CVE-2016-5080: Memory corruption in code generated by Objective Systems Inc. ASN1C compiler for C/C++ [STIC-2016-0603]

2016-07-19 Thread Programa STIC
Fundación Dr. Manuel Sadosky - Programa STIC Advisory
www.fundacionsadosky.org.ar

Heap memory corruption in ASN.1 parsing code generated by Objective
Systems Inc. ASN1C compiler for C/C++


1. *Advisory Information*

Title: Heap memory corruption in ASN.1 parsing code generated by
Objective Systems Inc. ASN1C compiler for C/C++
Advisory ID: STIC-2016-0603
Advisory URL: http://www.fundacionsadosky.org.ar/publicaciones-2
Date published: 2016-07-18
Date of last update: 2016-07-19
Vendors contacted: Objective Systems Inc.
Release mode: Coordinated release


2. *Vulnerability Information*

Class: Heap-based Buffer Overflow [CWE-122]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Identifier: CVE-2016-5080


3. *Vulnerability Description*

Abstract Syntax Notation One (ASN.1) is a technical standard and formal
notation that describes rules and structures for representing, encoding,
transmitting, and decoding data in telecommunications and computer
networking[1]. It is a joint standard of the International Organization
for Standardization (ISO), International Electrotechnical Commission
(IEC), and International Telecommunication Union Telecommunication
Standardization Sector ITU-T[2] used in technical standards for wireless
communications such as GSM, UMTS and LTE, Lawful Interception,
Intelligent Transportation Systems, signalling in fixed and mobile
telecommunications networks (SS7), wireless broadband access (WiMAX),
data security (X.509), network management (SNMP), voice over IP and
IP-based videoconferencing (H.323), manufacturing, aviation, aerospace
and several other areas[3].

Software components that generate, transmit and parse ASN.1 encoded data
constitute a critical building block of software that runs on billions
of mobile devices, telecommunication switching equipment and systems for
operation and management of critical infrastructures. The ASN.1
specification is sufficiently complicated to make writing programs that
parse ASN.1 encoded data a perilous and error-prone activity. Many
technology vendors have adopted the practice of using computer-generated
programs to parse ASN.1 encoded data. This is accomplished by using an
ASN.1 compiler, a software tool that, given as input a data specification
written in ASN.1, generates as output the source code of a program that
can be used to encode and decode data in compliance with the specification.
The output of an ASN.1 compiler is generally incorporated as a building
block in a software system that transmits or processes ASN.1 encoded data.

Objective Systems Inc. is a US-based private company[5] that develops
and commercializes ASN1C, an ASN.1 compiler for various programming
languages, to vendors in the telecommunications, data networking,
aviation, aerospace, defense and law enforcement sectors[6].

A vulnerability found in the runtime support libraries of the ASN1C
compiler for C/C++ from Objective Systems Inc. could allow an attacker
to remotely execute code in software systems, including embedded
software and firmware, that use code generated by the ASN1C compiler.
The vulnerability could be triggered remotely without any authentication
in scenarios where the vulnerable code receives and processes ASN.1
encoded data from untrusted sources; these may include communications
between mobile devices and telecommunication network infrastructure
nodes, communications between nodes in a carrier's network or across
carrier boundaries, or communication between mutually untrusted
endpoints in a data network.

Objective Systems Inc. has addressed the issue and built a fixed interim
version of the ASN1C for C/C++ compiler that is available to customers
upon request. The fixes will be incorporated in the next (v7.0.2)
release of ASN1C for C/C++.

For further information about vulnerable vendors and available fixes
refer to the CERT/CC vulnerability note [4].


4. *Vulnerable packages*

Software systems that use ASN.1 parsing code generated with Objective
Systems Inc. ASN1C compiler for C/C++ version 7.0 or below. Refer to the
CERT/CC vulnerability note[4] for a list of potentially affected vendors.


5. *Vendor Information, Solutions and Workarounds*

Vendor fixed the issue in an interim release of the ASN1C v7.0.1
compiler available to customers upon request[5]. The upcoming ASN1C
v7.0.2 release will incorporate the fixes.


6. *Credits*

This vulnerability was discovered and researched by Lucas Molas. The
publication of this advisory was coordinated by Programa Seguridad en TIC.

7. *Technical Description*

This document details a bug found in the latest release of Objective
Systems Inc. ASN1C compiler for C/C++ (v7.0.0), particularly in the
'rtxMemHeapAlloc' function contained in the pre-compiled 'asn1rt_a.lib'
library, where two integer overflows have been detected, which could
lead to corruption of heap memory in an attacker-controlled scenario.
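The advisory names the failure mode but not the arithmetic: a size computation inside the heap allocator that wraps around, so the allocator returns a block far smaller than the caller believes it has. The C example below is added here and is not ASN1C's code; the header size and alignment are assumed values chosen for illustration. It shows the unchecked computation beside the checked form a runtime library should use, for both the header-plus-payload sum and the count-times-element-size product.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Block layout assumed for illustration: a fixed header in front of the
 * user bytes, total rounded up to ALIGN. Neither value is ASN1C's. */
#define HDR_SIZE 16u
#define ALIGN    8u
#define OVERHEAD (HDR_SIZE + (ALIGN - 1u))

/* Unchecked size computation: for nbytes close to SIZE_MAX the addition
 * wraps, malloc() receives a tiny size, and the caller then writes nbytes
 * past the end of the block (CWE-122). */
size_t naive_total_size(size_t nbytes)
{
    return (nbytes + OVERHEAD) & ~(size_t)(ALIGN - 1u);
}

/* Hardened form: reject the request before the addition can wrap. */
bool checked_total_size(size_t nbytes, size_t *out)
{
    if (nbytes > SIZE_MAX - OVERHEAD)
        return false;                         /* would wrap */
    *out = (nbytes + OVERHEAD) & ~(size_t)(ALIGN - 1u);
    return true;
}

/* Same discipline for count * elem_size, the other classic wrap site
 * (an array of decoded elements sized from an untrusted element count). */
bool checked_array_size(size_t count, size_t elem_size, size_t *out)
{
    if (elem_size != 0 && count > SIZE_MAX / elem_size)
        return false;                         /* product would wrap */
    *out = count * elem_size;
    return true;
}

/* Allocator wrapper: returns NULL on wraparound or out-of-memory instead
 * of handing back an undersized block. The header records the user size. */
void *safe_heap_alloc(size_t nbytes)
{
    size_t total;
    unsigned char *blk;

    if (!checked_total_size(nbytes, &total))
        return NULL;
    blk = malloc(total);
    if (blk == NULL)
        return NULL;
    memset(blk, 0, HDR_SIZE);
    memcpy(blk, &nbytes, sizeof nbytes);
    return blk + HDR_SIZE;
}

/* Read back the user-visible size recorded in the header. */
size_t safe_heap_size(const void *p)
{
    size_t n;
    memcpy(&n, (const unsigned char *)p - HDR_SIZE, sizeof n);
    return n;
}

void safe_heap_free(void *p)
{
    if (p != NULL)
        free((unsigned char *)p - HDR_SIZE);
}
```

Compilers that provide `__builtin_add_overflow`/`__builtin_mul_overflow` can replace the explicit comparisons, but the comparison form is portable to any C89 toolchain.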

The component analyzed was the 

Multiple SQL injection vulnerabilities in WordPress Video Player

2016-07-19 Thread Summer of Pwnage


Multiple SQL injection vulnerabilities in WordPress Video Player

David Vaartjes & Yorick Koster, July 2016


Abstract

It was discovered that WordPress Video Player is affected by multiple
blind SQL injection vulnerabilities. Using these issues it is possible
for a logged on Contributor (or higher) to extract arbitrary data (e.g.,
the Administrator's password hash) from the WordPress database.


OVE ID

OVE-20160712-0004


Tested versions

This issue was successfully tested on WordPress Video Player WordPress
plugin version 1.5.16.


Fix

This issue is resolved in WordPress Video Player 1.5.18.


Details

https://sumofpwn.nl/advisory/2016/multiple_sql_injection_vulnerabilities_in_wordpress_video_player.html


Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its
goal is to contribute to the security of popular, widely used OSS
projects in a fun and educational way.


Cross-Site Request Forgery in Icegram WordPress Plugin

2016-07-19 Thread Summer of Pwnage


Cross-Site Request Forgery in Icegram WordPress Plugin

Yorick Koster, July 2016


Abstract

A Cross-Site Request Forgery vulnerability was found in the Icegram
WordPress Plugin. This issue allows an attacker to overwrite any
WordPress option with the value true. An attacker may use this issue to
enable (vulnerable) WordPress features that are disabled in the target
site.


OVE ID

OVE-20160712-0032


Tested versions

This issue was successfully tested on the Icegram - Popups, Optins, CTAs
& lot more... WordPress Plugin version 1.9.18.


Fix

This issue is resolved in Icegram 1.9.19.


Details

https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_icegram_wordpress_plugin.html


Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its
goal is to contribute to the security of popular, widely used OSS
projects in a fun and educational way.


Multiple Cross-Site Scripting vulnerabilities in Ninja Forms WordPress Plugin

2016-07-19 Thread Summer of Pwnage


Multiple Cross-Site Scripting vulnerabilities in Ninja Forms WordPress
Plugin

Han Sahin, July 2016


Abstract

Multiple reflected Cross-Site Scripting (XSS) vulnerabilities have been
found in the Ninja Forms WordPress Plugin. By using this issue an
attacker can inject malicious JavaScript code into the application,
which will execute within the browser of any user who views the relevant
application content.


OVE ID

OVE-20160714-0017


Tested versions

This issue was successfully tested on Ninja Forms WordPress Plugin
version 2.9.51.


Fix

This issue is resolved in Ninja Forms v2.9.52 (18 July 2016).


Details

https://sumofpwn.nl/advisory/2016/multiple_cross_site_scripting_vulnerabilities_in_ninja_forms_wordpress_plugin.html


Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its
goal is to contribute to the security of popular, widely used OSS
projects in a fun and educational way.


Executable installers are vulnerable^WEVIL (case 35): eclipse-inst-win*.exe vulnerable to DLL and EXE hijacking

2016-07-19 Thread Stefan Kanthak
Hi @ll,

eclipse-inst-win32.exe (and of course eclipse-inst-win64.exe
too) loads and executes multiple DLLs (in version 4.5 also
CMD.EXE) from its "application directory".

* version 4.5 ("Mars") on Windows 7:
  UXTheme.dll, WindowsCodecs.dll, AppHelp.dll, SrvCli.dll,
  Slc.dll, NTMarta.dll, ProfAPI.dll, SAMLib.dll

* version 4.6 ("Neon") on Windows 7:
  IEFrame.dll, Version.dll

* version 4.5 on Windows XP:
  ClbCatQ.dll, SetupAPI.dll, UXTheme.dll, RichEd20.dll

(version 4.6 not tested on Windows Embedded POSReady 2009
alias Windows XP).

For the vulnerable command line "cmd /c start " see

and CVE-2014-0315


For software downloaded with a web browser the application
directory is typically the user's "Downloads" directory: see
,

and  for
"prior art" about this well-known and well-documented vulnerability.

If an attacker places the DLLs named above and/or CMD.EXE in the
user's "Downloads" directory (for example per drive-by download
or social engineering) this vulnerability becomes a remote code
execution.


Proof of concept/demonstration:
~~~

On a fresh (but fully patched) Windows installation (where a Java
Runtime is NOT installed) perform the following actions:

1. visit , download
   , save it
   as UXTheme.dll in your "Downloads" directory, then copy it as
   RichEd20.dll, SetupAPI.dll, ClbCatQ.dll, WindowsCodecs.dll,
   AppHelp.dll, SrvCli.dll, Slc.dll, NTMarta.dll, ProfAPI.dll,
   SAMLib.dll, IEFrame.dll, Version.dll;

2. Download 
   and save it as CMD.EXE in your "Downloads" directory;

3. download eclipse-inst-win32.exe and save it in your "Downloads"
   directory;

4. run eclipse-inst-win32.exe per double-click from your "Downloads"
   directory;

5. click [Yes] in the message box
   
   | Eclipse Installer
   | (?)  The required 32-bit Java 1.7.0 virtual machine could not be found.
   |  Do you want to browse your system for it?

6. notice the message boxes displayed from the DLLs placed in step 1
   and CMD.EXE placed in step 2.

PWNED!


See  and
 as well as
 and the not yet
finished  for details
about these well-known and well-documented BEGINNER'S errors!


Mitigation:
~~~

DUMP executable installers, build packages for the target OS' native
installer instead!

See 
as well as  for the long
sad story of these vulnerabilities.


stay tuned
Stefan Kanthak


Timeline:
~

2016-02-12    vulnerability report sent to Eclipse Foundation

              NO RESPONSE

2016-02-22    vulnerability report resent to Eclipse Foundation

2016-02-23    answer from Eclipse Foundation:
              "we investigate"

2016-02-24    provided guidance to fix both vulnerabilities

2016-02-28    developer opens bug 

2016-07-01    second vulnerability report sent to Eclipse Foundation:
              recently released installer 4.6 "Neon" still vulnerable!

2016-07-12    answer from developer:
              "We analyzed this again and came to the conclusion
               that the code of our installer is now safe (i.e.,
               with the fix from bug 488644). Indications are that
               your new check shows a problem much later in the
               process and that the list of loaded DLLs is totally
               different (i.e., not the one that you originally
               reported).
               Moreover we're convinced that it is a security problem
               in rundll32.exe itself."

2016-07-12    OUCH!
              It's DEFINITIVELY your "fixed" installer which STILL
              loads DLLs from its application directory; it's NOT
              safe, but VULNERABLE!

              NO RESPONSE

2016-07-19    report published


Django CMS v3.3.0 - (Editor Snippet) Persistent Web Vulnerability (CVE-2016-6186)

2016-07-19 Thread Vulnerability Lab
Document Title:
===
Django CMS v3.3.0 - (Editor Snippet) Persistent Web Vulnerability 
(CVE-2016-6186)


References (Source):

http://www.vulnerability-lab.com/get_content.php?id=1869

Security Release: 
https://www.djangoproject.com/weblog/2016/jul/18/security-releases/

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6186

CVE-ID:
===
CVE-2016-6186


Release Date:
=
2016-07-19


Vulnerability Laboratory ID (VL-ID):

1869


Common Vulnerability Scoring System:

3.5


Product & Service Introduction:
===
django CMS is a modern web publishing platform built with Django, the web 
application framework for perfectionists with deadlines.
django CMS offers out-of-the-box support for the common features you’d expect 
from a CMS, but can also be easily customised and 
extended by developers to create a site that is tailored to their precise needs.

(Copy of the Homepage: 
http://docs.django-cms.org/en/release-3.3.x/upgrade/3.3.html )


Abstract Advisory Information:
==
The vulnerability laboratory core research team discovered an application-side 
vulnerability (CVE-2016-6186) in the official Django v3.3.0 Content Management 
System.


Vulnerability Disclosure Timeline:
==
2016-07-03: Researcher Notification & Coordination (Benjamin Kunz Mejri - 
Evolution Security GmbH)
2016-07-04: Vendor Notification (Django Security Team)
2016-07-07: Vendor Response/Feedback (Django Security Team)
2016-07-18: Vendor Fix/Patch (Django Service Developer Team)
2016-07-19: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=
Published


Affected Product(s):

Divio AG
Product: Django Framework - Content Management System 3.3.0

Divio AG
Product: Django Framework - Content Management System MDB, 1.10, 1.9, 1.8 and 
1.7


Exploitation Technique:
===
Remote


Severity Level:
===
Medium


Technical Details & Description:

A persistent input validation web vulnerability has been discovered in the 
official Django v3.3.0 Content Management System.
The security vulnerability allows remote attackers or privileged user accounts 
to inject their own malicious script code into the 
application-side web context of the vulnerable module.

The persistent web vulnerability is located in the `Name` value of the `Editors 
- Code Snippet` module POST method request. 
Remote attackers are able to inject their own malicious script code into the 
snippet's name input field to provoke a persistent execution. 
The injection point is the snippet add module of the editor. The execution 
point is the `./djangocms_snippet/snippet/` 
data listing after the add. The data is not escaped or parsed on add to the 
select element, and thus any payload placed in the 
name is executed inside the option tag.

The attack vector of the vulnerability is persistent because the data is 
stored on add and the request method used to inject is POST.
The vulnerability can be exploited against other privileged user accounts of 
the django application through interaction with already 
existing snippets on add. 

Already added elements become visible to the other user accounts as well on 
add interaction. The unescaped data is stored in 
the database of the web application, but when rendered in the frontend or in 
edit mode it is properly escaped.

The security risk of the vulnerability is estimated as medium with a CVSS 
(Common Vulnerability Scoring System) count of 3.5. 
Exploitation of the vulnerability requires a low privileged web application 
user account and only low user interaction. 
Successful exploitation of the vulnerability results in session hijacking, 
persistent phishing attacks, persistent external 
redirects to malicious sources and persistent manipulation of affected or 
connected application modules.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] Editor - Snippets (Add)

Vulnerable Input(s):
[+] Name

Parameter(s):
[+] select

Affected Module(s):
[+] Snippets Options Listing 
[./djangocms_snippet/snippet/] - option


Proof of Concept (PoC):
===
The application-side validation web vulnerability can be exploited by low and 
high privileged web-application user accounts with low user interaction.
For security demonstration or to reproduce the application-side web 
vulnerability follow the provided information and steps below to continue.

Manual steps to reproduce the vulnerability ...
1. Login to your django cms website with version 3.3.0
2. Open the structure module
3. Click to edit a page module
Note: Now the editor opens with the main default plugins
4. Mark a text 

APPLE-SA-2016-07-18-6 iTunes 12.4.2

2016-07-19 Thread Apple Product Security

APPLE-SA-2016-07-18-6 iTunes 12.4.2

iTunes 12.4.2 for Windows is now available and addresses the following:

libxml2
Impact:  Multiple vulnerabilities in libxml2
Description:  Multiple memory corruption issues were addressed
through improved memory handling.
CVE-2016-1836 : Wei Lei and Liu Yang of Nanyang Technological
University
CVE-2016-4447 : Wei Lei and Liu Yang of Nanyang Technological
University
CVE-2016-4448 : Apple
CVE-2016-4483 : Gustavo Grieco
CVE-2016-4614 : Nick Wellnhofer
CVE-2016-4615 : Nick Wellnhofer
CVE-2016-4616 : Michael Paddon
CVE-2016-4619 : Hanno Boeck

libxml2
Impact:  Parsing a maliciously crafted XML document may lead to
disclosure of user information
Description:  An access issue existed in the parsing of maliciously
crafted XML files. This issue was addressed through improved input
validation.
CVE-2016-4449 : Kostya Serebryany

libxslt
Impact:  Multiple vulnerabilities in libxslt
Description:  Multiple memory corruption issues were addressed
through improved memory handling.
CVE-2016-1684 : Nicolas Grégoire
CVE-2016-4608 : Nicolas Grégoire
CVE-2016-4609 : Nick Wellnhofer
CVE-2016-4610 : Nick Wellnhofer
CVE-2016-4612 : Nicolas Grégoire

iTunes 12.4.2 may be obtained from:
https://www.apple.com/itunes/download/

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/



APPLE-SA-2016-07-18-5 Safari 9.1.2

2016-07-19 Thread Apple Product Security

APPLE-SA-2016-07-18-5 Safari 9.1.2

Safari 9.1.2 is now available and addresses the following:

WebKit
Available for:  OS X El Capitan v10.11.6
Impact:  Visiting a malicious website may disclose image data from
another website
Description:  A timing issue existed in the processing of SVG. This
issue was addressed through improved validation.
CVE-2016-4583 : Roeland Krak

WebKit
Available for:  OS X El Capitan v10.11.6
Impact:  Visiting a malicious website may lead to user interface
spoofing
Description:  An origin inheritance issue existed in parsing of
about: URLs. This was addressed through improved validation of
security origins.
CVE-2016-4590 : xisigr of Tencent's Xuanwu
Lab (www.tencent.com)

WebKit
Available for:  OS X El Capitan v10.11.6
Impact:  Visiting a maliciously crafted website may lead to arbitrary
code execution
Description:  Multiple memory corruption issues were addressed
through improved memory handling.
CVE-2016-4586 : Apple
CVE-2016-4589 : Tongbo Luo and Bo Qu of Palo Alto Networks
CVE-2016-4622 : Samuel Gross working with Trend Micro’s Zero Day
Initiative
CVE-2016-4623 : Apple
CVE-2016-4624 : Apple

WebKit
Available for:  OS X El Capitan v10.11.6
Impact:  Visiting a maliciously crafted website may result in the
disclosure of process memory
Description:  A memory initialization issue was addressed through
improved memory handling.
CVE-2016-4587 : Apple

WebKit
Available for:  OS X El Capitan v10.11.6
Impact:  Visiting a maliciously crafted webpage may lead to a system
denial of service
Description:  A memory consumption issue was addressed through
improved memory handling.
CVE-2016-4592 : Mikhail

WebKit
Available for:  OS X El Capitan v10.11.6
Impact:  Visiting a maliciously crafted website may compromise user
information on the file system
Description:  A permissions issue existed in the handling of the
location variable. This was addressed through additional ownership
checks.
CVE-2016-4591 : ma.la of LINE Corporation

WebKit JavaScript Bindings
Available for:  OS X El Capitan v10.11.6
Impact:  Visiting a maliciously crafted website may lead to script
execution in the context of a non-HTTP service
Description:  A cross-protocol cross-site scripting (XPXSS) issue
existed in Safari when submitting forms to non-HTTP services
compatible with HTTP/0.9. This issue was addressed by disabling
scripts and plugins on resources loaded over HTTP/0.9.
CVE-2016-4651 : Obscure

WebKit Page Loading
Available for:  OS X El Capitan v10.11.6
Impact:  Visiting a maliciously crafted website may lead to arbitrary
code execution
Description:  Multiple memory corruption issues were addressed
through improved memory handling.
CVE-2016-4584 : Chris Vienneau

WebKit Page Loading
Available for:  OS X El Capitan v10.11.6
Impact:  A malicious website may exfiltrate data cross-origin
Description:  A cross-site scripting issue existed in Safari URL
redirection. This issue was addressed through improved URL validation
on redirection.
CVE-2016-4585 : Takeshi Terada of Mitsui Bussan Secure Directions,
Inc. (www.mbsd.jp)

Safari 9.1.2 may be obtained from the Mac App Store.

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/



APPLE-SA-2016-07-18-4 tvOS 9.2.2

2016-07-19 Thread Apple Product Security

APPLE-SA-2016-07-18-4 tvOS 9.2.2

tvOS 9.2.2 is now available and addresses the following:

CoreGraphics
Available for:  Apple TV (4th generation)
Impact:  A remote attacker may be able to execute arbitrary code
Description:  A memory corruption issue was addressed through
improved memory handling.
CVE-2016-4637 : Tyler Bohan of Cisco Talos (talosintel.com
/vulnerability-reports)

ImageIO
Available for:  Apple TV (4th generation)
Impact:  A remote attacker may be able to execute arbitrary code
Description:  Multiple memory corruption issues were addressed
through improved memory handling.
CVE-2016-4631 : Tyler Bohan of Cisco Talos (talosintel.com
/vulnerability-reports)

ImageIO
Available for:  Apple TV (4th generation)
Impact:  A remote attacker may be able to cause a denial of service
Description:  A memory consumption issue was addressed through
improved memory handling.
CVE-2016-4632 : Evgeny Sidorov of Yandex

IOAcceleratorFamily
Available for:  Apple TV (4th generation)
Impact:  A local user may be able to execute arbitrary code with
kernel privileges
Description:  A null pointer dereference was addressed through
improved validation.
CVE-2016-4627 : Ju Zhu of Trend Micro

IOHIDFamily
Available for:  Apple TV (4th generation)
Impact:  A local user may be able to execute arbitrary code with
kernel privileges
Description:  A null pointer dereference was addressed through
improved input validation.
CVE-2016-4626 : Stefan Esser of SektionEins

Kernel
Available for:  Apple TV (4th generation)
Impact:  A local user may be able to execute arbitrary code with
kernel privileges
Description:  Multiple memory corruption issues were addressed
through improved memory handling.
CVE-2016-1863 : Ian Beer of Google Project Zero
CVE-2016-1864 : Ju Zhu of Trend Micro
CVE-2016-4582 : Shrek_wzw and Proteas of Qihoo 360 Nirvan Team

Kernel
Available for:  Apple TV (4th generation)
Impact:  A local user may be able to cause a system denial of service
Description:  A null pointer dereference was addressed through
improved input validation.
CVE-2016-1865 : Marco Grassi (@marcograss) of KeenLab (@keen_lab),
Tencent, CESG

libxml2
Available for:  Apple TV (4th generation)
Impact:  Multiple vulnerabilities in libxml2
Description:  Multiple memory corruption issues were addressed
through improved memory handling.
CVE-2016-4448 : Apple
CVE-2016-4483 : Gustavo Grieco
CVE-2016-4614 : Nick Wellnhofer
CVE-2016-4615 : Nick Wellnhofer
CVE-2016-4616 : Michael Paddon
CVE-2016-4619 : Hanno Boeck

libxml2
Available for:  Apple TV (4th generation)
Impact:  Parsing a maliciously crafted XML document may lead to
disclosure of user information
Description:  An access issue existed in the parsing of maliciously
crafted XML files. This issue was addressed through improved input
validation.
CVE-2016-4449 : Kostya Serebryany

libxslt
Available for:  Apple TV (4th generation)
Impact:  Multiple vulnerabilities in libxslt
Description:  Multiple memory corruption issues were addressed
through improved memory handling.
CVE-2016-1684 : Nicolas Grégoire
CVE-2016-4607 : Nick Wellnhofer
CVE-2016-4608 : Nicolas Grégoire
CVE-2016-4609 : Nick Wellnhofer
CVE-2016-4610 : Nick Wellnhofer
CVE-2016-4612 : Nicolas Grégoire

Sandbox Profiles
Available for:  Apple TV (4th generation)
Impact:  A local application may be able to access the process list
Description:  An access issue existed with privileged API calls. This
issue was addressed through additional restrictions.
CVE-2016-4594 : Stefan Esser of SektionEins

WebKit
Available for:  Apple TV (4th generation)
Impact:  Processing maliciously crafted web content may lead to a system
denial of service
Description:  A memory consumption issue was addressed through
improved memory handling.
CVE-2016-4592 : Mikhail

WebKit
Available for:  Apple TV (4th generation)
Impact:  Processing maliciously crafted web content may lead to arbitrary
code execution
Description:  Multiple memory corruption issues were addressed
through improved memory handling.
CVE-2016-4586 : Apple
CVE-2016-4588 : Apple
CVE-2016-4589 : Tongbo Luo and Bo Qu of Palo Alto Networks
CVE-2016-4622 : Samuel Gross working with Trend Micro’s Zero Day
Initiative
CVE-2016-4623 : Apple
CVE-2016-4624 : Apple

WebKit
Available for:  Apple TV (4th generation)
Impact:  Processing maliciously crafted web content may result in the
disclosure of process memory
Description:  A memory initialization issue was addressed through
improved memory handling.
CVE-2016-4587 : Apple

WebKit
Available for:  Apple TV (4th generation)
Impact:  Processing maliciously crafted web content may compromise user
information on the file system
Description:  A permissions issue existed in the handling of the
location variable. This was addressed through additional ownership
checks.
CVE-2016-4591 : ma.la of LINE Corporation

WebKit
Available for:  Apple TV (4th generation)
Impact:  Processing maliciously crafted web content may disclose image 

APPLE-SA-2016-07-18-3 watchOS 2.2.2

2016-07-19 Thread Apple Product Security

APPLE-SA-2016-07-18-3 watchOS 2.2.2

watchOS 2.2.2 is now available and addresses the following:

CoreGraphics
Available for:  Apple Watch Sport, Apple Watch, Apple Watch Edition,
and Apple Watch Hermes
Impact:  A remote attacker may be able to execute arbitrary code
Description:  A memory corruption issue was addressed through
improved memory handling.
CVE-2016-4637 : Tyler Bohan of Cisco Talos (talosintel.com
/vulnerability-reports)

ImageIO
Available for:  Apple Watch Sport, Apple Watch, Apple Watch Edition,
and Apple Watch Hermes
Impact:  A remote attacker may be able to execute arbitrary code
Description:  Multiple memory corruption issues were addressed
through improved memory handling.
CVE-2016-4631 : Tyler Bohan of Cisco Talos (talosintel.com
/vulnerability-reports)

ImageIO
Available for:  Apple Watch Sport, Apple Watch, Apple Watch Edition,
and Apple Watch Hermes
Impact:  A remote attacker may be able to cause a denial of service
Description:  A memory consumption issue was addressed through
improved memory handling.
CVE-2016-4632 : Evgeny Sidorov of Yandex

IOAcceleratorFamily
Available for:  Apple Watch Sport, Apple Watch, Apple Watch Edition,
and Apple Watch Hermes
Impact:  A local user may be able to execute arbitrary code with
kernel privileges
Description:  A null pointer dereference was addressed through
improved validation.
CVE-2016-4627 : Ju Zhu of Trend Micro

IOAcceleratorFamily
Available for:  Apple Watch Sport, Apple Watch, Apple Watch Edition,
and Apple Watch Hermes
Impact:  A local user may be able to read kernel memory
Description:  An out-of-bounds read was addressed through improved
bounds checking.
CVE-2016-4628 : Ju Zhu of Trend Micro

IOHIDFamily
Available for:  Apple Watch Sport, Apple Watch, Apple Watch Edition,
and Apple Watch Hermes
Impact:  A local user may be able to execute arbitrary code with
kernel privileges
Description:  A null pointer dereference was addressed through
improved input validation.
CVE-2016-4626 : Stefan Esser of SektionEins

Kernel
Available for:  Apple Watch Sport, Apple Watch, Apple Watch Edition,
and Apple Watch Hermes
Impact:  A local user may be able to cause a system denial of service
Description:  A null pointer dereference was addressed through
improved input validation.
CVE-2016-1865 : CESG, Marco Grassi (@marcograss) of KeenLab
(@keen_lab), Tencent

Kernel
Available for:  Apple Watch Sport, Apple Watch, Apple Watch Edition,
and Apple Watch Hermes
Impact:  A local user may be able to execute arbitrary code with
kernel privileges
Description:  Multiple memory corruption issues were addressed
through improved memory handling.
CVE-2016-1863 : Ian Beer of Google Project Zero
CVE-2016-1864 : Ju Zhu of Trend Micro
CVE-2016-4582 : Shrek_wzw and Proteas of Qihoo 360 Nirvan Team

libxml2
Available for:  Apple Watch Sport, Apple Watch, Apple Watch Edition,
and Apple Watch Hermes
Impact:  Multiple vulnerabilities in libxml2
Description:  Multiple memory corruption issues were addressed
through improved memory handling.
CVE-2016-1836 : Wei Lei and Liu Yang of Nanyang Technological
University
CVE-2016-4447 : Wei Lei and Liu Yang of Nanyang Technological
University
CVE-2016-4448 : Apple
CVE-2016-4483 : Gustavo Grieco
CVE-2016-4614 : Nick Wellnhofer
CVE-2016-4615 : Nick Wellnhofer
CVE-2016-4616 : Michael Paddon
CVE-2016-4619 : Hanno Boeck

libxml2
Available for:  Apple Watch Sport, Apple Watch, Apple Watch Edition,
and Apple Watch Hermes
Impact:  Parsing a maliciously crafted XML document may lead to
disclosure of user information
Description:  An access issue existed in the parsing of maliciously
crafted XML files. This issue was addressed through improved input
validation.
CVE-2016-4449 : Kostya Serebryany

libxslt
Available for:  Apple Watch Sport, Apple Watch, Apple Watch Edition,
and Apple Watch Hermes
Impact:  Multiple vulnerabilities in libxslt
Description:  Multiple memory corruption issues were addressed
through improved memory handling.
CVE-2016-1684 : Nicolas Grégoire
CVE-2016-4607 : Nick Wellnhofer
CVE-2016-4608 : Nicolas Grégoire
CVE-2016-4609 : Nick Wellnhofer
CVE-2016-4610 : Nick Wellnhofer
CVE-2016-4612 : Nicolas Grégoire

Sandbox Profiles
Available for:  Apple Watch Sport, Apple Watch, Apple Watch Edition,
and Apple Watch Hermes
Impact:  A local application may be able to access the process list
Description:  An access issue existed with privileged API calls. This
issue was addressed through additional restrictions.
CVE-2016-4594 : Stefan Esser of SektionEins

Installation note:

Instructions on how to update your Apple Watch software are
available at https://support.apple.com/en-us/HT204641

To check the version on your Apple Watch, open the Apple Watch app
on your iPhone and select "My Watch > General > About".

Alternatively, on your watch, select "My Watch > General > About".

Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222


APPLE-SA-2016-07-18-2 iOS 9.3.3

2016-07-19 Thread Apple Product Security

APPLE-SA-2016-07-18-2 iOS 9.3.3

iOS 9.3.3 is now available and addresses the following:

Calendar
Available for:  iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A maliciously crafted calendar invite may cause a device to
unexpectedly restart
Description:  A null pointer dereference was addressed through
improved memory handling.
CVE-2016-4605 : Henry Feldman MD at Beth Israel Deaconess Medical
Center

CoreGraphics
Available for:  iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A remote attacker may be able to execute arbitrary code
Description:  A memory corruption issue was addressed through
improved memory handling.
CVE-2016-4637 : Tyler Bohan of Cisco Talos (talosintel.com/vulnerability-reports)

FaceTime
Available for:  iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  An attacker in a privileged network position may be able to
cause a relayed call to continue transmitting audio while appearing
as if the call terminated
Description:  User interface inconsistencies existed in the handling
of relayed calls. These issues were addressed through improved
FaceTime display logic.
CVE-2016-4635 : Martin Vigo

ImageIO
Available for:  iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A remote attacker may be able to execute arbitrary code
Description:  Multiple memory corruption issues were addressed
through improved memory handling.
CVE-2016-4631 : Tyler Bohan of Cisco Talos (talosintel.com/vulnerability-reports)

ImageIO
Available for:  iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A remote attacker may be able to cause a denial of service
Description:  A memory consumption issue was addressed through
improved memory handling.
CVE-2016-4632 : Evgeny Sidorov of Yandex

IOAcceleratorFamily
Available for:  iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A local user may be able to read kernel memory
Description:  An out-of-bounds read was addressed through improved
bounds checking.
CVE-2016-4628 : Ju Zhu of Trend Micro

IOAcceleratorFamily
Available for:  iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A local user may be able to execute arbitrary code with
kernel privileges
Description:  A null pointer dereference was addressed through
improved validation.
CVE-2016-4627 : Ju Zhu of Trend Micro

IOHIDFamily
Available for:  iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A local user may be able to execute arbitrary code with
kernel privileges
Description:  A null pointer dereference was addressed through
improved input validation.
CVE-2016-4626 : Stefan Esser of SektionEins

Kernel
Available for:  iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A local user may be able to execute arbitrary code with
kernel privileges
Description:  Multiple memory corruption issues were addressed
through improved memory handling.
CVE-2016-1863 : Ian Beer of Google Project Zero
CVE-2016-1864 : Ju Zhu of Trend Micro
CVE-2016-4582 : Shrek_wzw and Proteas of Qihoo 360 Nirvan Team

Kernel
Available for:  iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A local user may be able to cause a system denial of service
Description:  A null pointer dereference was addressed through
improved input validation.
CVE-2016-1865 : CESG, Marco Grassi (@marcograss) of KeenLab
(@keen_lab), Tencent

libxml2
Available for:  iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  Multiple vulnerabilities in libxml2
Description:  Multiple memory corruption issues were addressed
through improved memory handling.
CVE-2016-1836 : Wei Lei and Liu Yang of Nanyang Technological
University
CVE-2016-4447 : Wei Lei and Liu Yang of Nanyang Technological
University
CVE-2016-4448 : Apple
CVE-2016-4483 : Gustavo Grieco
CVE-2016-4614 : Nick Wellnhofer
CVE-2016-4615 : Nick Wellnhofer
CVE-2016-4616 : Michael Paddon
CVE-2016-4619 : Hanno Boeck

libxml2
Available for:  iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  Parsing a maliciously crafted XML document may lead to
disclosure of user information
Description:  An access issue existed in the parsing of maliciously
crafted XML files. This issue was addressed through improved input
validation.
CVE-2016-4449 : Kostya Serebryany

libxslt
Available for:  iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  Multiple vulnerabilities in libxslt
Description:  Multiple memory corruption issues were addressed
through improved memory handling.
CVE-2016-1684 : Nicolas Grégoire
CVE-2016-4607 : Nick Wellnhofer
CVE-2016-4608 : Nicolas Grégoire
CVE-2016-4609 : Nick Wellnhofer
CVE-2016-4610 : Nick Wellnhofer

APPLE-SA-2016-07-18-1 OS X El Capitan v10.11.6 and Security Update 2016-004

2016-07-19 Thread Apple Product Security
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

APPLE-SA-2016-07-18-1 OS X El Capitan v10.11.6 and Security Update
2016-004

OS X El Capitan v10.11.6 and Security Update 2016-004 is now
available and addresses the following:

apache_mod_php
Available for:  OS X Yosemite v10.10.5 and OS X El Capitan v10.11
and later
Impact:  A remote attacker may be able to execute arbitrary code
Description:  Multiple issues existed in PHP versions prior to
5.5.36. These were addressed by updating PHP to version 5.5.36.
CVE-2016-4650

Audio
Available for:  OS X El Capitan v10.11 and later
Impact:  A local user may be able to execute arbitrary code with
kernel privileges
Description:  A memory corruption issue was addressed through
improved memory handling.
CVE-2016-4647 : Juwei Lin (@fuzzerDOTcn) of Trend Micro

Audio
Available for:  OS X El Capitan v10.11 and later
Impact:  A local user may be able to determine kernel memory layout
Description:  An out-of-bounds read was addressed through improved
input validation.
CVE-2016-4648 : Juwei Lin (@fuzzerDOTcn) of Trend Micro

Audio
Available for:  OS X El Capitan v10.11 and later
Impact:  Parsing a maliciously crafted audio file may lead to the
disclosure of user information
Description:  An out-of-bounds read was addressed through improved
bounds checking.
CVE-2016-4646 : Steven Seeley of Source Incite working with Trend
Micro's Zero Day Initiative

Audio
Available for:  OS X El Capitan v10.11 and later
Impact:  A local user may be able to cause a system denial of service
Description:  A null pointer dereference was addressed through
improved input validation.
CVE-2016-4649 : Juwei Lin (@fuzzerDOTcn) of Trend Micro

bsdiff
Available for:  OS X El Capitan v10.11 and later
Impact:  A local attacker may be able to cause unexpected application
termination or arbitrary code execution
Description:  An integer overflow existed in bspatch. This issue was
addressed through improved bounds checking.
CVE-2014-9862 : an anonymous researcher

CFNetwork
Available for:  OS X El Capitan v10.11 and later
Impact:  A local user may be able to view sensitive user information
Description:  A permissions issue existed in the handling of web
browser cookies. This issue was addressed through improved
restrictions.
CVE-2016-4645 : Abhinav Bansal of Zscaler Inc.

CoreGraphics
Available for:  OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,
and OS X El Capitan v10.11 and later
Impact:  A remote attacker may be able to execute arbitrary code
Description:  A memory corruption issue was addressed through
improved memory handling.
CVE-2016-4637 : Tyler Bohan of Cisco Talos (talosintel.com/vulnerability-reports)

CoreGraphics
Available for:  OS X El Capitan v10.11 and later
Impact:  A local user may be able to elevate privileges
Description:  An out-of-bounds read issue existed that led to the
disclosure of kernel memory. This was addressed through improved
input validation.
CVE-2016-4652 : Yubin Fu of Tencent KeenLab working with Trend
Micro's Zero Day Initiative

FaceTime
Available for:  OS X El Capitan v10.11 and later
Impact:  An attacker in a privileged network position may be able to
cause a relayed call to continue transmitting audio while appearing
as if the call terminated
Description:  User interface inconsistencies existed in the handling
of relayed calls. These issues were addressed through improved
FaceTime display logic.
CVE-2016-4635 : Martin Vigo

Graphics Drivers
Available for:  OS X El Capitan v10.11 and later
Impact:  A local user may be able to execute arbitrary code with
kernel privileges
Description:  A memory corruption issue was addressed through
improved input validation.
CVE-2016-4634 : Stefan Esser of SektionEins

ImageIO
Available for:  OS X El Capitan v10.11 and later
Impact:  A remote attacker may be able to cause a denial of service
Description:  A memory consumption issue was addressed through
improved memory handling.
CVE-2016-4632 : Evgeny Sidorov of Yandex

ImageIO
Available for:  OS X El Capitan v10.11 and later
Impact:  A remote attacker may be able to execute arbitrary code
Description:  Multiple memory corruption issues were addressed
through improved memory handling.
CVE-2016-4631 : Tyler Bohan of Cisco Talos (talosintel.com/vulnerability-reports)

ImageIO
Available for:  OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,
and OS X El Capitan v10.11 and later
Impact:  A remote attacker may be able to execute arbitrary code
Description:  Multiple memory corruption issues were addressed
through improved memory handling.
CVE-2016-4629 : Tyler Bohan of Cisco Talos (talosintel.com/vulnerability-reports)
CVE-2016-4630 : Tyler Bohan of Cisco Talos (talosintel.com/vulnerability-reports)

Intel Graphics Driver
Available for:  OS X El Capitan v10.11 and later
Impact:  A malicious application may be able to execute arbitrary
code with kernel privileges
Description:  Multiple memory corruption issues were addressed
through improved memory handling.
CVE-2016-4633 : an anonymous 

[SECURITY] [DSA 3622-1] python-django security update

2016-07-19 Thread Salvatore Bonaccorso
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3622-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
July 18, 2016 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package: python-django
CVE ID : CVE-2016-6186

It was discovered that Django, a high-level Python web development
framework, is prone to a cross-site scripting vulnerability in the
admin's add/change related popup.

For the stable distribution (jessie), this problem has been fixed in
version 1.7.7-1+deb8u5.

We recommend that you upgrade your python-django packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJXjSyHAAoJEAVMuPMTQ89ESKkP+wTDvZVf9kX/fFhyRrxqOoZU
WWt1MgVN0vpRCPGHXouOdCzjU5TqwfdtG2sgu2IPucF0q+lB2xxLMcDpyrPPPuK9
pq8hrk0ZkwCtthVeeorLaakNmu/PrzMZ1Bs7JbkbghES83/+KiMLjDXlwVewD28W
09D/SHwjaXUq94LJ2FNE2z+NnhRtJI47ASrHqLXHB+EmXsAgRRKSv6SqIs/e5uOa
+Zdg5oPYw6JaRlKmY11O2G51Xo9pENBsSHiZDrC7YeSf7Nqt8i82/V1f2lHCnWak
Yn9eiKT8+k6dqoIIvDGun1jQLGqFvL6IGMPsL094ZGgASE0ePGVFCxKcmCy7zGuB
gThVAiJCAl8htRu9zoX1zp1cQ6J/Nh8KV5+OpCe+Be0ZdRqalX29Z1iryB1pkfzg
aD+Z8AnaNdcdaV0QHtDLjL//mUseLnBTKaDaDWVbQpZJPD7CVMkGbsnyQrk1Cv5F
V8GNloBtyHwD7I19DTEjq780hPvc//3O037WtpXIRdLpge2N6EUvuUYVJS4vHjPV
MfGiIMbZnIZwtBfP0VMFswEo4mAVPWCAdgwSKYt6q417NgxMKdhyCX2ESXGSJK1t
ZssFxOSZkYHUlW9jg6DHA5/vQZKIIUhDNzYnHaVrbyhpgtRBIEIuMYGBfNFleVLY
O3zjiwqVzI9aXTQe00ep
=qvZN
-----END PGP SIGNATURE-----