sender: security-announce-admin@lists.apple.com
...
To subscribe or unsubscribe via the World Wide Web, visit
	http://www.lists.apple.com/mailman/listinfo/security-announce
or, via email, send a message with subject or body 'help' to
	security-announce-request@lists.apple.com
...
Today's Topics:
    1. APPLE-SA-2003-10-28 Mac OS X 10.3 Panther (Product Security)
    2. APPLE-SA-2003-10-28 Security Update 2003-10-28 (Apple Product Security)
--__--__--
Message: 1
Date: Tue, 28 Oct 2003 09:46:35 -0800
Subject: APPLE-SA-2003-10-28 Mac OS X 10.3 Panther
From: Product Security <product-security@apple.com>
To: <security-announce@lists.apple.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2003-10-28 Mac OS X 10.3 Panther
Mac OS X 10.3 Panther has been released, and it contains the following
security enhancements:
Finder: Fixes CAN-2003-0876 where folder permissions may not be
    preserved when copying a folder from a mounted volume such as a
    disk image.  Credit to Dave G. from @stake, Inc. for finding this
    issue.
Kernel: Fixes CAN-2003-0877 where if a system is running with core
    files enabled, a user with interactive shell access can overwrite
    arbitrary files, and read core files created by root-owned
    processes.  This may result in sensitive information such as
    authentication credentials being compromised. Core file creation is
    disabled by default on Mac OS X. Credit to Dave G. from @stake,
    Inc. for finding this issue.
slpd:  Fixes CAN-2003-0878 where, when Personal File Sharing is enabled,
    the slpd daemon may create a root-owned file in the /tmp directory.
    This could overwrite an existing file and allow a user to gain
    elevated privileges. Personal File Sharing is off by default in Mac
    OS X.  Credit to Dave G. from @stake, Inc. for finding this issue.
Kernel: Fixes CAN-2003-0895 where it may be possible for a local user
    to cause the Mac OS X kernel to crash by specifying a long command
    line argument. The machine will reboot on its own after several
    minutes. Credit to Dave G. from @stake, Inc. for finding this
    issue.
ktrace: Fixes CVE-2002-0701, a theoretical exploit where, when ktrace is
    enabled through the KTRACE kernel option, a local user might be
    able to obtain sensitive information.  No specific utility is
    currently known to be vulnerable to this particular problem.
nfs: Fixes CVE-2002-0830 for the Network File System where a remote
    user may be able to send RPC messages that cause the system to lock
    up.
zlib: Addresses CAN-2003-0107. While there were no functions in Mac OS
    X that used the vulnerable gzprintf() function, the underlying
    issue in zlib has been fixed.
gm4: Fixes CAN-2001-1411, a format string vulnerability in the gm4
    utility. No setuid root programs relied on gm4 and this fix is a
    preventative measure against a possible future exploit.
OpenSSH: Fixes CAN-2003-0386 where "from=" and "user@hosts"
    restrictions are potentially spoofable via reverse DNS for
    numerically specified IP addresses. Mac OS X 10.3 also incorporates
    prior fixes released for OpenSSH, and the version of OpenSSH as
    obtained via the "ssh -V" command is:
    OpenSSH_3.6.1p1+CAN-2003-0693, SSH protocols 1.5/2.0, OpenSSL
    0x0090702f
nidump:  Fixes CAN-2001-1412 where the nidump utility provides access
    to the crypted passwords used to authenticate logins.
System Preferences:  Fixes CAN-2003-0883 where after authenticating
    with an administrator password, the system will continue to allow
    access to secure Preference Panes for a short period of time.  This
    could allow a local user to access Preference Panes that they would
    not normally be able to use.  In Mac OS X 10.3 Security
    preferences, there is now a choice to "Require password to unlock
    each secure system preference". Credit to Anthony Holder for
    reporting this issue.
TCP timestamp: Fixes CAN-2003-0882 where the TCP timestamp is
    initialized with a constant number. This could allow a person to
    discover how long the system has been up based upon the ID in TCP
    packets.  In Mac OS X 10.3, the TCP timestamp is now initialized
    with a random number. Credit to Aaron Linville for reporting this
    issue and submitting a fix via the Darwin open source program.
Mail:  Fixes CAN-2003-0881 in the Mac OS X Mail application, where, if an
    account is configured to use MD5 Challenge Response, it will
    attempt to login using CRAM-MD5 but will silently fall back to
    plain-text if the hashed login fails. Credit to Chris Adams for
    reporting this issue.
