This issue was addressed with improved state management. This issue is fixed in iOS 16.6 and iPadOS 16.6, macOS Big Sur 11.7.9, macOS Monterey 12.6.8, tvOS 16.6, watchOS 9.6, macOS Ventura 13.5, iOS 15.7.8 and iPadOS 15.7.8. An app may be able to modify sensitive kernel state. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.1.

Released July 24, 2023

**Apple Neural Engine**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

 CVE-2023-38136: Mohamed GHANNAM (@\_simo36)

 CVE-2023-38580: Mohamed GHANNAM (@\_simo36)

**Find My**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to read sensitive location information

Description: A logic issue was addressed with improved restrictions.

CVE-2023-32416: Wojciech Regula of SecuRing (wojciechregula.blog)

**Kernel**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2023-32734: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte. Ltd.

CVE-2023-32441: Peter Nguyễn Vũ Hoàng (@peternguyen14) of STAR Labs SG Pte. Ltd.

**Kernel**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A use-after-free issue was addressed with improved memory management.

CVE-2023-32381: an anonymous researcher

CVE-2023-32433: Zweig of Kunlun Lab

CVE-2023-35993: Kaitao Xie and Xiaolong Bai of Alibaba Group

**Kernel**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to modify sensitive kernel state. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.1.

Description: This issue was addressed with improved state management.

CVE-2023-38606: Valentin Pashkov, Mikhail Vinogradov, Georgy Kucherin (@kucher1n), Leonid Bezvershenko (@bzvr\_), and Boris Larin (@oct0xor) of Kaspersky

**libxpc**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to gain root privileges

Description: A path handling issue was addressed with improved validation.

CVE-2023-38565: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab (xlab.tencent.com)

**libxpc**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to cause a denial-of-service

Description: A logic issue was addressed with improved checks.

CVE-2023-38593: Noah Roskin-Frazee

**WebKit**

Available for: Apple Watch Series 4 and later

Impact: A website may be able to bypass Same Origin Policy

Description: The issue was addressed with improved checks.

WebKit Bugzilla: 256549  
CVE-2023-38572: Narendra Bhati (twitter.com/imnarendrabhati) of Suma Soft Pvt. Ltd, Pune - India

**WebKit**

Available for: Apple Watch Series 4 and later

Impact: Processing web content may lead to arbitrary code execution

Description: The issue was addressed with improved checks.

WebKit Bugzilla: 256865  
CVE-2023-38594: Yuhao Hu

WebKit Bugzilla: 256573  
CVE-2023-38595: an anonymous researcher, Jiming Wang, Jikai Ren

WebKit Bugzilla: 257387  
CVE-2023-38600: Anonymous working with Trend Micro Zero Day Initiative

**WebKit**

Available for: Apple Watch Series 4 and later

Impact: Processing web content may lead to arbitrary code execution

Description: The issue was addressed with improved memory handling.

WebKit Bugzilla: 258058  
CVE-2023-38611: Francisco Alonso (@revskills)

**WebKit**

Available for: Apple Watch Series 4 and later

Impact: Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

Description: The issue was addressed with improved checks.

WebKit Bugzilla: 259231  
CVE-2023-37450: an anonymous researcher

**WebKit Web Inspector**

Available for: Apple Watch Series 4 and later

Impact: Processing web content may disclose sensitive information

Description: The issue was addressed with improved checks.

WebKit Bugzilla: 256932  
CVE-2023-38133: YeongHyeon Choi (@hyeon101010)

CVE-2023-38606: About the security content of watchOS 9.6

The issue was addressed with improved checks. This issue is fixed in iOS 16.6 and iPadOS 16.6, macOS Ventura 13.5. A user may be able to elevate privileges.

Released July 24 2023

**Apple Neural Engine**

Available for: macOS Ventura

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2023-38580: Mohamed GHANNAM (@\_simo36)

**AppleMobileFileIntegrity**

Available for: macOS Ventura

Impact: An app may be able to determine a user’s current location

Description: A downgrade issue affecting Intel-based Mac computers was addressed with additional code-signing restrictions.

CVE-2023-36862: Mickey Jin (@patch1t)

**AppSandbox**

Available for: macOS Ventura

Impact: A sandboxed process may be able to circumvent sandbox restrictions

Description: A logic issue was addressed with improved restrictions.

CVE-2023-32364: Gergely Kalman (@gergely\_kalman)

**Assets**

Available for: macOS Ventura

Impact: An app may be able to modify protected parts of the file system

Description: This issue was addressed with improved data protection.

CVE-2023-35983: Mickey Jin (@patch1t)

**curl**

Available for: macOS Ventura

Impact: Multiple issues in curl

Description: Multiple issues were addressed by updating curl.

CVE-2023-28319

CVE-2023-28320

CVE-2023-28321

CVE-2023-28322

**Find My**

Available for: macOS Ventura

Impact: An app may be able to read sensitive location information

Description: A logic issue was addressed with improved restrictions.

