=====================================================================
CERT-Renater Information Note No. 2006/VULN374
_____________________________________________________________________

DATE                 : 30/06/2006
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running iTunes versions prior to 6.0.5.

======================================================================

APPLE-SA-2006-06-29 iTunes 6.0.5

iTunes 6.0.5 is now available and, in addition to its other content,
fixes the following security issue:

CVE-ID: CVE-2006-1467

Available for: Mac OS X v10.2.8 or later, Windows XP / 2000

Impact: An integer overflow in iTunes could cause a denial of service
or lead to the execution of arbitrary code

Description: The AAC file parsing code in iTunes versions prior to
6.0.5 contains an integer overflow vulnerability. Parsing a
maliciously-crafted AAC file could cause iTunes to terminate or
potentially execute arbitrary code. iTunes 6.0.5 addresses this issue
by improving the validation checks used when loading AAC files.
Credit to ATmaCA working with TippingPoint and the Zero Day Initiative
for reporting this issue.
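The description above names the vulnerability class but not the bug itself. As an added illustration (not Apple's or iTunes' code), the following C example uses a hypothetical chunk header, a 32-bit big-endian payload size followed by a 4-byte tag, with constructed sample bytes, and places the flawed bounds check that wraps in 32-bit arithmetic beside the hardened form that compares the untrusted size against the space actually remaining.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical chunk header: 4-byte big-endian payload size + 4-byte tag.
 * Illustrative only; this is not iTunes' real AAC/M4A parsing code. */
#define HDR_LEN 8u

static uint32_t rd_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Flawed check: size + HDR_LEN is computed in 32 bits and can wrap to a
 * small value, so an enormous size field slips past the bound check.
 * Returns the payload length the caller would go on to use, or -1. */
int64_t payload_len_flawed(const uint8_t *buf, size_t len) {
    if (len < HDR_LEN) return -1;
    uint32_t size  = rd_be32(buf);
    uint32_t total = size + HDR_LEN;        /* wraps for size >= 0xFFFFFFF8 */
    if (total > len) return -1;             /* passes after a wrap */
    return (int64_t)size;                   /* can far exceed len */
}

/* Hardened check: never add to the untrusted value; compare it against
 * what actually remains after the header, a subtraction that cannot wrap
 * because len >= HDR_LEN was established first. */
int64_t payload_len_checked(const uint8_t *buf, size_t len) {
    if (len < HDR_LEN) return -1;
    uint32_t size = rd_be32(buf);
    if (size > len - HDR_LEN) return -1;
    return (int64_t)size;
}

/* Constructed sample chunks (not real AAC data). */
static const uint8_t good_chunk[]    = { 0x00,0x00,0x00,0x04, 'd','a','t','a', 1,2,3,4 };
static const uint8_t crafted_chunk[] = { 0xFF,0xFF,0xFF,0xFC, 'd','a','t','a', 0,0,0,0 };

int main(void) {
    printf("good:    flawed=%lld checked=%lld\n",
           (long long)payload_len_flawed(good_chunk, sizeof good_chunk),
           (long long)payload_len_checked(good_chunk, sizeof good_chunk));
    printf("crafted: flawed=%lld checked=%lld\n",
           (long long)payload_len_flawed(crafted_chunk, sizeof crafted_chunk),
           (long long)payload_len_checked(crafted_chunk, sizeof crafted_chunk));
    return 0;
}
```

For the crafted chunk the flawed check accepts a payload length of 4294967292 bytes from a 12-byte buffer, while the hardened check rejects it.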
iTunes 6.0.5 may be obtained from:
http://www.apple.com/itunes/download/

For Mac OS X:
The download file is named: "iTunes6.0.5.dmg"
Its SHA-1 digest is: 668d53a8ca8126a852a470e4b9f7b13c0ecd3db3

For Windows 2000 or XP:
The download file is named: "iTunesSetup.exe"
Its SHA-1 digest is: 0a82011b904e9fea33b1482deaea93094e008d96

Information will also be posted to the Apple Product Security web site:
http://docs.info.apple.com/article.html?artnum=61798

This message is signed with Apple's Product Security PGP key, and
details are available at:
http://www.apple.com/support/security/pgp/

======================================================================

=========================================================
CERT-Renater reference servers
http://www.urec.fr/securite
http://www.cru.fr/securite
http://www.renater.fr
=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44       +
+ 151 bd de l'Hopital   | fax : 01-53-94-20-41       +
+ 75013 Paris           | email: certsvp@renater.fr  +
=========================================================