KDE patches Month of Apple Bugs bug
A number of manufacturers have reacted to the general problem in the specifications for Portable Document Format (PDF) files, discovered as part of the Month of Apple Bugs project, and have released updates. This includes the developers of KDE, who have released an update for kpdf and KOffice (kword); both share code with the xpdf application, which is affected by the bug. A document containing a crafted "catalog dictionary" or incorrect page attributes can cause the application to enter an endless loop, resulting in the application hanging.
In addition, the team behind MOAB have published details of a third vulnerability, with which users (or malware which has penetrated the system) can obtain root privileges. As with the bill of materials (BOM) vulnerability, this problem arises from the fact that the repair mode of Apple's Disk Management Framework resets file permissions to the original state. This time round, the bug report illustrates this via binaries with SUID root in the Applications folder, to which users in the Admin group have write privileges.
The first user created on a Mac system is automatically a member of this group, unless subsequently removed by means of a system setting. A binary can then easily be overwritten with another application and, by using the repair function, be reassigned the correct user and SUID bit (diskutil repairPermissions /).
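The precondition described above, a set-uid root binary that members of a group can overwrite or replace, can be checked for on a system. The following audit function is an added example, not part of the MOAB report or of any Apple tool; the name audit_suid and its optional owner argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original article).
# audit_suid DIR [OWNER]
#   Lists set-uid files under DIR owned by OWNER (default: root) that
#   someone other than the owner could modify or replace:
#     - the file itself is group- or world-writable, or
#     - its parent directory is group- or world-writable.
#   The OWNER argument is hypothetical; it only exists so the check can be
#   exercised without root. Paths containing newlines are not supported.
#   Sticky-bit directories are still reported and need manual review.
audit_suid() {
    dir=$1
    owner=${2:-root}
    # -perm -4000 selects files with the set-uid bit; -xdev stays on one volume.
    find "$dir" -xdev -type f -user "$owner" -perm -4000 -print 2>/dev/null |
    while IFS= read -r f; do
        reason=
        # Is the binary itself writable by its group or by everyone?
        if [ -n "$(find "$f" -prune \( -perm -0020 -o -perm -0002 \) -print)" ]; then
            reason="file writable by group/other"
        else
            # A writable parent directory allows the file to be replaced.
            parent=$(dirname "$f")
            if [ -n "$(find "$parent" -prune \( -perm -0020 -o -perm -0002 \) -print)" ]; then
                reason="parent directory writable by group/other"
            fi
        fi
        if [ -n "$reason" ]; then
            printf '%s\t%s\n' "$f" "$reason"
        fi
    done
    return 0
}

# Usage on a Mac, for the folder named in the article:
#   audit_suid /Applications
```

Any path it reports should have its group write access removed or its set-uid bit reviewed before a permissions repair is run.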
In addition, according to the MOAB team, there is also a format string vulnerability in the Colloquy chat client for the Mac, which can be exploited to inject code using prepared INVITE requests. Colloquy 2.1 under PPC and Intel is affected. However, build 3558, released today, appears to fix the problem.
- kpdf/kword/xpdf denial of service vulnerability, security advisory from KDE
- the Month of Apple Bugs, overview of all bugs found