CVE-2023-32416: Wojciech Regula of SecuRing (wojciechregula.blog)

**Grapher**

Available for: macOS Ventura

Impact: Processing a file may lead to unexpected app termination or arbitrary code execution

Description: The issue was addressed with improved checks.

CVE-2023-32418: Bool of YunShangHuaAn(云上华安)

CVE-2023-36854: Bool of YunShangHuaAn(云上华安)

**Kernel**

Available for: macOS Ventura

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2023-32734: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte. Ltd.

CVE-2023-32441: Peter Nguyễn Vũ Hoàng (@peternguyen14) of STAR Labs SG Pte. Ltd.

CVE-2023-38261: an anonymous researcher

CVE-2023-38424: Certik Skyfall Team

CVE-2023-38425: Certik Skyfall Team

**Kernel**

Available for: macOS Ventura

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A use-after-free issue was addressed with improved memory management.

CVE-2023-32381: an anonymous researcher

CVE-2023-32433: Zweig of Kunlun Lab

CVE-2023-35993: Kaitao Xie and Xiaolong Bai of Alibaba Group

**Kernel**

Available for: macOS Ventura

Impact: A user may be able to elevate privileges

Description: The issue was addressed with improved checks.

CVE-2023-38410: an anonymous researcher

**Kernel**

Available for: macOS Ventura

Impact: An app may be able to modify sensitive kernel state. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.1.

Description: This issue was addressed with improved state management.

CVE-2023-38606: Valentin Pashkov, Mikhail Vinogradov, Georgy Kucherin (@kucher1n), Leonid Bezvershenko (@bzvr\_), and Boris Larin (@oct0xor) of Kaspersky

**Kernel**

Available for: macOS Ventura

Impact: A remote user may be able to cause a denial-of-service

Description: The issue was addressed with improved checks.

CVE-2023-38603: Zweig of Kunlun Lab

**libxpc**

Available for: macOS Ventura

Impact: An app may be able to gain root privileges

Description: A path handling issue was addressed with improved validation.

CVE-2023-38565: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab (xlab.tencent.com)

**libxpc**

Available for: macOS Ventura

Impact: An app may be able to cause a denial-of-service

Description: A logic issue was addressed with improved checks.

CVE-2023-38593: Noah Roskin-Frazee

**Model I/O**

Available for: macOS Ventura

Impact: Processing a 3D model may result in disclosure of process memory

Description: The issue was addressed with improved checks.

CVE-2023-38258: Mickey Jin (@patch1t)

CVE-2023-38421: Mickey Jin (@patch1t)

**OpenLDAP**

Available for: macOS Ventura

Impact: A remote user may be able to cause a denial-of-service

Description: The issue was addressed with improved memory handling.

CVE-2023-2953: Sandipan Roy

**PackageKit**

Available for: macOS Ventura

Impact: An app may be able to access user-sensitive data

Description: A logic issue was addressed with improved restrictions.

CVE-2023-38259: Mickey Jin (@patch1t)

**PackageKit**

Available for: macOS Ventura

Impact: An app may be able to modify protected parts of the file system

Description: The issue was addressed with improved checks.

CVE-2023-38564: Mickey Jin (@patch1t)

**PackageKit**

Available for: macOS Ventura

Impact: An app may be able to modify protected parts of the file system

Description: A permissions issue was addressed with additional restrictions.

CVE-2023-38602: Arsenii Kostromin (0x3c3e)

**Shortcuts**

Available for: macOS Ventura

Impact: A shortcut may be able to modify sensitive Shortcuts app settings

Description: An access issue was addressed with improved access restrictions.

CVE-2023-32442: an anonymous researcher

**sips**

Available for: macOS Ventura

Impact: Processing a file may lead to a denial-of-service or potentially disclose memory contents

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2023-32443: David Hoyt of Hoyt LLC

**SystemMigration**

Available for: macOS Ventura

Impact: An app may be able to bypass Privacy preferences

Description: The issue was addressed with improved checks.

CVE-2023-32429: Wenchao Li and Xiaolong Bai of Hangzhou Orange Shield Information Technology Co., Ltd.

**Voice Memos**

Available for: macOS Ventura

Impact: An app may be able to access user-sensitive data

Description: The issue was addressed with additional permissions checks.

CVE-2023-38608: Yiğit Can YILMAZ (@yilmazcanyigit), Kirin (@Pwnrin), and Yishu Wang

**WebKit**

Available for: macOS Ventura

Impact: A website may be able to bypass Same Origin Policy

Description: The issue was addressed with improved checks.

WebKit Bugzilla: 256549  
CVE-2023-38572: Narendra Bhati (twitter.com/imnarendrabhati) of Suma Soft Pvt. Ltd, Pune - India

**WebKit**

Available for: macOS Ventura

Impact: Processing web content may lead to arbitrary code execution

Description: The issue was addressed with improved checks.

