SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   OS (UNIX)  >   Apple macOS/OS X Vendors:   Apple
Mac OS X Finder May Display Misleading Ownership Information
SecurityTracker Alert ID:  1015123
SecurityTracker URL:  http://securitytracker.com/id/1015123
CVE Reference:   CVE-2005-2749   (Links to External Site)
Date:  Nov 1 2005
Impact:   Modification of system information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): OS X 10.4.2
Description:   A vulnerability was reported in Mac OS X in Finder. The system may display misleading file ownership information.

The Finder utility may display incorrect file and group ownership information in the Finder Get Info window. In certain cases, the displayed ownership information is not synchronized with the actual ownership information.

Systems prior to Mac OS X v10.4 are not affected.

Impact:   The system may display misleading file ownership information.
Solution:   The vendor has issued a fix as part of Mac OS X v10.4.3, available via the Software Update pane in System Preferences, or Apple's Software Downloads web site at:

http://www.apple.com/support/downloads/

For Mac OS X v10.4.2
The download file is named: "MacOSXUpdate10.4.3.dmg"
Its SHA-1 digest is: d5f641c111621705dd0da4ecdd733a1f47c576a3

For Mac OS X Server v10.4.2
The download file is named: "MacOSXServerUpdate10.4.3.dmg"
Its SHA-1 digest is: a2cea3387079e92618b02196e7683c85377d512f

Vendor URL:  docs.info.apple.com/article.html?artnum=61798 (Links to External Site)
Cause:   State error

Message History:   None.


 Source Message Contents

Subject:  APPLE-SA-2005-10-31 Mac OS X v10.4.3

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2005-10-31 Mac OS X v10.4.3

Mac OS X v10.4.3 and Mac OS X Server v10.4.3 are now available and
deliver the following security enhancements:

Finder
CVE-ID:  CVE-2005-2749
Available for:  Mac OS X v10.4.2, Mac OS X Server v10.4.2
Impact:  File ownership information may be misleading
Description:  Under certain situations, the file and group ownership
information displayed in the Finder Get Info window may not be
correct. This update addresses the issue by synchronizing the
displayed ownership with the actual ownership in all situations.
This issue does not affect systems prior to Mac OS X v10.4.

Software Update
CVE-ID:  CVE-2005-2750
Available for:  Mac OS X v10.4.2, Mac OS X Server v10.4.2
Impact:  Important Software Updates may not install
Description:  Software Update can be instructed by the user to
ignore specific updates. If all applicable updates have been marked
in this way, Software Update will exit without providing an an
opportunity to reset the status of these updates so that they may
be installed. This update addresses the issue by asking whether the
ignored updates list should be reset when this situation is
encountered. This issue does not affect systems prior to Mac OS X
v10.4.

memberd
CVE-ID:  CVE-2005-2751
Available for:  Mac OS X Server v10.4.2
Impact:  Changes to group membership are delayed for hours
Description:  In certain situations, changes to a group's membership
may not be immediately reflected in access control checks. This may
result in an authenticated user being able to access files or other
resources even after they have been removed from a group. This
update addresses the issue by invalidating the group membership
cache at appropriate times. This issue does not affect systems
prior to Mac OS X v10.4.

Keychain
CVE-ID:  CVE-2005-2739
Available for:  Mac OS X v10.4.2, Mac OS X Server v10.4.2
Impact:  Keychain Access will continue displaying plaintext
passwords after lock timeout
Description:  Keychain Access is a utility distributed with Mac OS X
that is used to view keychain items and change keychain settings.
If a keychain automatically locks due to a timeout while viewing a
password stored inside it, that password will remain visible. This
update patches Keychain Access so that passwords are hidden when
keychains lock. This issue does not affect systems prior to Mac OS
X v10.4. Credit to Eric Hall of DarkArt Consulting Services for
reporting this issue.

Kernel
CVE-ID:  CVE-2005-1126, CVE-2005-1406, CVE-2005-2752
Available for:  Mac OS X v10.4.2, Mac OS X Server v10.4.2
Impact:  Kernel memory may be disclosed to local users
Description:  Certain kernel interfaces may return data that
includes sensitive information in uninitialized memory. These
issues affect Mac OS X v10.4.2 and earlier. Credit to Ilja van
Sprundel and Neil Archibald of Suresec LTD, and Colin Percival of
the FreeBSD team for reporting these issues.

Mac OS X v10.4.3 may be obtained from the Software Update pane in
System Preferences, or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/

For Mac OS X v10.4.2
The download file is named:  "MacOSXUpdate10.4.3.dmg"
Its SHA-1 digest is:  d5f641c111621705dd0da4ecdd733a1f47c576a3

For Mac OS X v10.4 and Mac OS X v10.4.1
The download file is named:  "MacOSXUpdateCombo10.4.3.dmg"
Its SHA-1 digest is:  1264c6c4583aa163a6e8465fbad7d0ff58b32086

For Mac OS X Server v10.4.2
The download file is named:  "MacOSXServerUpdate10.4.3.dmg"
Its SHA-1 digest is:  a2cea3387079e92618b02196e7683c85377d512f

For Mac OS X Server v10.4 and Mac OS X Server v10.4.1
The download file is named:  "MacOSXSrvrUpdCombo10.4.3.dmg"
Its SHA-1 digest is:  6dbc793d6613861d7e1954c477f11215db1bb569

Information will also be posted to the Apple Product Security
web site:  http://docs.info.apple.com/article.html?artnum=61798

This message is signed with Apple's Product Security PGP key,
and details are available at:
http://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.0.2 (Build 2425)

iQEVAwUBQ2aaL4HaV5ucd/HdAQJ+Hgf/efHQVD9Kbi3pAwoZQna3jk5tp7kqFSfS
6/MgxTz8b8AhYQAReuKQpK4uQEc2Zy3lgWOLwaaPFcfX2wunKR3we27DSUK0Nmyz
KhHf0Rr7bAnDd8kcU6DnRQEQgKb2PNZ0D6Va5Q3/19e/wFE6hI2Tm3aW7vyKPiQo
KnstC0s6KT3J2bPeaXWEJH3RTqEa5ki1sO6gDejsO9Ym4niAvSNNYooa3f/afUYU
MQqgOuXSQqKiBWQiijMrJz5ytix1jTGplkr4pEppYnfqHxTtKGY5MjXmjfX8luM9
Dj3D+bRqVQHZ6YfY9f7fKx/5rRZDXxTViHCISPh6466QJzxf26GPvg==
=EDGT
-----END PGP SIGNATURE-----

 _______________________________________________
Do not post admin requests to the list. They will be ignored.
Security-announce mailing list      (Security-announce@lists.apple.com)
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC