lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-id: <C34B1156-1F79-4E41-8C94-516129497522@lists.apple.com>
Date: Tue, 29 Oct 2019 16:00:55 -0700
From: Apple Product Security via Fulldisclosure <fulldisclosure@...lists.org>
To: security-announce@...ts.apple.com
Subject: [FD] APPLE-SA-2019-10-29-1 iOS 13.2 and iPadOS 13.2

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

APPLE-SA-2019-10-29-1 iOS 13.2 and iPadOS 13.2

iOS 13.2 and iPadOS 13.2 are now available and address the following:

Accounts
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4
and later, and iPod touch 7th generation
Impact: A remote attacker may be able to leak memory
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2019-8787: Steffen Klee of Secure Mobile Networking Lab at
Technische Universität Darmstadt

App Store
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4
and later, and iPod touch 7th generation
Impact: A local attacker may be able to login to the account of a
previously logged in user without valid credentials.
Description: An authentication issue was addressed with improved
state management.
CVE-2019-8803: Kiyeon An, 차민규 (CHA Minkyu)

Associated Domains
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4
and later, and iPod touch 7th generation
Impact: Improper URL processing may lead to data exfiltration
Description: An issue existed in the parsing of URLs. This issue was
addressed with improved input validation.
CVE-2019-8788: Juha Lindstedt of Pakastin, Mirko Tanania, Rauli
Rikama of Zero Keyboard Ltd

Audio
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4
and later, and iPod touch 7th generation
Impact: An application may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2019-8785: Ian Beer of Google Project Zero
CVE-2019-8797: 08Tc3wBB working with SSD Secure Disclosure

AVEVideoEncoder
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4
and later, and iPod touch 7th generation
Impact: An application may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2019-8795: 08Tc3wBB working with SSD Secure Disclosure

Books
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4
and later, and iPod touch 7th generation
Impact: Parsing a maliciously crafted iBooks file may lead to
disclosure of user information
Description: A validation issue existed in the handling of symlinks.
This issue was addressed with improved validation of symlinks.
CVE-2019-8789: Gertjan Franken of imec-DistriNet, KU Leuven

Contacts
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4
and later, and iPod touch 7th generation
Impact: Processing a maliciously contact may lead to UI spoofing
Description: An inconsistent user interface issue was addressed with
improved state management.
CVE-2017-7152: Oliver Paukstadt of Thinking Objects GmbH (to.com)

File System Events
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4
and later, and iPod touch 7th generation
Impact: An application may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2019-8798: ABC Research s.r.o. working with Trend Micro's Zero
Day Initiative

Graphics Driver
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4
and later, and iPod touch 7th generation
Impact: An application may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2019-8784: Vasiliy Vasilyev and Ilya Finogeev of Webinar, LLC

Kernel
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4
and later, and iPod touch 7th generation
Impact: An application may be able to read restricted memory
Description: A validation issue was addressed with improved input
sanitization.
CVE-2019-8794: 08Tc3wBB working with SSD Secure Disclosure

Kernel
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4
and later, and iPod touch 7th generation
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2019-8786: an anonymous researcher

Screen Time
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4
and later, and iPod touch 7th generation
Impact: A local user may be able to record the screen without a
visible screen recording indicator
Description: A consistency issue existed in deciding when to show the
screen recording indicator. The issue was resolved with improved
state management.
CVE-2019-8793: Ryan Jenkins of Lake Forrest Prep School

Setup Assistant
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4
and later, and iPod touch 7th generation
Impact: An attacker in physical proximity may be able to force a user
onto a malicious Wi-Fi network during device setup
Description: An inconsistency in Wi-Fi network configuration settings
was addressed.
CVE-2019-8804: Christy Philip Mathew of Zimperium, Inc

WebKit
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4
and later, and iPod touch 7th generation
Impact: Processing maliciously crafted web content may lead to
universal cross site scripting
Description: A logic issue was addressed with improved state
management.
CVE-2019-8813: an anonymous researcher

