Fedora: Security Advisory for mingw-ilmbase (FEDORA-2020-e244f22a51)
2020-05-18T00:00:00
ID OPENVAS:1361412562310877847 Type openvas Reporter Copyright (C) 2020 Greenbone Networks GmbH Modified 2020-05-20T00:00:00
Description
The remote host is missing an update for the 'mingw-ilmbase' package(s) announced via the FEDORA-2020-e244f22a51 advisory.
# Copyright (C) 2020 Greenbone Networks GmbH
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-or-later
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
if(description)
{
  # Metadata-only pass: when the scanner sets `description`, the calls below
  # register the plugin's attributes and the script exits before any check runs.

  # --- Identity and revision ---
  script_oid("1.3.6.1.4.1.25623.1.0.877847");
  script_name("Fedora: Security Advisory for mingw-ilmbase (FEDORA-2020-e244f22a51)");
  script_version("2020-05-20T02:28:18+0000");
  script_tag(name:"creation_date", value:"2020-05-18 03:24:01 +0000 (Mon, 18 May 2020)");
  script_tag(name:"last_modification", value:"2020-05-20 02:28:18 +0000 (Wed, 20 May 2020)");
  script_copyright("Copyright (C) 2020 Greenbone Networks GmbH");

  # --- Vulnerability references ---
  script_cve_id(
    "CVE-2020-11765", "CVE-2020-11764", "CVE-2020-11763", "CVE-2020-11762",
    "CVE-2020-11761", "CVE-2020-11760", "CVE-2020-11759", "CVE-2020-11758"
  );
  script_xref(name:"FEDORA", value:"2020-e244f22a51");
  script_xref(name:"URL", value:"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/23DHUGWLZZKNI7KCIMYAEI3JJS3TMI6X");

  # --- Severity ---
  # The vector uses CVSS v2 metrics (note "Au:") and rates partial availability
  # impact only (C:N/I:N/A:P); it is a single score for the whole CVE list.
  script_tag(name:"cvss_base", value:"4.3");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:M/Au:N/C:N/I:N/A:P");

  # --- Scheduling and prerequisites ---
  script_category(ACT_GATHER_INFO);
  script_family("Fedora Local Security Checks");
  script_dependencies("gather-package-list.nasl");
  # Requires KB entries from an SSH login: a Fedora host, an RPM list and a
  # release of FC32. Presumably the scanner skips this plugin when they are
  # missing (unauthenticated scan, other release) -- so the absence of a
  # finding is not, on its own, evidence that the host is patched.
  script_mandatory_keys("ssh/login/fedora", "ssh/login/rpms", re:"ssh/login/release=FC32");

  # --- Report text ---
  # The "summary" literal contains a line break; the continuation line is kept
  # at column 0 because it is part of the string value.
  script_tag(name:"summary", value:"The remote host is missing an update for the 'mingw-ilmbase'
package(s) announced via the FEDORA-2020-e244f22a51 advisory.");
  script_tag(name:"vuldetect", value:"Checks if a vulnerable package version is present on the target host.");
  # "insight" carries only the package description, not details of the CVEs;
  # consult the referenced advisory for the actual flaws.
  script_tag(name:"insight", value:"MinGW Windows ilmbase library.");
  script_tag(name:"affected", value:"'mingw-ilmbase' package(s) on Fedora 32.");
  script_tag(name:"solution", value:"Please install the updated package(s).");
  script_tag(name:"solution_type", value:"VendorFix");
  # qod_type "package": the result rests on a package version comparison,
  # not on probing the vulnerable code path.
  script_tag(name:"qod_type", value:"package");

  exit(0);
}
include("revisions-lib.inc");
include("pkg-lib-rpm.inc");
# Detection pass: compare the installed mingw-ilmbase RPM with the build named
# below, using the package inventory gathered over SSH.

# Release identifier of the target; without it there is nothing to compare.
release = rpm_get_ssh_release();
if(!release)
  exit(0);

# This advisory covers Fedora 32 only; any other release ends without a result.
if(release != "FC32")
  exit(0);

report = "";
res = "";

# isrpmvuln() comes from pkg-lib-rpm.inc; a non-NULL return is treated as report
# text for a vulnerable package. The rpm: argument is name~version~release,
# i.e. the 2.4.1-1.fc32 build (presumably the first fixed build -- confirm
# against the advisory).
res = isrpmvuln(pkg:"mingw-ilmbase", rpm:"mingw-ilmbase~2.4.1~1.fc32", rls:"FC32");
if(!isnull(res))
  report += res;

# Vulnerable build found: raise the finding.
if(report != "") {
  security_message(data:report);
  exit(0);
}

# __pkg_match is not assigned in this script; presumably pkg-lib-rpm.inc sets it
# when the package is installed. In that case exit with status 99, which the
# feed appears to use for "checked, not vulnerable" -- confirm against the
# scanner documentation.
if(__pkg_match)
  exit(99);

# Package not installed: no statement either way.
exit(0);
{"id": "OPENVAS:1361412562310877847", "type": "openvas", "bulletinFamily": "scanner", "title": "Fedora: Security Advisory for mingw-ilmbase (FEDORA-2020-e244f22a51)", "description": "The remote host is missing an update for the ", "published": "2020-05-18T00:00:00", "modified": "2020-05-20T00:00:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310877847", "reporter": "Copyright (C) 2020 Greenbone Networks GmbH", "references": ["https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/23DHUGWLZZKNI7KCIMYAEI3JJS3TMI6X", "2020-e244f22a51"], "cvelist": ["CVE-2020-11761", "CVE-2020-11763", "CVE-2020-11765", "CVE-2020-11758", "CVE-2020-11760", "CVE-2020-11759", "CVE-2020-11764", "CVE-2020-11762"], "lastseen": "2020-05-22T13:26:26", "viewCount": 1, "enchantments": {"dependencies": {"references": [{"type": "openvas", "idList": ["OPENVAS:1361412562310844403", "OPENVAS:1361412562310853164", "OPENVAS:1361412562310877857"]}, {"type": "fedora", "idList": ["FEDORA:9F70F610C901", "FEDORA:03034610C904"]}, {"type": "nessus", "idList": ["UBUNTU_USN-4339-1.NASL", "CENTOS_RHSA-2020-4039.NASL", "SUSE_SU-2020-1293-1.NASL", "REDHAT-RHSA-2020-4039.NASL", "SUSE_SU-2020-1292-1.NASL", "OPENSUSE-2020-682.NASL", "AL2_ALAS-2020-1499.NASL", "ORACLELINUX_ELSA-2020-4039.NASL", "DEBIAN_DSA-4755.NASL", "SL_20201001_OPENEXR_ON_SL7_X.NASL"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:0682-1"]}, {"type": "cve", "idList": ["CVE-2020-11761", "CVE-2020-11763", "CVE-2020-11762", "CVE-2020-11765", "CVE-2020-11760", "CVE-2020-11759", "CVE-2020-11758", "CVE-2020-11764"]}, {"type": "cloudfoundry", "idList": ["CFOUNDRY:4AEB9642322F59DD0FC7546535E6E115"]}, {"type": "ubuntu", "idList": ["USN-4339-1"]}, {"type": "googleprojectzero", "idList": ["GOOGLEPROJECTZERO:8D97E6A853D0492A3F60FD23D695FB73"]}, {"type": "debian", "idList": ["DEBIAN:DLA-2358-1:F7DB9", "DEBIAN:DSA-4755-1:22E9E"]}, {"type": 
"amazon", "idList": ["ALAS2-2020-1499"]}, {"type": "redhat", "idList": ["RHSA-2020:4039"]}, {"type": "oraclelinux", "idList": ["ELSA-2020-4039"]}, {"type": "centos", "idList": ["CESA-2020:4039"]}, {"type": "apple", "idList": ["APPLE:HT211289", "APPLE:HT211291", "APPLE:HT211290", "APPLE:HT211293", "APPLE:HT211294", "APPLE:HT211295", "APPLE:HT211288"]}], "modified": "2020-05-22T13:26:26", "rev": 2}, "score": {"value": 7.2, "vector": "NONE", "modified": "2020-05-22T13:26:26", "rev": 2}, "vulnersScore": 7.2}, "pluginID": "1361412562310877847", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.877847\");\n script_version(\"2020-05-20T02:28:18+0000\");\n script_cve_id(\"CVE-2020-11765\", \"CVE-2020-11764\", \"CVE-2020-11763\", \"CVE-2020-11762\", \"CVE-2020-11761\", \"CVE-2020-11760\", \"CVE-2020-11759\", \"CVE-2020-11758\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-05-20 02:28:18 +0000 (Wed, 20 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-05-18 03:24:01 +0000 (Mon, 18 May 2020)\");\n script_name(\"Fedora: Security Advisory for mingw-ilmbase (FEDORA-2020-e244f22a51)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC32\");\n\n script_xref(name:\"FEDORA\", value:\"2020-e244f22a51\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/23DHUGWLZZKNI7KCIMYAEI3JJS3TMI6X\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'mingw-ilmbase'\n package(s) announced via the FEDORA-2020-e244f22a51 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"MinGW Windows ilmbase library.\");\n\n script_tag(name:\"affected\", value:\"'mingw-ilmbase' package(s) on Fedora 32.\");\n\n script_tag(name:\"solution\", 
value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC32\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"mingw-ilmbase\", rpm:\"mingw-ilmbase~2.4.1~1.fc32\", rls:\"FC32\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "naslFamily": "Fedora Local Security Checks"}
{"openvas": [{"lastseen": "2020-05-22T13:24:31", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-11761", "CVE-2020-11763", "CVE-2020-11765", "CVE-2020-11758", "CVE-2020-11760", "CVE-2020-11759", "CVE-2020-11764", "CVE-2020-11762"], "description": "The remote host is missing an update for the ", "modified": "2020-05-20T00:00:00", "published": "2020-05-18T00:00:00", "id": "OPENVAS:1361412562310877857", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310877857", "type": "openvas", "title": "Fedora: Security Advisory for mingw-OpenEXR (FEDORA-2020-e244f22a51)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.877857\");\n script_version(\"2020-05-20T02:28:18+0000\");\n script_cve_id(\"CVE-2020-11765\", \"CVE-2020-11764\", \"CVE-2020-11763\", \"CVE-2020-11762\", \"CVE-2020-11761\", \"CVE-2020-11760\", \"CVE-2020-11759\", \"CVE-2020-11758\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-05-20 02:28:18 +0000 (Wed, 20 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-05-18 03:24:19 +0000 (Mon, 18 May 2020)\");\n script_name(\"Fedora: Security Advisory for mingw-OpenEXR (FEDORA-2020-e244f22a51)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC32\");\n\n script_xref(name:\"FEDORA\", value:\"2020-e244f22a51\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F4KFGDQG5PVYAU7TS5MZ7XCS6EMPVII3\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'mingw-OpenEXR'\n package(s) announced via the FEDORA-2020-e244f22a51 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"MinGW Windows OpenEXR library.\");\n\n script_tag(name:\"affected\", value:\"'mingw-OpenEXR' package(s) on Fedora 32.\");\n\n script_tag(name:\"solution\", 
value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC32\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"mingw-OpenEXR\", rpm:\"mingw-OpenEXR~2.4.1~1.fc32\", rls:\"FC32\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-05-28T13:22:10", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-11761", "CVE-2020-11763", "CVE-2020-11765", "CVE-2020-11758", "CVE-2020-11760", "CVE-2020-11764", "CVE-2020-11762"], "description": "The remote host is missing an update for the ", "modified": "2020-05-27T00:00:00", "published": "2020-05-23T00:00:00", "id": "OPENVAS:1361412562310853164", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310853164", "type": "openvas", "title": "openSUSE: Security Advisory for openexr (openSUSE-SU-2020:0682-1)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.853164\");\n script_version(\"2020-05-27T04:05:03+0000\");\n script_cve_id(\"CVE-2020-11758\", \"CVE-2020-11760\", \"CVE-2020-11761\", \"CVE-2020-11762\", \"CVE-2020-11763\", \"CVE-2020-11764\", \"CVE-2020-11765\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-05-27 04:05:03 +0000 (Wed, 27 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-05-23 03:00:42 +0000 (Sat, 23 May 2020)\");\n script_name(\"openSUSE: Security Advisory for openexr (openSUSE-SU-2020:0682-1)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSELeap15\\.1\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2020:0682-1\");\n script_xref(name:\"URL\", value:\"http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00051.html\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'openexr'\n package(s) announced via the openSUSE-SU-2020:0682-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"This update for openexr provides the following fix:\n\n Security issues fixed:\n\n - CVE-2020-11765: Fixed an off-by-one error in use of the ImfXdr.h read\n function by DwaCompressor:Classifier:Classifier (bsc#1169575).\n\n - 
CVE-2020-11764: Fixed an out-of-bounds write in copyIntoFrameBuffer in\n ImfMisc.cpp (bsc#1169574).\n\n - CVE-2020-11763: Fixed an out-of-bounds read and write, as demonstrated\n by ImfTileOffsets.cpp (bsc#1169576).\n\n - CVE-2020-11762: Fixed an out-of-bounds read and write in\n DwaCompressor:uncompress in ImfDwaCompressor.cpp when handling the\n UNKNOWN compression case (bsc#1169549).\n\n - CVE-2020-11761: Fixed an out-of-bounds read during Huffman\n uncompression, as demonstrated by FastHufDecoder:refill in\n ImfFastHuf.cpp (bsc#1169578).\n\n - CVE-2020-11760: Fixed an out-of-bounds read during RLE uncompression in\n rleUncompress in ImfRle.cpp (bsc#1169580).\n\n - CVE-2020-11758: Fixed an out-of-bounds read in\n ImfOptimizedPixelReading.h (bsc#1169573).\n\n Non-security issue fixed:\n\n - Enable tests when building the package on x86_64. (bsc#1146648)\n\n This update was imported from the SUSE:SLE-15:Update update project.\n\n\n Patch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended\n installation methods\n like YaST online_update or 'zypper patch'.\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 15.1:\n\n zypper in -t patch openSUSE-2020-682=1\");\n\n script_tag(name:\"affected\", value:\"'openexr' package(s) on openSUSE Leap 15.1.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSELeap15.1\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"libIlmImf-2_2-23\", rpm:\"libIlmImf-2_2-23~2.2.1~lp151.4.9.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libIlmImf-2_2-23-debuginfo\", 
rpm:\"libIlmImf-2_2-23-debuginfo~2.2.1~lp151.4.9.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libIlmImfUtil-2_2-23\", rpm:\"libIlmImfUtil-2_2-23~2.2.1~lp151.4.9.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libIlmImfUtil-2_2-23-debuginfo\", rpm:\"libIlmImfUtil-2_2-23-debuginfo~2.2.1~lp151.4.9.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"openexr\", rpm:\"openexr~2.2.1~lp151.4.9.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"openexr-debuginfo\", rpm:\"openexr-debuginfo~2.2.1~lp151.4.9.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"openexr-debugsource\", rpm:\"openexr-debugsource~2.2.1~lp151.4.9.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"openexr-devel\", rpm:\"openexr-devel~2.2.1~lp151.4.9.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"openexr-doc\", rpm:\"openexr-doc~2.2.1~lp151.4.9.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libIlmImf-2_2-23-32bit\", rpm:\"libIlmImf-2_2-23-32bit~2.2.1~lp151.4.9.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libIlmImf-2_2-23-32bit-debuginfo\", rpm:\"libIlmImf-2_2-23-32bit-debuginfo~2.2.1~lp151.4.9.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libIlmImfUtil-2_2-23-32bit\", rpm:\"libIlmImfUtil-2_2-23-32bit~2.2.1~lp151.4.9.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libIlmImfUtil-2_2-23-32bit-debuginfo\", rpm:\"libIlmImfUtil-2_2-23-32bit-debuginfo~2.2.1~lp151.4.9.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n 
