Heap buffer overflow in media in Google Chrome prior to 80.0.3987.162 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

**Chrome Releases**

Release updates from the Chrome team

CVE-2020-6452: Stable Channel Update for Desktop

Use after free in audio in Google Chrome prior to 81.0.4044.92 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

About Monorail User Guide Release Notes Feedback on Monorail Terms Privacy

CVE-2020-6423: 1043446 - chromium - An open-source project to help move the web forward.

Use after free in extensions in Google Chrome prior to 81.0.4044.92 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension.

CVE-2020-6454: 1019161 - chromium - An open-source project to help move the web forward.

Use after free in V8 in Google Chrome prior to 81.0.4044.92 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

CVE-2020-6448: Stable Channel Update for Desktop

In hpack_dht_insert in hpack-tbl.c in the HPACK decoder in HAProxy 1.8 through 2.x before 2.1.4, a remote attacker can write arbitrary bytes around a certain location on the heap via a crafted HTTP/2 request, possibly causing remote code execution.

Hi,

HAProxy 2.1.4 was released on 2020/04/02. It added 99 new commits
after version 2.1.3.

The main driver for this release is that it contains a fix for a serious
vulnerability that was responsibly reported last week by Felix Wilhelm
from Google Project Zero, affecting the HPACK decoder used for HTTP/2.
CVE-2020-11100 was assigned to this issue.

There is no configuration-based workaround for 2.1 and above.

This vulnerability makes it possible under certain circumstances to write
to a wide range of memory locations within the process' heap, with the
limitation that the attacker doesn't control the absolute address, so the
most likely result and by a far margin will be a process crash, but it is
not possible to completely rule out the faint possibility of a remote code
execution, at least in a lab-controlled environment. Felix was kind enough
to agree to delay the publication of his findings to the 20th of this month
in order to leave enough time to haproxy users to apply updates. But please
do not wait, as it is not very difficult to figure how to exploit the bug
based on the fix. Distros were notified and will also have fixes available
very shortly.

Three other important fixes are present in this version:
  - a non-portable way of calculating a list pointer that breaks with
    gcc 10 unless using -fno-tree-pta. This bug results in infinite loops
    at random places in the code depending how the compiler decides to
    optimize the code.

  - a bug in the way TLV fields are extracted from the PROXY protocol, as
    they could be mistakenly looked up in the subsequent payload, even
    though these would have limited effects since these ones would generally
    be meaningless for the transported protocol, but could be used to hide a
    source address from logging for example.

  - the "tarpit" rules were partially broken in that since 1.9 they wouldn't
    prevent a connection from being sent to a server while the 500 response
    is delivered to the client. Given that they are often used to block
    suspicious activity it's problematic.

The rest is less important, but still relevant to some users. Among those
noticeable I can enumerate:
  - the O(N^2) ACL unique-id allocator that could take several minutes to
    boot on certain very large configs was reworked to follow O(NlogN)
    instead.

  - the default global maxconn setting when not set in the configuration was
    incorrectly set to the process' soft limit instead of the hard limit,
    resulting in much lower connection counts on some setups after upgrade
    from 1.x to 2.x. It now properly follows the hard limit.

  - a new thread-safe random number generator that will avoid the risk that
    the "uuid" sample fetch function returns the exact same UUID in several
    threads.

  - issues in HTX mode affecting filters, namely cache and compression, that
    could lead to data corruption.

  - alignment issues causing bus error on Sparc64 were addressed

  - fixed a rare case of possible segfault on soft-stop when a finishing thread
    flushes its pools while another one is freeing some elements.


Please have a look at the changelog below for a more detailed list of fixes,
and do not forget to update, either from the sources or from your regular
distro channels.

