Date: Mon, 14 Dec 2020 17:15:58 -0800
From: Apple Product Security via Fulldisclosure <fulldisclosure@...lists.org>
To: security-announce@...ts.apple.com
Subject: [FD] APPLE-SA-2020-12-14-1 iOS 14.3 and iPadOS 14.3

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

APPLE-SA-2020-12-14-1 iOS 14.3 and iPadOS 14.3

iOS 14.3 and iPadOS 14.3 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/HT212003.

App Store
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4
and later, and iPod touch (7th generation)
Impact: An enterprise application installation prompt may display the
wrong domain
Description: A logic issue was addressed with improved state
management.
CVE-2020-29613: Ryan Pickren (ryanpickren.com)

CoreAudio
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4
and later, and iPod touch (7th generation)
Impact: Processing a maliciously crafted audio file may lead to
arbitrary code execution
Description: An out-of-bounds write issue was addressed with improved
bounds checking.
CVE-2020-27948: JunDong Xie of Ant Security Light-Year Lab

FontParser
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4
and later, and iPod touch (7th generation)
Impact: Processing a maliciously crafted font may result in the
disclosure of process memory
Description: An information disclosure issue was addressed with
improved state management.
CVE-2020-27946: Mateusz Jurczyk of Google Project Zero

FontParser
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4
and later, and iPod touch (7th generation)
Impact: Processing a maliciously crafted font file may lead to
arbitrary code execution
Description: A memory corruption issue existed in the processing of
font files. This issue was addressed with improved input validation.
CVE-2020-27943: Mateusz Jurczyk of Google Project Zero
CVE-2020-27944: Mateusz Jurczyk of Google Project Zero

ImageIO
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4
and later, and iPod touch (7th generation)
Impact: Processing a maliciously crafted image may lead to heap
corruption
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2020-29617: XingWei Lin of Ant Security Light-Year Lab
CVE-2020-29619: XingWei Lin of Ant Security Light-Year Lab

ImageIO
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4
and later, and iPod touch (7th generation)
Impact: Processing a maliciously crafted image may lead to arbitrary
code execution
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2020-29618: XingWei Lin of Ant Security Light-Year Lab

ImageIO
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4
and later, and iPod touch (7th generation)
Impact: Processing a maliciously crafted image may lead to arbitrary
code execution
Description: An out-of-bounds write issue was addressed with improved
bounds checking.
CVE-2020-29611: Ivan Fratric of Google Project Zero

Security
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4
and later, and iPod touch (7th generation)
Impact: Unauthorized code execution may lead to an authentication
policy violation
Description: This issue was addressed with improved checks.
CVE-2020-27951: Apple

WebRTC
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4
and later, and iPod touch (7th generation)
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A use after free issue was addressed with improved
memory management.
CVE-2020-15969: an anonymous researcher

Installation note:

This update is available through iTunes and Software Update on your
iOS device, and will not appear in your computer's Software Update
application, or in the Apple Downloads site. Make sure you have an
Internet connection and have installed the latest version of iTunes
from https://www.apple.com/itunes/

iTunes and Software Update on the device will automatically check
Apple's update server on its weekly schedule. When an update is
detected, it is downloaded and the option to be installed is
presented to the user when the iOS device is docked. We recommend
applying the update immediately if possible. Selecting Don't Install
will present the option the next time you connect your iOS device.

The automatic update process may take up to a week depending on the
day that iTunes or the device checks for updates. You may manually
obtain the update via the Check for Updates button within iTunes, or
the Software Update on your device.

To check that the iPhone, iPod touch, or iPad has been updated:

* Navigate to Settings
* Select General
* Select About. The version after applying this update
will be "iOS 14.3 and iPadOS 14.3".

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEbURczHs1TP07VIfuZcsbuWJ6jjAFAl/YBhIACgkQZcsbuWJ6
jjA04Q/+IXkFUXAM2+3hUaOJqMziK6ICFLncPlf2oUMVpEd6ioff6mqjs7nu9piI
yDcAmefcSqNd2pXxsNfhHMBAVPyrD4i0kGVgYq95U46rHezuNV33SEhyOPzVr0H4
4uwFd2KhedQvqyIBowRsc7JDITqvToK97oKufzoEUM8pCPeTeUYmYPuec5Gx8Q55
jkMWi8Km5LcW6I+OPEHZoh0121RFoRmTjVi91o9xYUH5C13PVrTsY15bLtLlVhM/
mPF22YY2c4JPig010kTFQn3btt63K2VDDCuYwytQhIh1zhqOu6Nd1I/Z0L2SxgXm
ZFW0Z3Jt7KL8+CEFpVLcRCEHc/1oMbvg9LwKT5zP0oMgRWlGL+ikpJy0ZvnXl3u/
rxnik5nME+Ez/mKVVAqcD2pooPmhx/Rwo4dtdoMZrJOwFPMzuJ8BlGzmFHCrCiKu
22Rbe134LYa1wUKrTqTEpg/YdvDDwoH54vdVK3HniIeNJGaSjkh6PRhGYkTvTuje
JeDAC4qUQLN8M2TsMN+18DrsFT6c3dfZmLm+gnYPBM7FYtu4tDfrjBMyf0Tu9xXp
kit6ODbvY33k3oyqWIaK0icELt/qIhyj7C3shKSRXJsgqyS7qrAcfJWOLD12TVyO
Q52KK16VlyH/EDwVILD2ntPTyXLb7NjTYIyrbM/7ROcuslHOJyU=
=YdmF
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists