FreshRSS

Full Disclosure

APPLE-SA-02-02-2024-1 visionOS 1.0.2

Posted by Apple Product Security via Fulldisclosure on Feb 04

APPLE-SA-02-02-2024-1 visionOS 1.0.2

visionOS 1.0.2 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/HT214070.

Apple maintains a Security Releases page at
https://support.apple.com/HT201222 which lists recent
software updates with security advisories.

WebKit
Available for: Apple Vision Pro
Impact: Processing maliciously crafted web content may lead to
arbitrary code...

Out-of-bounds read & write in the glibc's qsort()

Posted by Qualys Security Advisory via Fulldisclosure on Feb 04

Qualys Security Advisory

For the algorithm lovers: Nontransitive comparison functions lead to
out-of-bounds read & write in glibc's qsort()

========================================================================
Contents
========================================================================

Summary
Background
Experiments
Analysis
Patch
Discussion
Acknowledgments
Timeline

CUT MY LIST IN TWO PIECES
THAT'S HOW YOU START...

CVE-2023-6246: Heap-based buffer overflow in the glibc's syslog()

Posted by Qualys Security Advisory via Fulldisclosure on Feb 04

Qualys Security Advisory

CVE-2023-6246: Heap-based buffer overflow in the glibc's syslog()

========================================================================
Contents
========================================================================

Summary
Analysis
Proof of concept
Exploitation
Acknowledgments
Timeline

========================================================================
Summary...

Research about usage & possible issues of the NVD

Posted by Andreas Hammer on Feb 04

Hello there!

The University of Erlangen-Nuremberg (Germany) is conducting a research
study to investigate the usage and possible issues of the NVD (National
Vulnerability Database). If you are using the NVD regularly, we would
greatly appreciate your participation which contributes to the
improvement of vulnerability management. You can read more about the
survey here:

https://www.cs1.tf.fau.de/2024/01/29/survey-on-usage-of-nvd/

The...

TROJAN.WIN32 BANKSHOT / Remote Stack Buffer Overflow (SEH)

Posted by malvuln on Feb 04

Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024
Original source:
https://malvuln.com/advisory/f2fd6a7b400782bb43499e722fb62cf4.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln

Threat: Trojan.Win32 BankShot
Vulnerability: Remote Stack Buffer Overflow (SEH)
Description: The malware listens on TCP port 1978 and creates a local
Windows service running with SYSTEM integrity. Third-party adversaries who
can reach the...

[KIS-2024-01] XenForo <= 2.2.13 (ArchiveImport.php) Zip Slip Vulnerability

Posted by Egidio Romano on Feb 04

------------------------------------------------------------
XenForo <= 2.2.13 (ArchiveImport.php) Zip Slip Vulnerability
------------------------------------------------------------

[-] Software Link:

https://xenforo.com

[-] Affected Versions:

Version 2.2.13 and prior versions.

[-] Vulnerability Description:

The vulnerability is located in the
/src/XF/Service/Style/ArchiveImport.php script. Specifically, into the...

NULL pointer dereference in the function handle_viminfo_register() of vim

Posted by Christian Brabandt on Feb 04

Meng Ruijie wrote:

Meng,

This particular problem was fixed in Vim v9.0.1740
https://github.com/vim/vim/commit/0a0764684591c7c6a5d722b628f11dc96208e853

I have no idea why this issue is worth a CVE, because if an attacker
can modify your .viminfo file to make Vim crash, he already has the
possibilities to do much more harm directly. So I don't think this is
a particularly useful CVE. I'd also like to dispute this.

Thanks,
Christian

Re: Buffer Overflow in graphviz via via a crafted config6a file

Posted by Matthew Fernandez on Jan 27

More specifically, this issue is an out-of-bounds read.

AFAICT the issue was actually introduced in Graphviz 2.36. It was fixed
in commit a95f977f5d809915ec4b14836d2b5b7f5e74881e (essentially
reverting cf95714837f06f684929b54659523c2c9b1fc19f that introduced the
issue), but there has been no release yet since then. The next release
will be 10.0.0. So affected versions would be [2.36, 10.0.0).

To exploit this issue, you need to modify a...

CVEs based on commit messages

Posted by Mark Esler on Jan 27

Dear Meng Rujie,

In regards to your recent FD posts, are you requesting CVEs based on the
presence of strings in commit messages such as "null pointer dereference"?

Are you reaching out to each upstream project before assigning a CVE? Do
you believe that every null pointer bug is a vulnerability? What impact
are you hoping to achieve?

Please reconsider how you are requesting CVEs.

CVE assignment based on commit message allows...

Re: null pointer deference in nano via read_the_list()

Posted by Mark Esler on Jan 27

Hi Meng,

In your recent mass posts to FD, are you reporting vulnerabilities or
bug reports which have words like "segfault" in the title? What benefit
do you see this having? Have you spoken to each upstream project before
requesting a CVE be assigned?

Thank you,
Mark Esler

Re: NULL pointer dereference in freedesktop Mesa via check_xshm()

Posted by Dan Cross on Jan 27

I find it very difficult to believe that every NULL pointer error in
existence is a security vulnerability.

- Dan C.

Re: Null pointer dereference in Xedit

Posted by Alan Coopersmith on Jan 27

I will be asking that this CVE be withdrawn on behalf of the X.Org security team.

While it is a low-priority bug, we did not see any security exposure
when this bug was first brought to our attention because there is no
way for an attacker to change the contents of the lisp.lsp file or to
cause a *.lsp file to be loaded for another user.

The bug report states "replace /usr/local/lib/X11/xedit/lisp/lisp.lsp with
the attached version,"...

Buffer overflow in Sane

Posted by Meng Ruijie on Jan 26

[Vulnerability description]
A buffer overflow existed in Sane v.1.2.1 via a crafted config file to the init_options() function.

[Vulnerability Type]
Buffer Overflow

[Vendor of Product]
sane

[Affected Product Code Base]
sane - 1.2.1

[Reference]
https://gitlab.com/sane-project/backends/-/issues/709

[CVE Reference]
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2023-46052 to this
vulnerability.

null pointer deference in tex-live

Posted by Meng Ruijie on Jan 26

[Vulnerability description]
A null pointer dereference existed in tex-live v.944e257 via a crafted file to the texk/web2c/pdftexdir/tounicode.c
function.

[VulnerabilityType Other]
null pointer deference

[Vendor of Product]
tex-live

[Affected Product Code Base]
tex-live - 944e257

[Reference]
https://tug.org/pipermail/tex-live/2023-August/049406.html

[CVE Reference]
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned...

null pointer deference in MiniZinc via a crafted Preferences.json file

Posted by Meng Ruijie on Jan 26

[Vulnerability description]
A null pointer dereference existed in MiniZinc v.2.7.6 via a crafted Preferences.json file.

[VulnerabilityType Other]
null pointer deference

[Vendor of Product]
MiniZinc

[Affected Product Code Base]
MiniZinc - 2.7.6

[Reference]
https://github.com/MiniZinc/libminizinc/issues/729

[CVE Reference]
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2023-46050 to this...

null pointer deference in LLVM

Posted by Meng Ruijie on Jan 26

[Vulnerability description]
A null pointer dereference existed in LLVM v.15.0.0 via a crafted pdflatex.fmt file.

[VulnerabilityType Other]
null pointer deference

[Vendor of Product]
llvm

[Affected Product Code Base]
llvm - LLVM-15

[Reference]
https://github.com/llvm/llvm-project/issues/67388

[CVE Reference]
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2023-46049 to this
vulnerability.

null pointer deference in tex-live via a crafted cmr10.pfb

Posted by Meng Ruijie on Jan 26

[Vulnerability description]
A null pointer dereference occurred in tex-live 944e257 via a crafted cmr10.pfb config file.

[VulnerabilityType Other]
null pointer deference

[Vendor of Product]
tex-live

[Affected Product Code Base]
tex-live - 944e257

[Reference]
https://tug.org/pipermail/tex-live/2023-August/049400.html

[CVE Reference]
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2023-46048 to this...

null pointer deference in Sane via a crafted config file

Posted by Meng Ruijie on Jan 26

[Vulnerability description]
A null pointer dereference occurred in Sane v.1.2.1 via a crafted config file to the sanei_configure_attach() function.

[VulnerabilityType Other]
null pointer deference

[Vendor of Product]
sane

[Affected Product Code Base]
sane - 1.2.1

[Reference]
https://gitlab.com/sane-project/backends/-/issues/708

[CVE Reference]
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2023-46047...

null pointer deference in MiniZinc via a crafted .mzn file

Posted by Meng Ruijie on Jan 26

[Vulnerability description]
Null pointer dereference happens in MiniZinc v.2.7.6 via a crafted .mzn file.

[VulnerabilityType Other]
null pointer deference

[Vendor of Product]
MiniZinc

[Affected Product Code Base]
MiniZinc - 2.7.6

[Reference]
https://github.com/MiniZinc/libminizinc/issues/730

[CVE Reference]
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2023-46046 to this
vulnerability.

Buffer Overflow in graphviz via via a crafted config6a file

Posted by Meng Ruijie on Jan 26

[Vulnerability description]
Buffer Overflow vulnerability in graphviz v.2.43.0 allows a remote attacker to execute arbitrary code via a crafted
config6a file.

[Vulnerability Type]
Buffer Overflow

[Vendor of Product]
graphviz

[Affected Product Code Base]
graphviz - 2.43.0

[Reference]
https://gitlab.com/graphviz/graphviz/-/issues/2441

[CVE Reference]
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name...

NULL pointer dereference in QT via the function QXcbConnection::initializeAllAtoms()

Posted by Meng Ruijie on Jan 26

[Vulnerability description]
QT v6.2, v6.5, and v6.6 was discovered to contain a NULL pointer dereference via the function
QXcbConnection::initializeAllAtoms().

[VulnerabilityType Other]
null pointer deference

[Vendor of Product]
qt

[Affected Product Code Base]
qt - 6.6, 6.5, 6.2

[Reference]
https://bugreports.qt.io/browse/QTBUG-115599

[CVE Reference]
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name...

null pointer deference in nano via read_the_list()

Posted by Meng Ruijie on Jan 26

[Vulnerability description]
Nano v6.2 was discovered to contain a segmentation violation via the function read_the_list().

[VulnerabilityType Other]
null pointer deference

[Vendor of Product]
nano

[Affected Product Code Base]
nano - 6.2

[Reference]
https://savannah.gnu.org/bugs/index.php?64465

[CVE Reference]
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2023-45932 to this
vulnerability.

NULL pointer dereference in freedesktop Mesa via check_xshm()

Posted by Meng Ruijie on Jan 26

[Vulnerability description]
freedesktop Mesa v23.0.4 was discovered to contain a NULL pointer dereference via the function check_xshm().

[Vulnerability Type]
NULL pointer dereference

[Vendor of Product]
freedesktop

[Affected Product Code Base]
Mesa - 23.0.4

[Reference]
https://gitlab.freedesktop.org/mesa/mesa/-/issues/9859

[CVE Reference]
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2023-45931 to...

null pointer deference in gnome gtk via parse_settings() at xsettings-client.c

Posted by Meng Ruijie on Jan 26

[Vulnerability description]
gnome gtk ac60bc60 was discovered to contain a segmentation violation via the function parse_settings() at
xsettings-client.c.

