oss-sec mailing list archives

Information on file, sqlite, libarchive, pcre issues for CVE IDs assigned by Apple?


From: Moritz Muehlenhoff <jmm () debian org>
Date: Wed, 28 Feb 2018 21:24:10 +0100

Hi,
Apple has assigned a few CVE IDs for open source components not engineered at Apple:

https://support.apple.com/en-us/HT208144 refers to

file
  Available for: OS X Mountain Lion 10.8 and later
  Impact: Multiple issues in file
  Description: Multiple issues were addressed by updating to version 5.30.
  CVE-2017-7121: found by OSS-Fuzz
  CVE-2017-7122: found by OSS-Fuzz
  CVE-2017-7123: found by OSS-Fuzz
  CVE-2017-7124: found by OSS-Fuzz
  CVE-2017-7125: found by OSS-Fuzz
  CVE-2017-7126: found by OSS-Fuzz

SQLite
  Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
  Impact: Multiple issues in SQLite
  Description: Multiple issues were addressed by updating to version 3.19.3.
  CVE-2017-10989: found by OSS-Fuzz
  CVE-2017-7128: found by OSS-Fuzz
  CVE-2017-7129: found by OSS-Fuzz
  CVE-2017-7130: found by OSS-Fuzz

SQLite
  Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
  Impact: An application may be able to execute arbitrary code with system privileges
  Description: A memory corruption issue was addressed with improved memory handling.
  CVE-2017-7127: an anonymous researcher

https://support.apple.com/en-us/HT208221 refers to:

libarchive
  Available for: macOS Sierra 10.12.6, OS X El Capitan 10.11.6
  Impact: Unpacking a maliciously crafted archive may lead to arbitrary code execution
  Description: Multiple memory corruption issues existed in libarchive. These issues were addressed through improved input validation.
  CVE-2017-13812: found by OSS-Fuzz

libarchive
  Available for: macOS Sierra 10.12.6, OS X El Capitan 10.11.6
  Impact: Unpacking a maliciously crafted archive may lead to arbitrary code execution
  Description: A buffer overflow issue was addressed through improved memory handling.
  CVE-2017-13813: found by OSS-Fuzz
  CVE-2017-13816: found by OSS-Fuzz

file
  Available for: macOS Sierra 10.12.6, OS X El Capitan 10.11.6
  Impact: Multiple issues in file
  Description: Multiple issues were addressed by updating to version 5.31.
  CVE-2017-13815

PCRE
  Available for: macOS Sierra 10.12.6, OS X El Capitan 10.11.6
  Impact: Multiple issues in pcre
  Description: Multiple issues were addressed by updating to version 8.40.
  CVE-2017-13846

Of the IDs mentioned above, only CVE-2017-10989 refers to specific, identifiable information.
Does anyone on the list have additional information on any of these bugs that would allow mapping them
to upstream bug reports/patches?

Why does the Apple CNA have a mandate to assign CVE IDs to generic FLOSS components not
written by Apple to begin with? Especially if they're not participating in standard open source
security information sharing practices.

Cheers,
        Moritz

