Gentoo Linux Security Advisory 202210-42 - A buffer overflow in zlib might allow an attacker to cause remote code execution. Versions less than 1.2.12-r3 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202210-42  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: zlib: Multiple vulnerabilities  
     Date: October 31, 2022  
     Bugs: #863851, #835958  
       ID: 202210-42

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A buffer overflow in zlib might allow an attacker to cause remote code  
execution.

Background  
==========

zlib is a widely used free and patent unencumbered data compression  
library.

Affected packages  
=================

    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  sys-libs/zlib              < 1.2.12-r3              >= 1.2.12-r3

Description  
===========

Multiple vulnerabilities have been discovered in zlib. Please review the  
CVE identifiers referenced below for details.

Impact  
======

Maliciously crafted input handled by zlib may result in remote code  
execution.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All zlib users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=sys-libs/zlib-1.2.12-r3"

References  
==========

[ 1 ] CVE-2018-25032  
      https://nvd.nist.gov/vuln/detail/CVE-2018-25032  
[ 2 ] CVE-2022-37434  
      https://nvd.nist.gov/vuln/detail/CVE-2022-37434

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202210-42

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202210-42

** UNSUPPORTED WHEN ASSIGNED ** Oracle Solaris version 10 1/13, when using the Common Desktop Environment (CDE), is vulnerable to a privilege escalation vulnerability. A low privileged user can escalate to root by crafting a malicious printer and double clicking on the the crafted printer's icon.

CVE-2022-43752: .:: Phrack Magazine ::.

A vulnerability, which was classified as critical, has been found in Axiomatic Bento4. Affected by this issue is the function AP4_DataBuffer::SetDataSize of the component Avcinfo. The manipulation leads to heap-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-212564.

Hi, developers of Bento4:  
I tested the binary Avcinfo with my fuzzer, and a crash incurred—heap-buffer-overflow. The following is the details. I think this error is different from both #731 and #610.

Detected heap-buffer-overflow in Avcinfo.

    root@4w41awdas71:/# ./Bento4/cmakebuild/avcinfo fuzz-avcinfo/out/crashes/POC_avcinfo_15644345
    =================================================================
    ==708228==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000011 at pc 0x0000004fb133 bp 0x7ffea9099cb0 sp 0x7ffea9099ca8
    READ of size 1 at 0x602000000011 thread T0
        #0 0x4fb132 in main (/Bento4/cmakebuild/avcinfo+0x4fb132)
        #1 0x7fa90b673c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
        #2 0x41d5a9 in _start (/Bento4/cmakebuild/avcinfo+0x41d5a9)
    
    0x602000000011 is located 0 bytes to the right of 1-byte region [0x602000000010,0x602000000011)
    allocated by thread T0 here:
        #0 0x4f58a8 in operator new[](unsigned long) /llvm-project/compiler-rt/lib/asan/asan_new_delete.cpp:102
        #1 0x4fb503 in AP4_DataBuffer::SetDataSize(unsigned int) (/Bento4/cmakebuild/avcinfo+0x4fb503)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow (/Bento4/cmakebuild/avcinfo+0x4fb132) in main
    Shadow bytes around the buggy address:
      0x0c047fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c047fff8000: fa fa[01]fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==708228==ABORTING
    
    

Ubuntu 18.04.6 LTS (docker)  
clang 12.0.1  
clang++ 12.0.1  
Bento4 master branch(5b7cc25) && Bento4 release version(1.6.0-639)

CVE-2022-3785: A heap-buffer-overflow in Avcinfo · Issue #780 · axiomatic-systems/Bento4

A vulnerability classified as critical was found in Axiomatic Bento4 5e7bb34. Affected by this vulnerability is the function AP4_Mp4AudioDsiParser::ReadBits of the file Ap4Mp4AudioInfo.cpp of the component mp4hls. The manipulation leads to heap-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-212563.

Hi, there.

There is an heap overflow in ReadBits, Ap4Mp4AudioInfo.cpp:66, in the newest master branch 5e7bb34, which seems to be incomplete fix of issue #194.

Here is the reproducing command:

POC:  
mp42hls\_ReadBits\_Ap4Mp4AudioInfo66.zip  
(unzip first)

Here is the reproduce trace reported by ASAN:

    ==64087==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000275 at pc 0x000000511365 bp 0x7fff4cecb370 sp 0x7fff4cecb368
     READ of size 1 at 0x602000000275 thread T0
         #0 0x511364 in AP4_Mp4AudioDsiParser::ReadBits(unsigned int)  /benchmark/Bento4/Source/C++/Codecs/Ap4Mp4AudioInfo.cpp:66:56
         #1 0x511a50 in AP4_Mp4AudioDecoderConfig::ParseExtension(AP4_Mp4AudioDsiParser&)  /benchmark/Bento4/Source/C++/Codecs/Ap4Mp4AudioInfo.cpp:159:20
         #2 0x513cdb in AP4_Mp4AudioDecoderConfig::Parse(unsigned char const*, unsigned int)  /benchmark/Bento4/Source/C++/Codecs/Ap4Mp4AudioInfo.cpp:317:30
         #3 0x5a093c in AP4_Mpeg2TsAudioSampleStream::WriteSample(AP4_Sample&, AP4_DataBuffer&, AP4_SampleDescription*, bool, AP4_ByteStream&)  /benchmark/Bento4/Source/C++/Core/Ap4Mpeg2Ts.cpp:442:44
         #4 0x50991a in WriteSamples(AP4_Mpeg2TsWriter*, PackedAudioWriter*, AP4_Track*, SampleReader*, AP4_Mpeg2TsWriter::SampleStream*, AP4_Track*, SampleReader*, AP4_Mpeg2TsWriter::SampleStream*, unsigned int, unsigned char)  /benchmark/Bento4/Source/C++/Apps/Mp42Hls/Mp42Hls.cpp:1274:40
         #5 0x50991a in main  /benchmark/Bento4/Source/C++/Apps/Mp42Hls/Mp42Hls.cpp:2188:14
         #6 0x7efd53469082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
         #7 0x41d8ed in _start ( /benchmark/Bento4/build-a/mp42hls+0x41d8ed)
     