WebKit Bugzilla: 256865  
CVE-2023-38594: Yuhao Hu

WebKit Bugzilla: 256573  
CVE-2023-38595: an anonymous researcher, Jiming Wang, Jikai Ren

WebKit Bugzilla: 257387  
CVE-2023-38600: Anonymous working with Trend Micro Zero Day Initiative

**WebKit**

Available for: macOS Ventura

Impact: Processing web content may lead to arbitrary code execution

Description: The issue was addressed with improved memory handling.

WebKit Bugzilla: 258058  
CVE-2023-38611: Francisco Alonso (@revskills)

**WebKit**

Available for: macOS Ventura

Impact: Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

Description: The issue was addressed with improved checks.

WebKit Bugzilla: 259231  
CVE-2023-37450: an anonymous researcher

_This issue was first addressed in Rapid Security Response macOS Ventura 13.4.1 (c)._

**WebKit Process Model**

Available for: macOS Ventura

Impact: Processing web content may lead to arbitrary code execution

Description: The issue was addressed with improved checks.

WebKit Bugzilla: 258100  
CVE-2023-38597: 이준성(Junsung Lee) of Cross Republic

**WebKit Web Inspector**

Available for: macOS Ventura

Impact: Processing web content may disclose sensitive information

Description: The issue was addressed with improved checks.

WebKit Bugzilla: 256932  
CVE-2023-38133: YeongHyeon Choi (@hyeon101010)

CVE-2023-38410: About the security content of macOS Ventura 13.5

The issue was addressed with improved checks. This issue is fixed in macOS Monterey 12.6.8, macOS Ventura 13.5, macOS Big Sur 11.7.9. Processing a file may lead to unexpected app termination or arbitrary code execution.

Released July 24, 2023

**Assets**

Available for: macOS Big Sur

Impact: An app may be able to modify protected parts of the file system

Description: This issue was addressed with improved data protection.

CVE-2023-35983: Mickey Jin (@patch1t)

**curl**

Available for: macOS Big Sur

Impact: Multiple issues in curl

Description: Multiple issues were addressed by updating curl.

CVE-2023-28319

CVE-2023-28320

CVE-2023-28321

CVE-2023-28322

**Grapher**

Available for: macOS Big Sur

Impact: Processing a file may lead to unexpected app termination or arbitrary code execution

Description: The issue was addressed with improved checks.

CVE-2023-36854: Bool of YunShangHuaAn(云上华安)

CVE-2023-32418: Bool of YunShangHuaAn(云上华安)

**Kernel**

Available for: macOS Big Sur

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A use-after-free issue was addressed with improved memory management.

CVE-2023-32381: an anonymous researcher

CVE-2023-32433: Zweig of Kunlun Lab

CVE-2023-35993: Kaitao Xie and Xiaolong Bai of Alibaba Group

**Kernel**

Available for: macOS Big Sur

Impact: An app may be able to modify sensitive kernel state. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.1.

Description: This issue was addressed with improved state management.

CVE-2023-38606: Valentin Pashkov, Mikhail Vinogradov, Georgy Kucherin (@kucher1n), Leonid Bezvershenko (@bzvr\_), and Boris Larin (@oct0xor) of Kaspersky

**Kernel**

Available for: macOS Big Sur

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2023-32441: Peter Nguyễn Vũ Hoàng (@peternguyen14) of STAR Labs SG Pte. Ltd.

**libxpc**

Available for: macOS Big Sur

Impact: An app may be able to gain root privileges

Description: A path handling issue was addressed with improved validation.

CVE-2023-38565: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab (xlab.tencent.com)

**libxpc**

Available for: macOS Big Sur

Impact: An app may be able to cause a denial-of-service

Description: A logic issue was addressed with improved checks.

CVE-2023-38593: Noah Roskin-Frazee

**OpenLDAP**

Available for: macOS Big Sur

Impact: A remote user may be able to cause a denial-of-service

Description: The issue was addressed with improved memory handling.

CVE-2023-2953: Sandipan Roy

**PackageKit**

Available for: macOS Big Sur

Impact: An app may be able to access user-sensitive data

Description: A logic issue was addressed with improved restrictions.

CVE-2023-38259: Mickey Jin (@patch1t)

**PackageKit**

Available for: macOS Big Sur

Impact: An app may be able to modify protected parts of the file system

Description: A permissions issue was addressed with additional restrictions.

CVE-2023-38602: Arsenii Kostromin (0x3c3e)

**sips**

Available for: macOS Big Sur

Impact: Processing a file may lead to a denial-of-service or potentially disclose memory contents

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2023-32443: David Hoyt of Hoyt LLC

CVE-2023-36854: About the security content of macOS Big Sur 11.7.9

Trustwave ModSecurity 3.x before 3.0.10 has Inefficient Algorithmic Complexity.

ModSecurity is an open-source Web Application Firewall (WAF) engine maintained by Trustwave. This blog post discusses an issue with four transformation actions that could enable a Denial of Service (DoS) attack by a malicious actor. The issue has been addressed with fixes in v3.0.10. ModSecurity v2 is not affected. 

**Vulnerability Details**

Included in ModSecurity functionality are dozens of transformation actions which support altering the representation of values so that further processing can be done on the modified values. This may be either more convenient to work with, or less prone to rule evasion.

The ModSecurity team was recently alerted to a possible DoS issue in four of these transformations in ModSecurity v3. Thanks to the reporter for the investigation and for responsibly disclosing the issue. The affected transformations are: removeWhitespace, removeNull, replaceNull, and removeCommentsChar.

The affected transformations were functionally correct. However, the implemented solutions would be inefficient if a malicious user were to submit a specially crafted HTTP request that triggered worst-case performance.

The most dramatic delays can typically be prevented through common configuration items such as SecRequestBodyNoFilesLimit with the default value of 131072 suggested in modsecurity.conf-recommended. However, even with this limit in place, a dozen or more executions of these transformations could result in multiple seconds of delay for a single HTTP transaction. If a large enough number of such malicious requests are running simultaneously, this could render the webserver unable to respond to legitimate requests in a timely manner.

**Mitigation**

For installations where immediate upgrade to the new version of the software is impractical, some mitigation possibilities are available.

The nature of the issue results in large values causing a much greater effect on resources than numerous smaller values. A separate ModSecurity rule could be included to limit the size of each value to be processed, but still allow legitimate content to be processed unimpeded. For example, if there are many rules with the affected transformations executing against the ARGS collection, a rule such as the following could be included before other phase 2 rules:

SecRule ARGS "@gt 16000" "id:1,phase:2,t:length,deny,status:403,msg:’ARG exceeds length limit'"

Optionally, combined with further reducing the configured value for SecRequestBodyNoFilesLimit, potential delays precipitated by worst-case input can be significantly reduced.

CVE-2023-38285: ModSecurity v3: DoS Vulnerability in Four Transformations (CVE-2023-38285)

Yasm v1.3.0.78 was found prone to NULL Pointer Dereference in /libyasm/intnum.c and /elf/elf.c, which allows the attacker to cause a denial of service via a crafted file.

\[CVE ID\]

CVE-2023-37732

\[PRODUCT\]

yasm - 1.3.0.78.g4dc8

\[VERSION\]

yasm - 1.3.0.78.g4dc8

\[PROBLEM TYPE\]

Denial Of Service

\[DESCRIPTION\]

Yasm v1.3.0.78 was found prone to NULL Pointer Dereference in /libyasm/intnum.c and /elf/elf.c, which allows the attacker to cause a

denial of service via a crafted file.

CVE-2023-37732: CVE-2023-37732

A buffer overflow in SumatraPDF Reader v3.4.6 allows attackers to cause a Denial of Service (DoS) via a crafted text file.

**CVE-2023-33802****SumatraPDF 3.4.6 -32-bit Denial Of Services (DoS)******Description****

*   In this bug, a crash is addressed which is manifested when we open two large size text files (first.txt & second.txt) as input to SumatraPDF 32 bit.
*   Run the following command, or you can manually open the both files in SumatraPDF 32 bit(3.4.6).

SumatraPDF.exe first.txt second.txt

****Crash Report for 32-bit version 3.4.6 application with WinDBG****

The following crash has been encountered.

Microsoft (R) Windows Debugger Version 10.0.22000.194 X86
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File \[C:\\Users\\Administrator\\Downloads\\sumatrapdf-3.4.6rel\\sumatrapdf-3.4.6rel\\out\\dbg32\\crashinfo\\sumatrapdfcrash.dmp\]
User Mini Dump File: Only registers, stack and portions of memory are available

Symbol search path is: srv\*
Executable search path is: 
Windows 10 Version 19044 MP (12 procs) Free x86 compatible
Product: WinNt, suite: SingleUserTS
Edition build lab: 19041.1.amd64fre.vb\_release.191206-1406
Machine Name:
Debug session time: Tue Sep 27 14:18:04.000 2022 (UTC + 5:30)
System Uptime: not available
Process Uptime: 0 days 0:04:07.000
..............
This dump file has an exception of interest stored in it.
The stored exception information can be accessed via .ecxr.
(22a4.a40): Access violation - code c0000005 (first/second chance not available)
For analysis of this file, run !analyze -v
eax=c0000034 ebx=020fe29c ecx=00000000 edx=00000000 esi=00000000 edi=0000029c
eip=772629fc esp=020fe0f0 ebp=020fe160 iopl=0         nv up ei pl nz ac pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200216
ntdll!NtWaitForSingleObject+0xc:
772629fc c20c00          ret     0Ch
0:000> !analyze -v
\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*
\*                                                                             \*
\*                        Exception Analysis                                   \*
\*                                                                             \*
\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

