AppleAVD has an issue where a large OBU size in AV1_Syntax::Parse_Header reading can lead to out-of-bounds reads.
f5d5e8258c287b17deb1dcd5e1d0cebc5da361b98ef166bcd58023bc62a1af2c
AppleAVD has an issue in AV1_Syntax::f leading to out-of-bounds reads.
8793fd0b760f2a8c6b210ae7701eec4e5ab9281a045322d56d92d2c1672e4bd1
AppleAVD has an integer underflow in AV1_Syntax::Parse_Header that can lead to out-of-bounds reads.
c6dddb5cbf681203616f22b9385ebd751596c9da4d40dbd84bfdb8a9de7f9473
There is an integer overflow in dav1d when decoding an AV1 video with large width/height. The integer overflow may result in an out-of-bounds write.
258b775b05e2d4378551ee4e66e5c90a5df4e7d9ef5dc5c37abec0ba66db8a8e
macOS suffers from an out-of-bounds write vulnerability in AppleVADriver when decoding mpeg2 videos.
a755a34876f36a8a24fb4024eeda524426d61439be93ad37d2aa3f187ed43ce5
On Intel macOS, HEVC video decoding is performed in the AppleGVA module. Using fuzzing, researchers identified multiple issues in this decoder. The issues range from out-of-bounds writes, out-of-bounds reads and, in one case, free() on an invalid address. All of the issues were reproduced on macOS Ventura 13.6 running on a 2018 Mac mini (Intel based).
ed851479d112d861e65e1f2c3cbdcfb9751f8aafbae00aece5139de5128c88b0
There is a use-after-free vulnerability in libIPTelephony.dylib inside the SIP message decoder (SipMessageDecoder::decode() function). The vulnerable library is present on both iOS and macOS and was confirmed on macOS Ventura 13.2.1.
6d3cab99ce231d2cf5def080ffac1a0b2fd80f0e9852f330e033cb0e5ceb0b2d
There is a heap buffer overflow in Shannon Baseband when processing the Retry-After header in the SIP protocol decoder (IMSPL_SipRetryAfter.c according to the debug strings in the firmware image).
dd3027619afa3f34e33a8c7c8fa273a3caead4344694e68e00f0bf7658948980
There is a stack buffer overflow in Shannon Baseband when processing the Min-SE header in the SIP protocol decoder (IMSPL_SipMinSE.c according to the debug strings in the firmware image).
e0cd48f57c8b65b8d3f033aad592c288cb156a5fc17e43743d268337dab80c20
There is a negative-size memcpy (heap overflow) when decoding the body of SIP multipart messages. According to debug strings in the modem image, this functionality is implemented in IMSPL_SipFragDecode.
008713e1403417d96115cab8cea235d3b9c02eefab2c7765ee120627abe0c5b3
There is a stack buffer overflow in Shannon Baseband when processing the Session-Expires header in the SIP protocol decoder (IMSPL_SipDecode.c according to the debug strings in the firmware image).
e11bd9abdf4b3c1c338a567873ee29ab281b3106b929fa8c9cb91119afcbc1f7
There is a stack buffer overflow in Shannon Baseband when processing the status line of a SIP message (this happens in IMSPL_SipStatusLine.c according to the debug strings in the firmware image).
775cec97675cbb8c305fcd017b6eeee470cd0ac86f5bca8f85e29ef9c9c3e283
There is a stack buffer overflow in Shannon Baseband when processing the Via header in the SIP protocol decoder (IMSPL_SipDecode.c according to the debug strings in the firmware image).
0afa5f6ef5d703a73b0521ecca5d80bc302663f045296001e5c9f592b245d7f9
There is a stack buffer overflow in Shannon Baseband in the SIP URI decoder. According to the debug strings present in the firmware image, this decoder corresponds to IMSPL_SipUri.c.
cef6065d95093542cb22a1a75544960827efff742ba806ef8e0db27ff1a75588
There is an integer overflow in Shannon Baseband leading to a heap buffer overflow when reassembling IPv4 fragments. According to the debug strings, this corresponding functionality is implemented in SmdtIp4Rx::ProcessFragments function and its callees.