     0x602000000275 is located 0 bytes to the right of 5-byte region [0x602000000270,0x602000000275)
     allocated by thread T0 here:
         #0 0x4f8017 in operator new[](unsigned long)  /dependence/llvm11/llvm-11.0.0.src/projects/compiler-rt/lib/asan/asan_new_delete.cpp:102:3
         #1 0x560ebf in AP4_DataBuffer::AP4_DataBuffer(void const*, unsigned int)  /benchmark/Bento4/Source/C++/Core/Ap4DataBuffer.cpp:68:20
         #2 0x5a093c in AP4_Mpeg2TsAudioSampleStream::WriteSample(AP4_Sample&, AP4_DataBuffer&, AP4_SampleDescription*, bool, AP4_ByteStream&)  /benchmark/Bento4/Source/C++/Core/Ap4Mpeg2Ts.cpp:442:44
         #3 0x50991a in WriteSamples(AP4_Mpeg2TsWriter*, PackedAudioWriter*, AP4_Track*, SampleReader*, AP4_Mpeg2TsWriter::SampleStream*, AP4_Track*, SampleReader*, AP4_Mpeg2TsWriter::SampleStream*, unsigned int, unsigned char)  /benchmark/Bento4/Source/C++/Apps/Mp42Hls/Mp42Hls.cpp:1274:40
         #4 0x50991a in main  /benchmark/Bento4/Source/C++/Apps/Mp42Hls/Mp42Hls.cpp:2188:14
         #5 0x7efd53469082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
     
     SUMMARY: AddressSanitizer: heap-buffer-overflow  /benchmark/Bento4/Source/C++/Codecs/Ap4Mp4AudioInfo.cpp:66:56 in AP4_Mp4AudioDsiParser::ReadBits(unsigned int)
     Shadow bytes around the buggy address:
       0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
       0x0c047fff8000: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa fd fd
       0x0c047fff8010: fa fa 04 fa fa fa fd fd fa fa 00 05 fa fa 05 fa
       0x0c047fff8020: fa fa 06 fa fa fa 00 fa fa fa fd fd fa fa 04 fa
       0x0c047fff8030: fa fa fd fa fa fa fd fa fa fa 01 fa fa fa 00 00
     =>0x0c047fff8040: fa fa 00 00 fa fa 05 fa fa fa 00 04 fa fa[05]fa
       0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
       0x0c047fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
       0x0c047fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
       0x0c047fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
       0x0c047fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
     Shadow byte legend (one shadow byte represents 8 application bytes):
       Addressable:           00
       Partially addressable: 01 02 03 04 05 06 07 
       Heap left redzone:       fa
       Freed heap region:       fd
       Stack left redzone:      f1
       Stack mid redzone:       f2
       Stack right redzone:     f3
       Stack after return:      f5
       Stack use after scope:   f8
       Global redzone:          f9
       Global init order:       f6
       Poisoned by user:        f7
       Container overflow:      fc
       Array cookie:            ac
       Intra object redzone:    bb
       ASan internal:           fe
       Left alloca redzone:     ca
       Right alloca redzone:    cb
       Shadow gap:              cc
     ==64087==ABORTING

CVE-2022-3784: Heap overflow in mp4hls, ReadBits, Ap4Mp4AudioInfo.cpp:66 · Issue #806 · axiomatic-systems/Bento4

xfig 3.2.7 is vulnerable to Buffer Overflow.

Toggle useless messages

**Report forwarded** to debian-bugs-dist@lists.debian.org, subin.kim@prosys.kr, Roland Rosenfeld <roland@debian.org>:  
Bug#992395; Package xfig. (Wed, 18 Aug 2021 06:15:03 GMT) (full text, mbox, link).

**Acknowledgement sent** to "Potential Buffer Overflow vulnerability in xfig-3.2.7b" <subin.kim@prosys.kr>:  
New Bug report received and forwarded. Copy sent to subin.kim@prosys.kr, Roland Rosenfeld <roland@debian.org>. (Wed, 18 Aug 2021 06:15:03 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

Package: xfig
Version: xfig
Severity: important

Dear Maintainer,

It seems that there exists a potential Buffer Overflow.
(src/w\_help.c:55)
sprintf(filename, "%s/html/%s/index.html", XFIGDOCDIR, getenv("LANG"));

the length of getenv("LANG") may become very long and cause Buffer Overflow while executing sprintf(...).


-System Information:
Debian Release: 11.0
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86\_64)

Kernel: Linux 4.4.0-19041-Microsoft
Locale: LANG=en\_US.UTF-8, LC\_CTYPE=en\_US.UTF-8 (charmap=UTF-8), LANGUAGE=en\_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: unable to detect

Versions of packages xfig depends on:
pn  fig2dev | transfig  <none>
ii  libc6               2.31-13
ii  libjpeg62-turbo     1:1.5.2-2+deb10u1
ii  libpng16-16         1.6.36-6
ii  libx11-6            2:1.6.7-1+deb10u2
ii  libxi6              2:1.7.9-1
pn  libxpm4             <none>
ii  libxt6              1:1.1.5-1+b3
ii  sensible-utils      0.0.14
pn  xaw3dg              <none>

Versions of packages xfig recommends:
pn  xfig-libs  <none>

Versions of packages xfig suggests:
pn  cups-client | lpr  <none>
pn  ghostscript        <none>
pn  gimp               <none>
pn  gsfonts-x11        <none>
pn  netpbm             <none>
pn  spell              <none>
pn  xfig-doc           <none>

**Reply sent** to Roland Rosenfeld <roland@debian.org>:  
You have taken responsibility. (Fri, 20 Aug 2021 12:09:03 GMT) (full text, mbox, link).

