Headline
Apple Security Advisory 2023-01-24-1
Apple Security Advisory 2023-01-24-1 - tvOS 16.3 addresses bypass, code execution, and information leakage vulnerabilities.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
APPLE-SA-2023-01-24-1 tvOS 16.3
tvOS 16.3 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/HT213601.
AppleMobileFileIntegrity
Available for: Apple TV 4K (all models) and Apple TV HD
Impact: An app may be able to access user-sensitive data
Description: This issue was addressed by enabling hardened runtime.
CVE-2023-23499: Wojciech Reguła (@_r3ggi) of SecuRing
(wojciechregula.blog)
ImageIO
Available for: Apple TV 4K (all models) and Apple TV HD
Impact: Processing an image may lead to a denial-of-service
Description: A memory corruption issue was addressed with improved
state management.
CVE-2023-23519: Yiğit Can YILMAZ (@yilmazcanyigit)
Kernel
Available for: Apple TV 4K (all models) and Apple TV HD
Impact: An app may be able to leak sensitive kernel state
Description: The issue was addressed with improved memory handling.
CVE-2023-23500: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte.
Ltd. (@starlabs_sg)
Kernel
Available for: Apple TV 4K (all models) and Apple TV HD
Impact: An app may be able to determine kernel memory layout
Description: An information disclosure issue was addressed by
removing the vulnerable code.
CVE-2023-23502: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte.
Ltd. (@starlabs_sg)
Kernel
Available for: Apple TV 4K (all models) and Apple TV HD
Impact: An app may be able to execute arbitrary code with kernel
privileges
Description: The issue was addressed with improved memory handling.
CVE-2023-23504: Adam Doupé of ASU SEFCOM
Maps
Available for: Apple TV 4K (all models) and Apple TV HD
Impact: An app may be able to bypass Privacy preferences
Description: A logic issue was addressed with improved state
management.
CVE-2023-23503: an anonymous researcher
Safari
Available for: Apple TV 4K (all models) and Apple TV HD
Impact: Visiting a website may lead to an app denial-of-service
Description: The issue was addressed with improved handling of
caches.
CVE-2023-23512: Adriatik Raci
Weather
Available for: Apple TV 4K (all models) and Apple TV HD
Impact: An app may be able to bypass Privacy preferences
Description: The issue was addressed with improved memory handling.
CVE-2023-23511: Wojciech Regula of SecuRing (wojciechregula.blog), an
anonymous researcher
WebKit
Available for: Apple TV 4K (all models) and Apple TV HD
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: The issue was addressed with improved checks.
WebKit Bugzilla: 245464
CVE-2023-23496: ChengGang Wu, Yan Kang, YuHao Hu, Yue Sun, Jiming
Wang, JiKai Ren and Hang Shu of Institute of Computing Technology,
Chinese Academy of Sciences
WebKit
Available for: Apple TV 4K (all models) and Apple TV HD
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: The issue was addressed with improved memory handling.
WebKit Bugzilla: 248268
CVE-2023-23518: YeongHyeon Choi (@hyeon101010), Hyeon Park
(@tree_segment), SeOk JEON (@_seokjeon), YoungSung Ahn (@_ZeroSung),
JunSeo Bae (@snakebjs0107), Dohyun Lee (@l33d0hyun) of Team ApplePIE
WebKit Bugzilla: 248268
CVE-2023-23517: YeongHyeon Choi (@hyeon101010), Hyeon Park
(@tree_segment), SeOk JEON (@_seokjeon), YoungSung Ahn (@_ZeroSung),
JunSeo Bae (@snakebjs0107), Dohyun Lee (@l33d0hyun) of Team ApplePIE
Additional recognition
Kernel
We would like to acknowledge Nick Stenning of Replicate for their
assistance.
WebKit
We would like to acknowledge Eliya Stein of Confiant for their
assistance.
Apple TV will periodically check for software updates. Alternatively,
you may manually check for software updates by selecting “Settings ->
System -> Software Update -> Update Software.” To check the current
version of software, select “Settings -> General -> About.”
All information is also posted on the Apple Security Updates
web site: https://support.apple.com/en-us/HT201222.
This message is signed with Apple’s Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmPQS+MACgkQ4RjMIDke
Nxl2xhAAu5swycPjzTAolynfVnOR8FvGiVeCUFfn2JpEFVXRiIMcZgQga7bb7cEk
0Abcm9FfLAq4z7SBTXh9csi1erT0bbT2/DK8PhEDsZz9MInzxXUTN9+ZrWlN/PLJ
ZIQZh1gwUGkf31DAaBQ15QYo6XukzwV++t1AkeY5CQsTEXf/rJhYH7E3kNWsqj+5
B6vAw0Xw7hLsZwfAv7W2khhLtiBa5sxtuJKRPJ/4xjBKfWZaeVjjgsTC0LLUN/3l
qxFI8H4QxQPxXtAt2O2wPGnR3WhfmDlGqgnYkj4IM8FlRnGedpD5O/kPoZNzRtKt
z7pRORoHD+o3KOY3UkRZ19sJEWEkeWJxHO6htRf/IsgbX1/eQJnIqSuOeLRJ3EDY
xCTUfiTU0NU3Iy/iDgpwllq4oU8rYeFJiPU4RNzndX+Z3+V/Tu9mc3rBax3A8gGi
bN5dKB0bGNCV2MnOlpuy5E7u56cfMlH04Gtj0j8L05t9yxYKiCuBVNBL0KjJB/cF
wjAl0ZoK8auWTDFKPJHGRGWtqR0svrV4qw5lPpQc+w26+xh8LHL8HzHr+pxHEZ75
4CUxi9L7w4hWieZgHNyWUj4xIlqhrefk+M6QqwxwwKSB/z2eiaOBHSCaKDOvg9JU
6w6VML1ezs/zpC5H0//PXTqK2o8XkaBNKQ0Ljx6zejIVwFbwHVQ=
=WvwW
-----END PGP SIGNATURE-----
Related news
Gentoo Linux Security Advisory 202305-32 - Multiple vulnerabilities have been found in WebkitGTK+, the worst of which could result in arbitrary code execution. Versions greater than or equal to 2.40.1 are affected.
Red Hat Security Advisory 2023-2834-01 - WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform. Issues addressed include buffer overflow, bypass, code execution, information leakage, out of bounds write, and use-after-free vulnerabilities.
An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-32886: A vulnerability was found in webkitgtkm, where a buffer overflow issue was addressed with improved memory handling. Processing maliciously crafted web content may lead to arbitrary code execution. * CVE-2022-32888: A vulnerability was found in webkitgtk, where an out-of-bounds read was addressed with improved bounds checking. Processing mali...
Red Hat Security Advisory 2023-2256-01 - WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform. Issues addressed include buffer overflow, bypass, code execution, information leakage, out of bounds write, and use-after-free vulnerabilities.
An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-32886: A vulnerability was found in webkitgtkm, where a buffer overflow issue was addressed with improved memory handling. Processing maliciously crafted web content may lead to arbitrary code execution. * CVE-2022-32888: A vulnerability was found in webkitgtk, where an out-of-bounds read was addressed with improved bounds checking. Processing mali...
A privacy issue was addressed with improved private data redaction for log entries. This issue is fixed in macOS Ventura 13.2, macOS Monterey 12.6.3, iOS 15.7.3 and iPadOS 15.7.3, watchOS 9.3, iOS 16.3 and iPadOS 16.3, macOS Big Sur 11.7.3. An app may be able to access information about a user’s contacts.
The issue was addressed with improved handling of caches. This issue is fixed in macOS Ventura 13.2, tvOS 16.3, iOS 16.3 and iPadOS 16.3, watchOS 9.3. Visiting a website may lead to an app denial-of-service.
Ubuntu Security Notice 5867-1 - Several security issues were discovered in the WebKitGTK Web and JavaScript engines. If a user were tricked into viewing a malicious website, a remote attacker could exploit a variety of issues related to web browser security, including cross-site scripting attacks, denial of service attacks, and arbitrary code execution.