\*\*\* WARNING: Unable to verify checksum for SumatraPDF.exe

KEY\_VALUES\_STRING: 1

    Key  : AV.Dereference
    Value: NullPtr

    Key  : AV.Fault
    Value: Write

    Key  : Analysis.CPU.mSec
    Value: 2827

    Key  : Analysis.DebugAnalysisManager
    Value: Create

    Key  : Analysis.Elapsed.mSec
    Value: 3238

    Key  : Analysis.Init.CPU.mSec
    Value: 640

    Key  : Analysis.Init.Elapsed.mSec
    Value: 12340

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 118

    Key  : Timeline.Process.Start.DeltaSec
    Value: 247

    Key  : WER.OS.Branch
    Value: vb\_release

    Key  : WER.OS.Timestamp
    Value: 2019-12-06T14:06:00Z

    Key  : WER.OS.Version
    Value: 10.0.19041.1

    Key  : WER.Process.Version
    Value: 3.4.6.0


CONTEXT:  (.ecxr)
eax=00000000 ebx=01e76000 ecx=00000000 edx=00000000 esi=007914b5 edi=007914b5
eip=77257a6e esp=020ffbc8 ebp=020ffbd0 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210206
ntdll!\_RtlUserThreadStart+0x1b:
77257a6e cc              int     3
Resetting default scope

EXCEPTION\_RECORD:  (.exr -1)
ExceptionAddress: 0089b083 (SumatraPDF!CrashMe+0x00000013)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter\[0\]: 00000001
   Parameter\[1\]: 00000000
Attempt to write to address 00000000

PROCESS\_NAME:  SumatraPDF.exe

WRITE\_ADDRESS:  00000000 

ERROR\_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION\_CODE\_STR:  c0000005

EXCEPTION\_PARAMETER1:  00000001

EXCEPTION\_PARAMETER2:  00000000

FAULTING\_THREAD:  ffffffff

STACK\_TEXT:  
0089b083 0089b083 SumatraPDF!CrashMe+0x13


FAULTING\_SOURCE\_LINE:  C:\\Users\\Administrator\\Downloads\\sumatrapdf-3.4.6rel\\sumatrapdf-3.4.6rel\\src\\utils\\BaseUtil.h

FAULTING\_SOURCE\_FILE:  C:\\Users\\Administrator\\Downloads\\sumatrapdf-3.4.6rel\\sumatrapdf-3.4.6rel\\src\\utils\\BaseUtil.h

FAULTING\_SOURCE\_LINE\_NUMBER:  200

FAULTING\_SOURCE\_CODE:  
   196: // but it seemed to confuse callstack walking
   197: inline void CrashMe() {
   198:     char\* p = nullptr;
   199:     // cppcheck-suppress nullPointer
>  200:     \*p = 0; // NOLINT
   201: }
   202: #if COMPILER\_MSVC
   203: #pragma warning(pop)
   204: #endif
   205: 


SYMBOL\_NAME:  SumatraPDF!CrashMe+13

MODULE\_NAME: SumatraPDF

IMAGE\_NAME:  SumatraPDF.exe

STACK\_COMMAND:  .ecxr ; kb ; \*\* Pseudo Context \*\* Pseudo \*\* Value: d \*\* ; kb

FAILURE\_BUCKET\_ID:  NULL\_POINTER\_WRITE\_CONTEXT\_MISMATCH\_c0000005\_SumatraPDF.exe!CrashMe

OS\_VERSION:  10.0.19041.1

BUILDLAB\_STR:  vb\_release

OSPLATFORM\_TYPE:  x86

OSNAME:  Windows 10

IMAGE\_VERSION:  3.4.6.0

FAILURE\_ID\_HASH:  {1595dcef-2e27\-85d9-39da-85ddbd1355a2}

Followup:     MachineOwner
---------

0:000\> !msec.exploitable

!exploitable 1.6.0.0
Warning: Unable to read from the TEB in the current thread.
Warning: Unable to read from the TEB in the current thread.
Exploitability Classification: UNKNOWN
Recommended Bug Title: User Mode Write AV near NULL starting at ntdll!\_RtlUserThreadStart+0x000000000000001b (Hash=0xcc3d4e45.0x55921273)

User mode write access violations that are near NULL are unknown.

*   The issue can be reproduced with and without PageHeap enabled on Windows 11 - 22563.1000 64-bit machine having version SumatraPDF 3.4.6 32-bit.

**Root\_Cause\_Analysis**

*   Below is the function, where it is crashing.

    if (s->buf == s->els) {
        newEls = (char\*)Allocator::Alloc(s->allocator, allocSize);
        if (newEls) {
            memcpy(newEls, s->buf, s->len + 1);
        }
    } else {
        newEls = (char\*)Allocator::Realloc(s->allocator, s->els, allocSize);
    }
    if (!newEls) {
        CrashAlwaysIf(gAllowAllocFailure.load() == 0);
        return nullptr;
    }

*   The CrashAlwaysIf macro is being called in the EnsureCap function as a way to handle a failure to allocate memory. When the Alloc or Realloc function returns a null pointer, indicating that memory allocation has failed, the CrashAlwaysIf macro is called to cause the program to crash intentionally because it internally calls CrashMe function that sets a null pointer to a non-null value, which will cause an access violation when the program tries to dereference the null pointer. This will trigger an exception and cause the program to crash.

****Result****

*   **Denial of Service**

****Affected Versions****

The vulnerability is tested to work on following version:

*   SumatraPDF 3.4.6 32-bit.

****Tested OS versions****

*   Windows 11 - 22563.1000 64 bit
*   Windows 10 - 10.0.19042.1586 64-bit

CVE-2023-33802: GitHub - CDACesec/CVE-2023-33802

A missing origin validation in Slate sandbox could be exploited by a malicious user to modify the page's content, which could lead to phishing attacks.

CVE-2023-30949: Palantir | Trust and Security Portal

Ubuntu Security Notice 6250-1 - Stonejiajia, Shir Tamari and Sagi Tzadik discovered that the OverlayFS implementation in the Ubuntu Linux kernel did not properly perform permission checks in certain situations. A local attacker could possibly use this to gain elevated privileges. It was discovered that the IP-VLAN network driver for the Linux kernel did not properly initialize memory in some situations, leading to an out-of- bounds write vulnerability. An attacker could use this to cause a denial of service or possibly execute arbitrary code.

    ==========================================================================Ubuntu Security Notice USN-6250-1July 25, 2023linux, linux-aws, linux-azure, linux-gcp, linux-ibm, linux-kvm,linux-lowlatency, linux-oracle, linux-raspi vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 23.04Summary:Several security issues were fixed in the Linux kernel.Software Description:- linux: Linux kernel- linux-aws: Linux kernel for Amazon Web Services (AWS) systems- linux-azure: Linux kernel for Microsoft Azure Cloud systems- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems- linux-ibm: Linux kernel for IBM cloud systems- linux-kvm: Linux kernel for cloud environments- linux-lowlatency: Linux low latency kernel- linux-oracle: Linux kernel for Oracle Cloud systems- linux-raspi: Linux kernel for Raspberry Pi systemsDetails:Stonejiajia, Shir Tamari and Sagi Tzadik discovered that the OverlayFSimplementation in the Ubuntu Linux kernel did not properly performpermission checks in certain situations. A local attacker could possiblyuse this to gain elevated privileges. (CVE-2023-2640)It was discovered that the IP-VLAN network driver for the Linux kernel didnot properly initialize memory in some situations, leading to an out-of-bounds write vulnerability. An attacker could use this to cause a denial ofservice (system crash) or possibly execute arbitrary code. (CVE-2023-3090)Mingi Cho discovered that the netfilter subsystem in the Linux kernel didnot properly validate the status of a nft chain while performing a lookupby id, leading to a use-after-free vulnerability. An attacker could usethis to cause a denial of service (system crash) or possibly executearbitrary code. (CVE-2023-31248)Shir Tamari and Sagi Tzadik discovered that the OverlayFS implementation inthe Ubuntu Linux kernel did not properly perform permission checks incertain situations. A local attacker could possibly use this to gainelevated privileges. (CVE-2023-32629)Ruihan Li discovered that the memory management subsystem in the Linuxkernel contained a race condition when accessing VMAs in certainconditions, leading to a use-after-free vulnerability. A local attackercould possibly use this to cause a denial of service (system crash) orexecute arbitrary code. (CVE-2023-3269)Querijn Voet discovered that a race condition existed in the io_uringsubsystem in the Linux kernel, leading to a use-after-free vulnerability. Alocal attacker could use this to cause a denial of service (system crash)or possibly execute arbitrary code. (CVE-2023-3389)It was discovered that the netfilter subsystem in the Linux kernel did notproperly handle some error conditions, leading to a use-after-freevulnerability. A local attacker could use this to cause a denial of service(system crash) or possibly execute arbitrary code. (CVE-2023-3390)Tanguy Dubroca discovered that the netfilter subsystem in the Linux kerneldid not properly handle certain pointer data type, leading to an out-of-bounds write vulnerability. A privileged attacker could use this to cause adenial of service (system crash) or possibly execute arbitrary code.(CVE-2023-35001)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 23.04:   linux-image-6.2.0-1006-ibm      6.2.0-1006.6   linux-image-6.2.0-1008-aws      6.2.0-1008.8   linux-image-6.2.0-1008-azure    6.2.0-1008.8   linux-image-6.2.0-1008-oracle   6.2.0-1008.8   linux-image-6.2.0-1009-kvm      6.2.0-1009.9   linux-image-6.2.0-1009-lowlatency  6.2.0-1009.9   linux-image-6.2.0-1009-lowlatency-64k  6.2.0-1009.9   linux-image-6.2.0-1009-raspi    6.2.0-1009.11   linux-image-6.2.0-1010-gcp      6.2.0-1010.10   linux-image-6.2.0-26-generic    6.2.0-26.26   linux-image-6.2.0-26-generic-64k  6.2.0-26.26   linux-image-6.2.0-26-generic-lpae  6.2.0-26.26   linux-image-aws                 6.2.0.1008.9   linux-image-azure               6.2.0.1008.8   linux-image-gcp                 6.2.0.1010.10   linux-image-generic             6.2.0.26.26   linux-image-generic-64k         6.2.0.26.26   linux-image-generic-lpae        6.2.0.26.26   linux-image-ibm                 6.2.0.1006.6   linux-image-kvm                 6.2.0.1009.9   linux-image-lowlatency          6.2.0.1009.9   linux-image-lowlatency-64k      6.2.0.1009.9   linux-image-oracle              6.2.0.1008.8   linux-image-raspi               6.2.0.1009.12   linux-image-raspi-nolpae        6.2.0.1009.12   linux-image-virtual             6.2.0.26.26After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:   https://ubuntu.com/security/notices/USN-6250-1   CVE-2023-2640, CVE-2023-3090, CVE-2023-31248, CVE-2023-32629,   CVE-2023-3269, CVE-2023-3389, CVE-2023-3390, CVE-2023-35001Package Information:   https://launchpad.net/ubuntu/+source/linux/6.2.0-26.26   https://launchpad.net/ubuntu/+source/linux-aws/6.2.0-1008.8   https://launchpad.net/ubuntu/+source/linux-azure/6.2.0-1008.8   https://launchpad.net/ubuntu/+source/linux-gcp/6.2.0-1010.10   https://launchpad.net/ubuntu/+source/linux-ibm/6.2.0-1006.6   https://launchpad.net/ubuntu/+source/linux-kvm/6.2.0-1009.9   https://launchpad.net/ubuntu/+source/linux-lowlatency/6.2.0-1009.9   https://launchpad.net/ubuntu/+source/linux-oracle/6.2.0-1008.8   https://launchpad.net/ubuntu/+source/linux-raspi/6.2.0-1009.11