**Notification sent** to "Potential Buffer Overflow vulnerability in xfig-3.2.7b" <subin.kim@prosys.kr>:  
Bug acknowledged by developer. (Fri, 20 Aug 2021 12:09:03 GMT) (full text, mbox, link).

Message #12 received at 992395-close@bugs.debian.org (full text, mbox, reply):

Source: xfig
Source-Version: 1:3.2.8a-1
Done: Roland Rosenfeld <roland@debian.org>

We believe that the bug you reported is fixed in the latest version of
xfig, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 992395@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Roland Rosenfeld <roland@debian.org> (supplier of updated xfig package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 20 Aug 2021 13:26:32 +0200
Source: xfig
Architecture: source
Version: 1:3.2.8a-1
Distribution: unstable
Urgency: medium
Maintainer: Roland Rosenfeld <roland@debian.org>
Changed-By: Roland Rosenfeld <roland@debian.org>
Closes: 992395
Changes:
 xfig (1:3.2.8a-1) unstable; urgency=medium
 .
   \* New upstream release 3.2.8a.
   \* 07\_missing-config.h, 08\_fig-format-doc, 09\_repair-table-doc are now
     incorporated upstream.
   \* Adapt file preservation to new upstream version.
   \* Update debian/copyright.
   \* Move xfig binary to /usr/libexec/xfig/xfig.
   \* Package test binaries and use them in autopkgtest.
   \* Update to Standards-Version 4.6.0 (no changes).
   \* 07\_LANG\_overflow: Avoid buffer overflow in LANG (Closes: #992395).
Checksums-Sha1:
 3c61e420b37da903f6a7e246fb0bacdab13c5ab8 2268 xfig\_3.2.8a-1.dsc
 0ac17ad33fdc8d570c187641e3d62ca9cd8faa2e 5380896 xfig\_3.2.8a.orig.tar.xz
 cd9de585ba1cf9f60cb888db8e6c23aedac8db8a 31736 xfig\_3.2.8a-1.debian.tar.xz
 7ec24ede8ad6c45982f1d6daecdf8eb2bbeb78db 8802 xfig\_3.2.8a-1\_source.buildinfo
Checksums-Sha256:
 5ccff8d437f6cca74c999902606c5288bc2faa3d4e369fbf5e9e41f06f528b83 2268 xfig\_3.2.8a-1.dsc
 ba43c0ea85b230d3efa5a951a3239e206d0b033d044c590a56208f875f888578 5380896 xfig\_3.2.8a.orig.tar.xz
 5bce4925951b4da43606ea0fdbc58e6d5bd586db5d3288f1b6abd2f69bc7dbe8 31736 xfig\_3.2.8a-1.debian.tar.xz
 8b72190e5c937543ef4692e84125a5bc816e234e68982b38f2c2d9f63e48f407 8802 xfig\_3.2.8a-1\_source.buildinfo
Files:
 47505378c399e92bd8320c9e7c3cfa26 2268 graphics optional xfig\_3.2.8a-1.dsc
 58dd2b6f9f17d7006c78156ce2da0073 5380896 graphics optional xfig\_3.2.8a.orig.tar.xz
 21becafff522811fd703ad707848b2c8 31736 graphics optional xfig\_3.2.8a-1.debian.tar.xz
 1ad72572a407e7d1ee3be3d287bbf4f4 8802 graphics optional xfig\_3.2.8a-1\_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEErC+9sQSUPYpEoCEdAnE7z8pUELIFAmEfkesACgkQAnE7z8pU
ELK3ihAAjb2QzTyLRtUVTT50trBehzl8WJvfo7txeYBvJZup+j0hd0T46EFlpZ7M
gTFTN2zxWf7w8WUYQyfSqM7anzl3otEEaLSQ3kE3vzo+ZH9T0J98m2F/OQbEqF1u
QLbZxQF4f8M98s3TY3qBrE8Q+jN9CxcAaHMD4raoUw5LVz6FJ8c/l/xg8AQN2ekK
YWwwhZnxRWJjM3mu6hK7Cj9ihOsrs6f9q10t08q6sKVnuWLTUuvl5mGB3cDd/zHk
YNJ724pBwqUNPU1sDfGl6/DWiuWjmJwaQ1H/MnPEnV/7Utu3adfvF7AAodmxuV91
Jvx5Tb9VqnY84eRdCi2zFFyMKk4Kv6VXNLcOtFbpg7chFcWApIm+NY4Ql5s21yZg
JJZgrVHEo1rjqGbNQ9dnQHN8qZCANeKbJ44eGDgFnYPrUr963TWHhbDOOcwgU4sS
/HQf6aeq6OtXU5gSpLW2yfex2PAPustTmedREnSLuI3V5yiQxNa3Z8fQe3I36AKR
f0M4PU0c8JFEucA4ocwnzKflGsEqwGd/0OOSiPLShCdE+iaBrbz7FaOnQBO81Oyx
KUEXbL19EgBvSiz1oXIuVxgoObcEx2PK+W8uw1RkWq7Y2yjfx2N+kuDvTsJAEDzA
xYOtje3y6/VKKGWBVlDz8rFJSBA0hSY68XS+xQTzFPnNIU5wFPw=
=/r76
-----END PGP SIGNATURE-----

**Bug archived.** Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 18 Sep 2021 07:29:13 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org\>. Last modified: Mon Oct 31 16:35:27 2022; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.