[VulnerabilityType Other]
null pointer deference

[Vendor of Product]
gnome

[Affected Product Code Base]
gtk - ac60bc60

[Reference]
https://gitlab.gnome.org/GNOME/gtk/-/issues/5983

[CVE Reference]
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name...

SEGV in S-Lang via fixup_tgetstr()

Posted by Meng Ruijie on Jan 26

[Vulnerability description]
S-Lang v2.3.2 was discovered to contain a SEGV via the function fixup_tgetstr().

[VulnerabilityType Other]
SEGV

[Vendor of Product]
S-Lang

[Affected Product Code Base]
S-Lang - 2.3.2

[Reference]
http://lists.jedsoft.org/lists/slang-users/2023/0000002.html

[CVE Reference]
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2023-45929 to this
vulnerability.

null pointer deference in gnome gtk via init_randr15() at gdkscreen-x11.c

Posted by Meng Ruijie on Jan 26

[Vulnerability description]
gnome gtk f2a28891 was discovered to contain a segmentation violation via the function init_randr15() at
gdkscreen-x11.c.

[VulnerabilityType Other]
null pointer deference

[Vendor of Product]
gnome

[Affected Product Code Base]
gtk - f2a28891

[Reference]
https://gitlab.gnome.org/GNOME/gtk/-/issues/5984

[CVE Reference]
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name...

arithmetic exception in S-lang via the function tt_sprintf()

Posted by Meng Ruijie on Jan 26

[Vulnerability description]
S-Lang v2.3.2 was discovered to contain an arithmetic exception via the function tt_sprintf().

[VulnerabilityType Other]
FPE

[Vendor of Product]
S-Lang

[Affected Product Code Base]
S-Lang - 2.3.2

[Reference]
http://lists.jedsoft.org/lists/slang-users/2023/0000003.html

[CVE Reference]
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2023-45927 to this
vulnerability.

null pointer deference in gnome gdk-pixbuf

Posted by Meng Ruijie on Jan 26

[Vulnerability description]
gnome gdk-pixbuf 4fc028aa was discovered to contain a segmentation violation via the function
gdk_pixbuf_io_init_modules().

[VulnerabilityType Other]
null pointer deference

[Vendor of Product]
gnome

[Affected Product Code Base]
gdk-pixbuf - 4fc028aa

[Reference]
https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/issues/230

[CVE Reference]
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the...

null pointer deference in GNU Midnight at /tty/x11conn.c

Posted by Meng Ruijie on Jan 26

[Vulnerability description]
GNU Midnight Commander v4.8.29-146-g299d9a2fb was discovered to contain a segmentation violation via the function
x_error_handler() at /tty/x11conn.c.

[VulnerabilityType Other]
null pointer deference

[Vendor of Product]
GNU

[Affected Product Code Base]
Midnight Commander - 4.8.29-146-g299d9a2fb

[Reference]
https://midnight-commander.org/ticket/4484

[CVE Reference]
The Common Vulnerabilities and Exposures project...

NULL pointer dereference in glXGetDrawableScreen() of OpenGL libglvnd

Posted by Meng Ruijie on Jan 26

[Vulnerability description]
OpenGL libglvnd bb06db5a was discovered to contain a NULL pointer dereference via the function glXGetDrawableScreen().

[Vulnerability Type]
Buffer Overflow

[Vendor of Product]
OpenGL

[Affected Product Code Base]
libglvnd - bb06db5a

[Reference]
https://gitlab.freedesktop.org/glvnd/libglvnd/-/issues/242

[CVE Reference]
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name...

NULL pointer dereference in XIQueryDevice() of gnome gtk

Posted by Meng Ruijie on Jan 26

[Vulnerability description]
gnome gtk 824e9833 was discovered to contain a NULL pointer dereference via the function XIQueryDevice().

