Widevine Trusted Application (TA) 5.0.0 through 5.1.1 has a drm_save_keys integer overflow and resultant buffer overflow.

CVE-2022-48331:

Buffer Overflow in Widevine Trustlet (drm\_save\_keys @ 0x69b0)

 

CVE:

CVE-2022-48331

Vendor:

Google

Device:

Nexus 6

Affected Component:

Widevine

Publication Date:

March 2023

Credits:

CyberIntel Team

Last edited: 11/04/23

**1\. Description**

This entry describes a vulnerability that we found in the Widevine Trusted Application (TA), which runs within Qualcomm’s Secure Execution Environment (QSEE). The vulnerability is an integer overflow that leads to a subsequent buffer overflow. This bug has been found using tools we have developed to assist in the security evaluation of TrustZone, including a debugger and a coverage-based fuzzer for QSEE TAs. Please, refer to this page for further information.

Qualcomm Secure Execution Environment is one of the most widespread commercial TEE solutions in the smartphone space, used by many different devices such as Xiaomi, Motorola and several devices of the Google Nexus and Pixel series.

Widevine is a Digital Rights Management (DRM) technology developed by Google to protect copyrighted content and to enable secure distribution and consumption of video and audio content. The technology involves encryption, licensing, and key management to ensure that content can only be decrypted and played back on authorized devices.

An attacker could potentially exploit the vulnerability in the Trusted Application by sending a command from the Normal World, causing the application to crash and possibly execute arbitrary code. This vulnerability could have potential consequences, such as elevating attacker’s privileges and exposing sensitive information.

This post is part of a series of related bugs affecting Widevine Trusted Application of Google Nexus 6:

> *   CVE-2022-48331
>     
> *   CVE-2022-48332
>     
> *   CVE-2022-48333
>     
> *   CVE-2022-48334
>     
> *   CVE-2022-48335
>     
> *   CVE-2022-48336
>     
> *   CVE-2015-6639
>     
> *   CVE-2015-6647
>     

**2\. Affected Versions**

Affected versions are: 5.0.0 (LRX21O), 5.0.1 (LRX22C), 5.1.0 (LMY47D), 5.1.0 (LMY47E), 5.1.0 (LMY47I), 5.1.0 (LMY47M), 5.1.1 (LMY47Z), 5.1.1 (LMY48I), 5.1.1 (LMY48M), 5.1.1 (LMY48T), 5.1.1 (LMY48W), 5.1.1 (LMY48X), 5.1.1 (LMY48Y), 5.1.1 (LVY48C), 5.1.1 (LVY48E), 5.1.1 (LVY48F), 5.1.1 (LVY48H), 5.1.1 (LVY48I), 5.1.1 (LYZ28E), 5.1.1 (LYZ28J), 5.1.1 (LYZ28K), 5.1.1 (LYZ28M) and 5.1.1 (LYZ28N).

**3\. Impact**

This vulnerability has the potential to compromise the security of the system in multiple ways.

An attacker with high priviledges in Normal World can exploit the vulnerability to compromise the Trusted Application running in the Secure World, eventually executing arbitrary code and reading and/or modifying information of critical files, compromising the confidentiality and integrity of the system.

On the other hand, the attacker is able to crash the Trusted Application, potentially resulting in a denial of service.

**4\. Vulnerability**

The bug is present in Widevine’s drm_save_keys() command. This command closely resembles drm_verify_keys(), which has been featured in other blog entries (refer to CVE-2022-48333 and CVE-2022-48334).

The following snippet shows a switch-case present in the TA’s command handler:

switch(\*req\_buf) {
case 0x50001: // drm\_save\_keys() command
    if ((0x2a10 < req\_buf\_size) && (0x107 < resp\_buf\_size)) {
        ...
        drm\_save\_keys(
            req\_buf + 4,    req\_buf\[1\], // feature\_name
            req\_buf + 0x44, req\_buf\[2\], // file\_name
            req\_buf + 0x84, req\_buf\[3\], // msg
            resp\_buf + 4                // prt\_path (result)
        );
    }
    break;
}

It takes the Command ID from the first word of the Request Buffer, which is sent by client applications in the Normal World. Thus, if the received command is 0x50001, it jumps to the drm_save_keys() function.

The structure of the Request Buffer for this command is the following:

struct widevine\_drm\_save\_keys\_cmd {
    uint32\_t cmd\_id;
    uint32\_t feature\_name\_len;
    uint32\_t file\_name\_len;
    uint32\_t msg\_len;
    char feature\_name\[0x100\];
    char file\_name\[0x100\];
    char msg\_data\[0x100\];
};

It contains three buffers (_i.e._, feature_name, file_name and msg_data) and three integers indicating the effective length of each buffer. It is important to note that even though the maximum size of each buffer is 256 bytes, the client has control over the values of feature_name_len, file_name_len and msg_len, since they are directly taken from the Request Buffer.

The main functionality of drm_save_keys() is securely storing encryption keys or DRM-related data. It performs the following high-level tasks:

> *   Validate input parameters and check for any constraints that may prevent key storage.
>     
> *   Construct a file path using the provided feature name and file name.
>     
> *   Write the message data, which may contain encryption keys or DRM-related information, to a Secure File System (SFS).
>     
> *   Compute and store a CRC value for the written data to ensure data integrity and error detection.
>     

The bug is present in the validation of input parameters while constructing the SFS file path:

heap\_buf \= malloc(0x100);
...
memzero(heap\_buf, 0x80);
prefix\_len \= strncpy(heap\_buf, &persist\_prefix, 0x80);
total\_len \= prefix\_len + feature\_name\_len; // Signed int
if (total\_len < 0x100) {
    prefix\_len \= strlen(&persist\_prefix);
    memcpy(heap\_buf + prefix\_len, feature\_name, feature\_name\_len);    ...
}

In this code snippet, a heap buffer is allocated and the persist_prefix string is copied into it using the strncpy() function. This string is initialized with the value "/persist/data/" by default, so that it’s length is 14. The buffer is then filled with the provided feature name, ensuring the total length does not exceed the specified limit. This is done using total_len by adding the length of the persist_prefix string and feature_name_len, which is directly specified by the client through the Request Buffer.

The bug is present in this calculation. Since total_len is a signed integer, this calculation causes an integer overflow if the sum of prefix_len and feature_name_len is large enough, resulting in a negative value for total_len. As a result, the subsequent if statement passes even if the actual total length of the string is greater than the allocated buffer size.

Since the check is if (total_len < 0x100), for the condition 14 + feature_name_len < 0x100 to be triggered, the value of feature_name_len must be within the inclusive range of -14 to 241.

The code after the check calculates again the prefix_len and calls the memcpy() function to copy the contents of the feature_name string into the buffer, immediately following the persist_prefix, using feature_name_len. Since this value can be large enough, it can cause a buffer overflow in this copy operation:

The range of values for feature_name_len that can cause a buffer overflow extends from -14 (0xfffffff2) to -1 (0xffffffff).

The user has full control over the **value** of feature_name_len and the **contents** of the feature_name buffer in the Request Buffer.

Since there are 14 specific and large feature_name_len values that can cause the buffer to overflow, a memory copy operation with any of these values will exceed the bounds of the data segment, resulting in an invalid memory access and potentially causing the application to crash.

**5\. Exploitation**

This section shows a Proof of Concept (PoC) of how to trigger the vulnerability by sending a command to the Widevine trusted application running in the Secure World. Based on the command structure we have derived by reverse engineering, we can craft the command request to be sent to the trusted application:

req\->cmd\_id \= 0x50001;  // drm\_save\_keys;
req\->feature\_name\_len \= 0xffffffff;
req\->file\_name\_len \= 1;
req\->msg\_len \= 1;
...

