[Macpartners] Fwd: APPLE-SA-2007-10-30 Xcode 2.5 Developer Tools
Patrick McNeal
mcneal at MIT.EDU
Thu Nov 1 13:03:19 EDT 2007
Apple's released a new version of Xcode 2.x that contains two security
fixes. This new version, 2.5, can be downloaded by logging into
Apple's ADC site, selecting Downloads and then Developer Tools.
Begin forwarded message:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> APPLE-SA-2007-10-30 Xcode 2.5 Developer Tools
>
> Xcode 2.5 Developer Tools is now available and addresses the
> following issues:
>
> gdb
> CVE-ID: CVE-2006-2362
> Available for: Mac OS X v10.4.x, Mac OS X v10.5
> Impact: Processing a file with maliciously crafted TekHex content
> may lead to an unexpected application termination or arbitrary code
> execution
> Description: A buffer overflow exists in gdb's handling of files
> with Tektronix Hex Format (TekHex) content. By enticing a user to run
> gdb's "restore" command on a maliciously crafted TekHex file, an
> attacker may cause an unexpected application termination or arbitrary
> code execution. This update addresses the issue by performing
> additional validation of TekHex records.
>
> WebObjects
> CVE-ID: CVE-2006-5327, CVE-2006-5328
> Available for: Mac OS X v10.4.x, Mac OS X v10.5
> Impact: An unprivileged local user may be able to obtain system
> privileges
> Description: The Xcode WebObjects package contains a demo version of
> OpenBase for use with WebObjects example code. This demo version of
> OpenBase may allow a local user to obtain system privileges. This
> update addresses the issue by disabling the Apple-provided demo
> version of OpenBase. Credit to Kevin Finisterre of Netragard for
> reporting these issues.
>
> Xcode 2.5 Developer Tools may be obtained from the Apple Developer
> web site:
> http://developer.apple.com/tools/download/
> Login is required, and membership is free.
>
> The download file is named: "xcode25_8m2558_developerdvd.dmg"
> Its SHA-1 digest is: 30884704b0a4b098f02ccbb753958cd5331b8982
>
> Information will also be posted to the Apple Product Security
> web site:
> http://docs.info.apple.com/article.html?artnum=61798
>
> This message is signed with Apple's Product Security PGP key,
> and details are available at:
> http://www.apple.com/support/security/pgp/
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP Desktop 9.0.3 (Build 2932)
>
> -----END PGP SIGNATURE-----
------------------------------------------------------------------------------
Patrick McNeal
Macintosh Platform Coordinator - Software Release Team
Client Support Services, Information Services and Technology
Massachusetts Institute of Technology
N42-250E
Cambridge, MA 02139
+1 617 253-0196
mcneal at mit.edu
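
Added example, not part of the original message and not Apple's or the GNU project's code: a C sketch of the kind of "additional validation of TekHex records" the advisory mentions for CVE-2006-2362. It assumes the TekHex convention that a variable-length field is one hex length digit (0 meaning 16) followed by that many characters, and that the overflow came from a length character that was not checked to be a valid hex digit, as the public CVE description states; tekhex_read_field and hex_digit are hypothetical names.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TEKHEX_FIELD_MAX 16   /* one length digit: 1..15, and 0 means 16 */

/* Value of one hex digit (either case accepted), or -1 if c is not hex. */
static int hex_digit(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/*
 * Read one variable-length field from src, which holds `avail` unread
 * bytes of the record. out needs TEKHEX_FIELD_MAX + 1 bytes.
 * Returns the number of bytes consumed, or -1 if the field is malformed.
 */
int tekhex_read_field(const char *src, size_t avail,
                      char out[TEKHEX_FIELD_MAX + 1])
{
    int len;

    if (avail == 0)
        return -1;                  /* no length digit at all */
    len = hex_digit(src[0]);
    if (len < 0)
        return -1;                  /* length digit is not hex: reject */
    if (len == 0)
        len = TEKHEX_FIELD_MAX;     /* 0 encodes a 16-character field */
    if ((size_t)len > avail - 1)
        return -1;                  /* field would run past the record */
    memcpy(out, src + 1, (size_t)len);
    out[len] = '\0';
    return len + 1;
}

int main(void)
{
    /* Constructed sample fields, not taken from a real TekHex file. */
    const char *samples[] = { "3abc", "0ABCDEFGHIJKLMNOP", "Zabc", "5ab" };
    char out[TEKHEX_FIELD_MAX + 1];
    for (size_t i = 0; i < 4; i++)
        printf("%-18s -> %d\n", samples[i],
               tekhex_read_field(samples[i], strlen(samples[i]), out));
    return 0;
}
```

The copy length is bounded twice: by the single hex digit (at most 16) and by the bytes actually left in the record, so neither a bad length character nor a truncated record can write past the destination buffer.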