Please find the usual URLs below :
   Site index       : http://www.haproxy.org/
   Discourse        : http://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Sources          : http://www.haproxy.org/download/2.1/src/
   Git repository   : http://git.haproxy.org/git/haproxy-2.1.git/
   Git Web browsing : http://git.haproxy.org/?p=haproxy-2.1.git
   Changelog        : http://www.haproxy.org/download/2.1/src/CHANGELOG
   Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/

Willy
---
Complete changelog :
Balvinder Singh Rawat (1):
      DOC: correct typo in alert message about rspirep

Bjoern Jacke (1):
      DOC: fix typo about no-tls-tickets

Björn Jacke (1):
      DOC: improve description of no-tls-tickets

Carl Henrik Lunde (1):
      OPTIM: startup: fast unique\_id allocation for acl.

Christopher Faulet (26):
      BUG/MINOR: mux-fcgi: Forbid special characters when matching PATH\_INFO 
param
      MINOR: mux-fcgi: Make the capture of the path-info optional in pathinfo 
regex
      MINOR: http-htx: Add a function to retrieve the headers size of an HTX 
message
      MINOR: filters: Forward data only if the last filter forwards something
      BUG/MINOR: filters: Count HTTP headers as filtered data but don't forward 
them
      BUG/MINOR: http-htx: Don't return error if authority is updated without 
changes
      BUG/MINOR: http-ana: Matching on monitor-uri should be case-sensitive
      MINOR: http-ana: Match on the path if the monitor-uri starts by a /
      BUG/MAJOR: http-ana: Always abort the request when a tarpit is triggered
      BUG/MINOR: http-htx: Do case-insensive comparisons on Host header name
      MINOR: contrib/prometheus-exporter: Add heathcheck status/code in server 
metrics
      MINOR: contrib/prometheus-exporter: Add the last heathcheck duration 
metric
      BUG/MINOR: filters: Use filter offset to decude the amount of forwarded 
data
      BUG/MINOR: filters: Forward everything if no data filters are called
      MINOR: htx: Add a function to return a block at a specific offset
      BUG/MEDIUM: cache/filters: Fix loop on HTX blocks caching the response 
payload
      BUG/MEDIUM: compression/filters: Fix loop on HTX blocks compressing the 
payload
      BUG/MINOR: http-ana: Reset request analysers on a response side error
      BUG/MINOR: lua: Ignore the reserve to know if a channel is full or not
      BUG/MINOR: http-rules: Preserve FLT\_END analyzers on reject action
      BUG/MINOR: http-rules: Fix a typo in the reject action function
      BUG/MINOR: rules: Preserve FLT\_END analyzers on silent-drop action
      BUG/MINOR: rules: Increment be\_counters if backend is assigned for a 
silent-drop
      MINOR: http-rules: Add a flag on redirect rules to know the rule direction
      MINOR: http-rules: Handle the rule direction when a redirect is evaluated
      BUG/MINOR: http-ana: Reset request analysers on error when waiting for 
response

Daniel Corbett (1):
      BUG/MINOR: stats: Fix color of draining servers on stats page

David Carlier (1):
      BUILD: on ARM, must be linked to libatomic.

Emeric Brun (1):
      BUG/MEDIUM: peers: resync ended with RESYNC\_PARTIAL in wrong cases.

Frédéric Lécaille (1):
      BUG/MINOR: peers: Use after free of "peers" section.

Ilya Shipitsin (4):
      DOC: configuration.txt: fix various typos
      DOC: assorted typo fixes in the documentation and Makefile
      DOC: assorted typo fixes in the documentation
      DOC: assorted typo fixes in the documentation

Jerome Magnin (4):
      MINOR: ist: add an iststop() function
      BUG/MINOR: http: http-request replace-path duplicates the query string
      MINOR: listener: add so\_name sample fetch
      BUG/MINOR: http\_ana: make sure redirect flags don't have overlapping bits

Lukas Tribus (2):
      BUG/MINOR: dns: ignore trailing dot
      DOC: ssl: clarify security implications of TLS tickets