The Commmand ID 0x50001 is specified to invoke drm_save_keys(), and feature_name_len is set to 0xffffffff so that the sum of prefix_len + feature_name_len overflows producing a small value, bypassing the check and eventually calling memcpy() producing the buffer overflow. When this request is sent to Widevine, it ends up crashing.

<5>widevine: "drm\_save\_keys: feature\_name 0xfff00010, feature\_name\_len 4294967295, file\_name 0xfff00110, file\_name\_len 1, msg\_data 0xfff00210
\*\*\* crash \*\*\*

The Android log in normal world reports that qseecom_send_cmd has failed with error -22, which means APP\_FAULTED:

<4>QSEECOM: qseecom\_load\_app: App (widevine) does'nt exist, loading apps for first time
<4>QSEECOM: qseecom\_load\_app: App with id 3 (widevine) now loaded
<3>QSEECOM: \_\_qseecom\_send\_cmd: Response result -1 not supported
<3>QSEECOM: qseecom\_ioctl: failed qseecom\_send\_cmd: -22
<4>QSEECOM: qseecom\_unload\_app: App id 3 now unloaded

The reason it crashes is because the large memory copy ends up writing to unmapped memory due to exceeding the data segment.

CVE-2022-48331: Cyber Intelligence - Hardware and Software Security Assessments

A permissions issue was addressed by removing vulnerable code and adding additional checks. This issue is fixed in macOS Ventura 13.4. An app may be able to bypass Privacy preferences

Released May 18, 2023

**Accessibility**

Available for: macOS Ventura

Impact: An app may be able to bypass Privacy preferences

Description: A privacy issue was addressed with improved private data redaction for log entries.

CVE-2023-32388: Kirin (@Pwnrin)

**Accessibility**

Available for: macOS Ventura

Impact: Entitlements and privacy permissions granted to this app may be used by a malicious app

Description: This issue was addressed with improved checks.

CVE-2023-32400: Mickey Jin (@patch1t)

**AppleMobileFileIntegrity**

Available for: macOS Ventura

Impact: An app may be able to bypass Privacy preferences

Description: This issue was addressed with improved entitlements.

CVE-2023-32411: Mickey Jin (@patch1t)

**Associated Domains**

Available for: macOS Ventura

Impact: An app may be able to break out of its sandbox

Description: The issue was addressed with improved checks.

CVE-2023-32371: James Duffy (mangoSecure)

**Contacts**

Available for: macOS Ventura

Impact: An app may be able to observe unprotected user data

Description: A privacy issue was addressed with improved handling of temporary files.

CVE-2023-32386: Kirin (@Pwnrin)

**Core Location**

Available for: macOS Ventura

Impact: An app may be able to read sensitive location information

Description: The issue was addressed with improved handling of caches.

CVE-2023-32399: an anonymous researcher

**CoreServices**

Available for: macOS Ventura

Impact: An app may be able to bypass Privacy preferences

Description: This issue was addressed with improved redaction of sensitive information.

CVE-2023-28191: Mickey Jin (@patch1t)

**CUPS**

Available for: macOS Ventura

Impact: An unauthenticated user may be able to access recently printed documents

Description: An authentication issue was addressed with improved state management.

CVE-2023-32360: Gerhard Muth

**dcerpc**

Available for: macOS Ventura

Impact: A remote attacker may be able to cause unexpected app termination or arbitrary code execution

Description: A use-after-free issue was addressed with improved memory management.

CVE-2023-32387: Dimitrios Tatsis of Cisco Talos

**DesktopServices**

Available for: macOS Ventura

Impact: An app may be able to break out of its sandbox

Description: The issue was addressed with improved checks.

CVE-2023-32414: Mickey Jin (@patch1t)

**GeoServices**

Available for: macOS Ventura

Impact: An app may be able to read sensitive location information

Description: A privacy issue was addressed with improved private data redaction for log entries.

CVE-2023-32392: an anonymous researcher

**ImageIO**

Available for: macOS Ventura

Impact: Processing an image may result in disclosure of process memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2023-32372: Meysam Firouzi of @R00tkitSMM Mbition mercedes-benz innovation lab working with Trend Micro Zero Day Initiative

**ImageIO**

Available for: macOS Ventura

Impact: Processing an image may lead to arbitrary code execution

Description: A buffer overflow was addressed with improved bounds checking.

CVE-2023-32384: Meysam Firouzi @R00tkitsmm working with Trend Micro Zero Day Initiative

**IOSurface**

Available for: macOS Ventura

Impact: An app may be able to leak sensitive kernel state

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2023-32410: hou xuewei (@p1ay8y3ar) vmk msu

**IOSurfaceAccelerator**

Available for: macOS Ventura

Impact: An app may be able to cause unexpected system termination or read kernel memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2023-32420: Linus Henze of Pinauten GmbH (pinauten.de)

**Kernel**

Available for: macOS Ventura

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A type confusion issue was addressed with improved checks.

CVE-2023-27930: 08Tc3wBB of Jamf

**Kernel**

Available for: macOS Ventura

Impact: A sandboxed app may be able to observe system-wide network connections

Description: The issue was addressed with additional permissions checks.

CVE-2023-27940: James Duffy (mangoSecure)

**Kernel**

Available for: macOS Ventura

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A use-after-free issue was addressed with improved memory management.

CVE-2023-32398: Adam Doupé of ASU SEFCOM

**Kernel**

Available for: macOS Ventura

Impact: An app may be able to gain root privileges

Description: A race condition was addressed with improved state handling.

CVE-2023-32413: Eloi Benoist-Vanderbeken (@elvanderb) from Synacktiv (@Synacktiv) working with Trend Micro Zero Day Initiative

**LaunchServices**

Available for: macOS Ventura

Impact: An app may bypass Gatekeeper checks

Description: A logic issue was addressed with improved checks.

CVE-2023-32352: Wojciech Reguła (@\_r3ggi) of SecuRing (wojciechregula.blog)

**libxpc**

Available for: macOS Ventura

Impact: An app may be able to modify protected parts of the file system

Description: A logic issue was addressed with improved state management.

CVE-2023-32369: Jonathan Bar Or of Microsoft, Anurag Bohra of Microsoft, and Michael Pearse of Microsoft

**libxpc**

Available for: macOS Ventura

Impact: An app may be able to gain root privileges

Description: A logic issue was addressed with improved checks.

CVE-2023-32405: Thijs Alkemade (@xnyhps) from Computest Sector 7

**Metal**

Available for: macOS Ventura

Impact: An app may be able to bypass Privacy preferences

Description: A logic issue was addressed with improved state management.

CVE-2023-32407: Gergely Kalman (@gergely\_kalman)

**Model I/O**

Available for: macOS Ventura

Impact: Processing a 3D model may result in disclosure of process memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2023-32368: Mickey Jin (@patch1t)

CVE-2023-32375: Michael DePlante (@izobashi) of Trend Micro Zero Day Initiative

CVE-2023-32382: Mickey Jin (@patch1t)

**Model I/O**

Available for: macOS Ventura

Impact: Processing a 3D model may lead to arbitrary code execution

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2023-32380: Mickey Jin (@patch1t)

**NetworkExtension**

Available for: macOS Ventura

Impact: An app may be able to read sensitive location information

Description: This  issue was addressed with improved redaction of sensitive information.

CVE-2023-32403: an anonymous researcher

**PackageKit**

Available for: macOS Ventura

Impact: An app may be able to modify protected parts of the file system

Description: A logic issue was addressed with improved state management.

CVE-2023-32355: Mickey Jin (@patch1t)

**PDFKit**

Available for: macOS Ventura

Impact: Opening a PDF file may lead to unexpected app termination

Description: A denial-of-service issue was addressed with improved memory handling.

CVE-2023-32385: Jonathan Fritz

**Perl**

Available for: macOS Ventura

Impact: An app may be able to modify protected parts of the file system

Description: A logic issue was addressed with improved state management.

CVE-2023-32395: Arsenii Kostromin (0x3c3e)

**Photos**

Available for: macOS Ventura

Impact: Photos belonging to the Hidden Photos Album could be viewed without authentication through Visual Lookup

Description: The issue was addressed with improved checks.

CVE-2023-32390: Julian Szulc

**Sandbox**

Available for: macOS Ventura

Impact: An app may be able to retain access to system configuration files even after its permission is revoked

Description: An authorization issue was addressed with improved state management.

CVE-2023-32357: Yiğit Can YILMAZ (@yilmazcanyigit), Koh M. Nakagawa of FFRI Security, Inc., Kirin (@Pwnrin), Jeff Johnson (underpassapp.com), and Csaba Fitzl (@theevilbit) of Offensive Security

**Screen Saver**

Available for: macOS Ventura

Impact: An app may be able to bypass Privacy preferences

Description: A permissions issue was addressed by removing vulnerable code and adding additional checks.

CVE-2023-32363: Mickey Jin (@patch1t)

**Security**

Available for: macOS Ventura

Impact: An app may be able to access user-sensitive data

Description: This issue was addressed with improved entitlements.

CVE-2023-32367: James Duffy (mangoSecure)

**Shell**

Available for: macOS Ventura

Impact: An app may be able to modify protected parts of the file system

Description: A logic issue was addressed with improved state management.

CVE-2023-32397: Arsenii Kostromin (0x3c3e)

**Shortcuts**

Available for: macOS Ventura

Impact: A shortcut may be able to use sensitive data with certain actions without prompting the user

Description: The issue was addressed with improved checks.

CVE-2023-32391: Wenchao Li and Xiaolong Bai of Alibaba Group

**Shortcuts**

Available for: macOS Ventura

Impact: An app may be able to bypass Privacy preferences

Description: This issue was addressed with improved entitlements.

CVE-2023-32404: Mickey Jin (@patch1t), Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab (xlab.tencent.com), and an anonymous researcher

**Siri**

Available for: macOS Ventura

Impact: A person with physical access to a device may be able to view contact information from the lock screen

Description: The issue was addressed with improved checks.

CVE-2023-32394: Khiem Tran

**SQLite**

Available for: macOS Ventura

Impact: An app may be able to bypass Privacy preferences

Description: This issue was addressed by adding additional SQLite logging restrictions.

CVE-2023-32422: Gergely Kalman (@gergely\_kalman), and Wojciech Reguła of SecuRing (wojciechregula.blog)

Entry updated June 2, 2023

**StorageKit**

Available for: macOS Ventura

Impact: An app may be able to modify protected parts of the file system

Description: This issue was addressed with improved entitlements.

CVE-2023-32376: Yiğit Can YILMAZ (@yilmazcanyigit)

**System Settings**

Available for: macOS Ventura

Impact: An app firewall setting may not take effect after exiting the Settings app

Description: This issue was addressed with improved state management.

CVE-2023-28202: Satish Panduranga and an anonymous researcher

**Telephony**

Available for: macOS Ventura

Impact: A remote attacker may be able to cause unexpected app termination or arbitrary code execution

Description: A use-after-free issue was addressed with improved memory management.

CVE-2023-32412: Ivan Fratric of Google Project Zero

**TV App**

Available for: macOS Ventura

Impact: An app may be able to read sensitive location information

Description: The issue was addressed with improved handling of caches.

CVE-2023-32408: Adam M.

**Weather**

Available for: macOS Ventura

Impact: An app may be able to read sensitive location information

Description: This  issue was addressed with improved redaction of sensitive information.

CVE-2023-32415: Wojciech Regula of SecuRing (wojciechregula.blog), and an anonymous researcher

**WebKit**

Available for: macOS Ventura

Impact: Processing web content may disclose sensitive information

Description: An out-of-bounds read was addressed with improved input validation.

WebKit Bugzilla: 255075  
CVE-2023-32402: an anonymous researcher

**WebKit**

Available for: macOS Ventura

Impact: Processing web content may disclose sensitive information

Description: A buffer overflow issue was addressed with improved memory handling.

WebKit Bugzilla: 254781  
CVE-2023-32423: Ignacio Sanmillan (@ulexec)

**WebKit**

Available for: macOS Ventura

Impact: A remote attacker may be able to break out of Web Content sandbox. Apple is aware of a report that this issue may have been actively exploited.

Description: The issue was addressed with improved bounds checks.

WebKit Bugzilla: 255350  
CVE-2023-32409: Clément Lecigne of Google's Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International’s Security Lab

**WebKit**

Available for: macOS Ventura

Impact: Processing web content may disclose sensitive information. Apple is aware of a report that this issue may have been actively exploited.

Description: An out-of-bounds read was addressed with improved input validation.

WebKit Bugzilla: 254930  
CVE-2023-28204: an anonymous researcher

_This issue was first addressed in Rapid Security Response macOS 13.3.1 (a)._

**WebKit**

Available for: macOS Ventura

Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

Description: A use-after-free issue was addressed with improved memory management.

WebKit Bugzilla: 254840  
CVE-2023-32373: an anonymous researcher

_This issue was first addressed in Rapid Security Response macOS 13.3.1 (a)._

**Wi-Fi**

Available for: macOS Ventura

Impact: An app may be able to disclose kernel memory

Description: This  issue was addressed with improved redaction of sensitive information.

CVE-2023-32389: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte. Ltd.

CVE-2023-32363: About the security content of macOS Ventura 13.4

A type confusion issue was addressed with improved checks. This issue is fixed in iOS 16.5 and iPadOS 16.5, macOS Ventura 13.4, watchOS 9.5, tvOS 16.5. An app may be able to execute arbitrary code with kernel privileges

Released May 18, 2023

**AppleMobileFileIntegrity**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app may be able to bypass Privacy preferences

Description: This issue was addressed with improved entitlements.

CVE-2023-32411: Mickey Jin (@patch1t)

**Core Location**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app may be able to read sensitive location information

Description: The issue was addressed with improved handling of caches.

CVE-2023-32399: an anonymous researcher

**CoreServices**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app may be able to bypass Privacy preferences

Description: This issue was addressed with improved redaction of sensitive information.

CVE-2023-28191: Mickey Jin (@patch1t)

**GeoServices**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app may be able to read sensitive location information

Description: A privacy issue was addressed with improved private data redaction for log entries.

CVE-2023-32392: an anonymous researcher

**ImageIO**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: Processing an image may result in disclosure of process memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2023-32372: Meysam Firouzi of @R00tkitSMM Mbition mercedes-benz innovation lab working with Trend Micro Zero Day Initiative

**ImageIO**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: Processing an image may lead to arbitrary code execution

Description: A buffer overflow was addressed with improved bounds checking.

CVE-2023-32384: Meysam Firouzi @R00tkitsmm working with Trend Micro Zero Day Initiative

**IOSurfaceAccelerator**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app may be able to disclose kernel memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2023-32354: Linus Henze of Pinauten GmbH (pinauten.de)

**IOSurfaceAccelerator**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app may be able to cause unexpected system termination or read kernel memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2023-32420: Linus Henze of Pinauten GmbH (pinauten.de)

**Kernel**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A type confusion issue was addressed with improved checks.

CVE-2023-27930: 08Tc3wBB of Jamf

**Kernel**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A use-after-free issue was addressed with improved memory management.

CVE-2023-32398: Adam Doupé of ASU SEFCOM

**Kernel**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app may be able to gain root privileges

Description: A race condition was addressed with improved state handling.

CVE-2023-32413: Eloi Benoist-Vanderbeken (@elvanderb) from Synacktiv (@Synacktiv) working with Trend Micro Zero Day Initiative

**Metal**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app may be able to bypass Privacy preferences

Description: A logic issue was addressed with improved state management.