[VulnerabilityType Other]
null pointer deference

[Vendor of Product]
gnome

[Affected Product Code Base]
gtk - 824e9833

[Reference]
https://gitlab.gnome.org/GNOME/gtk/-/issues/5962

[CVE Reference]
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2023-45923 to this...

NULL pointer dereference in __glXGetDrawableAttribute() of Mesa

Posted by Meng Ruijie on Jan 26

[Vulnerability description]
freedesktop Mesa v23.0.4 was discovered to contain a NULL pointer dereference via the function
__glXGetDrawableAttribute().

[Vulnerability Type]
Buffer Overflow

[Vendor of Product]
freedesktop

[Affected Product Code Base]
Mesa - 23.0.4

[Reference]
https://gitlab.freedesktop.org/mesa/mesa/-/issues/9857

[CVE Reference]
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name...

NULL pointer dereference in the function handle_viminfo_register() of vim

Posted by Meng Ruijie on Jan 26

[Vulnerability description]
A NULL pointer dereference in the function handle_viminfo_register() of vim v9.0 allows attackers to cause a Denial of
Service (DoS) via crafted file.

[VulnerabilityType Other]
null pointer deference

[Vendor of Product]
vim

[Affected Product Code Base]
vim - 9.0

[Reference]
https://github.com/vim/vim/issues/12652

[CVE Reference]
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the...

Null pointer deference in XGetWMHints() of Xfig

Posted by Meng Ruijie on Jan 26

[Vulnerability description]
Xfig v3.2.8 was discovered to contain a segmentation violation via the function XGetWMHints().

[VulnerabilityType Other]
null pointer deference

[Vendor of Product]
SourceForge

[Affected Product Code Base]
Xfig - 3.2.8

[Reference]
https://sourceforge.net/p/mcj/tickets/155/

[CVE Reference]
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2023-45920 to this
vulnerability.

Buffer Overflow in glXQueryServerString() of mesa

Posted by Meng Ruijie on Jan 26

[Vulnerability description]
freedesktop Mesa v23.0.4 was discovered to contain a segmentation violation via the function glXQueryServerString().

[Vulnerability Type]
Buffer Overflow

[Vendor of Product]
freedesktop

[Affected Product Code Base]
Mesa - 23.0.4

[Reference]
https://gitlab.freedesktop.org/mesa/mesa/-/issues/9858

[CVE Reference]
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2023-45919 to...

NULL pointer dereference in tgetstr() of ncurses

Posted by Meng Ruijie on Jan 26

[Vulnerability description]
ncurses v6.4-20230610 was discovered to contain a NULL pointer dereference via the function tgetstr().

[VulnerabilityType Other]
null pointer deference

[Vendor of Product]
ncurses

[Affected Product Code Base]
ncurses - 6.4-20230610

[Reference]
https://lists.gnu.org/archive/html/bug-ncurses/2023-06/msg00005.html

[CVE Reference]
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name...

Null pointer deference in freedesktop mesa

Posted by Meng Ruijie on Jan 26

[Vulnerability description]
freedesktop Mesa v23.0.4 was discovered to contain a NULL pointer dereference via the function
dri2GetGlxDrawableFromXDrawableId(). This vulnerability is triggered when the X11 server sends a
DRI2_BufferSwapComplete event unexpectedly when the application is using DRI3.

[VulnerabilityType Other]
null pointer deference

[Vendor of Product]
freedesktop

[Affected Product Code Base]
Mesa - 23.0.4

[Reference]...

Yet another fork()/malloc() bomb in javascript + SIGILL in Chrome

Posted by Georgi Guninski on Jan 26

Searching the web for `javascript fork malloc bomb` returns results,
e.g. [here][1]: and [here][2]:

We got a javascript fork malloc bomb which crashed Chrome 121 on linux
with SIGILL and about one in five runs the virtual machine freezes.
SIGILL almost always is a sign of memory corruption :)
On android it crashes the current tab without explanation.
Firefox 121 on linux also crashes the current tab.

