| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 26 Jan 2022 16:00:28 -0800 From: Apple Product Security via Fulldisclosure <fulldisclosure@...lists.org> To: security-announce@...ts.apple.com Subject: [FD] APPLE-SA-2022-01-26-3 macOS Big Sur 11.6.3 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2022-01-26-3 macOS Big Sur 11.6.3 macOS Big Sur 11.6.3 addresses the following issues. Information about the security content is also available at https://support.apple.com/HT213055. Audio Available for: macOS Big Sur Impact: Parsing a maliciously crafted audio file may lead to disclosure of user information Description: A buffer overflow issue was addressed with improved memory handling. CVE-2021-30960: JunDong Xie of Ant Security Light-Year Lab iCloud Available for: macOS Big Sur Impact: An application may be able to access a user's files Description: An issue existed within the path validation logic for symlinks. This issue was addressed with improved path sanitization. CVE-2022-22585: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab (https://xlab.tencent.com) IOMobileFrameBuffer Available for: macOS Big Sur Impact: A malicious application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited. Description: A memory corruption issue was addressed with improved input validation. CVE-2022-22587: an anonymous researcher, Meysam Firouzi (@R00tkitSMM) of MBition - Mercedes-Benz Innovation Lab, Siddharth Aeri (@b1n4r1b01) Kernel Available for: macOS Big Sur Impact: A malicious application may be able to execute arbitrary code with kernel privileges Description: A buffer overflow issue was addressed with improved memory handling. CVE-2022-22593: Peter Nguyễn Vũ Hoàng of STAR Labs Model I/O Available for: macOS Big Sur Impact: Processing a maliciously crafted STL file may lead to unexpected application termination or arbitrary code execution Description: An information disclosure issue was addressed with improved state management. CVE-2022-22579: Mickey Jin (@patch1t) of Trend Micro PackageKit Available for: macOS Big Sur Impact: An application may be able to access restricted files Description: A permissions issue was addressed with improved validation. CVE-2022-22583: an anonymous researcher, Ron Hass (@ronhass7) of Perception Point, Mickey Jin (@patch1t) TCC Available for: macOS Big Sur Impact: A malicious application may be able to bypass certain Privacy preferences Description: This issue was addressed with improved checks. CVE-2021-30972: Xuxiang Yang (@another1024), Zhipeng Huo (@R3dF09), and Yuebin Sun (@yuebinsun2020) of Tencent Security Xuanwu Lab (xlab.tencent.com), Wojciech Reguła (@_r3ggi), jhftss (@patch1t), Csaba Fitzl (@theevilbit) of Offensive Security Additional recognition Kernel We would like to acknowledge Tao Huang for their assistance. Metal We would like to acknowledge Tao Huang for their assistance. PackageKit We would like to acknowledge Mickey Jin (@patch1t) of Trend Micro for their assistance. Installation note: This update may be obtained from the Mac App Store Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEePiLW1MrMjw19XzoeC9qKD1prhgFAmHx05IACgkQeC9qKD1p rhjtWQ//TmET3pnDZUsC66AAWcqn+nGUr6ChR/uSDIZRAUqxwBxLt+bRZWRdGaXt 1Ew0Lg1Ww/E/mC1t9FCiLMqrCKH6uwddwtM9uHAuM5pUgW7RssFqrVGSRv8Ge1+h yWP4ZeSd6vy6QaGceNUU+W4XhIVgbcqeSrnFK3fjLFpWrlFk3WEVXyazxXckYKeN i5SMI4w71oZymSILmZNaL79bUJa7oZcYQXG08x5KrFEDC3rV8OdollQvMYwKn3kG kp+yW94rxna1ayhKkmiyNmnWbqWtGpJ/QEk44KeHWTz2mY/qAiWv4LpadGjccrdy tF6O2Ugp+6kSA1VnT0hpcKhC/I6s5tuLXB9QKN01H1754gZvwusTZm+Uwt5Z4OzR ZFeMPfJ7POx6HN2jORLh5Pa19f8DeqSJ+LqX95v5C/FyW2XjKc0X6HpCUCcdVD2p qbuaFcrE5fb1q2gxa4/DG+c6oiElKMh+tivIDNW39/roNCfmhpex52hxRtRxh7N3 xl4GPqlhquyl+yav7lrFZOgDsegR64gBPjkkn0e2JnTnJNDgKa9Kg/PhMNfymF2F k+t0/V/rl0w3Yv6wyWzG1b3Uwu0ermWBOmVfM39DfbGaTdXn9EIZW4YtuEAM6tcX ljuc39qmE5yg6YHKmGyP8ms0lSIEK58NyAK3Aid/aip3RAuXMCE= =+OmT -----END PGP SIGNATURE----- _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists