Vulnerability CVE-2008-0987


Published: 2008-03-18   Modified: 2011-08-04

Description:
Stack-based buffer overflow in Image Raw in Apple Mac OS X 10.5.2, and Digital Camera RAW Compatibility before Update 2.0 for Aperture 2 and iPhoto 7.1.2, allows remote attackers to execute arbitrary code via a crafted Adobe Digital Negative (DNG) image.

Type: CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer)

Vendor: Apple
Product: iPhoto
Version: 7.1.2
Product: Aperture
Version: 2

CVSS2 => (AV:N/AC:M/Au:N/C:P/I:P/A:P)

CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

References:
http://www.us-cert.gov/cas/techalerts/TA08-079A.html
http://lists.apple.com/archives/security-announce/2008/Mar/msg00001.html
http://xforce.iss.net/xforce/xfdb/41294
http://www.vupen.com/english/advisories/2008/0957/references
http://www.vupen.com/english/advisories/2008/0924/references
http://www.securitytracker.com/id?1019684
http://www.securitytracker.com/id?1019683
http://www.securitytracker.com/id?1019659
http://www.securityfocus.com/bid/28363
http://www.securityfocus.com/bid/28304
http://support.apple.com/kb/HT1232
http://secunia.com/advisories/29469
http://secunia.com/advisories/29420
http://lists.apple.com/archives/security-announce/2008/Mar/msg00003.html
http://docs.info.apple.com/article.html?artnum=307562

Related CVE
CVE-2010-1821
Apple Mac OS X 10.6 through 10.6.3 and Mac OS X Server 10.6 through 10.6.3 allows local users to obtain system privileges.
CVE-2010-1816
Buffer overflow in ImageIO in Apple Mac OS X 10.6 through 10.6.3 and Mac OS X Server 10.6 through 10.6.3 allows remote attackers to execute arbitrary code or cause a denial of service (crash) via a crafted image.
CVE-2017-2387
The Apple Music (aka com.apple.android.music) application before 2.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate...
CVE-2017-6975
Wi-Fi in Apple iOS before 10.3.1 does not prevent CVE-2017-6956 stack buffer overflow exploitation via a crafted access point. NOTE: because an operating system could potentially isolate itself from CVE-2017-6956 exploitation without patching Broadc...
CVE-2017-5949
JavaScriptCore in WebKit, as distributed in Safari Technology Preview Release 22, allows remote attackers to cause a denial of service (heap-based out-of-bounds write and application crash) or possibly have unspecified other impact via crafted JavaSc...
CVE-2016-10226
JavaScriptCore in WebKit, as distributed in Safari Technology Preview Release 18, allows remote attackers to cause a denial of service (bitfield out-of-bounds read and application crash) via crafted JavaScript code that is mishandled in the operatorS...
CVE-2016-10222
runtime/JSONObject.cpp in JavaScriptCore in WebKit, as distributed in Safari Technology Preview Release 18, allows remote attackers to cause a denial of service (segmentation violation and application crash) via crafted JavaScript code that triggers ...
CVE-2017-6974
An issue was discovered in certain Apple products. macOS before 10.12.4 is affected. The issue involves the system-installation subsystem of the "System Integrity Protection" component. It allows attackers to modify the contents of a protected disk l...

Copyright 2017, cxsecurity.com