Message-id: <5EDFD5C9-2933-4443-8F7A-5B575E6EFA89@lists.apple.com>
Date: Wed, 26 Jan 2022 16:00:28 -0800
From: Apple Product Security via Fulldisclosure <fulldisclosure@...lists.org>
To: security-announce@...ts.apple.com
Subject: [FD] APPLE-SA-2022-01-26-3 macOS Big Sur 11.6.3

APPLE-SA-2022-01-26-3 macOS Big Sur 11.6.3

macOS Big Sur 11.6.3 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/HT213055.

Audio
Available for: macOS Big Sur
Impact: Parsing a maliciously crafted audio file may lead to
disclosure of user information
Description: A buffer overflow issue was addressed with improved
memory handling.
CVE-2021-30960: JunDong Xie of Ant Security Light-Year Lab

iCloud
Available for: macOS Big Sur
Impact: An application may be able to access a user's files
Description: An issue existed within the path validation logic for
symlinks. This issue was addressed with improved path sanitization.
CVE-2022-22585: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab
(https://xlab.tencent.com)

IOMobileFrameBuffer
Available for: macOS Big Sur
Impact: A malicious application may be able to execute arbitrary code
with kernel privileges. Apple is aware of a report that this issue
may have been actively exploited.
Description: A memory corruption issue was addressed with improved
input validation.
CVE-2022-22587: an anonymous researcher, Meysam Firouzi (@R00tkitSMM)
of MBition - Mercedes-Benz Innovation Lab, Siddharth Aeri
(@b1n4r1b01)

Kernel
Available for: macOS Big Sur
Impact: A malicious application may be able to execute arbitrary code
with kernel privileges
Description: A buffer overflow issue was addressed with improved
memory handling.
CVE-2022-22593: Peter Nguyễn Vũ Hoàng of STAR Labs

Model I/O
Available for: macOS Big Sur
Impact: Processing a maliciously crafted STL file may lead to
unexpected application termination or arbitrary code execution
Description: An information disclosure issue was addressed with
improved state management.
CVE-2022-22579: Mickey Jin (@patch1t) of Trend Micro

PackageKit
Available for: macOS Big Sur
Impact: An application may be able to access restricted files
Description: A permissions issue was addressed with improved
validation.
CVE-2022-22583: an anonymous researcher, Ron Hass (@ronhass7) of
Perception Point, Mickey Jin (@patch1t)

TCC
Available for: macOS Big Sur
Impact: A malicious application may be able to bypass certain Privacy
preferences
Description: This issue was addressed with improved checks.
CVE-2021-30972: Xuxiang Yang (@another1024), Zhipeng Huo (@R3dF09),
and Yuebin Sun (@yuebinsun2020) of Tencent Security Xuanwu Lab
(xlab.tencent.com), Wojciech Reguła (@_r3ggi), jhftss (@patch1t),
Csaba Fitzl (@theevilbit) of Offensive Security

Additional recognition

Kernel
We would like to acknowledge Tao Huang for their assistance.

Metal
We would like to acknowledge Tao Huang for their assistance.

PackageKit
We would like to acknowledge Mickey Jin (@patch1t) of Trend Micro for
their assistance.

Installation note:

This update may be obtained from the Mac App Store.

Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