exit(0);\n}\n\nexit(0);", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-05-06T01:15:12", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-9111", "CVE-2017-9113", "CVE-2020-11761", "CVE-2017-9115", "CVE-2020-11763", "CVE-2020-11765", "CVE-2018-18444", "CVE-2020-11758", "CVE-2020-11760", "CVE-2020-11759", "CVE-2020-11764", "CVE-2020-11762"], "description": "The remote host is missing an update for the ", "modified": "2020-04-30T00:00:00", "published": "2020-04-28T00:00:00", "id": "OPENVAS:1361412562310844403", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310844403", "type": "openvas", "title": "Ubuntu: Security Advisory for openexr (USN-4339-1)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.844403\");\n script_version(\"2020-04-30T08:51:29+0000\");\n script_cve_id(\"CVE-2017-9111\", \"CVE-2017-9113\", \"CVE-2017-9115\", \"CVE-2018-18444\", \"CVE-2020-11758\", \"CVE-2020-11759\", \"CVE-2020-11760\", \"CVE-2020-11761\", \"CVE-2020-11762\", \"CVE-2020-11763\", \"CVE-2020-11764\", \"CVE-2020-11765\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-04-30 08:51:29 +0000 (Thu, 30 Apr 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-04-28 03:00:15 +0000 (Tue, 28 Apr 2020)\");\n script_name(\"Ubuntu: Security Advisory for openexr (USN-4339-1)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=(UBUNTU19\\.10|UBUNTU18\\.04 LTS|UBUNTU16\\.04 LTS)\");\n\n script_xref(name:\"USN\", value:\"4339-1\");\n script_xref(name:\"URL\", value:\"https://lists.ubuntu.com/archives/ubuntu-security-announce/2020-April/005402.html\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'openexr'\n package(s) announced via the USN-4339-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Brandon Perry discovered that OpenEXR incorrectly handled certain malformed\nEXR image files. 
If a user were tricked into opening a crafted EXR image\nfile, a remote attacker could cause a denial of service, or possibly\nexecute arbitrary code. This issue only applied to Ubuntu 20.04 LTS.\n(CVE-2017-9111, CVE-2017-9113, CVE-2017-9115)\n\nTan Jie discovered that OpenEXR incorrectly handled certain malformed EXR\nimage files. If a user were tricked into opening a crafted EXR image file,\na remote attacker could cause a denial of service, or possibly execute\narbitrary code. This issue only applied to Ubuntu 20.04 LTS.\n(CVE-2018-18444)\n\nSamuel Gro\u00df discovered that OpenEXR incorrectly handled certain malformed\nEXR image files. If a user were tricked into opening a crafted EXR image\nfile, a remote attacker could cause a denial of service, or possibly\nexecute arbitrary code. (CVE-2020-11758, CVE-2020-11759, CVE-2020-11760,\nCVE-2020-11761, CVE-2020-11762, CVE-2020-11763, CVE-2020-11764)\n\nIt was discovered that OpenEXR incorrectly handled certain malformed EXR\nimage files. If a user were tricked into opening a crafted EXR image\nfile, a remote attacker could cause a denial of service. 
(CVE-2020-11765)\");\n\n script_tag(name:\"affected\", value:\"'openexr' package(s) on Ubuntu 19.10, Ubuntu 18.04 LTS, Ubuntu 16.04 LTS.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"UBUNTU19.10\") {\n\n if(!isnull(res = isdpkgvuln(pkg:\"libopenexr23\", ver:\"2.2.1-4.1ubuntu1.1\", rls:\"UBUNTU19.10\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"openexr\", ver:\"2.2.1-4.1ubuntu1.1\", rls:\"UBUNTU19.10\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nif(release == \"UBUNTU18.04 LTS\") {\n\n if(!isnull(res = isdpkgvuln(pkg:\"libopenexr22\", ver:\"2.2.0-11.1ubuntu1.2\", rls:\"UBUNTU18.04 LTS\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"openexr\", ver:\"2.2.0-11.1ubuntu1.2\", rls:\"UBUNTU18.04 LTS\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nif(release == \"UBUNTU16.04 LTS\") {\n\n if(!isnull(res = isdpkgvuln(pkg:\"libopenexr22\", ver:\"2.2.0-10ubuntu2.2\", rls:\"UBUNTU16.04 LTS\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"openexr\", ver:\"2.2.0-10ubuntu2.2\", rls:\"UBUNTU16.04 LTS\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "fedora": [{"lastseen": "2020-12-21T08:17:56", "bulletinFamily": "unix", "cvelist": ["CVE-2020-11758", "CVE-2020-11759", "CVE-2020-11760", "CVE-2020-11761", 
"CVE-2020-11762", "CVE-2020-11763", "CVE-2020-11764", "CVE-2020-11765"], "description": "MinGW Windows ilmbase library. ", "modified": "2020-05-16T03:40:00", "published": "2020-05-16T03:40:00", "id": "FEDORA:9F70F610C901", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 32 Update: mingw-ilmbase-2.4.1-1.fc32", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-12-21T08:17:56", "bulletinFamily": "unix", "cvelist": ["CVE-2020-11758", "CVE-2020-11759", "CVE-2020-11760", "CVE-2020-11761", "CVE-2020-11762", "CVE-2020-11763", "CVE-2020-11764", "CVE-2020-11765"], "description": "MinGW Windows OpenEXR library. ", "modified": "2020-05-16T03:40:01", "published": "2020-05-16T03:40:01", "id": "FEDORA:03034610C904", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 32 Update: mingw-OpenEXR-2.4.1-1.fc32", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}], "nessus": [{"lastseen": "2020-05-31T19:55:31", "description": "This update for openexr provides the following fix :\n\nSecurity issues fixed :\n\n - CVE-2020-11765: Fixed an off-by-one error in use of the\n ImfXdr.h read function by\n DwaCompressor:Classifier:Classifier (bsc#1169575).\n\n - CVE-2020-11764: Fixed an out-of-bounds write in\n copyIntoFrameBuffer in ImfMisc.cpp (bsc#1169574).\n\n - CVE-2020-11763: Fixed an out-of-bounds read and write,\n as demonstrated by ImfTileOffsets.cpp (bsc#1169576).\n\n - CVE-2020-11762: Fixed an out-of-bounds read and write in\n DwaCompressor:uncompress in ImfDwaCompressor.cpp when\n handling the UNKNOWN compression case (bsc#1169549).\n\n - CVE-2020-11761: Fixed an out-of-bounds read during\n Huffman uncompression, as demonstrated by\n FastHufDecoder:refill in ImfFastHuf.cpp (bsc#1169578).\n\n - CVE-2020-11760: Fixed an out-of-bounds read during RLE\n uncompression in rleUncompress in ImfRle.cpp\n (bsc#1169580).\n\n - CVE-2020-11758: Fixed an out-of-bounds read in\n ImfOptimizedPixelReading.h (bsc#1169573).\n\nNon-security 
issue fixed :\n\n - Enable tests when building the package on x86_64.\n (bsc#1146648)\n\nThis update was imported from the SUSE:SLE-15:Update update project.", "edition": 1, "cvss3": {"score": 5.5, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}, "published": "2020-05-26T00:00:00", "title": "openSUSE Security Update : openexr (openSUSE-2020-682)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-11761", "CVE-2020-11763", "CVE-2020-11765", "CVE-2020-11758", "CVE-2020-11760", "CVE-2020-11764", "CVE-2020-11762"], "modified": "2020-05-26T00:00:00", "cpe": ["cpe:/o:novell:opensuse:15.1", "p-cpe:/a:novell:opensuse:libIlmImfUtil-2_2-23-32bit-debuginfo", "p-cpe:/a:novell:opensuse:openexr-debuginfo", "p-cpe:/a:novell:opensuse:openexr-debugsource", "p-cpe:/a:novell:opensuse:openexr-devel", "p-cpe:/a:novell:opensuse:libIlmImf-2_2-23-32bit-debuginfo", "p-cpe:/a:novell:opensuse:libIlmImfUtil-2_2-23-debuginfo", "p-cpe:/a:novell:opensuse:libIlmImf-2_2-23-debuginfo", "p-cpe:/a:novell:opensuse:libIlmImf-2_2-23", "p-cpe:/a:novell:opensuse:openexr", "p-cpe:/a:novell:opensuse:libIlmImf-2_2-23-32bit", "p-cpe:/a:novell:opensuse:libIlmImfUtil-2_2-23", "p-cpe:/a:novell:opensuse:libIlmImfUtil-2_2-23-32bit"], "id": "OPENSUSE-2020-682.NASL", "href": "https://www.tenable.com/plugins/nessus/136880", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2020-682.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(136880);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/05/28\");\n\n script_cve_id(\"CVE-2020-11758\", \"CVE-2020-11760\", \"CVE-2020-11761\", \"CVE-2020-11762\", \"CVE-2020-11763\", \"CVE-2020-11764\", \"CVE-2020-11765\");\n\n script_name(english:\"openSUSE Security Update : openexr (openSUSE-2020-682)\");\n 