In all cases except the sporadic freezes,...

TrojanSpy Win32 Nivdort / Insecure Permissions - EoP (SYSTEM)

Posted by malvuln on Jan 26

Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024
Original source:
https://malvuln.com/advisory/15bda00b57e2ed729a45f7cfa62165da.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln

Threat: TrojanSpy Win32 Nivdort
Vulnerability: Insecure Permissions - EoP (SYSTEM)
Family: Nivdort
Type: PE32
MD5: 15bda00b57e2ed729a45f7cfa62165da
Vuln ID: MVID-2024-0668
Dropped files: dqrpgvnkh, egjrdhynfm, nhefhloix, rvoyf6ljtqg4zejno.exe...

APPLE-SA-01-22-2024-9 tvOS 17.3

Posted by Apple Product Security via Fulldisclosure on Jan 26

APPLE-SA-01-22-2024-9 tvOS 17.3

tvOS 17.3 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/kb/HT214055.

Apple maintains a Security Updates page at
https://support.apple.com/HT201222 which lists recent
software updates with security advisories.

Apple Neural Engine
Available for: Apple TV HD and Apple TV 4K (all models)
Impact: An app may be able to execute arbitrary code with...

APPLE-SA-01-22-2024-8 watchOS 10.3

Posted by Apple Product Security via Fulldisclosure on Jan 26

APPLE-SA-01-22-2024-8 watchOS 10.3

watchOS 10.3 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/kb/HT214060.

Apple maintains a Security Updates page at
https://support.apple.com/HT201222 which lists recent
software updates with security advisories.

Apple Neural Engine
Available for devices with Apple Neural Engine: Apple Watch Series 9 and
Apple Watch Ultra 2
Impact: An app...

APPLE-SA-01-22-2024-7 macOS Monterey 12.7.3

Posted by Apple Product Security via Fulldisclosure on Jan 26

APPLE-SA-01-22-2024-7 macOS Monterey 12.7.3

macOS Monterey 12.7.3 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/kb/HT214057.

Apple maintains a Security Updates page at
https://support.apple.com/HT201222 which lists recent
software updates with security advisories.

Accessibility
Available for: macOS Monterey
Impact: An app may be able to access sensitive user data...

APPLE-SA-01-22-2024-6 macOS Ventura 13.6.4

Posted by Apple Product Security via Fulldisclosure on Jan 26

APPLE-SA-01-22-2024-6 macOS Ventura 13.6.4

macOS Ventura 13.6.4 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/kb/HT214058.

Apple maintains a Security Updates page at
https://support.apple.com/HT201222 which lists recent
software updates with security advisories.

Apple Neural Engine
Available for: macOS Ventura
Impact: An app may be able to execute arbitrary code with...

APPLE-SA-01-22-2024-5 macOS Sonoma 14.3

Posted by Apple Product Security via Fulldisclosure on Jan 26

APPLE-SA-01-22-2024-5 macOS Sonoma 14.3

macOS Sonoma 14.3 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/kb/HT214061.

Apple maintains a Security Updates page at
https://support.apple.com/HT201222 which lists recent
software updates with security advisories.

Apple Neural Engine
Available for: macOS Sonoma
Impact: An app may be able to execute arbitrary code with kernel...

APPLE-SA-01-22-2024-4 iOS 15.8.1 and iPadOS 15.8.1

Posted by Apple Product Security via Fulldisclosure on Jan 26

APPLE-SA-01-22-2024-4 iOS 15.8.1 and iPadOS 15.8.1

iOS 15.8.1 and iPadOS 15.8.1 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/kb/HT214062.

Apple maintains a Security Updates page at
https://support.apple.com/HT201222 which lists recent
software updates with security advisories.

WebKit
Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE
(1st generation),...