CVE-2021-40241: #992395 - xfig: Potential Buffer Overflow vulnerability in src/w_help.c

Debian Linux Security Advisory 5267-1 - Nicky Mouha discovered a buffer overflow in 'sha3', a Python library for the SHA-3 hashing functions.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5267-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffOctober 30, 2022                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : pysha3CVE ID         : CVE-2022-37454Debian Bug     : 1023030Nicky Mouha discovered a buffer overflow in 'sha3', a Python library forthe SHA-3 hashing functions.For the stable distribution (bullseye), this problem has been fixed inversion 1.0.2-4.1+deb11u1.We recommend that you upgrade your pysha3 packages.For the detailed security status of pysha3 please refer toits security tracker page at:https://security-tracker.debian.org/tracker/pysha3Further information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmNeydYACgkQEMKTtsN8TjZM0RAAk28/0iK+MlZR4EtgLm8chSw8YsaDjyCC6yVv82fz5yjYRhNkCteunkH0ffN2B8EXRJN8pqRV89ptnwOkwW3KjaJ6un3new3Zg4sPFB2DULd3yoxD3YGlzbh/EmHsnDSN88M8TSSi6IGErBIrMNqKt0FORg9/whpujDOJToo5np8uV7/SZNEMo2BOLtLIoXjMB4erlaI5pEE9/mEr6hzXJNsiVy82GtGZESuFo0XWu3hsD6BCzBvWKvZIOuALuTE9BEPGWJBPAIAqDS48yEd8KXiSEex9zsxdAa2vhsFHJ3U1LvwxZY0DvjG5JSjImc9U/p7DrwHhSyuS/pUFkR47Hl+d5i6+9IcU3lvFjszrq9bX019HuF2/U9ZfgvNQL/LmUpxFEyEziE3xkMG/SBP809fJ+UAU1XRV4qj6Yd/dN9TBZXE4eTcjzVCnjxjEzJKjaMcNl1qMM5JanG69iuGdy61ubTA/vEjxNH3qQOnJmITc1RuLlpkiU7TVA6ggNJ59xPQLLvgJ0lTY0oOQ0+pGh8aTHixHQFa35ynES6i+gKULv6M+fa/oayRLpw+06fGoSxdPmM8LHp9c54pLN3KgPIIcb/Aimkl+ReUYnrSXsaerfmyXS3f0LEjfhSxozXAooTxRr3eh5pUpTd3fuooodn9Zh3o5E5QcTbK82UGkTLI==p4UM-----END PGP SIGNATURE-----

Debian Security Advisory 5267-1

Gentoo Linux Security Advisory 202210-32 - An integer overflow has been found in hiredis which could result in arbitrary code execution. Versions less than 1.0.1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202210-32  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: hiredis, hiredis-py: Multiple Vulnerabilities  
     Date: October 31, 2022  
     Bugs: #873079, #816318  
       ID: 202210-32

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

An integer overflow has been found in hiredis which could result in  
arbitrary code execution.

Background  
==========

hiredis is a minimalistic C client library for the Redis database.

hiredis-py is a Python extension that wraps hiredis.

Affected packages  
=================

    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  dev-libs/hiredis           < 1.0.1                      >= 1.0.1  
  2  dev-python/hiredis         < 2.0.0                      >= 2.0.0

Description  
===========

Hiredis is vulnerable to integer overflow if provided maliciously  
crafted or corrupted `RESP` `mult-bulk` protocol data. When parsing  
`multi-bulk` (array-like) replies, hiredis fails to check if `count *  
sizeof(redisReply*)` can be represented in `SIZE_MAX`. If it can not,  
and the `calloc()` call doesn't itself make this check, it would result  
in a short allocation and subsequent buffer overflow.

Impact  
======

Malicious Redis commands could result in remote code execution.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All hiredis users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=dev-libs/hiredis-1.0.1"

All hiredis-py users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=dev-python/hiredis-2.0.0"

References  
==========

[ 1 ] CVE-2021-32765  
      https://nvd.nist.gov/vuln/detail/CVE-2021-32765

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202210-32

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202210-32

Apple Security Advisory 2022-10-27-14 - Safari 16 addresses buffer overflow, code execution, out of bounds read, and spoofing vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2022-10-27-14 Additional information for APPLE-SA-2022-09-12-5 Safari 16

Safari 16 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT213442.

Safari Extensions  
Available for: macOS Big Sur and macOS Monterey  
Impact: A website may be able to track users through Safari web  
extensions  
Description: A logic issue was addressed with improved state  
management.  
WebKit Bugzilla: 242278  
CVE-2022-32868: Michael

WebKit  
Available for: macOS Big Sur and macOS Monterey  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: A buffer overflow issue was addressed with improved  
memory handling.  
WebKit Bugzilla: 241969  
CVE-2022-32886: P1umer, afang5472, xmzyshypnc

WebKit  
Available for: macOS Big Sur and macOS Monterey  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: An out-of-bounds read was addressed with improved bounds  
checking.  
WebKit Bugzilla: 242762  
CVE-2022-32912: Jeonghoon Shin (@singi21a) at Theori working with  
Trend Micro Zero Day Initiative

WebKit  
Available for: macOS Big Sur and macOS Monterey  
Impact: Visiting a website that frames malicious content may lead to  
UI spoofing  
Description: The issue was addressed with improved UI handling.  
WebKit Bugzilla: 243236  
CVE-2022-32891: @real_as3617 and an anonymous researcher  
Entry updated October 27, 2022

WebKit Sandboxing  
Available for: macOS Big Sur and macOS Monterey  
Impact: A sandboxed process may be able to circumvent sandbox  
restrictions  
Description: An access issue was addressed with improvements to the  
sandbox.  
WebKit Bugzilla: 243181  
CVE-2022-32892: @18楼梦想改造家 and @jq0904 of DBAppSecurity's WeBin lab  
Entry added October 27, 2022