Miroslav Zagorac (1):
      DOC: internals: Fix spelling errors in filters.txt

Olivier Houchard (8):
      BUG/MEDIUM: muxes: Use the right argument when calling the destroy method.
      BUG/MEDIUM: mt\_lists: Make sure we set the deleted element to NULL;
      MINOR: mt\_lists: Appease gcc.
      BUG/MEDIUM: pools: Always update free\_list in pool\_gc().
      MINOR: wdt: Move the definitions of WDTSIG and DEBUGSIG into 
types/signal.h.
      BUG/MEDIUM: wdt: Don't ignore WDTSIG and DEBUGSIG in 
\_\_signal\_process\_queue().
      MINOR: memory: Change the flush\_lock to a spinlock, and don't get it in 
alloc.
      BUG/MINOR: connections: Make sure we free the connection on failure.

Tim Duesterhus (5):
      CLEANUP: cfgparse: Fix type of second calloc() parameter
      BUG/MINOR: sample: Make sure to return stable IDs in the unique-id fetch
      BUG/MINOR: pattern: Do not pass len = 0 to calloc()
      BUG/MAJOR: proxy\_protocol: Properly validate TLV lengths
      DOC: proxy\_protocol: Reserve TLV type 0x05 as PP2\_TYPE\_UNIQUE\_ID

William Dauchy (1):
      BUG/MINOR: namespace: avoid closing fd when socket failed in my\_socketat

William Lallemand (2):
      BUG/MINOR: peers: init bind\_proc to 1 if it wasn't initialized
      BUG/MINOR: peers: avoid an infinite loop with peers\_fe is NULL

Willy Tarreau (38):
      SCRIPTS: make announce-release executable again
      SCRIPTS: announce-release: use mutt -H instead of -i to include the draft
      BUG/MEDIUM: shctx: make sure to keep all blocks aligned
      MINOR: compiler: move CPU capabilities definition from config.h and 
complete them
      BUG/MEDIUM: ebtree: don't set attribute packed without unaligned access 
support
      BUILD: fix recent build failure on unaligned archs
      BUG/MINOR: sample: fix the json converter's endian-sensitivity
      BUG/MEDIUM: ssl: fix several bad pointer aliases in a few sample fetch 
functions
      BUG/MINOR: connection: make sure to correctly tag local PROXY connections
      MINOR: compiler: add new alignment macros
      BUILD: ebtree: improve architecture-specific alignment
      BUG/MINOR: h2: reject again empty :path pseudo-headers
      BUG/MEDIUM: random: initialize the random pool a bit better
      MINOR: tools: add 64-bit rotate operators
      BUG/MEDIUM: random: implement a thread-safe and process-safe PRNG
      MINOR: backend: use a single call to ha\_random32() for the random LB algo
      BUG/MINOR: checks/threads: use ha\_random() and not rand()
      BUG/MAJOR: list: fix invalid element address calculation
      MINOR: debug: report the task handler's pointer relative to main
      BUG/MEDIUM: debug: make the debug\_handler check for the thread in 
threads\_to\_dump
      MINOR: haproxy: export main to ease access from debugger
      BUILD: tools: remove obsolete and conflicting trace() from standard.c
      BUG/MINOR: wdt: do not return an error when the watchdog couldn't be 
enabled
      DOC: fix incorrect indentation of http\_auth\_\*
      BUG/MINOR: init: make the automatic maxconn consider the max of soft/hard 
limits
      REGTEST: make the PROXY TLV validation depend on version 2.2
      BUILD: wdt: only test for SI\_TKILL when compiled with thread support
      BUG/MEDIUM: random: align the state on 2\*64 bits for ARM64
      BUG/MINOR: haproxy: always initialize sleeping\_thread\_mask
      BUG/MINOR: listener/mq: do not dispatch connections to remote threads 
when stopping
      BUG/MINOR: haproxy/threads: try to make all threads leave together
      BUILD: makefile: fix regex syntax in ARM platform detection
      BUILD: makefile: fix expression again to detect ARM platform
      REGTESTS: use "command -v" instead of "which"
      REGTEST: increase timeouts on the seamless-reload test
      BUG/MINOR: haproxy/threads: close a possible race in soft-stop detection
      BUILD: ssl: only pass unsigned chars to isspace()
      BUG/CRITICAL: hpack: never index a header into the headroom after wrapping

