Mac OS 10.5.5 packs plethora of security fixes

With the release of Mac OS X 10.5.5 on Monday, Apple provided patches for almost three dozen software flaws.

Some of the fixes are specific to Apple features, such as image processing and Finder. Other fixes are updates to various open-source projects, including Bind, ClamAV, OpenSSH and Ruby.

Version 10.5.5 can be obtained from the Apple software downloads page.

ATS
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 to v10.5.4, and Mac OS X Server v10.5 to v10.5.4.

The update addresses the issue in CVE-2008-2305 in which viewing a document containing a maliciously crafted font may lead to arbitrary code execution.

Apple credited Chris Ries of Carnegie Mellon University Computing Services for reporting this vulnerability.

Bind
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 to v10.5.4, and Mac OS X Server v10.5 to v10.5.4.

The update upgrades users to Bind version 9.4.2-P2, which addresses performance issues associated with Bind version 9.4.2-P1.

ClamAV
This patch affects users of Mac OS X Server v10.4.11 and Mac OS X Server v10.5 to v10.5.4.

The update addresses the vulnerabilities detailed within CVE-2008-1100, CVE-2008-1387, CVE-2008-0314, CVE-2008-1833, CVE-2008-1835, CVE-2008-1836, CVE-2008-1837, CVE-2008-2713, and CVE-2008-3215 by updating Mac OS users to ClamAV version 0.93.3.

Directory services
This patch affects users of Mac OS X v10.5 to v10.5.4 and Mac OS X Server v10.5 to v10.5.4.

The update addresses the vulnerability detailed in CVE-2008-2329, in which a person with access to the login screen may be able to list user names.

Apple said an information-disclosure issue exists in Login Window when it is configured to authenticate users with Active Directory. "By supplying wildcard characters in the user-name field, a list of user names from Active Directory may be displayed."

Directory services II
This patch affects users of Mac OS X Server v10.4.11, and Mac OS X Server v10.5 to v10.5.4.

The update addresses the insecure file operation vulnerability within CVE-2008-2330, in which a local user may obtain the server password if an OpenLDAP system administrator runs 'slapconfig'.

Finder
This patch affects users of Mac OS X v10.5 to v10.5.4 and Mac OS X Server v10.5 to v10.5.4.

The update addresses the details within CVE-2008-2331 in which the Get Info window may not display the actual privileges for a file.

Apple said: "Finder does not update the displayed permissions under some circumstances in a Get Info window. After clicking the lock button, changes to the file system Sharing & Permissions will take effect, but will not be displayed. This issue does not affect systems prior to Mac OS X v10.5."

Apple credited Michel Colman for reporting the vulnerability.

Finder II
This patch affects users of Mac OS X v10.5 to v10.5.4 and Mac OS X Server v10.5 to v10.5.4, specifically those running Mac OS X v10.5.2, MacBook Air running Mac OS X v10.5.3, and MacBook Air running Mac OS X v10.5.4.

The update addresses a vulnerability detailed within CVE-2008-3613, in which an attacker with access to the local network may cause a denial of service.

Apple credited Yuxuan Wang of Sogou for reporting the vulnerability.

ImageIO
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 to v10.5.4, and Mac OS X Server v10.5 to v10.5.4.

The update addresses the issue detailed within CVE-2008-2327, in which viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution.

Apple said multiple, uninitialised memory-access issues exist in LibTIFF's handling of LZW-encoded TIFF images.

ImageIO II
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 to v10.5.4, and Mac OS X Server v10.5 to v10.5.4.

The update addresses the issue detailed within CVE-2008-2332, in which viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution.

Apple said there's a memory-corruption issue that exits in ImageIO's handling of TIFF images.

Apple credited Robert Swiecki of Google Security Team for reporting this vulnerability.

ImageIO III
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 to v10.5.4, and Mac OS X Server v10.5 to v10.5.4.

The update addresses the vulnerability detailed within CVE- CVE-2008-3608, in which viewing a large, maliciously crafted JPEG image may lead to an unexpected application termination or arbitrary code execution.

Apple said there's a memory-corruption issue that exists in ImageIO's handling of embedded ICC profiles in JPEG images.

ImageIO IV
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 to v10.5.4, and Mac OS X Server v10.5 to v10.5.4.

The update addresses the vulnerability detailed within CVE-2008-1382, in which libpng in ImageIO is updated to version 1.2.29.

Apple added that CVE-2008-1382 is not known to affect the use of libpng in ImageIO, so this update is applied as a precautionary measure.

Kernel
This patch affects users of Mac OS X v10.5 to v10.5.4, and Mac OS X Server v10.5 to v10.5.4.

The update addresses the vulnerability detailed within CVE-2008-3609, in which files may be accessed by a local user who does not have the proper permissions.

Apple said cached credentials are not always flushed when a vnode is recycled.

Apple credited Nevin ':-)' Liber, Thomas Pelaia of Oak Ridge National Lab, Thomas Tempelmann, and Ram Kolli for reporting this vulnerability.

Libresolv
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 to v10.5.4, and Mac OS X Server v10.5 to v10.5.4.

The update addresses the vulnerability detailed within CVE-2008-1447, in which libresolv is susceptible…