CVE-2023-32407: Gergely Kalman (@gergely\_kalman)

**Model I/O**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: Processing a 3D model may result in disclosure of process memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2023-32368: Mickey Jin (@patch1t)

**NetworkExtension**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app may be able to read sensitive location information

Description: This  issue was addressed with improved redaction of sensitive information.

CVE-2023-32403: an anonymous researcher

**Sandbox**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app may be able to retain access to system configuration files even after its permission is revoked

Description: An authorization issue was addressed with improved state management.

CVE-2023-32357: Yiğit Can YILMAZ (@yilmazcanyigit), Koh M. Nakagawa of FFRI Security, Inc., Kirin (@Pwnrin), Jeff Johnson (underpassapp.com), and Csaba Fitzl (@theevilbit) of Offensive Security

**Siri**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: A person with physical access to a device may be able to view contact information from the lock screen

Description: The issue was addressed with improved checks.

CVE-2023-32394: Khiem Tran

**SQLite**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app may be able to bypass Privacy preferences

Description: This issue was addressed by adding additional SQLite logging restrictions.

CVE-2023-32422: Gergely Kalman (@gergely\_kalman), and Wojciech Reguła of SecuRing (wojciechregula.blog)

Entry updated June 2, 2023

**StorageKit**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app may be able to modify protected parts of the file system

Description: This issue was addressed with improved entitlements.

CVE-2023-32376: Yiğit Can YILMAZ (@yilmazcanyigit)

**System Settings**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app firewall setting may not take effect after exiting the Settings app

Description: This issue was addressed with improved state management.

CVE-2023-28202: Satish Panduranga and an anonymous researcher

**Telephony**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: A remote attacker may be able to cause unexpected app termination or arbitrary code execution

Description: A use-after-free issue was addressed with improved memory management.

CVE-2023-32412: Ivan Fratric of Google Project Zero

**TV App**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app may be able to read sensitive location information

Description: The issue was addressed with improved handling of caches.

CVE-2023-32408: Adam M.

**Weather**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app may be able to read sensitive location information

Description: This  issue was addressed with improved redaction of sensitive information.

CVE-2023-32415: Wojciech Regula of SecuRing (wojciechregula.blog), and an anonymous researcher

**WebKit**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: Processing web content may disclose sensitive information

Description: An out-of-bounds read was addressed with improved input validation.

WebKit Bugzilla: 255075  
CVE-2023-32402: an anonymous researcher

**WebKit**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: Processing web content may disclose sensitive information

Description: A buffer overflow issue was addressed with improved memory handling.

WebKit Bugzilla: 254781  
CVE-2023-32423: Ignacio Sanmillan (@ulexec)

**WebKit**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: A remote attacker may be able to break out of Web Content sandbox. Apple is aware of a report that this issue may have been actively exploited.

Description: The issue was addressed with improved bounds checks.

WebKit Bugzilla: 255350  
CVE-2023-32409: Clément Lecigne of Google's Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International’s Security Lab

**WebKit**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: Processing web content may disclose sensitive information. Apple is aware of a report that this issue may have been actively exploited.

Description: An out-of-bounds read was addressed with improved input validation.

WebKit Bugzilla: 254930  
CVE-2023-28204: an anonymous researcher

**WebKit**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

Description: A use-after-free issue was addressed with improved memory management.

WebKit Bugzilla: 254840  
CVE-2023-32373: an anonymous researcher

**Wi-Fi**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app may be able to disclose kernel memory

Description: This  issue was addressed with improved redaction of sensitive information.

CVE-2023-32389: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte. Ltd.

CVE-2023-27930: About the security content of tvOS 16.5

This issue was addressed by restricting options offered on a locked device. This issue is fixed in watchOS 9.5. An attacker with physical access to a locked Apple Watch may be able to view user photos or contacts via accessibility features

Released May 18, 2023

**Accessibility**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to bypass Privacy preferences

Description: A privacy issue was addressed with improved private data redaction for log entries.

CVE-2023-32388: Kirin (@Pwnrin)

**Accessibility**

Available for: Apple Watch Series 4 and later

Impact: Entitlements and privacy permissions granted to this app may be used by a malicious app

Description: This issue was addressed with improved checks.

CVE-2023-32400: Mickey Jin (@patch1t)

**Core Location**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to read sensitive location information

Description: The issue was addressed with improved handling of caches.

CVE-2023-32399: an anonymous researcher

**CoreServices**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to bypass Privacy preferences

Description: This issue was addressed with improved redaction of sensitive information.

CVE-2023-28191: Mickey Jin (@patch1t)

**Face Gallery**

Available for: Apple Watch Series 4 and later

Impact: An attacker with physical access to a locked Apple Watch may be able to view user photos or contacts via accessibility features

Description: This issue was addressed by restricting options offered on a locked device.

CVE-2023-32417: Zitong Wu (吴梓桐) from Zhuhai No.1 High School (珠海市第一中学)

**GeoServices**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to read sensitive location information

Description: A privacy issue was addressed with improved private data redaction for log entries.

CVE-2023-32392: an anonymous researcher

**ImageIO**

Available for: Apple Watch Series 4 and later

Impact: Processing an image may result in disclosure of process memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2023-32372: Meysam Firouzi of @R00tkitSMM Mbition mercedes-benz innovation lab working with Trend Micro Zero Day Initiative

**ImageIO**

Available for: Apple Watch Series 4 and later

Impact: Processing an image may lead to arbitrary code execution

Description: A buffer overflow was addressed with improved bounds checking.

CVE-2023-32384: Meysam Firouzi @R00tkitsmm working with Trend Micro Zero Day Initiative

**IOSurfaceAccelerator**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to disclose kernel memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2023-32354: Linus Henze of Pinauten GmbH (pinauten.de)

**IOSurfaceAccelerator**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to cause unexpected system termination or read kernel memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2023-32420: Linus Henze of Pinauten GmbH (pinauten.de)

**Kernel**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A type confusion issue was addressed with improved checks.

CVE-2023-27930: 08Tc3wBB of Jamf

**Kernel**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A use-after-free issue was addressed with improved memory management.

CVE-2023-32398: Adam Doupé of ASU SEFCOM

**Kernel**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to gain root privileges

Description: A race condition was addressed with improved state handling.

CVE-2023-32413: Eloi Benoist-Vanderbeken (@elvanderb) from Synacktiv (@Synacktiv) working with Trend Micro Zero Day Initiative

**LaunchServices**

Available for: Apple Watch Series 4 and later

Impact: An app may bypass Gatekeeper checks

Description: A logic issue was addressed with improved checks.

CVE-2023-32352: Wojciech Reguła (@\_r3ggi) of SecuRing (wojciechregula.blog)

**Metal**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to bypass Privacy preferences

Description: A logic issue was addressed with improved state management.

CVE-2023-32407: Gergely Kalman (@gergely\_kalman)

**Model I/O**

Available for: Apple Watch Series 4 and later

Impact: Processing a 3D model may result in disclosure of process memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2023-32368: Mickey Jin (@patch1t)

**NetworkExtension**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to read sensitive location information

Description: This  issue was addressed with improved redaction of sensitive information.

CVE-2023-32403: an anonymous researcher

**Photos**

Available for: Apple Watch Series 4 and later

Impact: Photos belonging to the Hidden Photos Album could be viewed without authentication through Visual Lookup

Description: The issue was addressed with improved checks.

CVE-2023-32390: Julian Szulc

**Sandbox**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to retain access to system configuration files even after its permission is revoked

Description: An authorization issue was addressed with improved state management.

CVE-2023-32357: Yiğit Can YILMAZ (@yilmazcanyigit), Koh M. Nakagawa of FFRI Security, Inc., Kirin (@Pwnrin), Jeff Johnson (underpassapp.com), and Csaba Fitzl (@theevilbit) of Offensive Security

**Shortcuts**

Available for: Apple Watch Series 4 and later

Impact: A shortcut may be able to use sensitive data with certain actions without prompting the user

Description: The issue was addressed with improved checks.