---

CVE-2020-11100: [ANNOUNCE] haproxy-2.1.4

A logic issue was addressed with improved restrictions. This issue is fixed in iOS 13.4 and iPadOS 13.4, tvOS 13.4, Safari 13.1, iTunes for Windows 12.10.5, iCloud for Windows 10.9.3, iCloud for Windows 7.18. A file URL may be incorrectly processed.

Released March 24, 2020

**Accounts**

Available for: Apple TV 4K and Apple TV HD

Impact: A sandboxed process may be able to circumvent sandbox restrictions

Description: A logic issue was addressed with improved restrictions.

CVE-2020-9772: Allison Husain of UC Berkeley

Entry added May 21, 2020

**ActionKit**

Available for: Apple TV 4K and Apple TV HD

Impact: An application may be able to use an SSH client provided by private frameworks

Description: This issue was addressed with a new entitlement.

CVE-2020-3917: Steven Troughton-Smith (@stroughtonsmith)

**AppleMobileFileIntegrity**

Available for: Apple TV 4K and Apple TV HD

Impact: An application may be able to use arbitrary entitlements

Description: This issue was addressed with improved checks.

CVE-2020-3883: Linus Henze (pinauten.de)

**Image Processing**

Available for: Apple TV 4K and Apple TV HD

Impact: An application may be able to execute arbitrary code with system privileges

Description: A use after free issue was addressed with improved memory management.

CVE-2020-9768: Mohamed Ghannam (@\_simo36)

**IOHIDFamily**

Available for: Apple TV 4K and Apple TV HD

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: A memory initialization issue was addressed with improved memory handling.

CVE-2020-3919: Alex Plaskett of F-Secure Consulting

Entry updated May 21, 2020

**Kernel**

Available for: Apple TV 4K and Apple TV HD

Impact: An application may be able to read restricted memory

Description: A memory initialization issue was addressed with improved memory handling.

CVE-2020-3914: pattern-f (@pattern\_F\_) of WaCai

**Kernel**

Available for: Apple TV 4K and Apple TV HD

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: Multiple memory corruption issues were addressed with improved state management.

CVE-2020-9785: Proteas of Qihoo 360 Nirvan Team

**libxml2**

Available for: Apple TV 4K and Apple TV HD

Impact: Multiple issues in libxml2

Description: A buffer overflow was addressed with improved bounds checking.

CVE-2020-3909: LGTM.com

CVE-2020-3911: found by OSS-Fuzz

**libxml2**

Available for: Apple TV 4K and Apple TV HD

Impact: Multiple issues in libxml2

Description: A buffer overflow was addressed with improved size validation.

CVE-2020-3910: LGTM.com

**Sandbox**

Available for: Apple TV 4K and Apple TV HD

Impact: A local user may be able to view sensitive user information

Description: An access issue was addressed with additional sandbox restrictions.

CVE-2020-3918: Augusto Alvarez of Outcourse Limited

Entry added May 1, 2020

**WebKit**

Available for: Apple TV 4K and Apple TV HD

Impact: Some websites may not have appeared in Safari Preferences

Description: A logic issue was addressed with improved restrictions.

CVE-2020-9787: Ryan Pickren (ryanpickren.com)

Entry added May 1, 2020

**WebKit**

Available for: Apple TV 4K and Apple TV HD

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2020-3895: grigoritchy

CVE-2020-3900: Dongzhuo Zhao working with ADLab of Venustech

**WebKit**

Available for: Apple TV 4K and Apple TV HD

Impact: An application may be able to read restricted memory

Description: A race condition was addressed with additional validation.