Ubuntu Security Notice USN-6250-1

Debian Linux Security Advisory 5458-1 - Several vulnerabilities have been discovered in the OpenJDK Java runtime, which may result in bypass of sandbox restrictions, information disclosure, reduced cryptographic strength of the AES implementation, directory traversal or denial of service.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5458-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffJuly 25, 2023                         https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : openjdk-17CVE ID         : CVE-2023-22006 CVE-2023-22036 CVE-2023-22041 CVE-2023-22044                  CVE-2023-22045 CVE-2023-22049Several vulnerabilities have been discovered in the OpenJDK Java runtime,which may result in bypass of sandbox restrictions, informationdisclosure, reduced cryptographic strength of the AES implementation,directory traversal or denial of service.For the oldstable distribution (bullseye) additional build dependenciesneed to be backported, a fixed package will be provided when these areready as 17.0.8+7-1~deb11u1.For the stable distribution (bookworm), these problems have been fixed inversion 17.0.8+7-1~deb12u1.We recommend that you upgrade your openjdk-17 packages.For the detailed security status of openjdk-17 please refer toits security tracker page at:https://security-tracker.debian.org/tracker/openjdk-17Further information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmTAGOoACgkQEMKTtsN8Tjb8nRAAvq9DlNtduOec61Hw9i0O8plyHPvMGuz7iG9usczk95ENCOfasp/VbIF4pqCSnwVwbSF02vSiodXETzjiK9+qHYHGiXCQ8j0U/Tiav5/wcx9O9h1CIhcuEsMp7pULUjSq52kh3wbTf7/UU8ogiSTxjZ6GY6wrEJJC6GnjKc3SAyc/D1uo85mG2ubkkD/G1w9V0egcCiopo/DejU/zzrTMc0/SiG3xksA8cmCICu0R2hvY6vLASZ42qwO3DYtWEQE4imDsUhhw3fXOs4zxT5mbLVZd2wO8+S7LY3y6uiEXL44inYHugljnG/0kea3NjiUPIm0ffdaq9DMYfoGHvho5tiFTMF5Y9p7Llhl0mZ13B2IS+tyADBuJhTmcp4JaB0Ls95w6ZU9LCMLIN9TBjBOK2r0i25oiNmgxlvg/ZJ3+S3L6oUypAFLYokNxvFCt/04mWsVdYZir32zD7sZ2jqk0ehqF6aMLPBqvLc/ic89oZXg+mcsXdB54wsnAorLo5H5ZN5P6yEJ9tILFlOPanUewZCr8oWmJkTe8ogYEQIkUkryXxD5GF3lAfpxsbmLKNvFe5sWloXJEvCm9CzBkmoJtAsgAyNY5O2gQwEG6gna6t5sKN0cYK5+LXK8fPWSkXLDYqgUSVeJGL+V0aU2wE5qTfovbv8nH30IoEB6kSBofv+k==Fjqe-----END PGP SIGNATURE-----

Debian Security Advisory 5458-1

Apple Security Advisory 2023-07-24-8 - watchOS 9.6 addresses bypass, code execution, and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2023-07-24-8 watchOS 9.6

watchOS 9.6 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT213848.