85296d153a53a5ed603bc0ad519a9d3336041170d6909013ceb81a85f4d1624b
There is an intra-object overflow in Shannon Baseband, inside the 5G SM protocol implementation (NrSmMsgCodec as it is called in Shannon according to debug strings), when decoding the Extended protocol configuration options message (IEI = 0x7B).
fbcb90e472d2e3ece0a5999daefccbac91cb16b93b5bdde7163bb7f5b46c8021
There is an intra-object overflow in Shannon Baseband, inside the 5G MM protocol implementation (NrmmMsgCodec as it is called in Shannon according to debug strings), specifically when handling the Service Area List message (IEI = 0x27).
ca27ff3f40a5cef1422ff326c82c6ac37d4d2a24ac33342144bc8a5c84aa2848
There is a heap buffer overflow in Shannon Baseband, inside the 5G MM protocol implementation (NrmmMsgCodec as it is called in Shannon according to debug strings), specifically when handling the Operator-defined access category definitions message (IEI = 0x76).
0d9b32ed9b931576486f7e7630f9b8e393f008ff2bccc77a8e30f84a45f1e0f0
There is a heap buffer overflow in Shannon baseband, inside the 5G MM protocol implementation (NrmmMsgCodec as it is called in Shannon according to debug strings), specifically when handling the "Extended emergency number list" message (IEI = 0x7A).
ba04bb179ad4db118c637bfe6c329d2d3ebef7e310034bd5a8af11fa0123adc3
There is a heap buffer overflow in Shannon baseband, inside the 5G MM protocol implementation (NrmmMsgCodec as it is called in Shannon according to debug strings), specifically when handling the "Emergency number list" message (IEI = 0x34).
ff7c534a4bbc11dc3cd3ac7fb2571e8b2fc9cddf789fa05fff2fc30be17f2aca
On newer macOS/iOS versions, entitlements in binary signature blobs are stored in the DER format. libCoreEntitlements.dylib is the userspace library for parsing and querying such entitlements. The kernel has its own version of this library inside the AppleMobileFileIntegrity module. libCoreEntitlements exposes several functions, such as, for example, to convert entitlements to a dictionary representation (e.g. CEQueryContextToCFDictionary) or to query a specific entitlement (CEContextQuery). Unfortunately, different functions traverse the DER structure in a subtly different way, which allows one API to see one set of entitlements and another API to see a different set of entitlements.
9313c983a56ba7500d8b9861b16b1c103ae3a9454de12a836126f89cec59a1b8
There is a vulnerability in Cisco Jabber that allows an attacker to send arbitrary XMPP stanzas (XMPP control messages) to another Cisco Jabber client, including XMPP stanzas that are normally sent only by the trusted server.
ed2115ba91caeae4b0245ae0141359b56fa7d27077ea7a8cb6d34c1aa2ad914c
There is an out-of-bounds write vulnerability when decoding a certain flavor of RAW image files on macOS. The vulnerability has been confirmed on macOS 12.3.1. Although the advisory notes an attached poc, Google did not have one attached.
b0cdd2ef0c901dd72ddd0b3fa6f8cc6fcb53635705915e5ec0c9100853c07cb3
There is a vulnerability in Kik Messenger for Android that allows an attacker to send arbitrary XMPP stanzas (XMPP control messages) to another Kik client, including XMPP stanzas that are normally sent only by the Kik server. Included is a proof of concept that demonstrates sending of the stc stanza which triggers a captcha dialog and opens an arbitrary attacker-control webpage on the victim client. However, the full impact is likely larger than this, and includes any application features accessible over XMPP.
3f66b31a34e395df392668d6453b6eee4bbfd623765c95d99108116f95c8a143
Tigase XMPP server suffers from a security vulnerability due to not escaping double quote character when serializing parsed XML. This can be used to smuggle (or, if you prefer, inject) an arbitrary attacker-controlled stanza in the XMPP server's output stream. A malicious client can abuse this vulnerability to send arbitrary XMPP stanzas to another client (including the control stanzas that are only meant to be sent by the server).
80c339179764f04e39876070e482957638cbcf822ccdb04b5cc72ea035585e1e