CVE-2020-3894: Sergei Glazunov of Google Project Zero

**WebKit**

Available for: Apple TV 4K and Apple TV HD

Impact: A remote attacker may be able to cause arbitrary code execution

Description: A memory consumption issue was addressed with improved memory handling.

CVE-2020-3899: found by OSS-Fuzz

**WebKit**

Available for: Apple TV 4K and Apple TV HD

Impact: Processing maliciously crafted web content may lead to a cross site scripting attack

Description: An input validation issue was addressed with improved input validation.

CVE-2020-3902: Yiğit Can YILMAZ (@yilmazcanyigit)

**WebKit**

Available for: Apple TV 4K and Apple TV HD

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A type confusion issue was addressed with improved memory handling.

CVE-2020-3901: Benjamin Randazzo (@\_\_\_\_benjamin)

**WebKit**

Available for: Apple TV 4K and Apple TV HD

Impact: A download's origin may be incorrectly associated

Description: A logic issue was addressed with improved restrictions.

CVE-2020-3887: Ryan Pickren (ryanpickren.com)

**WebKit**

Available for: Apple TV 4K and Apple TV HD

Impact: Processing maliciously crafted web content may lead to code execution

Description: A use after free issue was addressed with improved memory management.

CVE-2020-9783: Apple

**WebKit**

Available for: Apple TV 4K and Apple TV HD

Impact: A remote attacker may be able to cause arbitrary code execution

Description: A type confusion issue was addressed with improved memory handling.

CVE-2020-3897: Brendan Draper (@6r3nd4n) working with Trend Micro’s Zero Day Initiative

**WebKit Page Loading**

Available for: Apple TV 4K and Apple TV HD

Impact: A file URL may be incorrectly processed

Description: A logic issue was addressed with improved restrictions.

CVE-2020-3885: Ryan Pickren (ryanpickren.com)

CVE-2020-3885: About the security content of tvOS 13.4

A memory corruption issue was addressed with improved memory handling. This issue is fixed in iOS 13.4 and iPadOS 13.4, tvOS 13.4, watchOS 6.2, Safari 13.1, iTunes for Windows 12.10.5, iCloud for Windows 10.9.3, iCloud for Windows 7.18. Processing maliciously crafted web content may lead to arbitrary code execution.

CVE-2020-3895: About the security content of tvOS 13.4

An issue existed in the handling of tabs displaying picture in picture video. The issue was corrected with improved state handling. This issue is fixed in iOS 13.4 and iPadOS 13.4. A user's private browsing activity may be unexpectedly saved in Screen Time.

Released March 24, 2020

**Accounts**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: A sandboxed process may be able to circumvent sandbox restrictions

Description: A logic issue was addressed with improved restrictions.

CVE-2020-9772: Allison Husain of UC Berkeley

Entry added May 21, 2020

**ActionKit**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: An application may be able to use an SSH client provided by private frameworks

Description: This issue was addressed with a new entitlement.

CVE-2020-3917: Steven Troughton-Smith (@stroughtonsmith)

**AppleMobileFileIntegrity**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: An application may be able to use arbitrary entitlements

Description: This issue was addressed with improved checks.

CVE-2020-3883: Linus Henze (pinauten.de)

**Bluetooth**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: An attacker in a privileged network position may be able to intercept Bluetooth traffic

Description: A logic issue was addressed with improved state management.

CVE-2020-9770: Jianliang Wu of PurSec Lab of Purdue University, Xinwen Fu and Yue Zhang of the University of Central Florida

**CoreFoundation**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: A malicious application may be able to elevate privileges

Description: A permissions issue existed. This issue was addressed with improved permission validation.

