=====================================================================
                                  CERT-Renater

                       Note d'Information No. 2005/VULN272
_____________________________________________________________________

DATE                      : 20/04/2005

HARDWARE PLATFORM(S)      : APPLE.

OPERATING SYSTEM(S)       : Mac OS running iSync 1.5.

======================================================================

APPLE-SA-2005-04-19 Security Update 2005-004

Security Update 2005-004 is now available and delivers the following
security enhancement:

iSync
Available for:  iSync 1.5
CVE-ID:  CAN-2005-0193
Impact:  A buffer overflow in iSync could lead to local privilege
escalation
Description:  The iSync helper tool mRouter contains a buffer
overflow vulnerability. This could result in the execution of
arbitrary commands as root by local system users.  Security Update
2005-004 fixes this problem by providing a patched version of
mRouter.  iSync 1.4 is also affected by this vulnerability, and
customers are encouraged to update to the freely available iSync 1.5
version, then apply Security Update 2005-004.  Credit to Braden
Thomas for reporting this issue.

Security Update 2005-004 may be obtained from the Software Update
pane in System Preferences, or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/

The download file is named:  "SecUpd2005-004Pan.dmg"
Its SHA-1 digest is:  5ef91d98b43ff8d139b2b18782487fc5d13eb21a

Information will also be posted to the Apple Product Security
web site:
http://docs.info.apple.com/article.html?artnum=61798

This message is signed with Apple's Product Security PGP key,
and details are available at:
http://www.apple.com/support/security/pgp/

======================================================================

         =========================================================
         Les serveurs de référence du CERT-Renater
         http://www.urec.fr/securite
         http://www.cru.fr/securite
         http://www.renater.fr
         =========================================================
         + CERT-RENATER          | tel : 01-53-94-20-44          +
         + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
         + 75013 Paris           | email: certsvp@renater.fr     +
         =========================================================