script_summary(english:\"Check for the openSUSE-2020-682 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"This update for openexr provides the following fix :\n\nSecurity issues fixed :\n\n - CVE-2020-11765: Fixed an off-by-one error in use of the\n ImfXdr.h read function by\n DwaCompressor:Classifier:Classifier (bsc#1169575).\n\n - CVE-2020-11764: Fixed an out-of-bounds write in\n copyIntoFrameBuffer in ImfMisc.cpp (bsc#1169574).\n\n - CVE-2020-11763: Fixed an out-of-bounds read and write,\n as demonstrated by ImfTileOffsets.cpp (bsc#1169576).\n\n - CVE-2020-11762: Fixed an out-of-bounds read and write in\n DwaCompressor:uncompress in ImfDwaCompressor.cpp when\n handling the UNKNOWN compression case (bsc#1169549).\n\n - CVE-2020-11761: Fixed an out-of-bounds read during\n Huffman uncompression, as demonstrated by\n FastHufDecoder:refill in ImfFastHuf.cpp (bsc#1169578).\n\n - CVE-2020-11760: Fixed an out-of-bounds read during RLE\n uncompression in rleUncompress in ImfRle.cpp\n (bsc#1169580).\n\n - CVE-2020-11758: Fixed an out-of-bounds read in\n ImfOptimizedPixelReading.h (bsc#1169573).\n\nNon-security issue fixed :\n\n - Enable tests when building the package on x86_64.\n (bsc#1146648)\n\nThis update was imported from the SUSE:SLE-15:Update update project.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1146648\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1169549\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1169573\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1169574\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n 
value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1169575\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1169576\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1169578\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1169580\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Update the affected openexr packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libIlmImf-2_2-23\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libIlmImf-2_2-23-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libIlmImf-2_2-23-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libIlmImf-2_2-23-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libIlmImfUtil-2_2-23\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libIlmImfUtil-2_2-23-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libIlmImfUtil-2_2-23-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libIlmImfUtil-2_2-23-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:openexr\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:novell:opensuse:openexr-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:openexr-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:openexr-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.1\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/04/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/05/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/05/26\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE15\\.1)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"15.1\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE15.1\", reference:\"libIlmImf-2_2-23-2.2.1-lp151.4.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"libIlmImf-2_2-23-debuginfo-2.2.1-lp151.4.9.1\") ) flag++;\nif ( 
rpm_check(release:\"SUSE15.1\", reference:\"libIlmImfUtil-2_2-23-2.2.1-lp151.4.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"libIlmImfUtil-2_2-23-debuginfo-2.2.1-lp151.4.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"openexr-2.2.1-lp151.4.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"openexr-debuginfo-2.2.1-lp151.4.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"openexr-debugsource-2.2.1-lp151.4.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"openexr-devel-2.2.1-lp151.4.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", cpu:\"x86_64\", reference:\"libIlmImf-2_2-23-32bit-2.2.1-lp151.4.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", cpu:\"x86_64\", reference:\"libIlmImf-2_2-23-32bit-debuginfo-2.2.1-lp151.4.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", cpu:\"x86_64\", reference:\"libIlmImfUtil-2_2-23-32bit-2.2.1-lp151.4.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", cpu:\"x86_64\", reference:\"libIlmImfUtil-2_2-23-32bit-debuginfo-2.2.1-lp151.4.9.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libIlmImf-2_2-23 / libIlmImf-2_2-23-debuginfo / etc\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-14T06:27:27", "description": "This update for openexr provides the following fix :\n\nSecurity issues fixed :\n\nCVE-2020-11765: Fixed an off-by-one error in use of the ImfXdr.h read\nfunction by DwaCompressor::Classifier::Classifier (bsc#1169575).\n\nCVE-2020-11764: Fixed an out-of-bounds write in copyIntoFrameBuffer in\nImfMisc.cpp (bsc#1169574).\n\nCVE-2020-11763: Fixed an out-of-bounds read and write, as demonstrated\nby ImfTileOffsets.cpp 
(bsc#1169576).\n\nCVE-2020-11762: Fixed an out-of-bounds read and write in\nDwaCompressor::uncompress in ImfDwaCompressor.cpp when handling the\nUNKNOWN compression case (bsc#1169549).\n\nCVE-2020-11761: Fixed an out-of-bounds read during Huffman\nuncompression, as demonstrated by FastHufDecoder::refill in\nImfFastHuf.cpp (bsc#1169578).\n\nCVE-2020-11760: Fixed an out-of-bounds read during RLE uncompression\nin rleUncompress in ImfRle.cpp (bsc#1169580).\n\nCVE-2020-11758: Fixed an out-of-bounds read in\nImfOptimizedPixelReading.h (bsc#1169573).\n\nNon-security issue fixed :\n\nEnable tests when building the package on x86_64. (bsc#1146648)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 4, "cvss3": {"score": 5.5, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}, "published": "2020-05-22T00:00:00", "title": "SUSE SLED15 / SLES15 Security Update : openexr (SUSE-SU-2020:1293-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-11761", "CVE-2020-11763", "CVE-2020-11765", "CVE-2020-11758", "CVE-2020-11760", "CVE-2020-11764", "CVE-2020-11762"], "modified": "2020-05-22T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:libIlmImfUtil-2_2-23-debuginfo", "p-cpe:/a:novell:suse_linux:openexr", "p-cpe:/a:novell:suse_linux:libIlmImf-2_2-23-32bit-debuginfo", "p-cpe:/a:novell:suse_linux:openexr-debugsource", "p-cpe:/a:novell:suse_linux:openexr-doc", "cpe:/o:novell:suse_linux:15", "p-cpe:/a:novell:suse_linux:libIlmImfUtil-2_2", "p-cpe:/a:novell:suse_linux:libIlmImfUtil-2_2-23", "p-cpe:/a:novell:suse_linux:libIlmImf-2_2-23-debuginfo", "p-cpe:/a:novell:suse_linux:openexr-devel", "p-cpe:/a:novell:suse_linux:libIlmImf-2_2-23", "p-cpe:/a:novell:suse_linux:libIlmImf-2_2", "p-cpe:/a:novell:suse_linux:libIlmImfUtil-2_2-23-32bit-debuginfo", 
"p-cpe:/a:novell:suse_linux:openexr-debuginfo"], "id": "SUSE_SU-2020-1293-1.NASL", "href": "https://www.tenable.com/plugins/nessus/136787", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2020:1293-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(136787);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/13\");\n\n script_cve_id(\"CVE-2020-11758\", \"CVE-2020-11760\", \"CVE-2020-11761\", \"CVE-2020-11762\", \"CVE-2020-11763\", \"CVE-2020-11764\", \"CVE-2020-11765\");\n\n script_name(english:\"SUSE SLED15 / SLES15 Security Update : openexr (SUSE-SU-2020:1293-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"This update for openexr provides the following fix :\n\nSecurity issues fixed :\n\nCVE-2020-11765: Fixed an off-by-one error in use of the ImfXdr.h read\nfunction by DwaCompressor:Classifier:Classifier (bsc#1169575).\n\nCVE-2020-11764: Fixed an out-of-bounds write in copyIntoFrameBuffer in\nImfMisc.cpp (bsc#1169574).\n\nCVE-2020-11763: Fixed an out-of-bounds read and write, as demonstrated\nby ImfTileOffsets.cpp (bsc#1169576).\n\nCVE-2020-11762: Fixed an out-of-bounds read and write in\nDwaCompressor:uncompress in ImfDwaCompressor.cpp when handling the\nUNKNOWN compression case (bsc#1169549).\n\nCVE-2020-11761: Fixed an out-of-bounds read during Huffman\nuncompression, as demonstrated by FastHufDecoder:refill in\nImfFastHuf.cpp (bsc#1169578).\n\nCVE-2020-11760: Fixed an out-of-bounds read during RLE uncompression\nin rleUncompress in ImfRle.cpp (bsc#1169580).\n\nCVE-2020-11758: Fixed an out-of-bounds read 
in\nImfOptimizedPixelReading.h (bsc#1169573).\n\nNon-security issue fixed :\n\nEnable tests when building the package on x86_64. (bsc#1146648)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1146648\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1169549\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1169573\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1169574\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1169575\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1169576\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1169578\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1169580\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-11758/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-11760/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-11761/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-11762/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-11763/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n 
value:\"https://www.suse.com/security/cve/CVE-2020-11764/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-11765/\"\n );\n # https://www.suse.com/support/update/announcement/2020/suse-su-20201293-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?cee210de\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Module for Open Buildservice Development Tools\n15-SP1 :\n\nzypper in -t patch\nSUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-1293=1\n\nSUSE Linux Enterprise Module for Desktop Applications 15-SP1 :\n\nzypper in -t patch\nSUSE-SLE-Module-Desktop-Applications-15-SP1-2020-1293=1\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-11765\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libIlmImf-2_2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libIlmImf-2_2-23\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libIlmImf-2_2-23-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libIlmImf-2_2-23-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libIlmImfUtil-2_2\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libIlmImfUtil-2_2-23\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libIlmImfUtil-2_2-23-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libIlmImfUtil-2_2-23-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:openexr\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:openexr-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:openexr-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:openexr-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:openexr-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:15\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/04/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/05/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/05/22\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLED15|SLES15)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLED15 / SLES15\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES15\" && (! preg(pattern:\"^(1)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES15 SP1\", os_ver + \" SP\" + sp);\nif (os_ver == \"SLED15\" && (! 
preg(pattern:\"^(1)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED15 SP1\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES15\", sp:\"1\", cpu:\"x86_64\", reference:\"libIlmImf-2_2-23-32bit-2.2.1-3.14.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", cpu:\"x86_64\", reference:\"libIlmImf-2_2-23-32bit-debuginfo-2.2.1-3.14.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", cpu:\"x86_64\", reference:\"libIlmImfUtil-2_2-23-32bit-2.2.1-3.14.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", cpu:\"x86_64\", reference:\"libIlmImfUtil-2_2-23-32bit-debuginfo-2.2.1-3.14.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"libIlmImf-2_2-23-2.2.1-3.14.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"libIlmImf-2_2-23-debuginfo-2.2.1-3.14.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"libIlmImfUtil-2_2-23-2.2.1-3.14.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"libIlmImfUtil-2_2-23-debuginfo-2.2.1-3.14.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"openexr-2.2.1-3.14.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"openexr-debuginfo-2.2.1-3.14.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"openexr-debugsource-2.2.1-3.14.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"openexr-devel-2.2.1-3.14.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"openexr-doc-2.2.1-3.14.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", cpu:\"x86_64\", reference:\"libIlmImf-2_2-23-32bit-2.2.1-3.14.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", cpu:\"x86_64\", reference:\"libIlmImf-2_2-23-32bit-debuginfo-2.2.1-3.14.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", cpu:\"x86_64\", reference:\"libIlmImfUtil-2_2-23-32bit-2.2.1-3.14.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", cpu:\"x86_64\", 
reference:\"libIlmImfUtil-2_2-23-32bit-debuginfo-2.2.1-3.14.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"libIlmImf-2_2-23-2.2.1-3.14.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"libIlmImf-2_2-23-debuginfo-2.2.1-3.14.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"libIlmImfUtil-2_2-23-2.2.1-3.14.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"libIlmImfUtil-2_2-23-debuginfo-2.2.1-3.14.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"openexr-2.2.1-3.14.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"openexr-debuginfo-2.2.1-3.14.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"openexr-debugsource-2.2.1-3.14.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"openexr-devel-2.2.1-3.14.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"openexr-doc-2.2.1-3.14.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openexr\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-09-18T11:04:28", "description": "Brandon Perry discovered that OpenEXR incorrectly handled certain\nmalformed EXR image files. If a user were tricked into opening a\ncrafted EXR image file, a remote attacker could cause a denial of\nservice, or possibly execute arbitrary code. This issue only applied\nto Ubuntu 20.04 LTS. (CVE-2017-9111, CVE-2017-9113, CVE-2017-9115)\n\nTan Jie discovered that OpenEXR incorrectly handled certain malformed\nEXR image files. If a user were tricked into opening a crafted EXR\nimage file, a remote attacker could cause a denial of service, or\npossibly execute arbitrary code. 