WebKit
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4
and later, and iPod touch 7th generation
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed with
improved memory handling.
CVE-2019-8782: Cheolung Lee of LINE+ Security Team
CVE-2019-8783: Cheolung Lee of LINE+ Graylab Security Team
CVE-2019-8808: found by OSS-Fuzz
CVE-2019-8811: Soyeon Park of SSLab at Georgia Tech
CVE-2019-8812: an anonymous researcher
CVE-2019-8814: Cheolung Lee of LINE+ Security Team
CVE-2019-8816: Soyeon Park of SSLab at Georgia Tech
CVE-2019-8819: Cheolung Lee of LINE+ Security Team
CVE-2019-8820: Samuel Groß of Google Project Zero
CVE-2019-8821: Sergei Glazunov of Google Project Zero
CVE-2019-8822: Sergei Glazunov of Google Project Zero
CVE-2019-8823: Sergei Glazunov of Google Project Zero

WebKit Process Model
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4
and later, and iPod touch 7th generation
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed with
improved memory handling.
CVE-2019-8815: Apple

Additional recognition

CFNetwork
We would like to acknowledge Lily Chen of Google for their
assistance.

Kernel
We would like to acknowledge Jann Horn of Google Project Zero for
their assistance.

WebKit
We would like to acknowledge Dlive of Tencent's Xuanwu Lab and Zhiyi
Zhang of Codesafe Team of Legendsec at Qi'anxin Group for their
assistance.

Installation note:

This update is available through iTunes and Software Update on your
iOS device, and will not appear in your computer's Software Update
application, or in the Apple Downloads site. Make sure you have an
Internet connection and have installed the latest version of iTunes
from https://www.apple.com/itunes/

iTunes and Software Update on the device will automatically check
Apple's update server on its weekly schedule. When an update is
detected, it is downloaded and the option to be installed is
presented to the user when the iOS device is docked. We recommend
applying the update immediately if possible. Selecting Don't Install
will present the option the next time you connect your iOS device.

The automatic update process may take up to a week depending on the
day that iTunes or the device checks for updates. You may manually
obtain the update via the Check for Updates button within iTunes, or
the Software Update on your device.

To check that the iPhone, iPod touch, or iPad has been updated:

* Navigate to Settings
* Select General
* Select About. The version after applying this update
will be "iOS 13.2 and iPadOS 13.2".

Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----

iQJdBAEBCABHFiEEM5FaaFRjww9EJgvRBz4uGe3y0M0FAl24p5UpHHByb2R1Y3Qt
c2VjdXJpdHktbm9yZXBseUBsaXN0cy5hcHBsZS5jb20ACgkQBz4uGe3y0M3v+g/+
Mffrv0Z/ZyoODELKoxbPFVk0AsQoZoOk5k2h84WaUyA9hJ007Ptv2ENTAU6xIOf4
F1ksBThWEeDJ/ucvJBbE5+V+F+8AkOhRLvvBvoH+u8x2vhUQK3Li5ojCgBptEHWU
BnCFBHpbYXKxlyudqGfK3lLv3LChkNQpteYIB3asnY9H2uxHeofus8pOtGWuiG50
n8jdM8TriFlPamPOtHCvRT09j5OYOsZpS6eVFey6nWaWhaYQfbo0gk4cBaTjzmUW
4NvWYbxK9w/OmQN/QXdJ+H3cLqPhWBh5pmXrWlZTCYXlkD9XggsQL1/P7chkS/gp
LdmG1VktxfWQQtfvwtzB2en3Xwd4xnkOcEcCdEIanQushCTagGNjNJN6a6PQy5lh
FUHT8bDHBHV1bsirxGhV8lPk9byghCwcoC69ptCfPohDAVr20nVrPoxklWDlVYiC
C3tbp2obFI2IV6LKPD4DUyPUo/VOv33j9+en8stZghLF7IuTJYm7V7PMuauxmXX4
wxrhDmrrA/H3GHeP/qHTlb0TcUurP3PoLU1GRn1djDccL607Gd49ezrvTIQxpU8N
ZzgAdXeNgy3vjR88w6ZqUmpNWN8WItfwWQ7cRV+CiFGywcA+J23mzUWUNyYVLHUv
/NnyM25nIe8IOrwFa2S/PaaMFr2fCvZeUkuG2/IYFh0=
=QoQv
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