=====================================================================
                                   CERT-Renater

                        Note d'Information No. 2008/VULN506
_____________________________________________________________________

DATE                      : 12/11/2008

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running iLife 8.0, Aperture 2.

======================================================================

APPLE-SA-2008-11-10 iLife Support 8.3.1

iLife Support 8.3.1 is now available and addresses the following
security issues:

ImageIO
CVE-ID:  CVE-2008-2327
Available for:  iLife 8.0 or Aperture 2,
on Mac OS v10.4.9 through v10.4.11
Impact:  Viewing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution
Description:  Multiple uninitialized memory access issues exist in
libTIFF's handling of LZW-encoded TIFF images. Viewing a maliciously
crafted TIFF image may lead to an unexpected application termination
or arbitrary code execution. This update addresses the issue through
proper memory initialization and additional validation of TIFF
images. These issues are already addressed in systems running Mac OS
X v10.5.5. Credit: Apple.

ImageIO
CVE-ID:  CVE-2008-2332
Available for:  iLife 8.0 or Aperture 2,
on Mac OS v10.4.9 through v10.4.11
Impact:  Viewing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution
Description:  A memory corruption issue exits in the handling of TIFF
images. Viewing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution. This
update addresses the issue through improved processing of TIFF
images. This issue is already addressed in systems running Mac OS X
v10.5.5. Credit to Robert Swiecki of Google Security Team for
reporting this issue.

ImageIO
CVE-ID:  CVE-2008-3608
Available for:  iLife 8.0 or Aperture 2,
on Mac OS v10.4.9 through v10.4.11
Impact:  Viewing a large maliciously crafted JPEG image may lead to
an unexpected application termination or arbitrary code execution
Description:  A memory corruption issue exists in ImageIO's handling
of embedded ICC profiles in JPEG images. Viewing a large maliciously
crafted JPEG image may lead to an unexpected application termination
or arbitrary code execution. This update addresses the issue through
improved processing of ICC profiles. This issue is already addressed
in systems running Mac OS X v10.5.5. Credit: Apple.

iLife Support 8.3.1 may be obtained from the Software Update
pane in System Preferences, or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/

The download file is named: "iLifeSupport.dmg"
Its SHA-1 digest is: 2911f4608c3c69eb8056a5bf6d5186a4f403517d

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key,
and details are available at:
http://www.apple.com/support/security/pgp/

======================================================================

          =========================================================
          Les serveurs de référence du CERT-Renater
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================