CVE-2023-32391: Wenchao Li and Xiaolong Bai of Alibaba Group

**Shortcuts**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to bypass Privacy preferences

Description: This issue was addressed with improved entitlements.

CVE-2023-32404: Mickey Jin (@patch1t), Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab (xlab.tencent.com), and an anonymous researcher

**Siri**

Available for: Apple Watch Series 4 and later

Impact: A person with physical access to a device may be able to view contact information from the lock screen

Description: The issue was addressed with improved checks.

CVE-2023-32394: Khiem Tran

**StorageKit**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to modify protected parts of the file system

Description: This issue was addressed with improved entitlements.

CVE-2023-32376: Yiğit Can YILMAZ (@yilmazcanyigit)

**System Settings**

Available for: Apple Watch Series 4 and later

Impact: An app firewall setting may not take effect after exiting the Settings app

Description: This issue was addressed with improved state management.

CVE-2023-28202: Satish Panduranga and an anonymous researcher

**Telephony**

Available for: Apple Watch Series 4 and later

Impact: A remote attacker may be able to cause unexpected app termination or arbitrary code execution

Description: A use-after-free issue was addressed with improved memory management.

CVE-2023-32412: Ivan Fratric of Google Project Zero

**TV App**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to read sensitive location information

Description: The issue was addressed with improved handling of caches.

CVE-2023-32408: Adam M.

**WebKit**

Available for: Apple Watch Series 4 and later

Impact: Processing web content may disclose sensitive information

Description: An out-of-bounds read was addressed with improved input validation.

WebKit Bugzilla: 255075  
CVE-2023-32402: an anonymous researcher

**WebKit**

Available for: Apple Watch Series 4 and later

Impact: Processing web content may disclose sensitive information

Description: A buffer overflow issue was addressed with improved memory handling.

WebKit Bugzilla: 254781  
CVE-2023-32423: Ignacio Sanmillan (@ulexec)

**WebKit**

Available for: Apple Watch Series 4 and later

Impact: A remote attacker may be able to break out of Web Content sandbox. Apple is aware of a report that this issue may have been actively exploited.

Description: The issue was addressed with improved bounds checks.

WebKit Bugzilla: 255350  
CVE-2023-32409: Clément Lecigne of Google's Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International’s Security Lab

**WebKit**

Available for: Apple Watch Series 4 and later

Impact: Processing web content may disclose sensitive information. Apple is aware of a report that this issue may have been actively exploited.

Description: An out-of-bounds read was addressed with improved input validation.

WebKit Bugzilla: 254930  
CVE-2023-28204: an anonymous researcher

**WebKit**

Available for: Apple Watch Series 4 and later

Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

Description: A use-after-free issue was addressed with improved memory management.

WebKit Bugzilla: 254840  
CVE-2023-32373: an anonymous researcher

**Wi-Fi**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to disclose kernel memory

Description: This  issue was addressed with improved redaction of sensitive information.

CVE-2023-32389: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte. Ltd.

CVE-2023-32417: About the security content of watchOS 9.5

A use-after-free issue was addressed with improved memory management. This issue is fixed in watchOS 9.5, iOS 15.7.6 and iPadOS 15.7.6, macOS Ventura 13.4, Safari 16.5, tvOS 16.5, iOS 16.5 and iPadOS 16.5. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

This document describes the security content of Safari 16.5.

**About Apple security updates**

For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security updates page.

Apple security documents reference vulnerabilities by CVE-ID when possible.

For more information about security, see the Apple Product Security page.

**Safari 16.5**

Released May 18, 2023

**WebKit**

Available for: macOS Big Sur and macOS Monterey

Impact: Processing web content may disclose sensitive information

Description: An out-of-bounds read was addressed with improved input validation.

WebKit Bugzilla: 255075  
CVE-2023-32402: an anonymous researcher

**WebKit**

Available for: macOS Big Sur and macOS Monterey

Impact: Processing web content may disclose sensitive information

Description: A buffer overflow issue was addressed with improved memory handling.

WebKit Bugzilla: 254781  
CVE-2023-32423: Ignacio Sanmillan (@ulexec)

**WebKit**

Available for: macOS Big Sur and macOS Monterey

Impact: A remote attacker may be able to break out of Web Content sandbox. Apple is aware of a report that this issue may have been actively exploited.

Description: The issue was addressed with improved bounds checks.

WebKit Bugzilla: 255350  
CVE-2023-32409: Clément Lecigne of Google's Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International’s Security Lab

**WebKit**

Available for: macOS Big Sur and macOS Monterey

Impact: Processing web content may disclose sensitive information. Apple is aware of a report that this issue may have been actively exploited.

Description: An out-of-bounds read was addressed with improved input validation.

WebKit Bugzilla: 254930  
CVE-2023-28204: an anonymous researcher

**WebKit**

Available for: macOS Big Sur and macOS Monterey

Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

Description: A use-after-free issue was addressed with improved memory management.

WebKit Bugzilla: 254840  
CVE-2023-32373: an anonymous researcher

Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Contact the vendor for additional information.

Published Date: May 18, 2023

CVE-2023-32373: About the security content of Safari 16.5

A denial-of-service issue was addressed with improved memory handling. This issue is fixed in iOS 16.5 and iPadOS 16.5, macOS Ventura 13.4. Opening a PDF file may lead to unexpected app termination

Released May 18, 2023

**Accessibility**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to bypass Privacy preferences

Description: A privacy issue was addressed with improved private data redaction for log entries.

CVE-2023-32388: Kirin (@Pwnrin)

**Accessibility**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Entitlements and privacy permissions granted to this app may be used by a malicious app

Description: This issue was addressed with improved checks.

CVE-2023-32400: Mickey Jin (@patch1t)

**AppleMobileFileIntegrity**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to bypass Privacy preferences

Description: This issue was addressed with improved entitlements.

CVE-2023-32411: Mickey Jin (@patch1t)

**Associated Domains**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to break out of its sandbox

Description: The issue was addressed with improved checks.

CVE-2023-32371: James Duffy (mangoSecure)

**Cellular**

Available for: iPhone 8 and iPhone X

Impact: A remote attacker may be able to cause arbitrary code execution

Description: The issue was addressed with improved bounds checks.

CVE-2023-32419: Amat Cama of Vigilant Labs

**Core Location**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to read sensitive location information

Description: The issue was addressed with improved handling of caches.

CVE-2023-32399: an anonymous researcher

**CoreServices**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to bypass Privacy preferences

Description: This issue was addressed with improved redaction of sensitive information.

CVE-2023-28191: Mickey Jin (@patch1t)

**GeoServices**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to read sensitive location information

Description: A privacy issue was addressed with improved private data redaction for log entries.

CVE-2023-32392: an anonymous researcher

**ImageIO**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Processing an image may result in disclosure of process memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2023-32372: Meysam Firouzi of @R00tkitSMM Mbition mercedes-benz innovation lab working with Trend Micro Zero Day Initiative

**ImageIO**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Processing an image may lead to arbitrary code execution

Description: A buffer overflow was addressed with improved bounds checking.

CVE-2023-32384: Meysam Firouzi @R00tkitsmm working with Trend Micro Zero Day Initiative

**IOSurfaceAccelerator**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to disclose kernel memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2023-32354: Linus Henze of Pinauten GmbH (pinauten.de)

**IOSurfaceAccelerator**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to cause unexpected system termination or read kernel memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2023-32420: Linus Henze of Pinauten GmbH (pinauten.de)

**Kernel**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A type confusion issue was addressed with improved checks.

CVE-2023-27930: 08Tc3wBB of Jamf

**Kernel**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A use-after-free issue was addressed with improved memory management.