Debian Linux Security Advisory 5341-1 - Multiple vulnerabilities have been discovered in the WebKitGTK web engine. Francisco Alonso discovered that processing maliciously crafted web content may lead to arbitrary code execution. YeongHyeon Choi, Hyeon Park, SeOk JEON, YoungSung Ahn, JunSeo Bae and Dohyun Lee discovered that processing maliciously crafted web content may lead to arbitrary code execution.
Debian Linux Security Advisory 5340-1 - Multiple vulnerabilities have been discovered in the WebKitGTK web engine. Francisco Alonso discovered that processing maliciously crafted web content may lead to arbitrary code execution. YeongHyeon Choi, Hyeon Park, SeOk JEON, YoungSung Ahn, JunSeo Bae and Dohyun Lee discovered that processing maliciously crafted web content may lead to arbitrary code execution.
Apple Security Advisory 2023-01-23-8 - Safari 16.3 addresses code execution vulnerabilities.
Apple Security Advisory 2023-01-23-8 - Safari 16.3 addresses code execution vulnerabilities.
Apple Security Advisory 2023-01-23-8 - Safari 16.3 addresses code execution vulnerabilities.
Apple Security Advisory 2023-01-23-7 - watchOS 9.3 addresses bypass, code execution, and information leakage vulnerabilities.
Apple Security Advisory 2023-01-23-7 - watchOS 9.3 addresses bypass, code execution, and information leakage vulnerabilities.
Apple Security Advisory 2023-01-23-7 - watchOS 9.3 addresses bypass, code execution, and information leakage vulnerabilities.
Apple Security Advisory 2023-01-23-7 - watchOS 9.3 addresses bypass, code execution, and information leakage vulnerabilities.
Apple Security Advisory 2023-01-23-7 - watchOS 9.3 addresses bypass, code execution, and information leakage vulnerabilities.
Apple Security Advisory 2023-01-23-7 - watchOS 9.3 addresses bypass, code execution, and information leakage vulnerabilities.
Apple Security Advisory 2023-01-23-7 - watchOS 9.3 addresses bypass, code execution, and information leakage vulnerabilities.
Apple Security Advisory 2023-01-23-7 - watchOS 9.3 addresses bypass, code execution, and information leakage vulnerabilities.
Apple Security Advisory 2023-01-23-7 - watchOS 9.3 addresses bypass, code execution, and information leakage vulnerabilities.
Apple Security Advisory 2023-01-23-7 - watchOS 9.3 addresses bypass, code execution, and information leakage vulnerabilities.
Apple Security Advisory 2023-01-23-7 - watchOS 9.3 addresses bypass, code execution, and information leakage vulnerabilities.
Apple Security Advisory 2023-01-23-6 - macOS Big Sur 11.7.3 addresses buffer overflow, bypass, and code execution vulnerabilities.
Apple Security Advisory 2023-01-23-6 - macOS Big Sur 11.7.3 addresses buffer overflow, bypass, and code execution vulnerabilities.
Apple Security Advisory 2023-01-23-6 - macOS Big Sur 11.7.3 addresses buffer overflow, bypass, and code execution vulnerabilities.
Apple Security Advisory 2023-01-23-5 - macOS Monterey 12.6.3 addresses buffer overflow, bypass, code execution, and information leakage vulnerabilities.
Apple Security Advisory 2023-01-23-5 - macOS Monterey 12.6.3 addresses buffer overflow, bypass, code execution, and information leakage vulnerabilities.
Apple Security Advisory 2023-01-23-5 - macOS Monterey 12.6.3 addresses buffer overflow, bypass, code execution, and information leakage vulnerabilities.
Apple Security Advisory 2023-01-23-5 - macOS Monterey 12.6.3 addresses buffer overflow, bypass, code execution, and information leakage vulnerabilities.
Apple Security Advisory 2023-01-23-5 - macOS Monterey 12.6.3 addresses buffer overflow, bypass, code execution, and information leakage vulnerabilities.
Apple Security Advisory 2023-01-23-5 - macOS Monterey 12.6.3 addresses buffer overflow, bypass, code execution, and information leakage vulnerabilities.