CVE-2020-3913: Timo Christ of Avira Operations GmbH & Co. KG

**Icons**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: Setting an alternate app icon may disclose a photo without needing permission to access photos

Description: An access issue was addressed with additional sandbox restrictions.

CVE-2020-3916: Vitaliy Alekseev (@villy21)

**Image Processing**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: An application may be able to execute arbitrary code with system privileges

Description: A use after free issue was addressed with improved memory management.

CVE-2020-9768: Mohamed Ghannam (@\_simo36)

**IOHIDFamily**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: A memory initialization issue was addressed with improved memory handling.

CVE-2020-3919: Alex Plaskett of F-Secure Consulting

Entry updated May 21, 2020

**Kernel**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: An application may be able to read restricted memory

Description: A memory initialization issue was addressed with improved memory handling.

CVE-2020-3914: pattern-f (@pattern\_F\_) of WaCai

**Kernel**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: Multiple memory corruption issues were addressed with improved state management.

CVE-2020-9785: Proteas of Qihoo 360 Nirvan Team

**libxml2**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: Multiple issues in libxml2

Description: A buffer overflow was addressed with improved size validation.

CVE-2020-3910: LGTM.com

**libxml2**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: Multiple issues in libxml2

Description: A buffer overflow was addressed with improved bounds checking.

CVE-2020-3909: LGTM.com

CVE-2020-3911: found by OSS-Fuzz

**Mail**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: A local user may be able to view deleted content in the app switcher

Description: The issue was resolved by clearing application previews when content is deleted.

CVE-2020-9780: an anonymous researcher, Dimitris Chaintinis

**Mail Attachments**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: Cropped videos may not be shared properly via Mail

Description: An issue existed in the selection of video file by Mail. The issue was fixed by selecting the latest version of a video.

CVE-2020-9777

**Messages**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: A person with physical access to a locked iOS device may be able to respond to messages even when replies are disabled

Description: A logic issue was addressed with improved state management.

CVE-2020-3891: Peter Scott

**Messages Composition**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: Deleted messages groups may still be suggested as an autocompletion

Description: The issue was addressed with improved deletion.

CVE-2020-3890: an anonymous researcher

**Safari**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: A user's private browsing activity may be unexpectedly saved in Screen Time

Description: An issue existed in the handling of tabs displaying picture in picture video. The issue was corrected with improved state handling.

CVE-2020-9775: Andrian (@retroplasma), Marat Turaev, Marek Wawro (futurefinance.com) and Sambor Wawro of STO64 School Krakow Poland

Entry updated May 1, 2020

**Safari**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: A user may grant website permissions to a site they didn't intend to

Description: The issue was addressed by clearing website permission prompts after navigation.

CVE-2020-9781: Nikhil Mittal (@c0d3G33k) of Payatu Labs (payatu.com)

**Sandbox**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: A local user may be able to view sensitive user information

Description: An access issue was addressed with additional sandbox restrictions.

CVE-2020-3918: an anonymous researcher, Augusto Alvarez of Outcourse Limited

Entry added May 1, 2020, updated May 21, 2020

**Web App**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: A maliciously crafted page may interfere with other web contexts

Description: A logic issue was addressed with improved restrictions.

CVE-2020-3888: Darren Jones of Dappological Ltd.

**WebKit**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: Some websites may not have appeared in Safari Preferences

Description: A logic issue was addressed with improved restrictions.

CVE-2020-9787: Ryan Pickren (ryanpickren.com)

Entry added May 1, 2020

**WebKit**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: An application may be able to read restricted memory

Description: A race condition was addressed with additional validation.

CVE-2020-3894: Sergei Glazunov of Google Project Zero

**WebKit**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: A remote attacker may be able to cause arbitrary code execution

Description: A memory consumption issue was addressed with improved memory handling.

CVE-2020-3899: found by OSS-Fuzz

**WebKit**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: Processing maliciously crafted web content may lead to a cross site scripting attack

Description: An input validation issue was addressed with improved input validation.

