updated 06:45 pm EDT, Tue October 30, 2007
Xcode 2.5 released
Apple has released version 2.5 of its Xcode Developer Tools. The release fixes two security issues. The first is a flaw in which processing a file with maliciously crafted TekHex content may lead to an unexpected application termination or arbitrary code execution. The problem occurs because a buffer overflow exists in gdb's handling of files with Tektronix Hex Format (TekHex) content. By enticing a user to run gdb's "restore" command on a maliciously crafted TekHex file, an attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of TekHex records.
The second security refinement deals with WebObjects. An unprivileged local user may be able to obtain system privileges. The Xcode WebObjects package contains a demo version of OpenBase for use with WebObjects example code. This demo version of OpenBase may allow a local user to obtain system privileges. This update addresses the issue by disabling the Apple-provided demo version of OpenBase.
Xcode 2.5 Developer Tools can be downloaded by Apple Developers (registration is free) from this download page.