Safari 16 may be obtained from the Mac App Store.  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmNbKowACgkQ4RjMIDke  
NxlCEg/+KnbktSos4M/gMt7rkcCymB4Ul4mMw0XW6eJVBL34H3XiOM9i8OoRGbg2  
F3Ft4mxRWFlzA9SgNVuvMBVHREkOdeOJ37PDtfZp9bITGAtOww8K8Ng56VxhpPem  
gs5q+veUTu95cVXDfGebwQNYtXc76+Zg/+Ju9VmhFJg0XXrjC2mzAEC8Mz2yy91b  
9otf+UeDmdBUF3eLrygVAwtXE0/swZVaRMeDu2EYFuJWl/afN+ICOrHYLxtLa9dB  
1uvw+RbOhwFRdKB010tcUUhf+M06Tp6pHPvtWHdS+Xy3RxA1d4rMzdon4TmsdEdr  
dBpOiu0EOFLMXekVosIkkvKLXAWwH5C1Ogap7IchXnc8c+rEm6Hl1QuoH4QL0krD  
P+sGYV4457e+VASkaUDEr6yxXJj+8MILm4x+7akD767qhoKvzpIfrFKY2gMnWkvK  
JNUMzPXCYLkht39KWGEJk/b/HMvlwniBmXKGDVaTG/oNcMVFyRvx81qxrNlELxcw  
lYSfP5tICA0CBWyVXYvUy1JRe15QrelLmCwpcAvAz1Edqu90sAAsPybvrPJHcZxD  
2O+parML2rVJ6zOVBg1cOddohgnJEbT3PzDW48HRV8Ub5I8WzvIKqnS+R7VWkh66  
Av8d8ElI37WY2sfIsFwXvhsIYFLZL86nel5HVEflmog2K0g/Kd0=  
=lLIK  
-----END PGP SIGNATURE-----

Apple Security Advisory 2022-10-27-14

In wolfSSL versions prior to 5.5.1, malicious clients can cause a buffer overflow during a resumed TLS 1.3 handshake. If an attacker resumes a previous TLS session by sending a maliciously crafted Client Hello, followed by another maliciously crafted Client Hello. In total 2 Client Hellos have to be sent. One which pretends to resume a previous session and a second one as a response to a Hello Retry Request message.

# wolfssl before 5.5.1: CVE-2022-39173 Buffer overflow when refining  
cipher suites  
==================================================================================

## INFO  
=======

The CVE project has assigned the id CVE-2022-39173 to this issue.

Severity: high 7.5  
Affected version: before 5.5.1  
End of embargo: The embargo for this vulnerability ended 29th of September, 2022

## SUMMARY  
==========

In wolfSSL before 5.5.1 malicious clients can cause a buffer-overflow  
during a resumed TLS 1.3 handshake. If an attacker resumes a previous  
TLS session by sending a maliciously crafted Client Hello, followed by  
another maliciously crafted Client Hello. In total 2 Client Hellos  
have to be sent. One which pretends to resume a previous session and a  
second one as a response to a Hello Retry Request message.

The malicious Client Hellos contain a list of supported cipher suites,  
which contain at least `⌊sqrt(150)⌋ + 1 = 13` duplicates and less than  
150 ciphers in total. The buffer-overflow occurs in the `RefineSuites`  
function. An overflow of 44700 bytes has been confirmed. Therefore,  
large portions of the stack can get overwritten, including return  
addresses.

We confirmed the vulnerability by sending packets over TCP to a  
Wolfssl server, freshly built from the sources with the  
`--enable-session-ticket` flags (or simply `--enable-all`). We can  
provide sources for our software (tlspuffin) that produce those  
packets (and that automatically found the attack trace). The command  
given at the end of this document triggers the buffer overflow.

It is very likely that there is a way to craft an exploit which can  
cause a RCE. We have not yet created such an exploit as it would  
likely depend on the memory layout of the binary which uses wolfSSL.

Moreover, the size of the overflow can be fine-tuned in order to not  
smash the stack and continue the execution with a too large length of  
suites buffer and that will cause other routines that iterate over  
thus buffer (e.g., `FindSuiteSSL`) to misbehave. Hypothetically, this  
might be exploited to make the server use a cipher it should not  
accept such as `nullcipher` that would open up new attack vectors such  
as downgrade attacks.  
While this has not been confirmed yet, the buffer overflow itself has  
been confirmed.

## DETAILS  
==========

Line numbers below are valid for the wolfSSL Git tag  
[v5.4.0-stable](https://github.com/wolfSSL/wolfssl/tree/v5.4.0-stable).

The bug we found is in the `RefineSuites` function. In the following  
we want to explain why the function is able to overflow the `suites`  
array.  
```c  
/* Refine list of supported cipher suites to those common to server and client.  
 *  
 * ssl         SSL/TLS object.  
 * peerSuites  The peer's advertised list of supported cipher suites.  
 */  
static void RefineSuites(WOLFSSL* ssl, Suites* peerSuites)  
{  
    byte   suites[WOLFSSL_MAX_SUITE_SZ];  
    word16 suiteSz = 0;  
    word16 i, j;

    XMEMSET(suites, 0, WOLFSSL_MAX_SUITE_SZ);

    for (i = 0; i < ssl->suites->suiteSz; i += 2) {  
        for (j = 0; j < peerSuites->suiteSz; j += 2) {  
            if (ssl->suites->suites[i+0] == peerSuites->suites[j+0] &&  
                ssl->suites->suites[i+1] == peerSuites->suites[j+1]) {  
                suites[suiteSz++] = peerSuites->suites[j+0];  
                suites[suiteSz++] = peerSuites->suites[j+1];  
            }  
        }  
    }

    ssl->suites->suiteSz = suiteSz;  
    XMEMCPY(ssl->suites->suites, &suites, sizeof(suites));  
#ifdef WOLFSSL_DEBUG_TLS  
    [...]  
#endif  
}  
```  
tls13.c:4355

The `RefineSuites` function expects a `WOLFSSL` struct which contains  
a list of acceptable ciphers suites (`ssl->suites->suites`), as well  
as an array of peer cipher suites (`peerSuites`). Both inputs are  
bounded by `WOLFSSL_MAX_SUITE_SZ`, which is equal to 300 bytes or 150  
cipher suites.

Let us assume that `ssl->suites` consists of a single cipher suite  
like `TLS_AES_256_GCM_SHA384` and the `peerSuites` list contains the  
same cipher repeated thirteen times. The `RefineSuites` function will  
iterate for each element in `ssl->suites` over `peerSuites` and append  
the suite to `suites` if it is a match. The `suites` array has a  
maximum length of `WOLFSSL_MAX_SUITE_SZ == 300 bytes == 150 suites`.