CVE-2023-32398: Adam Doupé of ASU SEFCOM

**Kernel**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to gain root privileges

Description: A race condition was addressed with improved state handling.

CVE-2023-32413: Eloi Benoist-Vanderbeken (@elvanderb) from Synacktiv (@Synacktiv) working with Trend Micro Zero Day Initiative

**LaunchServices**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may bypass Gatekeeper checks

Description: A logic issue was addressed with improved checks.

CVE-2023-32352: Wojciech Reguła (@\_r3ggi) of SecuRing (wojciechregula.blog)

**Metal**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to bypass Privacy preferences

Description: A logic issue was addressed with improved state management.

CVE-2023-32407: Gergely Kalman (@gergely\_kalman)

**Model I/O**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Processing a 3D model may result in disclosure of process memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2023-32368: Mickey Jin (@patch1t)

**NetworkExtension**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to read sensitive location information

Description: This  issue was addressed with improved redaction of sensitive information.

CVE-2023-32403: an anonymous researcher

**PDFKit**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Opening a PDF file may lead to unexpected app termination

Description: A denial-of-service issue was addressed with improved memory handling.

CVE-2023-32385: Jonathan Fritz

**Photos**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Shake-to-undo may allow a deleted photo to be re-surfaced without authentication

Description: The issue was addressed with improved checks.

CVE-2023-32365: Jiwon Park

**Photos**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Photos belonging to the Hidden Photos Album could be viewed without authentication through Visual Lookup

Description: The issue was addressed with improved checks.

CVE-2023-32390: Julian Szulc

**Sandbox**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to retain access to system configuration files even after its permission is revoked

Description: An authorization issue was addressed with improved state management.

CVE-2023-32357: Yiğit Can YILMAZ (@yilmazcanyigit), Koh M. Nakagawa of FFRI Security, Inc., Kirin (@Pwnrin), Jeff Johnson (underpassapp.com), and Csaba Fitzl (@theevilbit) of Offensive Security

**Security**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to access user-sensitive data

Description: This issue was addressed with improved entitlements.

CVE-2023-32367: James Duffy (mangoSecure)

**Shortcuts**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: A shortcut may be able to use sensitive data with certain actions without prompting the user

Description: The issue was addressed with improved checks.

CVE-2023-32391: Wenchao Li and Xiaolong Bai of Alibaba Group

**Shortcuts**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to bypass Privacy preferences

Description: This issue was addressed with improved entitlements.

CVE-2023-32404: Mickey Jin (@patch1t), Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab (xlab.tencent.com), and an anonymous researcher

**Siri**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: A person with physical access to a device may be able to view contact information from the lock screen

Description: The issue was addressed with improved checks.

CVE-2023-32394: Khiem Tran

**SQLite**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to bypass Privacy preferences

Description: This issue was addressed by adding additional SQLite logging restrictions.

CVE-2023-32422: Gergely Kalman (@gergely\_kalman), and Wojciech Reguła of SecuRing (wojciechregula.blog)

Entry updated June 2, 2023

**StorageKit**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to modify protected parts of the file system

Description: This issue was addressed with improved entitlements.

CVE-2023-32376: Yiğit Can YILMAZ (@yilmazcanyigit)

**System Settings**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app firewall setting may not take effect after exiting the Settings app

Description: This issue was addressed with improved state management.

CVE-2023-28202: Satish Panduranga and an anonymous researcher

**Telephony**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: A remote attacker may be able to cause unexpected app termination or arbitrary code execution

Description: A use-after-free issue was addressed with improved memory management.

CVE-2023-32412: Ivan Fratric of Google Project Zero

**TV App**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to read sensitive location information

Description: The issue was addressed with improved handling of caches.

CVE-2023-32408: an anonymous researcher

**Weather**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to read sensitive location information

Description: This  issue was addressed with improved redaction of sensitive information.

CVE-2023-32415: Wojciech Regula of SecuRing (wojciechregula.blog), and an anonymous researcher

**WebKit**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Processing web content may disclose sensitive information

Description: An out-of-bounds read was addressed with improved input validation.

WebKit Bugzilla: 255075  
CVE-2023-32402: an anonymous researcher

**WebKit**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Processing web content may disclose sensitive information

Description: A buffer overflow issue was addressed with improved memory handling.

WebKit Bugzilla: 254781  
CVE-2023-32423: Ignacio Sanmillan (@ulexec)

**WebKit**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: A remote attacker may be able to break out of Web Content sandbox. Apple is aware of a report that this issue may have been actively exploited.

Description: The issue was addressed with improved bounds checks.

WebKit Bugzilla: 255350  
CVE-2023-32409: Clément Lecigne of Google's Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International’s Security Lab

**WebKit**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Processing web content may disclose sensitive information. Apple is aware of a report that this issue may have been actively exploited.

Description: An out-of-bounds read was addressed with improved input validation.

WebKit Bugzilla: 254930  
CVE-2023-28204: an anonymous researcher

_This issue was first addressed in Rapid Security Response iOS 16.4.1 (a) and iPadOS 16.4.1 (a)._

**WebKit**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

Description: A use-after-free issue was addressed with improved memory management.

WebKit Bugzilla: 254840  
CVE-2023-32373: an anonymous researcher

_This issue was first addressed in Rapid Security Response iOS 16.4.1 (a) and iPadOS 16.4.1 (a)._

**Wi-Fi**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to disclose kernel memory

Description: This  issue was addressed with improved redaction of sensitive information.

CVE-2023-32389: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte. Ltd.

CVE-2023-32385: About the security content of iOS 16.5 and iPadOS 16.5

The issue was addressed with additional permissions checks. This issue is fixed in macOS Ventura 13.4, iOS 15.7.6 and iPadOS 15.7.6, macOS Monterey 12.6.6. A sandboxed app may be able to observe system-wide network connections

Released May 18, 2023

**Accessibility**

Available for: macOS Monterey

Impact: An app may be able to bypass Privacy preferences

Description: A privacy issue was addressed with improved private data redaction for log entries.

CVE-2023-32388: Kirin (@Pwnrin)

**AppleEvents**

Available for: macOS Monterey

Impact: An app may be able to bypass Privacy preferences

Description: This issue was addressed with improved redaction of sensitive information.

CVE-2023-28191: Mickey Jin (@patch1t)

**AppleMobileFileIntegrity**

Available for: macOS Monterey

Impact: An app may be able to bypass Privacy preferences

Description: This issue was addressed with improved entitlements.

CVE-2023-32411: Mickey Jin (@patch1t)

**Contacts**

Available for: macOS Monterey

Impact: An app may be able to observe unprotected user data

Description: A privacy issue was addressed with improved handling of temporary files.

CVE-2023-32386: Kirin (@Pwnrin)

**CUPS**

Available for: macOS Monterey

Impact: An unauthenticated user may be able to access recently printed documents

Description: An authentication issue was addressed with improved state management.

CVE-2023-32360: Gerhard Muth

**dcerpc**

Available for: macOS Monterey

Impact: A remote attacker may be able to cause unexpected app termination or arbitrary code execution

Description: A use-after-free issue was addressed with improved memory management.

CVE-2023-32387: Dimitrios Tatsis of Cisco Talos

**Dev Tools**

Available for: macOS Monterey

Impact: A sandboxed app may be able to collect system logs

Description: This issue was addressed with improved entitlements.

CVE-2023-27945: Mickey Jin (@patch1t)

**GeoServices**

Available for: macOS Monterey

Impact: An app may be able to read sensitive location information

Description: A privacy issue was addressed with improved private data redaction for log entries.

CVE-2023-32392: an anonymous researcher

**ImageIO**

Available for: macOS Monterey

Impact: Processing a maliciously crafted image may result in disclosure of process memory

Description: The issue was addressed with improved memory handling.