APPLE-SA-01-22-2024-3 iOS 16.7.5 and iPadOS 16.7.5

Posted by Apple Product Security via Fulldisclosure on Jan 26

APPLE-SA-01-22-2024-3 iOS 16.7.5 and iPadOS 16.7.5

iOS 16.7.5 and iPadOS 16.7.5 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/kb/HT214063.

Apple maintains a Security Updates page at
https://support.apple.com/HT201222 which lists recent
software updates with security advisories.

Accessibility
Available for: iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation,
iPad Pro...

APPLE-SA-01-22-2024-2 iOS 17.3 and iPadOS 17.3

Posted by Apple Product Security via Fulldisclosure on Jan 26

APPLE-SA-01-22-2024-2 iOS 17.3 and iPadOS 17.3

iOS 17.3 and iPadOS 17.3 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/kb/HT214059.

Apple maintains a Security Updates page at
https://support.apple.com/HT201222 which lists recent
software updates with security advisories.

Apple Neural Engine
Available for devices with Apple Neural Engine: iPhone XS and later,
iPad Pro...

APPLE-SA-01-22-2024-1 Safari 17.3

Posted by Apple Product Security via Fulldisclosure on Jan 26

APPLE-SA-01-22-2024-1 Safari 17.3

Safari 17.3 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/kb/HT214056.

Apple maintains a Security Updates page at
https://support.apple.com/HT201222 which lists recent
software updates with security advisories.

Safari
Available for: macOS Monterey and macOS Ventura
Impact: A user's private browsing activity may be visible in Settings...

[Full Disclosure] CVE-2024-22903: Unpatched Command Injection in Vinchin Backup & Recovery Versions 7.2 and Earlier

Posted by Valentin Lobstein via Fulldisclosure on Jan 26

CVE ID: CVE-2024-22903

Title: Command Injection Vulnerability in SystemHandler.class.php of Vinchin Backup & Recovery Versions 7.2 and Earlier

Description:
A significant security vulnerability, CVE-2024-22903, has been identified in the `deleteUpdateAPK` function within the
`SystemHandler.class.php` file of Vinchin Backup & Recovery software, affecting versions 7.2 and earlier. This
function, designed to delete APK files, is prone to...

[Full Disclosure] CVE-2024-22902: Default Root Credentials in Vinchin Backup & Recovery v7.2 and Earlier

Posted by Valentin Lobstein via Fulldisclosure on Jan 26

CVE ID: CVE-2024-22902

Title: Default Root Credentials Vulnerability in Vinchin Backup & Recovery v7.2

Suggested Description:
Vinchin Backup & Recovery version 7.2 has been identified as being configured with default root credentials, posing a
significant security vulnerability.

Additional Information:
There is no documentation or guidance from Vinchin on changing the root password for this version. The use of password
authentication...

[Full Disclosure] CVE-2024-22901: Default MYSQL Credentials in Vinchin Backup & Recovery v7.2 and Earlier

Posted by Valentin Lobstein via Fulldisclosure on Jan 26

CVE ID: CVE-2024-22901

Title: Default MYSQL Credentials Vulnerability in Vinchin Backup & Recovery v7.2

Description:
A critical security issue, identified as CVE-2024-22901, has been discovered in Vinchin Backup & Recovery version 7.2.
The software has been found to use default MYSQL credentials, which could lead to significant security risks.

Additional Information:
Vinchin has not addressed previous disclosures, including...

Re: ODR violation in Redis Raft

Posted by Jeffrey Walton on Jan 18

I fail to see how a One Definition Rule (ODR) violation results in a
Remote Code Execution.

Can you share your PoC, please?

Jeff

Minor firefox DoS - semi silently polluting ~/Downloads with files (part 2)

Posted by Georgi Guninski on Jan 18

Minor firefox DoS - semi silently polluting ~/Downloads with files (part 2)

Tested on: firefox 121 and chrome 120 on GNU/linux

Date: Thu Jan 18 08:38:28 AM UTC 2024

This is barely a DoS, but since it might affect Chrome too we decided
to disclose it.