With the just mentioned example input, the length of `suites` will now  
equal thirteen. The `suites` array is now copied to the `WOLFSSL`  
struct in the last line of the listing above. Therefore, `ssl->suites`  
contains now thirteen times the `TLS_AES_256_GCM_SHA384` cipher suite.

Let us now call the same `RefineSuites` function again on the modified  
`WOLFSSL` struct and the same `peerSuites` list. The `RefineSuites`  
function will iterate for each element in `ssl->suites` over  
`peerSuites` and append the suite to `suites` if it is a match.  
Because `ssl->suites` contains already 13 times the  
`TLS_AES_256_GCM_SHA384` cipher suite, in total 13 x 13 = 169 cipher  
suites are written to `suites`. 169 cipher suites require 338 bytes,  
which is more than what's available on the stack. The `suites` buffer  
overflows.

The maximum size of `peerSuites` is 150 cipher suites. Therefore, an  
overflow of 44700 bytes is possible and has been confirmed.

The buffer `ssl->suites->suites` is supposed to be reset to only  
contain the acceptable ciphers at each session start, and thus  
initially contains no duplicate. However, by provoking a `HELLO CLIENT  
RETRY REQUEST`, it is possible to make the server call `RefineSuites`  
twice as explained next.

## TRIGGERING THE BUFFER OVERFLOW  
=================================

In order to cause the above buffer-overflow, it is required to call  
`RefineSuites` twice. Malicious clients need to perform the handshake  
in a certain way to reach this situation.  
The buffer overflow at the attacked server can be obtained at least in  
the following situation:

1. Resume the previous session by sending a second Client Hello  
(`CH2`) with the following criteria:  
   - Exclude the `support_group_extension`, to cause a Hello Retry Request  
   - Include a binder which cryptographically binds this session to  
the previous one.  
   - Include a list of cipher suites that contains a repetition of `n`  
times the same cipher `c` with `13 <= n < 150`, deemed acceptable by  
the server.

   The server will parse this message, enters the state  
`SERVER_HELLO_RETRY_REQUEST_COMPLETE` and stores at least `n` times  
the cipher `c` in `ssl->suites->suites` by calling `RefineSuites`.

2. Sending a third Client Hello (`CH3`) with the same criteria as in step 2.  
   The server will parse this message and because  
`ssl->suites->suites` already contains `n` times the cipher `c`,  
`RefineSuites` will write in `suites` at least until `suites[nˆ2]`  
which overflows since `nˆ2 > 300`.

## DETAILS ABOUT STEP 1.  
========================

During step 2., we want to cause the server to perform a Hello Retry Request.

This is possible by not sending a supported group in the `CH2`. By not  
sending a support group extension, the function  
`TLSX_SupportedGroups_Find` will return false.

```c  
static int TLSX_SupportedGroups_Find(WOLFSSL* ssl, word16 name)  
{  
    ...  
        /* Check consistency now - extensions in any order. */  
        if (!TLSX_SupportedGroups_Find(ssl, clientKSE->group))  
            continue;  
    ...  
```  
tls.c:8374

This will cause clientKSE to be `NULL` and `doHelloRetry` will be set to 1.

```c  
int TLSX_KeyShare_Establish(WOLFSSL *ssl, int* doHelloRetry)  
{  
    ...  
    /* No supported group found - send HelloRetryRequest. */  
    if (clientKSE == NULL) {  
        /* Set KEY_SHARE_ERROR to indicate HelloRetryRequest required. */  
        *doHelloRetry = 1;  
        return TLSX_KeyShare_SetSupported(ssl);  
    }  
    ...  
```  
tls.c:9273

Finally, the server enters the state  
`SERVER_HELLO_RETRY_REQUEST_COMPLETE` in the function  
`VerifyServerSuite` while verifying the server suite when processing  
`CH2`.

```c  
    /* Make sure server cert/key are valid for this suite, true on success  
     * Returns 1 for valid server suite or 0 if not found  
     * For asynchronous this can return WC_PENDING_E  
     */  
    static int VerifyServerSuite(WOLFSSL* ssl, word16 idx)  
    {  
        ...  
        if (IsAtLeastTLSv1_3(ssl->version) &&  
                                      ssl->options.side == WOLFSSL_SERVER_END) {  
            int doHelloRetry = 0;  
            /* Try to establish a key share. */  
            int ret = TLSX_KeyShare_Establish(ssl, &doHelloRetry);  
            if (doHelloRetry) {  
                ssl->options.serverState = SERVER_HELLO_RETRY_REQUEST_COMPLETE;  
            }

            ...  
        }  
        ...  
```  
tls.c:30688

## DETAILS ABOUT STEP 2.  
====================

The server is now in a state in which it expects another Client Hello  
(`CH3`) from the client.

The server is now in the state `SERVER_HELLO_RETRY_REQUEST_COMPLETE`  
and will process the third ClientHello (`CH3`) with the call of  
`ProcessReply` before reaching the `TLS13_ACCEPT_SECOND_REPLY_DONE`  
state.

```c  
int wolfSSL_accept_TLSv13(WOLFSSL* ssl)  
{  
    ...  
        case TLS13_ACCEPT_FIRST_REPLY_DONE :  
            if (ssl->options.serverState ==  
                                          SERVER_HELLO_RETRY_REQUEST_COMPLETE) {  
                ssl->options.clientState = CLIENT_HELLO_RETRY;  
                while (ssl->options.clientState < CLIENT_HELLO_COMPLETE) {  
                    if ((ssl->error = ProcessReply(ssl)) < 0) {  
                        WOLFSSL_ERROR(ssl->error);  
                        return WOLFSSL_FATAL_ERROR;  
                    }  
                }  
            }

            ssl->options.acceptState = TLS13_ACCEPT_SECOND_REPLY_DONE;  
            WOLFSSL_MSG("accept state ACCEPT_SECOND_REPLY_DONE");  
            FALL_THROUGH;  
    ...  
```  
tls13.c:10909

## VULNERABILITY VARIANTS  
=========================

### Adjusting the overflow  
Note that the length of the list of ciphers in `CH2` does not  
necessarily have to be the same as the one of `CH1` and can be  
adjusted to fine-tune the size of the overflow.

### Make the server parse `CH2`  
Note also that, on the contrary to `CH1`, `CH2` does not necessarily  
have to put the server in the `SERVER_HELLO_RETRY_REQUEST_COMPLETE`  
state (which should be forbidden by the TLS 1.3 RFC) or make it return  
an error, and can thus contain a supported group, which could be  
included to possibly make the server continue the processing of `CH2`  
without returning an error.  
We have confirmed that we can make the server parses `CH2` until the  
end and starts computing a Server Hello with `ssl->suites->suiteSz`  
that exceeds 300.

### Resuming an existent session  
It is also possible to trigger the vulnerability by trying to resume  
an existent and genuine session established through a full initial  
handshake (step 0.):  
0. Sending an initial genuine Client Hello (`CH1`) to the server and  
then completing a full handshake, thus establishing a PSK.

## EXPLOITATION  
===============

We suspect that it is possible to craft an exploit which could lead to  
RCE if any of the above bytes coincides with the memory address of  
executable code. Depending on the memory layout of the binary it could  
be possible to gain RCE.  
More bytes could be used to overflow `suites` if more ciphers were  
configured to be accepted with the server, e.g., with options like  
`--enable-blake2`.

We confirmed that this could also be exploited to smash the stack and  
cause the server to crash with a segmentation fault by using a large  
list of ciphers.

Finally, by fine-tuning the length of the overflow and by including  
the supported group in `CH3`, it could be possible to make the server  
process `CH3` with a `ssl->suites->suites->suiteSz` value that exceeds  
300. This way, routines like `FindSuiteSSL` that will iterate over  
`ssl->suites->suites` (allocated on 300 bytes) until  
`ssl->suites->suiteSz` (>300) will also iterate over bytes that  
contain other fields such as `ssl->suites->hashSigAlgo`. It is likely  
that this could be exploited to make such routines return arbitrary  
values. For example, it might be exploited to make the server use a  
cipher it should not accept such as `nullcipher`; thus breaking  
confidentiality.

## FURTHER CONCERNS  
==================

We observed that the server is accepting the `CH2` Client Hello  
message and issues a Hello Retry Request, even though `CH2` does not  
contain supported groups. Clients are not allowed to add the supported  
groups extension in the retry Client Hello (`CH3`) according to the  
RFC 8446 in section  
[4.1.2](https://www.rfc-editor.org/rfc/rfc8446#section-4.1.2). The  
addition of supported groups is not allowed when retrying the Client  
Hello.  
We suggest aborting the handshake when receiving `CH2` instead of  
offering the client a retry.

wolfSSL Buffer Overflow

Apple Security Advisory 2022-10-27-13 - watchOS 9 addresses buffer overflow, bypass, code execution, out of bounds read, out of bounds write, spoofing, and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2022-10-27-13 watchOS 9

watchOS 9 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT213486.

Accelerate Framework  
Available for: Apple Watch Series 4 and later  
Impact: Processing a maliciously crafted image may lead to arbitrary  
code execution  
Description: A memory consumption issue was addressed with improved  
memory handling.  
CVE-2022-42795: ryuzaki

AppleAVD  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: This issue was addressed with improved checks.  
CVE-2022-32907: Natalie Silvanovich of Google Project Zero, Antonio  
Zekic (@antoniozekic) and John Aakerblom (@jaakerblom), ABC Research  
s.r.o, Yinyi Wu, Tommaso Bianco (@cutesmilee__)

Apple Neural Engine  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to leak sensitive kernel state  
Description: The issue was addressed with improved memory handling.  
CVE-2022-32858: Mohamed Ghannam (@_simo36)

Apple Neural Engine  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2022-32898: Mohamed Ghannam (@_simo36)  
CVE-2022-32899: Mohamed Ghannam (@_simo36)  
CVE-2022-32889: Mohamed Ghannam (@_simo36)

Contacts  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to bypass Privacy preferences  
Description: This issue was addressed with improved checks.  
CVE-2022-32854: Holger Fuhrmannek of Deutsche Telekom Security

Exchange  
Available for: Apple Watch Series 4 and later  
Impact: A user in a privileged network position may be able to  
intercept mail credentials  
Description: A logic issue was addressed with improved restrictions.  
CVE-2022-32928: an anonymous researcher

GPU Drivers  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A use after free issue was addressed with improved  
memory management.  
CVE-2022-32903: an anonymous researcher

ImageIO  
Available for: Apple Watch Series 4 and later  
Impact: Processing an image may lead to a denial-of-service  
Description: A denial-of-service issue was addressed with improved  
validation.  
CVE-2022-1622

Image Processing  
Available for: Apple Watch Series 4 and later  
Impact: A sandboxed app may be able to determine which app is  
currently using the camera  
Description: The issue was addressed with additional restrictions on  
the observability of app states.  
CVE-2022-32913: Yiğit Can YILMAZ (@yilmazcanyigit)

Kernel  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to disclose kernel memory  
Description: The issue was addressed with improved memory handling.  
CVE-2022-32864: Linus Henze of Pinauten GmbH (pinauten.de)

Kernel  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2022-32866: Linus Henze of Pinauten GmbH (pinauten.de)  
CVE-2022-32911: Zweig of Kunlun Lab

Kernel  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A use after free issue was addressed with improved  
memory management.  
CVE-2022-32914: Zweig of Kunlun Lab

Kernel  
Available for: Apple Watch Series 4 and later  
Impact: An application may be able to execute arbitrary code with  
kernel privileges. Apple is aware of a report that this issue may  
have been actively exploited.  
Description: An out-of-bounds write issue was addressed with improved  
bounds checking.  
CVE-2022-32894: an anonymous researcher