CVE-2023-23535: ryuzaki

**ImageIO**

Available for: macOS Monterey

Impact: Processing an image may lead to arbitrary code execution

Description: A buffer overflow was addressed with improved bounds checking.

CVE-2023-32384: Meysam Firouzi @R00tkitsmm working with Trend Micro Zero Day Initiative

**IOSurface**

Available for: macOS Monterey

Impact: An app may be able to leak sensitive kernel state

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2023-32410: hou xuewei (@p1ay8y3ar) vmk msu

**Kernel**

Available for: macOS Monterey

Impact: A sandboxed app may be able to observe system-wide network connections

Description: The issue was addressed with additional permissions checks.

CVE-2023-27940: James Duffy (mangoSecure)

**Kernel**

Available for: macOS Monterey

Impact: An app may be able to gain root privileges

Description: A race condition was addressed with improved state handling.

CVE-2023-32413: Eloi Benoist-Vanderbeken (@elvanderb) from Synacktiv (@Synacktiv) working with Trend Micro Zero Day Initiative

**Kernel**

Available for: macOS Monterey

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A use-after-free issue was addressed with improved memory management.

CVE-2023-32398: Adam Doupé of ASU SEFCOM

**LaunchServices**

Available for: macOS Monterey

Impact: An app may bypass Gatekeeper checks

Description: A logic issue was addressed with improved checks.

CVE-2023-32352: Wojciech Reguła (@\_r3ggi) of SecuRing (wojciechregula.blog)

**libxpc**

Available for: macOS Monterey

Impact: An app may be able to modify protected parts of the file system

Description: A logic issue was addressed with improved state management.

CVE-2023-32369: Jonathan Bar Or of Microsoft, Anurag Bohra of Microsoft, and Michael Pearse of Microsoft

**libxpc**

Available for: macOS Monterey

Impact: An app may be able to gain root privileges

Description: A logic issue was addressed with improved checks.

CVE-2023-32405: Thijs Alkemade (@xnyhps) from Computest Sector 7

**Metal**

Available for: macOS Monterey

Impact: An app may be able to bypass Privacy preferences

Description: A logic issue was addressed with improved state management.

CVE-2023-32407: Gergely Kalman (@gergely\_kalman)

**Model I/O**

Available for: macOS Monterey

Impact: Processing a 3D model may result in disclosure of process memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2023-32375: Michael DePlante (@izobashi) of Trend Micro Zero Day Initiative

CVE-2023-32382: Mickey Jin (@patch1t)

CVE-2023-32368: Mickey Jin (@patch1t)

**Model I/O**

Available for: macOS Monterey

Impact: Processing a 3D model may lead to arbitrary code execution

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2023-32380: Mickey Jin (@patch1t)

**NetworkExtension**

Available for: macOS Monterey

Impact: An app may be able to read sensitive location information

Description: This  issue was addressed with improved redaction of sensitive information.

CVE-2023-32403: an anonymous researcher

**PackageKit**

Available for: macOS Monterey

Impact: An app may be able to modify protected parts of the file system

Description: A logic issue was addressed with improved state management.

CVE-2023-32355: Mickey Jin (@patch1t)

**Perl**

Available for: macOS Monterey

Impact: An app may be able to modify protected parts of the file system

Description: A logic issue was addressed with improved state management.

CVE-2023-32395: Arsenii Kostromin (0x3c3e)

**Sandbox**

Available for: macOS Monterey

Impact: An app may be able to retain access to system configuration files even after its permission is revoked

Description: An authorization issue was addressed with improved state management.

CVE-2023-32357: Yiğit Can YILMAZ (@yilmazcanyigit), Jeff Johnson, Koh M. Nakagawa of FFRI Security, Inc., Kirin (@Pwnrin), and Csaba Fitzl (@theevilbit) of Offensive Security

**Shell**

Available for: macOS Monterey

Impact: An app may be able to modify protected parts of the file system

Description: A logic issue was addressed with improved state management.

CVE-2023-32397: Arsenii Kostromin (0x3c3e)

**Telephony**

Available for: macOS Monterey

Impact: A remote attacker may be able to cause unexpected app termination or arbitrary code execution

Description: A use-after-free issue was addressed with improved memory management.

CVE-2023-32412: Ivan Fratric of Google Project Zero

**TV App**

Available for: macOS Monterey

Impact: An app may be able to read sensitive location information

Description: The issue was addressed with improved handling of caches.

CVE-2023-32408: Adam M.

CVE-2023-27940: About the security content of macOS Monterey 12.6.6

A logic issue was addressed with improved state management. This issue is fixed in macOS Ventura 13.4, macOS Big Sur 11.7.7, macOS Monterey 12.6.6. An app may be able to modify protected parts of the file system

Released May 18, 2023

**Accessibility**

Available for: macOS Big Sur

Impact: An app may be able to bypass Privacy preferences

Description: A privacy issue was addressed with improved private data redaction for log entries.

CVE-2023-32388: Kirin (@Pwnrin)

**AppleEvents**

Available for: macOS Big Sur

Impact: An app may be able to bypass Privacy preferences

Description: This issue was addressed with improved redaction of sensitive information.

CVE-2023-28191: Mickey Jin (@patch1t)

**AppleMobileFileIntegrity**

Available for: macOS Big Sur

Impact: An app may be able to bypass Privacy preferences

Description: This issue was addressed with improved entitlements.

CVE-2023-32411: Mickey Jin (@patch1t)

**Contacts**

Available for: macOS Big Sur

Impact: An app may be able to observe unprotected user data

Description: A privacy issue was addressed with improved handling of temporary files.

CVE-2023-32386: Kirin (@Pwnrin)

**CoreCapture**

Available for: macOS Big Sur

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2023-28181: Tingting Yin of Tsinghua University

**CUPS**

Available for: macOS Big Sur

Impact: An unauthenticated user may be able to access recently printed documents

Description: An authentication issue was addressed with improved state management.

CVE-2023-32360: Gerhard Muth

**dcerpc**

Available for: macOS Big Sur

Impact: A remote attacker may be able to cause unexpected app termination or arbitrary code execution

Description: A use-after-free issue was addressed with improved memory management.

CVE-2023-32387: Dimitrios Tatsis of Cisco Talos

**Dev Tools**

Available for: macOS Big Sur

Impact: A sandboxed app may be able to collect system logs

Description: This issue was addressed with improved entitlements.

CVE-2023-27945: Mickey Jin (@patch1t)

**GeoServices**

Available for: macOS Big Sur

Impact: An app may be able to read sensitive location information

Description: A privacy issue was addressed with improved private data redaction for log entries.

CVE-2023-32392: an anonymous researcher

**ImageIO**

Available for: macOS Big Sur

Impact: Processing an image may lead to arbitrary code execution

Description: A buffer overflow was addressed with improved bounds checking.

CVE-2023-32384: Meysam Firouzi @R00tkitsmm working with Trend Micro Zero Day Initiative

**IOSurface**

Available for: macOS Big Sur

Impact: An app may be able to leak sensitive kernel state

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2023-32410: hou xuewei (@p1ay8y3ar) vmk msu

**Kernel**

Available for: macOS Big Sur

Impact: An app may be able to gain root privileges

Description: A race condition was addressed with improved state handling.

CVE-2023-32413: Eloi Benoist-Vanderbeken (@elvanderb) from Synacktiv (@Synacktiv) working with Trend Micro Zero Day Initiative

**Kernel**

Available for: macOS Big Sur

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A use-after-free issue was addressed with improved memory management.

CVE-2023-32398: Adam Doupé of ASU SEFCOM

**LaunchServices**

Available for: macOS Big Sur

Impact: An app may bypass Gatekeeper checks

Description: A logic issue was addressed with improved checks.

CVE-2023-32352: Wojciech Reguła (@\_r3ggi) of SecuRing (wojciechregula.blog)

**libxpc**

Available for: macOS Big Sur

Impact: An app may be able to modify protected parts of the file system

Description: A logic issue was addressed with improved state management.