CVE-2020-3902: Yiğit Can YILMAZ (@yilmazcanyigit)

**WebKit**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2020-3895: grigoritchy

CVE-2020-3900: Dongzhuo Zhao working with ADLab of Venustech

**WebKit**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A type confusion issue was addressed with improved memory handling.

CVE-2020-3901: Benjamin Randazzo (@\_\_\_\_benjamin)

**WebKit**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: A download's origin may be incorrectly associated

Description: A logic issue was addressed with improved restrictions.

CVE-2020-3887: Ryan Pickren (ryanpickren.com)

**WebKit**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: Processing maliciously crafted web content may lead to code execution

Description: A use after free issue was addressed with improved memory management.

CVE-2020-9783: Apple

**WebKit**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: A remote attacker may be able to cause arbitrary code execution

Description: A type confusion issue was addressed with improved memory handling.

CVE-2020-3897: Brendan Draper (@6r3nd4n) working with Trend Micro’s Zero Day Initiative

**WebKit Page Loading**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: A file URL may be incorrectly processed

Description: A logic issue was addressed with improved restrictions.

CVE-2020-3885: Ryan Pickren (ryanpickren.com)

CVE-2020-9775: About the security content of iOS 13.4 and iPadOS 13.4

By carefully crafting promise resolutions, it was possible to cause an out-of-bounds read off the end of an array resized during script execution. This could have led to memory corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 68.6, Firefox < 74, Firefox < ESR68.6, and Firefox ESR < 68.6.

**Mozilla Foundation Security Advisory 2020-10**

Announced

March 10, 2020

Impact

high

Products

Thunderbird

Fixed in

*   Thunderbird 68.6

_In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts._

**#CVE-2020-6805: Use-after-free when removing data about origins**

Reporter

Brian Carpenter

Impact

high

**Description**

When removing data about an origin whose tab was recently closed, a use-after-free could occur in the Quota manager, resulting in a potentially exploitable crash.

**References**

*   Bug 1610880

**#CVE-2020-6806: BodyStream::OnInputStreamReady was missing protections against state confusion**

Reporter

Sergei Glazunov of Google Project Zero

Impact

high

**Description**

By carefully crafting promise resolutions, it was possible to cause an out-of-bounds read off the end of an array resized during script execution. This could have led to memory corruption and a potentially exploitable crash.

**References**

*   Bug 1612308

**#CVE-2020-6807: Use-after-free in cubeb during stream destruction**

Reporter

C.M.Chang

Impact

high

**Description**

When a device was changed while a stream was about to be destroyed, the stream-reinit task may have been executed after the stream was destroyed, causing a use-after-free and a potentially exploitable crash.

**References**

*   Bug 1614971

**#CVE-2020-6811: Devtools' 'Copy as cURL' feature did not fully escape website-controlled data, potentially leading to command injection**

Reporter

Ophir LOJKINE

Impact

moderate

**Description**

The 'Copy as cURL' feature of Devtools' network tab did not properly escape the HTTP method of a request, which can be controlled by the website. If a user used the 'Copy as Curl' feature and pasted the command into a terminal, it could have resulted in command injection and arbitrary command execution.

**References**

*   Bug 1607742

**#CVE-2019-20503: Out of bounds reads in sctp\_load\_addresses\_from\_init**

Reporter

Natalie Silvanovich of Google Project Zero

Impact

moderate

**Description**

The inputs to sctp_load_addresses_from_init are verified by sctp_arethere_unrecognized_parameters; however, the two functions handled parameter bounds differently, resulting in out of bounds reads when parameters are partially outside a chunk.

**References**

*   Bug 1613765

**#CVE-2020-6812: The names of AirPods with personally identifiable information were exposed to websites with camera or microphone permission**

Reporter

Jan-Ivar Bruaroey

Impact

moderate

**Description**

The first time AirPods are connected to an iPhone, they become named after the user's name by default (e.g. Jane Doe's AirPods.) Websites with camera or microphone permission are able to enumerate device names, disclosing the user's name. To resolve this issue, Firefox added a special case that renames devices containing the substring 'AirPods' to simply 'AirPods'.

**References**

*   Bug 1616661

**#CVE-2020-6814: Memory safety bugs fixed in Thunderbird 68.6**

Reporter

Mozilla developers

Impact

high

**Description**

Mozilla developers Byron Campen, Jason Kratzer, and Christian Holler reported memory safety bugs present in Thunderbird 68.5. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Thunderbird 68.6

CVE-2020-6806: Security Vulnerabilities fixed in Thunderbird 68.6

Mozilla developers reported memory safety bugs present in Firefox and Thunderbird 68.5. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Thunderbird < 68.6, Firefox < 74, Firefox < ESR68.6, and Firefox ESR < 68.6.

**Mozilla Foundation Security Advisory 2020-10**

Announced

March 10, 2020

Impact

high

Products

Thunderbird

Fixed in

*   Thunderbird 68.6

_In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts._

**#CVE-2020-6805: Use-after-free when removing data about origins**

Reporter

Brian Carpenter

Impact

high

**Description**

When removing data about an origin whose tab was recently closed, a use-after-free could occur in the Quota manager, resulting in a potentially exploitable crash.

**References**

*   Bug 1610880

**#CVE-2020-6806: BodyStream::OnInputStreamReady was missing protections against state confusion**

Reporter

Sergei Glazunov of Google Project Zero

Impact

high

**Description**

By carefully crafting promise resolutions, it was possible to cause an out-of-bounds read off the end of an array resized during script execution. This could have led to memory corruption and a potentially exploitable crash.

**References**

*   Bug 1612308

**#CVE-2020-6807: Use-after-free in cubeb during stream destruction**

Reporter

C.M.Chang

Impact

high

**Description**

When a device was changed while a stream was about to be destroyed, the `stream-reinit` task may have been executed after the stream was destroyed, causing a use-after-free and a potentially exploitable crash.

**References**

*   Bug 1614971

**#CVE-2020-6811: Devtools' 'Copy as cURL' feature did not fully escape website-controlled data, potentially leading to command injection**

Reporter

Ophir LOJKINE

Impact

moderate

**Description**

The 'Copy as cURL' feature of Devtools' network tab did not properly escape the HTTP method of a request, which can be controlled by the website. If a user used the 'Copy as Curl' feature and pasted the command into a terminal, it could have resulted in command injection and arbitrary command execution.

**References**

*   Bug 1607742

**#CVE-2019-20503: Out of bounds reads in sctp\_load\_addresses\_from\_init**

Reporter

Natalie Silvanovich of Google Project Zero

Impact

moderate

**Description**

The inputs to `sctp_load_addresses_from_init` are verified by `sctp_arethere_unrecognized_parameters`; however, the two functions handled parameter bounds differently, resulting in out of bounds reads when parameters are partially outside a chunk.

**References**

*   Bug 1613765

**#CVE-2020-6812: The names of AirPods with personally identifiable information were exposed to websites with camera or microphone permission**

Reporter

Jan-Ivar Bruaroey

Impact

moderate

**Description**

The first time AirPods are connected to an iPhone, they become named after the user's name by default (e.g. Jane Doe's AirPods.) Websites with camera or microphone permission are able to enumerate device names, disclosing the user's name. To resolve this issue, Firefox added a special case that renames devices containing the substring 'AirPods' to simply 'AirPods'.

**References**

*   Bug 1616661

**#CVE-2020-6814: Memory safety bugs fixed in Thunderbird 68.6**

Reporter

Mozilla developers

Impact

high

**Description**

Mozilla developers Byron Campen, Jason Kratzer, and Christian Holler reported memory safety bugs present in Thunderbird 68.5. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Thunderbird 68.6

Tag

#google