Maps  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to read sensitive location information  
Description: A logic issue was addressed with improved restrictions.  
CVE-2022-32883: Ron Masas of breakpointhq.com

MediaLibrary  
Available for: Apple Watch Series 4 and later  
Impact: A user may be able to elevate privileges  
Description: A memory corruption issue was addressed with improved  
input validation.  
CVE-2022-32908: an anonymous researcher

Notifications  
Available for: Apple Watch Series 4 and later  
Impact: A user with physical access to a device may be able to access  
contacts from the lock screen  
Description: A logic issue was addressed with improved state  
management.  
CVE-2022-32879: Ubeydullah Sümer

Sandbox  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to modify protected parts of the file  
system  
Description: A logic issue was addressed with improved restrictions.  
CVE-2022-32881: Csaba Fitzl (@theevilbit) of Offensive Security

Siri  
Available for: Apple Watch Series 4 and later  
Impact: A user with physical access to a device may be able to use  
Siri to obtain some call history information  
Description: A logic issue was addressed with improved state  
management.  
CVE-2022-32870: Andrew Goldberg of The McCombs School of Business,  
The University of Texas at Austin (linkedin.com/in/andrew-goldberg-/)

SQLite  
Available for: Apple Watch Series 4 and later  
Impact: A remote user may be able to cause a denial-of-service  
Description: This issue was addressed with improved checks.  
CVE-2021-36690

Watch app  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to read a persistent device identifier  
Description: This issue was addressed with improved entitlements.  
CVE-2022-32835: Guilherme Rambo of Best Buddy Apps (rambo.codes)

Weather  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to read sensitive location information  
Description: A logic issue was addressed with improved state  
management.  
CVE-2022-32875: an anonymous researcher

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: A buffer overflow issue was addressed with improved  
memory handling.  
WebKit Bugzilla: 241969  
CVE-2022-32886: P1umer(@p1umer), afang(@afang5472),  
xmzyshypnc(@xmzyshypnc1)

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: An out-of-bounds write issue was addressed with improved  
bounds checking.  
WebKit Bugzilla: 242047  
CVE-2022-32888: P1umer (@p1umer)

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: An out-of-bounds read was addressed with improved bounds  
checking.  
WebKit Bugzilla: 242762  
CVE-2022-32912: Jeonghoon Shin (@singi21a) at Theori working with  
Trend Micro Zero Day Initiative

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Visiting a website that frames malicious content may lead to  
UI spoofing  
Description: The issue was addressed with improved UI handling.  
WebKit Bugzilla: 243236  
CVE-2022-32891: @real_as3617, an anonymous researcher

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution. Apple is aware of a report that this issue  
may have been actively exploited.  
Description: An out-of-bounds write issue was addressed with improved  
bounds checking.  
WebKit Bugzilla: 243557  
CVE-2022-32893: an anonymous researcher

Wi-Fi  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to cause unexpected system termination or  
write kernel memory  
Description: An out-of-bounds write issue was addressed with improved  
bounds checking.  
CVE-2022-32925: Wang Yu of Cyberserval

Additional recognition

AppleCredentialManager  
We would like to acknowledge @jonathandata1 for their assistance.

FaceTime  
We would like to acknowledge an anonymous researcher for their  
assistance.

Kernel  
We would like to acknowledge an anonymous researcher for their  
assistance.

Mail  
We would like to acknowledge an anonymous researcher for their  
assistance.

Sandbox  
We would like to acknowledge Csaba Fitzl (@theevilbit) of Offensive  
Security for their assistance.

UIKit  
We would like to acknowledge Aleczander Ewing for their assistance.

WebKit  
We would like to acknowledge an anonymous researcher for their  
assistance.

WebRTC  
We would like to acknowledge an anonymous researcher for their  
assistance.

Instructions on how to update your Apple Watch software are available  
at https://support.apple.com/kb/HT204641  To check the version on  
your Apple Watch, open the Apple Watch app on your iPhone and select  
"My Watch > General > About".  Alternatively, on your watch, select  
"My Watch > General > About".  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmNbKpMACgkQ4RjMIDke  
Nxmucg/+L8XHGSij8F6IoUuvCuJ3u1IUfHXE5LK0BafEddVzKS87fct6KP7L3kvE  
SfdJVCOrmfVImKn3etfpDgwgZoYqF8cxeb9PO7ObVT/15GBBfuAGc+rNZ3oAeWDJ  
iYFiiWZrDnj9gz6bo0jn4dN9q8/X9iIjUCujPdkrFzXqa+KkVub9wv6/jtJGQA3O  
YgDIaV0UvcJss0uhJR9GX+A3+4zeJgUiNq2a/1qf1nOFh/O59pbHNWYnHzB91/FE  
8V+EJgfxaK/M3zDfonPI9SMa26lO+VJejOnco98of7Kk+yNoOy6xTIkBLLBURMqN  
Jxz0I3WNxjM5TQ61WzINvd198gqjyac2nVg1S4Gqkekk6VXwmQR5zaqQmzePQqp3  
qw+qhICNqFSUJPyIDQwnuCaf1MlfEj57ustS5d8g5M1fNXBlnrtJVpI/CcPIAYvo  
7pQZy/6QptmrPp6Lgv6k/Vtxi/H5s8/tHCnhtvczbdpH6lsPmCJlDSdzsK1L8krP  
82WcjBulywZWfZ4IBNi52lD+EWlmzHomcYVGQcbd0/1FLE8h5meKCvYxM5ovfk1F  
PloJY8FQgJ3b+NcTQuTD4dZ7rc+Le5WqqD4EAgYbOKgAD6Fqy47eY8yNcYJw0qXP  
5jll4mfHUJe7NHc9frZKrdpH0Cl8o9lRdRPpM+kLqteQlpNOjao=  
=Ty+V  
-----END PGP SIGNATURE-----

Tag

#buffer_overflow