CVE-2023-32369: Jonathan Bar Or of Microsoft, Anurag Bohra of Microsoft, and Michael Pearse of Microsoft

**libxpc**

Available for: macOS Big Sur

Impact: An app may be able to gain root privileges

Description: A logic issue was addressed with improved checks.

CVE-2023-32405: Thijs Alkemade (@xnyhps) from Computest Sector 7

**Metal**

Available for: macOS Big Sur

Impact: An app may be able to bypass Privacy preferences

Description: A logic issue was addressed with improved state management.

CVE-2023-32407: Gergely Kalman (@gergely\_kalman)

**Model I/O**

Available for: macOS Big Sur

Impact: Processing a 3D model may lead to arbitrary code execution

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2023-32380: Mickey Jin (@patch1t)

**Model I/O**

Available for: macOS Big Sur

Impact: Processing a 3D model may result in disclosure of process memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2023-32382: Mickey Jin (@patch1t)

**NetworkExtension**

Available for: macOS Big Sur

Impact: An app may be able to read sensitive location information

Description: This  issue was addressed with improved redaction of sensitive information.

CVE-2023-32403: an anonymous researcher

**PackageKit**

Available for: macOS Big Sur

Impact: An app may be able to modify protected parts of the file system

Description: A logic issue was addressed with improved state management.

CVE-2023-32355: Mickey Jin (@patch1t)

**Perl**

Available for: macOS Big Sur

Impact: An app may be able to modify protected parts of the file system

Description: A logic issue was addressed with improved state management.

CVE-2023-32395: Arsenii Kostromin (0x3c3e)

**Sandbox**

Available for: macOS Big Sur

Impact: An app may be able to retain access to system configuration files even after its permission is revoked

Description: An authorization issue was addressed with improved state management.

CVE-2023-32357: Yiğit Can YILMAZ (@yilmazcanyigit), Jeff Johnson, Koh M. Nakagawa of FFRI Security, Inc., Kirin (@Pwnrin), and Csaba Fitzl (@theevilbit) of Offensive Security

**Shell**

Available for: macOS Big Sur

Impact: An app may be able to modify protected parts of the file system

Description: A logic issue was addressed with improved state management.

CVE-2023-32397: Arsenii Kostromin (0x3c3e)

**Telephony**

Available for: macOS Big Sur

Impact: A remote attacker may be able to cause unexpected app termination or arbitrary code execution

Description: A use-after-free issue was addressed with improved memory management.

CVE-2023-32412: Ivan Fratric of Google Project Zero

CVE-2023-32369: About the security content of macOS Big Sur 11.7.7

LibreDWG v0.12.5 was discovered to contain a heap buffer overflow via the function bit_wcs2nlen at bits.c.

Hello, I was testing my fuzzer and found two bugs in dwg2SVG.

**environment**

ubuntu 20.04, GCC 9.4.0, libredwg latest commit 9df4ec3

compile with

    ./autogen.sh && ./configure --disable-shared && make -j$(nproc)
    

##BUG1

    ./dwg2SVG ../pocs/poc0.bit_utf8_to_TU
    =================================================================
    ==19712==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000000dc at pc 0x5603ca37f05a bp 0x7fff049b1c90 sp 0x7fff049b1c80
    WRITE of size 2 at 0x6020000000dc thread T0
        #0 0x5603ca37f059 in bit_utf8_to_TU /libredwg/src/bits.c:2883
        #1 0x5603cae6faab in dwg_is_valid_tag /libredwg/src/dwg_api.c:22059
        #2 0x5603cae6faab in dwg_is_valid_tag /libredwg/src/dwg_api.c:22048
        #3 0x5603ca7744de in dwg_decode_ATTRIB_private /libredwg/src/dwg.spec:204
        #4 0x5603ca8fe1ec in dwg_decode_ATTRIB /libredwg/src/dwg.spec:187
        #5 0x5603cacaa3a2 in decode_preR13_entities /libredwg/src/decode.c:6520
        #6 0x5603cacf559c in decode_preR13 /libredwg/src/decode_r11.c:719
        #7 0x5603cac76a6a in dwg_decode /libredwg/src/decode.c:217
        #8 0x5603ca362d77 in dwg_read_file /libredwg/src/dwg.c:261
        #9 0x5603ca35857c in main /libredwg/programs/dwg2SVG.c:979
        #10 0x7fc02854f082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
        #11 0x5603ca358c1d in _start (/validate/dwg2SVG/dwg2SVG+0x206c1d)
    
    0x6020000000dc is located 0 bytes to the right of 12-byte region [0x6020000000d0,0x6020000000dc)
    allocated by thread T0 here:
        #0 0x7fc028979a06 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:153
        #1 0x5603ca37e83a in bit_utf8_to_TU /libredwg/src/bits.c:2856
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /libredwg/src/bits.c:2883 in bit_utf8_to_TU
    Shadow bytes around the buggy address:
      0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c047fff8000: fa fa 00 00 fa fa 00 fa fa fa 00 fa fa fa 00 00
    =>0x0c047fff8010: fa fa 02 fa fa fa 01 fa fa fa 00[04]fa fa fa fa
      0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==19712==ABORTING
    

##BUG2

    ./dwg2SVG ../pocs/poc1.bit_wcs2nlen
    ==19713==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000097a at pc 0x55781f6dd09d bp 0x7ffc201cb2e0 sp 0x7ffc201cb2d0
    READ of size 2 at 0x60400000097a thread T0
        #0 0x55781f6dd09c in bit_wcs2nlen /libredwg/src/bits.c:1834
        #1 0x5578201d2abb in dwg_is_valid_tag /libredwg/src/dwg_api.c:22060
        #2 0x5578201d2abb in dwg_is_valid_tag /libredwg/src/dwg_api.c:22048
        #3 0x55781fad74de in dwg_decode_ATTRIB_private /libredwg/src/dwg.spec:204
        #4 0x55781fc611ec in dwg_decode_ATTRIB /libredwg/src/dwg.spec:187
        #5 0x55782000d3a2 in decode_preR13_entities /libredwg/src/decode.c:6520
        #6 0x55782005859c in decode_preR13 /libredwg/src/decode_r11.c:719
        #7 0x55781ffd9a6a in dwg_decode /libredwg/src/decode.c:217
        #8 0x55781f6c5d77 in dwg_read_file /libredwg/src/dwg.c:261
        #9 0x55781f6bb57c in main /libredwg/programs/dwg2SVG.c:979
        #10 0x7faa3dcaf082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
        #11 0x55781f6bbc1d in _start (/validate/dwg2SVG/dwg2SVG+0x206c1d)
    
    0x60400000097a is located 0 bytes to the right of 42-byte region [0x604000000950,0x60400000097a)
    allocated by thread T0 here:
        #0 0x7faa3e0d9a06 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:153
        #1 0x55781f6e183a in bit_utf8_to_TU /libredwg/src/bits.c:2856
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /libredwg/src/bits.c:1834 in bit_wcs2nlen
    Shadow bytes around the buggy address:
      0x0c087fff80d0: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
      0x0c087fff80e0: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
      0x0c087fff80f0: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
      0x0c087fff8100: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 fa
      0x0c087fff8110: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
    =>0x0c087fff8120: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00[02]
      0x0c087fff8130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c087fff8140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c087fff8150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c087fff8160: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c087fff8170: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==19713==ABORTING
    

**POC**

poc.zip

**Credit**

Han Zheng (Hexhive, NCNIPC of China)

CVE-2023-36271: [FUZZ] two bugs in dwg2SVG · Issue #681 · LibreDWG/libredwg

LibreDWG v0.12.5 was discovered to contain a heap buffer overflow via the function bit_utf8_to_TU at bits.c.

Tag

#buffer_overflow