Dock: Fixes CAN-2003-0880 where, when Full Keyboard Access is turned on via
    the Keyboard pane in System Preferences, Dock functions can be
    accessed blindly from behind Screen Effects.
Other security features:  Mac OS X 10.3 contains a number of other
    security features which may be found at:
    http://www.apple.com/macosx/features/security/
================================================
Further information on Mac OS X 10.3 may be obtained from:
http://www.apple.com/macosx/
This message is signed with Apple's Product Security PGP key, and
details are available at:
http://www.apple.com/support/security/security_pgp.html
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.2
iQEVAwUBP56rFXeI0z6bzFr0AQIvKAgAg781rk+PU4rGZAo4/5z6OCD6f8cdy7ra
cyP9Ojg8u58g4UisHF4cF9gvVq99TT5WXhMEHZHE+/TFetUj08xyY6q5FJa9VtNg
YcO66fwHGKjB7AlXJmux/nwV0r2x8hqyx2Q0PHCgPMo9MWtO3/tUM6Gpc8kA/JeH
Rd0Csw3ejm4zBIP/t5C5QY/20KZJ9i5S48Nw6neLmJf/mBAfjvMkZM1R+pPN/58A
BwSiuILg8qxE2kf4roMJUTSOf8ToFGTD8X5sp/p15YBzjvknVV5ls7XHCwlkz+iF
W04E3CFbeX9ixTtrHPzStPKAtiRwai1oqx0LRd2mApnYTvbl9lMCOw==
=PJi8
-----END PGP SIGNATURE-----
--__--__--
Message: 2
Date: Tue, 28 Oct 2003 13:58:21 -0800
Subject: APPLE-SA-2003-10-28 Security Update 2003-10-28
From: Apple Product Security <product-security@apple.com>
To: <security-announce@lists.apple.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2003-10-28 Security Update 2003-10-28
Security Update 2003-10-28 is available.
It addresses CAN-2003-0871, a potential vulnerability in the
implementation of QuickTime Java in Mac OS X v10.3 and Mac OS X Server
v10.3 that could allow unauthorized access to a system.
The issue does not exist in earlier versions of Mac OS X or Mac OS X
Server.
================================================
Security Update 2003-10-28 may be obtained from:
   * Software Update pane in System Preferences
   * Apple's Software Downloads web site:
     http://www.info.apple.com/kbnum/n120266
     The download file is named: "SecurityUpd2003-10-28.dmg"
     Its SHA-1 digest is: 057243959189a3f0fcffca6fa384698f9213cd31
Information will also be posted to the Apple Product Security web
site:
http://www.apple.com/support/security/security_updates.html
This message is signed with Apple's Product Security PGP key, and
details are available at:
http://www.apple.com/support/security/security_pgp.html
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.2
iQEVAwUBP57lg3eI0z6bzFr0AQItgAf/cSFZ9tJr3YVZFRpodupIC3AlJ6LnsFgL
kkQ6LVKBY7FeZUpFe05JDN0jzpuuCMhFs5NksvzCpKxWGaE/+IRbETwdq1vplDWC
dyfgxyvbVFoOfmRVZeLU8CAw5ulSO0/GGX1x1tm8kN6qDoMYfcRopWsLm3ECBzUz
V39qgr3XvLlcbb4P4+E0yPIQLsylkql6Ox24N309QaTIW5BO4VuYynIKQLegWjDU
sRVNdRifO5gpW2x53XR+aPsmIvkaIQvTRlZ7Rylnuhd2V6hQ9C3yXB6f7s161aoF
596Pi1FW6uUTNafcaBrITSydHAPb1Roi20NbhkS1zh7fgTJGEwByBw==
=eIOL
-----END PGP SIGNATURE-----
--__--__--
_______________________________________________
security-announce mailing list | security-announce@lists.apple.com
Help/Unsubscribe/Archives: 
http://www.lists.apple.com/mailman/listinfo/security-announce
Do not post admin requests to the list. They will be ignored.
End of security-announce Digest
------------------------------------------------------------------------
The following was automatically added to this message by the list server:
For information about MAGNet, its meetings and events, and its
mailing list, including information on subscribing and unsubscribing,
see the MAGNet Web site at <http://magnet.berkeley.edu/>.
Received on Wed Oct 29 10:49:34 2003

This archive was generated by hypermail 2.1.8 : Wed Oct 29 2003 - 10:49:34 PST