Apple maintains a Security Updates page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

Apple Neural Engine  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2023-38136: Mohamed GHANNAM (@_simo36)  
CVE-2023-38580: Mohamed GHANNAM (@_simo36)

Find My  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to read sensitive location information  
Description: A logic issue was addressed with improved restrictions.  
CVE-2023-32416: Wojciech Regula of SecuRing (wojciechregula.blog)

Kernel  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2023-32734: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte. Ltd.  
CVE-2023-32441: Peter Nguyễn Vũ Hoàng (@peternguyen14) of STAR Labs SG  
Pte. Ltd.

Kernel  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A use-after-free issue was addressed with improved memory  
management.  
CVE-2023-32381: an anonymous researcher  
CVE-2023-32433: Zweig of Kunlun Lab  
CVE-2023-35993: Kaitao Xie and Xiaolong Bai of Alibaba Group

Kernel  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to modify sensitive kernel state. Apple is  
aware of a report that this issue may have been actively exploited  
against versions of iOS released before iOS 15.7.1.  
Description: This issue was addressed with improved state management.  
CVE-2023-38606: Valentin Pashkov, Mikhail Vinogradov, Georgy Kucherin  
(@kucher1n), Leonid Bezvershenko (@bzvr_), and Boris Larin (@oct0xor) of  
Kaspersky

libxpc  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to gain root privileges  
Description: A path handling issue was addressed with improved  
validation.  
CVE-2023-38565: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab  
(xlab.tencent.com)

libxpc  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to cause a denial-of-service  
Description: A logic issue was addressed with improved checks.  
CVE-2023-38593: Noah Roskin-Frazee

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: A website may be able to bypass Same Origin Policy  
Description: The issue was addressed with improved checks.  
WebKit Bugzilla: 256549  
CVE-2023-38572: Narendra Bhati (twitter.com/imnarendrabhati) of Suma  
Soft Pvt. Ltd, Pune - India

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Processing web content may lead to arbitrary code execution  
Description: The issue was addressed with improved checks.  
WebKit Bugzilla: 256865  
CVE-2023-38594: Yuhao Hu  
WebKit Bugzilla: 256573  
CVE-2023-38595: an anonymous researcher, Jiming Wang, Jikai Ren  
WebKit Bugzilla: 257387  
CVE-2023-38600: Anonymous working with Trend Micro Zero Day Initiative

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Processing web content may lead to arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
WebKit Bugzilla: 258058  
CVE-2023-38611: Francisco Alonso (@revskills)

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Processing web content may lead to arbitrary code execution.  
Apple is aware of a report that this issue may have been actively  
exploited.  
Description: The issue was addressed with improved checks.  
WebKit Bugzilla: 259231  
CVE-2023-37450: an anonymous researcher

WebKit Web Inspector  
Available for: Apple Watch Series 4 and later  
Impact: Processing web content may disclose sensitive information  
Description: The issue was addressed with improved checks.  
WebKit Bugzilla: 256932  
CVE-2023-38133: YeongHyeon Choi (@hyeon101010)

Instructions on how to update your Apple Watch software are available  
at https://support.apple.com/kb/HT204641  To check the version on  
your Apple Watch, open the Apple Watch app on your iPhone and select  
"My Watch > General > About".  Alternatively, on your watch, select  
"My Watch > General > About".  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmS/FLoACgkQ4RjMIDke  
NxmzaQ/8DN0im3Y0iJRoYgBwW5xNTUn6ewcO2BzHGWV/3vTWq6gip2V2cWCJ6lKS  
FTlP2n0+pRsk23WLWRJNzmAETVVB1UfVgzDvx9sc2aw07DpiCLVdoZr3wLxrKK3r  
67j2hTjRc8SDkjKrNCJKvjS0MO1FOje0FoCrtRP9inu32QTHXj7Rg/0iDqH+4tVS  
tbLxaomTMHjd8xL2X6nHCteofCx9nJvRKymlxJi7bCHQtHKyrAR3DnFjpG9Jxk38  
UeOTMwhmQN2r44e9CBj0vxf2WroYE0qiofXJP0x3zTQnS72z7BFfRf9kGnDGKGes  
GmQrh4+nG8tsr3Neo1rongITM7JYxl8uIuNxjNaRGjRpgb6RYk4TOgAhtTPv48NP  
QRbcq9opzVQcBU74/jGripIWxIDDuZaaLav6kxvAAJinCiaTmB9fE2ldDqxjEInS  
4N8F8JsONRrjeydOrhqC/9cDWeGpLUImv74qvLZmyaa2qmsyM6WWxY8mGxZL2oBN  
2xQUEr2BH53YgM0z3VnQhtnLImKA6ONZC6eNSgVcjJVU5Yp3fSRtvZsX8Y6ZDCzw  
R5KX0z6yrOmIpgdKI+Ejm59EIVFveVXflv6zZrfj7uoIZZ9mbv8iL0qzSDl+ExcB  
NkuagC5WyORhFPTdG1D3mNcBNiZhr+XLRQNoZhfd0KqEoeXphko=  
=SnKr  
-----END PGP SIGNATURE-----

Tag

#dos