This issue only applied to Ubuntu\n20.04 LTS. (CVE-2018-18444)\n\nSamuel Gross discovered that OpenEXR incorrectly handled certain\nmalformed EXR image files. If a user were tricked into opening a\ncrafted EXR image file, a remote attacker could cause a denial of\nservice, or possibly execute arbitrary code. (CVE-2020-11758,\nCVE-2020-11759, CVE-2020-11760, CVE-2020-11761, CVE-2020-11762,\nCVE-2020-11763, CVE-2020-11764)\n\nIt was discovered that OpenEXR incorrectly handled certain malformed\nEXR image files. If a user were tricked into opening a crafted EXR\nimage file, a remote attacker could cause a denial of service.\n(CVE-2020-11765).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 3, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2020-04-28T00:00:00", "title": "Ubuntu 16.04 LTS / 18.04 LTS / 19.10 / 20.04 : OpenEXR vulnerabilities (USN-4339-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-9111", "CVE-2017-9113", "CVE-2020-11761", "CVE-2017-9115", "CVE-2020-11763", "CVE-2020-11765", "CVE-2018-18444", "CVE-2020-11758", "CVE-2020-11760", "CVE-2020-11759", "CVE-2020-11764", "CVE-2020-11762"], "modified": "2020-04-28T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:libopenexr23", "p-cpe:/a:canonical:ubuntu_linux:libopenexr22", "cpe:/o:canonical:ubuntu_linux:20.04", "cpe:/o:canonical:ubuntu_linux:16.04", "cpe:/o:canonical:ubuntu_linux:18.04:-:lts", "cpe:/o:canonical:ubuntu_linux:19.10", "p-cpe:/a:canonical:ubuntu_linux:openexr", "p-cpe:/a:canonical:ubuntu_linux:libopenexr24"], "id": "UBUNTU_USN-4339-1.NASL", "href": "https://www.tenable.com/plugins/nessus/136028", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# 
extracted from Ubuntu Security Notice USN-4339-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(136028);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/09/17\");\n\n script_cve_id(\"CVE-2017-9111\", \"CVE-2017-9113\", \"CVE-2017-9115\", \"CVE-2018-18444\", \"CVE-2020-11758\", \"CVE-2020-11759\", \"CVE-2020-11760\", \"CVE-2020-11761\", \"CVE-2020-11762\", \"CVE-2020-11763\", \"CVE-2020-11764\", \"CVE-2020-11765\");\n script_xref(name:\"USN\", value:\"4339-1\");\n\n script_name(english:\"Ubuntu 16.04 LTS / 18.04 LTS / 19.10 / 20.04 : OpenEXR vulnerabilities (USN-4339-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Brandon Perry discovered that OpenEXR incorrectly handled certain\nmalformed EXR image files. If a user were tricked into opening a\ncrafted EXR image file, a remote attacker could cause a denial of\nservice, or possibly execute arbitrary code. This issue only applied\nto Ubuntu 20.04 LTS. (CVE-2017-9111, CVE-2017-9113, CVE-2017-9115)\n\nTan Jie discovered that OpenEXR incorrectly handled certain malformed\nEXR image files. If a user were tricked into opening a crafted EXR\nimage file, a remote attacker could cause a denial of service, or\npossibly execute arbitrary code. This issue only applied to Ubuntu\n20.04 LTS. (CVE-2018-18444)\n\nSamuel Gross discovered that OpenEXR incorrectly handled certain\nmalformed EXR image files. If a user were tricked into opening a\ncrafted EXR image file, a remote attacker could cause a denial of\nservice, or possibly execute arbitrary code. 
(CVE-2020-11758,\nCVE-2020-11759, CVE-2020-11760, CVE-2020-11761, CVE-2020-11762,\nCVE-2020-11763, CVE-2020-11764)\n\nIt was discovered that OpenEXR incorrectly handled certain malformed\nEXR image files. If a user were tricked into opening a crafted EXR\nimage file, a remote attacker could cause a denial of service.\n(CVE-2020-11765).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/4339-1/\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libopenexr22\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libopenexr23\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libopenexr24\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:openexr\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:18.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:19.10\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:20.04\");\n\n 
script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/05/21\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/04/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/04/28\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2020 Canonical, Inc. / NASL script (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(16\\.04|18\\.04|19\\.10|20\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 16.04 / 18.04 / 19.10 / 20.04\", \"Ubuntu \" + release);\nif ( ! 
get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"16.04\", pkgname:\"libopenexr22\", pkgver:\"2.2.0-10ubuntu2.2\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"openexr\", pkgver:\"2.2.0-10ubuntu2.2\")) flag++;\nif (ubuntu_check(osver:\"18.04\", pkgname:\"libopenexr22\", pkgver:\"2.2.0-11.1ubuntu1.2\")) flag++;\nif (ubuntu_check(osver:\"18.04\", pkgname:\"openexr\", pkgver:\"2.2.0-11.1ubuntu1.2\")) flag++;\nif (ubuntu_check(osver:\"19.10\", pkgname:\"libopenexr23\", pkgver:\"2.2.1-4.1ubuntu1.1\")) flag++;\nif (ubuntu_check(osver:\"19.10\", pkgname:\"openexr\", pkgver:\"2.2.1-4.1ubuntu1.1\")) flag++;\nif (ubuntu_check(osver:\"20.04\", pkgname:\"libopenexr24\", pkgver:\"2.3.0-6ubuntu0.1\")) flag++;\nif (ubuntu_check(osver:\"20.04\", pkgname:\"openexr\", pkgver:\"2.3.0-6ubuntu0.1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libopenexr22 / libopenexr23 / libopenexr24 / openexr\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-05-31T21:09:52", "description": "This update for openexr provides the following fix :\n\nSecurity issues fixed :\n\nCVE-2020-11764: Fixed an out-of-bounds write in copyIntoFrameBuffer in\nImfMisc.cpp (bsc#1169574).\n\nCVE-2020-11763: Fixed an out-of-bounds read and write, as demonstrated\nby ImfTileOffsets.cpp (bsc#1169576).\n\nCVE-2020-11758: Fixed an out-of-bounds read in\nImfOptimizedPixelReading.h (bsc#1169573).\n\nCVE-2020-11760: Fixed an out-of-bounds read during RLE uncompression\nin rleUncompress in 
ImfRle.cpp (bsc#1169580).\n\nNon-security issue fixed :\n\nEnable tests when building the package on x86_64. (bsc#1146648)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 2, "cvss3": {"score": 5.5, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}, "published": "2020-05-22T00:00:00", "title": "SUSE SLES12 Security Update : openexr (SUSE-SU-2020:1292-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-11763", "CVE-2020-11758", "CVE-2020-11760", "CVE-2020-11764"], "modified": "2020-05-22T00:00:00", "cpe": ["cpe:/o:novell:suse_linux:12", "p-cpe:/a:novell:suse_linux:openexr", "p-cpe:/a:novell:suse_linux:openexr-debugsource", "p-cpe:/a:novell:suse_linux:libIlmImf-Imf_2_1", "p-cpe:/a:novell:suse_linux:libIlmImf-Imf_2_1-21-debuginfo", "p-cpe:/a:novell:suse_linux:openexr-debuginfo"], "id": "SUSE_SU-2020-1292-1.NASL", "href": "https://www.tenable.com/plugins/nessus/136786", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2020:1292-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(136786);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/05/26\");\n\n script_cve_id(\"CVE-2020-11758\", \"CVE-2020-11760\", \"CVE-2020-11763\", \"CVE-2020-11764\");\n\n script_name(english:\"SUSE SLES12 Security Update : openexr (SUSE-SU-2020:1292-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"This update for 
openexr provides the following fix :\n\nSecurity issues fixed :\n\nCVE-2020-11764: Fixed an out-of-bounds write in copyIntoFrameBuffer in\nImfMisc.cpp (bsc#1169574).\n\nCVE-2020-11763: Fixed an out-of-bounds read and write, as demonstrated\nby ImfTileOffsets.cpp (bsc#1169576).\n\nCVE-2020-11758: Fixed an out-of-bounds read in\nImfOptimizedPixelReading.h (bsc#1169573).\n\nCVE-2020-11760: Fixed an out-of-bounds read during RLE uncompression\nin rleUncompress in ImfRle.cpp (bsc#1169580).\n\nNon-security issue fixed :\n\nEnable tests when building the package on x86_64. (bsc#1146648)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1146648\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1169573\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1169574\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1169576\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1169580\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-11758/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-11760/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-11763/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-11764/\"\n );\n # https://www.suse.com/support/update/announcement/2020/suse-su-20201292-1/\n script_set_attribute(\n 
attribute:\"see_also\",\n value:\"http://www.nessus.org/u?74db7ae0\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Workstation Extension 12-SP5 :\n\nzypper in -t patch SUSE-SLE-WE-12-SP5-2020-1292=1\n\nSUSE Linux Enterprise Workstation Extension 12-SP4 :\n\nzypper in -t patch SUSE-SLE-WE-12-SP4-2020-1292=1\n\nSUSE Linux Enterprise Software Development Kit 12-SP5 :\n\nzypper in -t patch SUSE-SLE-SDK-12-SP5-2020-1292=1\n\nSUSE Linux Enterprise Software Development Kit 12-SP4 :\n\nzypper in -t patch SUSE-SLE-SDK-12-SP4-2020-1292=1\n\nSUSE Linux Enterprise Server 12-SP5 :\n\nzypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-1292=1\n\nSUSE Linux Enterprise Server 12-SP4 :\n\nzypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-1292=1\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libIlmImf-Imf_2_1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libIlmImf-Imf_2_1-21-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:openexr\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:openexr-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:openexr-debugsource\");\n script_set_attribute(attribute:\"cpe\", 
value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/04/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/05/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/05/22\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! 
preg(pattern:\"^(4|5)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP4/5\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libIlmImf-Imf_2_1-21-2.1.0-6.20.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libIlmImf-Imf_2_1-21-debuginfo-2.1.0-6.20.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"openexr-2.1.0-6.20.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"openexr-debuginfo-2.1.0-6.20.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"openexr-debugsource-2.1.0-6.20.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libIlmImf-Imf_2_1-21-2.1.0-6.20.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libIlmImf-Imf_2_1-21-debuginfo-2.1.0-6.20.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"openexr-2.1.0-6.20.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"openexr-debuginfo-2.1.0-6.20.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"openexr-debugsource-2.1.0-6.20.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openexr\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-09-04T01:37:45", "description": "Multiple security issues were found in the OpenEXR image library,\nwhich could result in denial of service and potentially the execution\nof arbitrary code when processing malformed EXR image files.", "edition": 1, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2020-08-31T00:00:00", "title": "Debian DSA-4755-1 : openexr - security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": 
["CVE-2017-9111", "CVE-2017-9113", "CVE-2020-11761", "CVE-2017-9115", "CVE-2020-11763", "CVE-2020-11765", "CVE-2020-15305", "CVE-2020-11758", "CVE-2020-11760", "CVE-2020-11759", "CVE-2020-11764", "CVE-2020-11762", "CVE-2017-9114", "CVE-2020-15306"], "modified": "2020-08-31T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:10.0", "p-cpe:/a:debian:debian_linux:openexr"], "id": "DEBIAN_DSA-4755.NASL", "href": "https://www.tenable.com/plugins/nessus/140061", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-4755. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(140061);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/09/02\");\n\n script_cve_id(\"CVE-2017-9111\", \"CVE-2017-9113\", \"CVE-2017-9114\", \"CVE-2017-9115\", \"CVE-2020-11758\", \"CVE-2020-11759\", \"CVE-2020-11760\", \"CVE-2020-11761\", \"CVE-2020-11762\", \"CVE-2020-11763\", \"CVE-2020-11764\", \"CVE-2020-11765\", \"CVE-2020-15305\", \"CVE-2020-15306\");\n script_xref(name:\"DSA\", value:\"4755\");\n\n script_name(english:\"Debian DSA-4755-1 : openexr - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Multiple security issues were found in the OpenEXR image library,\nwhich could result in denial of service and potentially the execution\nof arbitrary code when processing malformed EXR image files.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/source-package/openexr\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n 
value:\"https://packages.debian.org/source/buster/openexr\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2020/dsa-4755\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"Upgrade the openexr packages.\n\nFor the stable distribution (buster), these problems have been fixed\nin version 2.2.1-4.1+deb10u1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:openexr\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:10.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/05/21\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/08/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/08/31\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"10.0\", prefix:\"libopenexr-dev\", reference:\"2.2.1-4.1+deb10u1\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"libopenexr23\", reference:\"2.2.1-4.1+deb10u1\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"openexr\", reference:\"2.2.1-4.1+deb10u1\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"openexr-doc\", reference:\"2.2.1-4.1+deb10u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-01T09:37:34", "description": "The remote CentOS Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the\nCESA-2020:4039 advisory.\n\n - OpenEXR: out-of-bounds read during Huffman uncompression (CVE-2020-11761)\n\n - OpenEXR: std::vector out-of-bounds read and write in ImfTileOffsets.cpp (CVE-2020-11763)\n\n - OpenEXR: out-of-bounds write in copyIntoFrameBuffer function in ImfMisc.cpp (CVE-2020-11764)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.", "edition": 3, "cvss3": {"score": 5.5, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}, "published": "2020-10-20T00:00:00", "title": "CentOS 7 : OpenEXR 
(CESA-2020:4039)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-11761", "CVE-2020-11763", "CVE-2020-11764"], "modified": "2020-10-20T00:00:00", "cpe": ["p-cpe:/a:centos:centos:OpenEXR-libs", "cpe:/o:centos:centos:7", "p-cpe:/a:centos:centos:OpenEXR-devel", "p-cpe:/a:centos:centos:OpenEXR"], "id": "CENTOS_RHSA-2020-4039.NASL", "href": "https://www.tenable.com/plugins/nessus/141592", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2020:4039 and\n# CentOS Errata and Security Advisory 2020:4039 respectively.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(141592);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/11/30\");\n\n script_cve_id(\"CVE-2020-11761\", \"CVE-2020-11763\", \"CVE-2020-11764\");\n script_xref(name:\"RHSA\", value:\"2020:4039\");\n\n script_name(english:\"CentOS 7 : OpenEXR (CESA-2020:4039)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote CentOS Linux host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote CentOS Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the\nCESA-2020:4039 advisory.\n\n - OpenEXR: out-of-bounds read during Huffman uncompression (CVE-2020-11761)\n\n - OpenEXR: std::vector out-of-bounds read and write in ImfTileOffsets.cpp (CVE-2020-11763)\n\n - OpenEXR: out-of-bounds write in copyIntoFrameBuffer function in ImfMisc.cpp (CVE-2020-11764)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n # https://lists.centos.org/pipermail/centos-cr-announce/2020-October/012790.html\n script_set_attribute(attribute:\"see_also\", 
value:\"http://www.nessus.org/u?731d1534\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/22.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/125.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/787.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected OpenEXR, OpenEXR-devel and / or OpenEXR-libs packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-11764\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_cwe_id(22, 125, 787);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/04/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/10/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/10/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:OpenEXR\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:OpenEXR-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:OpenEXR-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:7\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CentOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item('Host/CentOS/release');\nif (isnull(release) || 'CentOS' >!< release) audit(AUDIT_OS_NOT, 'CentOS');\nos_ver = pregmatch(pattern: \"CentOS(?: Linux)? release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'CentOS');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'CentOS 7.x', 'CentOS ' + os_ver);\n\nif (!get_kb_item('Host/CentOS/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'CentOS', cpu);\n\npkgs = [\n {'reference':'OpenEXR-1.7.1-8.el7', 'cpu':'x86_64', 'release':'CentOS-7'},\n {'reference':'OpenEXR-devel-1.7.1-8.el7', 'cpu':'i686', 'release':'CentOS-7'},\n {'reference':'OpenEXR-devel-1.7.1-8.el7', 'cpu':'x86_64', 'release':'CentOS-7'},\n {'reference':'OpenEXR-libs-1.7.1-8.el7', 'cpu':'i686', 'release':'CentOS-7'},\n {'reference':'OpenEXR-libs-1.7.1-8.el7', 'cpu':'x86_64', 'release':'CentOS-7'}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n reference = NULL;\n release = NULL;\n sp = NULL;\n cpu = NULL;\n el_string = NULL;\n rpm_spec_vers_cmp = NULL;\n epoch = NULL;\n allowmaj = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = 
package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (reference && release) {\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n cr_plugin_caveat = '\\n' +\n 'NOTE: The security advisory associated with this vulnerability has a\\n' +\n 'fixed package version that may only be available in the continuous\\n' +\n 'release (CR) repository for CentOS, until it is present in the next\\n' +\n 'point release of CentOS.\\n\\n' +\n 'If an equal or higher package level does not exist in the baseline\\n' +\n 'repository for your major version of CentOS, then updates from the CR\\n' +\n 'repository will need to be applied in order to address the\\n' +\n 'vulnerability.\\n';\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + cr_plugin_caveat\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'OpenEXR / OpenEXR-devel / OpenEXR-libs');\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-11-21T06:04:36", "description": "The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:4039 advisory.\n\n - OpenEXR: out-of-bounds read during Huffman uncompression (CVE-2020-11761)\n\n - OpenEXR: std::vector out-of-bounds read and write in ImfTileOffsets.cpp (CVE-2020-11763)\n\n - OpenEXR: out-of-bounds write in copyIntoFrameBuffer function in 
ImfMisc.cpp (CVE-2020-11764)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "edition": 3, "cvss3": {"score": 5.5, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}, "published": "2020-09-29T00:00:00", "title": "RHEL 7 : OpenEXR (RHSA-2020:4039)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-11761", "CVE-2020-11763", "CVE-2020-11764"], "modified": "2020-09-29T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:7::server", "p-cpe:/a:redhat:enterprise_linux:OpenEXR-libs", "p-cpe:/a:redhat:enterprise_linux:OpenEXR", "cpe:/o:redhat:enterprise_linux:7::computenode", "cpe:/o:redhat:enterprise_linux:7", "cpe:/o:redhat:enterprise_linux:7::workstation", "p-cpe:/a:redhat:enterprise_linux:OpenEXR-devel", "cpe:/o:redhat:enterprise_linux:7::client"], "id": "REDHAT-RHSA-2020-4039.NASL", "href": "https://www.tenable.com/plugins/nessus/141030", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2020:4039. 
