Security update for Apple's Xcode Developer Tools
Apple is planning to release a new version of its Xcode Developer Tools for Mac OS X 10.4.x and 10.5, in which two vulnerabilities, both more than a year old, are fixed. The Xcode development environment, partially based on GNU tools, can be used to generate applications for all previous versions of Mac OS X.
The newly announced version 2.5 no longer allows crafted TekHex files to provoke a buffer overflow in gdb. When the restore command is executed, an attacker could exploit this buffer overflow to inject and execute code. In addition, the OpenBase database demo supplied as part of the WebObjects package is deactivated; in it, bugs in gnutar allow users with restricted privileges to access arbitrary data.
The link included in Apple's security advisory, however, currently points to the download page for Xcode 3.0 for Mac OS X 10.5.
- APPLE-SA-2007-10-30 Xcode 2.5 Developer Tools, announcement from Apple
(mba)