Apple Security Advisory 2023-01-23-4 - macOS Ventura 13.2 addresses buffer overflow, bypass, code execution, information leakage, and use-after-free vulnerabilities.
Apple Security Advisory 2023-01-23-4 - macOS Ventura 13.2 addresses buffer overflow, bypass, code execution, information leakage, and use-after-free vulnerabilities.
Apple Security Advisory 2023-01-23-4 - macOS Ventura 13.2 addresses buffer overflow, bypass, code execution, information leakage, and use-after-free vulnerabilities.
Apple Security Advisory 2023-01-23-4 - macOS Ventura 13.2 addresses buffer overflow, bypass, code execution, information leakage, and use-after-free vulnerabilities.
Apple Security Advisory 2023-01-23-4 - macOS Ventura 13.2 addresses buffer overflow, bypass, code execution, information leakage, and use-after-free vulnerabilities.
Apple Security Advisory 2023-01-23-4 - macOS Ventura 13.2 addresses buffer overflow, bypass, code execution, information leakage, and use-after-free vulnerabilities.
Apple Security Advisory 2023-01-23-4 - macOS Ventura 13.2 addresses buffer overflow, bypass, code execution, information leakage, and use-after-free vulnerabilities.
Apple Security Advisory 2023-01-23-4 - macOS Ventura 13.2 addresses buffer overflow, bypass, code execution, information leakage, and use-after-free vulnerabilities.
Apple Security Advisory 2023-01-23-4 - macOS Ventura 13.2 addresses buffer overflow, bypass, code execution, information leakage, and use-after-free vulnerabilities.
Apple Security Advisory 2023-01-23-4 - macOS Ventura 13.2 addresses buffer overflow, bypass, code execution, information leakage, and use-after-free vulnerabilities.
Apple Security Advisory 2023-01-23-4 - macOS Ventura 13.2 addresses buffer overflow, bypass, code execution, information leakage, and use-after-free vulnerabilities.
Apple Security Advisory 2023-01-23-2 - iOS 15.7.3 and iPadOS 15.7.3 addresses bypass and code execution vulnerabilities.
Apple Security Advisory 2023-01-23-2 - iOS 15.7.3 and iPadOS 15.7.3 addresses bypass and code execution vulnerabilities.
Apple Security Advisory 2023-01-23-2 - iOS 15.7.3 and iPadOS 15.7.3 addresses bypass and code execution vulnerabilities.
Apple Security Advisory 2023-01-23-1 - iOS 16.3 and iPadOS 16.3 addresses bypass, code execution, and information leakage vulnerabilities.
Apple Security Advisory 2023-01-23-1 - iOS 16.3 and iPadOS 16.3 addresses bypass, code execution, and information leakage vulnerabilities.
Apple Security Advisory 2023-01-23-1 - iOS 16.3 and iPadOS 16.3 addresses bypass, code execution, and information leakage vulnerabilities.
Apple Security Advisory 2023-01-23-1 - iOS 16.3 and iPadOS 16.3 addresses bypass, code execution, and information leakage vulnerabilities.
Apple Security Advisory 2023-01-23-1 - iOS 16.3 and iPadOS 16.3 addresses bypass, code execution, and information leakage vulnerabilities.
Apple Security Advisory 2023-01-23-1 - iOS 16.3 and iPadOS 16.3 addresses bypass, code execution, and information leakage vulnerabilities.
Apple Security Advisory 2023-01-23-1 - iOS 16.3 and iPadOS 16.3 addresses bypass, code execution, and information leakage vulnerabilities.
Apple Security Advisory 2023-01-23-1 - iOS 16.3 and iPadOS 16.3 addresses bypass, code execution, and information leakage vulnerabilities.
Apple Security Advisory 2023-01-23-1 - iOS 16.3 and iPadOS 16.3 addresses bypass, code execution, and information leakage vulnerabilities.
Apple Security Advisory 2023-01-23-1 - iOS 16.3 and iPadOS 16.3 addresses bypass, code execution, and information leakage vulnerabilities.
Apple Security Advisory 2023-01-23-1 - iOS 16.3 and iPadOS 16.3 addresses bypass, code execution, and information leakage vulnerabilities.