[38154] in bugtraq
Fwd: APPLE-SA-2005-01-11 iTunes 4.7.1
daemon@ATHENA.MIT.EDU (David Ahmad)
Tue Jan 11 18:16:07 2005
Date: Tue, 11 Jan 2005 15:21:52 -0700
From: David Ahmad <da@securityfocus.com>
To: bugtraq@securityfocus.com
Message-ID: <20050111222152.GB17621@securityfocus.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2005-01-11 iTunes 4.7.1
iTunes 4.7.1 is now available and delivers the following security
enhancement:
CVE-ID: CAN-2005-0043
Impact: Malicious playlists can cause iTunes to crash and could
execute arbitrary code
Description: iTunes supports several common playlist formats.
iTunes 4.7.1 fixes a buffer overflow in the parsing of m3u and pls
playlist files that could allow earlier versions of iTunes to crash
and execute arbitrary code. Credit to Sean de Regge
(seanderegge[at]hotmail.com) for discovering this issue, and to
iDEFENSE Labs for reporting it to us.
Available for: Mac OS X, Microsoft Windows XP, Microsoft Windows
2000
iTunes 4.7.1 may be obtained from the Software Update pane in System
Preferences, or Apple's iTunes download site:
http://www.apple.com/itunes/download/
The download file is named: "iTunes4.7.1.dmg"
Its SHA-1 digest is: 2ae8c815f18756c24dfbc1ac7d837b75b828b92a
Information will also be posted to the Apple Product Security
web site:
http://docs.info.apple.com/article.html?artnum=61798
This message is signed with Apple's Product Security PGP key,
and details are available at:
http://www.apple.com/support/security/security_pgp.html
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1
iQEVAwUBQeQviJyw5owIz4TQAQIMrgf/fYmI5LZy5DM5a61kbXgnzq5OpQQPaidH
disRa8UbjGrr+sSvEytQaxgO5vbDsZWgDGYeeaHTUeyiBdznO/b7X9moUC0uXEtC
/a/CC2219AYeoQLJCMWhiIbrkL3OQ8QHoV3KaMlcg98tHgsrZKg1ssqEZszkjNrV
Jj1dm3hYn2/DHPqzhGy2+l4Lp/8Bdg2VwXJjCLrqD6cgcSAX0HVdVq+CM2VQ1DGH
O9PjkspNxoTR2iV0VbJdc+q/Mi1HXlouNaURgR01oBYGqZoQ2mxYGMLIthgVoyri
E/c5iyPq4lwDnhyjii4fajLO/3BW6MY7RVoNWv2ipYjVi1RPQ6d6iQ==
=SryY
-----END PGP SIGNATURE-----
--
David Mirza Ahmad
Symantec
PGP: 0x26005712
8D 9A B1 33 82 3D B3 D0 40 EB AB F0 1E 67 C6 1A 26 00 57 12
