=====================================================================
                                  CERT-Renater

                       Information Note No. 2005/VULN333
_____________________________________________________________________

DATE                      : 26/05/2005

HARDWARE PLATFORM(S)      : APPLE.

OPERATING SYSTEM(S)       : Systems running Keynote versions 2 and 2.0.1.

======================================================================

APPLE-SA-2005-05-25 Keynote 2.0.2

Keynote 2.0.2 is now available and delivers the following security
improvement:

CVE-ID:  CAN-2005-1408

Impact:  A maliciously modified Keynote presentation could be
constructed to retrieve files from the local system.

Description:  With a specially crafted Keynote presentation and the
use of the "keynote:" URI handler, it is possible that local files
could be read and then sent to an arbitrary network location.  This
issue has been addressed in two ways:  references to external
resources have been limited, and the registration of the "keynote:"
URI handler has been removed.  This issue does not affect Keynote
versions prior to Keynote 2.  Credit to David Remahl of
www.remahl.se/david for reporting this issue.

Keynote 2.0.2 is available at
http://www.apple.com/iwork/keynote/download/
for Keynote versions 2 and 2.0.1

The download file is named:  "Keynote2.0.2.dmg"
Its SHA-1 digest is:  48e5befa0ef44b91fe3abd21a948e7ec4795a711

Information will also be posted to the Apple Product Security
web site:
http://docs.info.apple.com/article.html?artnum=61798

This message is signed with Apple's Product Security PGP key,
and details are available at:
http://www.apple.com/support/security/pgp/

======================================================================

         =========================================================
         CERT-Renater reference servers
         http://www.urec.fr/securite
         http://www.cru.fr/securite
         http://www.renater.fr
         =========================================================
         + CERT-RENATER          | tel : 01-53-94-20-44          +
         + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
         + 75013 Paris           | email: certsvp@renater.fr     +
         =========================================================