If a firefox user visits a specially crafted page, then firefox
may create many files in `~/Downloads`.
The user is notified about this in a small dialog, but there is
no option to stop the...

Legends of IdleOn - I Reject Your RNG And Substitute My Own

Posted by Soatok Dreamseeker on Jan 17

Hello Full Disclosure mailing list!

Legends of IdleOn is a popular free-to-play game on Android, iOS, Steam,
and Web. While playing around with it last year, I got curious and noticed
a trivial way to manipulate the random number generator.

After six months of radio silence from the developer, including asking the
Discord moderators for help getting the developer's attention, I've decided
to publish this publicly:...

Buffer over-read in dtls_sha256_update of TinyDTLS

Posted by Meng Ruijie on Jan 17

[Suggested description]
An issue was discovered in Contiki-NG tinyDTLS through 2018-08-30. A buffer over-read exists in the dtls_sha256_update
function. This bug allows remote attackers to cause a denial of service (crash) and possibly read sensitive information
by sending a malformed packet with an over-large fragment length field, due to servers incorrectly handling malformed
packets.

[Vulnerability Type]
Buffer Overflow

[Vendor of...

Misues same epoch number within TCP lifetime in TinyDTLS

Posted by Meng Ruijie on Jan 17

[Suggested description]
An issue was discovered in Contiki-NG tinyDTLS through 2018-08-30. DTLS servers allow remote attackers to reuse the
same epoch number within two times the TCP maximum segment lifetime, which is prohibited in RFC6347. This vulnerability
allows remote attackers to obtain sensitive application (data of connected clients).

[VulnerabilityType Other]
Improper Handling of exception conditions

[Vendor of Product]...

Assertion failure in check_certificate_request() of TinyDTLS

Posted by Meng Ruijie on Jan 17

[Suggested description]
An issue was discovered in Contiki-NG tinyDTLS through 2018-08-30. An assertion failure in check_certificate_request()
causes the server to exit unexpectedly (a denial of service).

[VulnerabilityType Other]
Improper Handling of exception conditions

[Vendor of Product]
https://github.com/contiki-ng/tinydtls

[Affected Product Code Base]
contiki-ng tinydtls - master branch 53a0d97

[Affected Component]
the service of dtls...

Buffer over-read in TinyDTLS

Posted by Meng Ruijie on Jan 17

[Suggested description]
An issue was discovered in Contiki-NG tinyDTLS through 2018-08-30. Incorrect handling of over-large packets in
dtls_ccm_decrypt_message() causes a buffer over-read that can expose sensitive information.

[Vulnerability Type]
Buffer Overflow

[Vendor of Product]
https://github.com/contiki-ng/tinydtls

[Affected Product Code Base]
contiki-ng tinydtls - master branch 53a0d97

[Affected Component]
the service of dtls servers...

Infinite loop leading to buffer overflow in TinyDTLS

Posted by Meng Ruijie on Jan 17

[Suggested description]
An issue was discovered in Contiki-NG tinyDTLS through 2018-08-30. An infinite loop bug exists during the handling of a
ClientHello handshake message. This bug allows remote attackers to cause a denial of service by sending a malformed
ClientHello handshake message with an odd length of cipher suites, which triggers an infinite loop (consuming all
resources) and a buffer over-read that can disclose sensitive...

Mishandle epoch number in TinyDTLS servers

Posted by Meng Ruijie on Jan 17

About CVE-2021-42142:

[Suggested description]
An issue was discovered in Contiki-NG tinyDTLS through 2018-08-30. DTLS servers mishandle the early use of a large
epoch number. This vulnerability allows remote attackers to cause a denial of service and false-positive packet drops.

[VulnerabilityType Other]
Improper Handling of exception conditions

[Vendor of Product]
https://github.com/contiki-ng/tinydtls

[Affected Product Code Base]...
โŒ