The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(141030);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/11/19\");\n\n script_cve_id(\"CVE-2020-11761\", \"CVE-2020-11763\", \"CVE-2020-11764\");\n script_xref(name:\"RHSA\", value:\"2020:4039\");\n\n script_name(english:\"RHEL 7 : OpenEXR (RHSA-2020:4039)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:4039 advisory.\n\n - OpenEXR: out-of-bounds read during Huffman uncompression (CVE-2020-11761)\n\n - OpenEXR: std::vector out-of-bounds read and write in ImfTileOffsets.cpp (CVE-2020-11763)\n\n - OpenEXR: out-of-bounds write in copyIntoFrameBuffer function in ImfMisc.cpp (CVE-2020-11764)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/22.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/125.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/787.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-11761\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-11763\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-11764\");\n script_set_attribute(attribute:\"see_also\", 
value:\"https://access.redhat.com/errata/RHSA-2020:4039\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1828990\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1828995\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1829002\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected OpenEXR, OpenEXR-devel and / or OpenEXR-libs packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-11764\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_cwe_id(22, 125, 787);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/04/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/09/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/09/29\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7::client\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7::computenode\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7::server\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7::workstation\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:OpenEXR\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:OpenEXR-devel\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:OpenEXR-libs\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item('Host/RedHat/release');\nif (isnull(release) || 'Red Hat' >!< release) audit(AUDIT_OS_NOT, 'Red Hat');\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'Red Hat 7.x', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nrepositories = {\n 'enterprise_linux_7_client': [\n 'rhel-7-desktop-debug-rpms',\n 'rhel-7-desktop-fastrack-debug-rpms',\n 'rhel-7-desktop-fastrack-rpms',\n 'rhel-7-desktop-fastrack-source-rpms',\n 'rhel-7-desktop-optional-debug-rpms',\n 'rhel-7-desktop-optional-fastrack-debug-rpms',\n 'rhel-7-desktop-optional-fastrack-rpms',\n 'rhel-7-desktop-optional-fastrack-source-rpms',\n 'rhel-7-desktop-optional-rpms',\n 'rhel-7-desktop-optional-source-rpms',\n 'rhel-7-desktop-rpms',\n 'rhel-7-desktop-source-rpms'\n ],\n 'enterprise_linux_7_computenode': [\n 'rhel-7-for-hpc-node-fastrack-debug-rpms',\n 'rhel-7-for-hpc-node-fastrack-rpms',\n 'rhel-7-for-hpc-node-fastrack-source-rpms',\n 'rhel-7-for-hpc-node-optional-fastrack-debug-rpms',\n 'rhel-7-for-hpc-node-optional-fastrack-rpms',\n 'rhel-7-for-hpc-node-optional-fastrack-source-rpms',\n 'rhel-7-hpc-node-debug-rpms',\n 'rhel-7-hpc-node-optional-debug-rpms',\n 'rhel-7-hpc-node-optional-rpms',\n 'rhel-7-hpc-node-optional-source-rpms',\n 'rhel-7-hpc-node-rpms',\n 'rhel-7-hpc-node-source-rpms'\n ],\n 'enterprise_linux_7_server': [\n 'rhel-7-for-system-z-a-debug-rpms',\n 'rhel-7-for-system-z-a-optional-debug-rpms',\n 'rhel-7-for-system-z-a-optional-rpms',\n 'rhel-7-for-system-z-a-optional-source-rpms',\n 'rhel-7-for-system-z-a-rpms',\n 'rhel-7-for-system-z-a-source-rpms',\n 'rhel-7-for-system-z-debug-rpms',\n 'rhel-7-for-system-z-fastrack-debug-rpms',\n 'rhel-7-for-system-z-fastrack-rpms',\n 'rhel-7-for-system-z-fastrack-source-rpms',\n 'rhel-7-for-system-z-optional-debug-rpms',\n 
'rhel-7-for-system-z-optional-fastrack-debug-rpms',\n 'rhel-7-for-system-z-optional-fastrack-rpms',\n 'rhel-7-for-system-z-optional-fastrack-source-rpms',\n 'rhel-7-for-system-z-optional-rpms',\n 'rhel-7-for-system-z-optional-source-rpms',\n 'rhel-7-for-system-z-rpms',\n 'rhel-7-for-system-z-source-rpms',\n 'rhel-7-server-debug-rpms',\n 'rhel-7-server-fastrack-debug-rpms',\n 'rhel-7-server-fastrack-rpms',\n 'rhel-7-server-fastrack-source-rpms',\n 'rhel-7-server-optional-debug-rpms',\n 'rhel-7-server-optional-fastrack-debug-rpms',\n 'rhel-7-server-optional-fastrack-rpms',\n 'rhel-7-server-optional-fastrack-source-rpms',\n 'rhel-7-server-optional-rpms',\n 'rhel-7-server-optional-source-rpms',\n 'rhel-7-server-rpms',\n 'rhel-7-server-source-rpms',\n 'rhel-ha-for-rhel-7-for-system-z-debug-rpms',\n 'rhel-ha-for-rhel-7-for-system-z-rpms',\n 'rhel-ha-for-rhel-7-for-system-z-source-rpms',\n 'rhel-ha-for-rhel-7-server-debug-rpms',\n 'rhel-ha-for-rhel-7-server-rpms',\n 'rhel-ha-for-rhel-7-server-source-rpms',\n 'rhel-rs-for-rhel-7-for-system-z-debug-rpms',\n 'rhel-rs-for-rhel-7-for-system-z-rpms',\n 'rhel-rs-for-rhel-7-for-system-z-source-rpms',\n 'rhel-rs-for-rhel-7-server-debug-rpms',\n 'rhel-rs-for-rhel-7-server-rpms',\n 'rhel-rs-for-rhel-7-server-source-rpms'\n ],\n 'enterprise_linux_7_workstation': [\n 'rhel-7-workstation-debug-rpms',\n 'rhel-7-workstation-fastrack-debug-rpms',\n 'rhel-7-workstation-fastrack-rpms',\n 'rhel-7-workstation-fastrack-source-rpms',\n 'rhel-7-workstation-optional-debug-rpms',\n 'rhel-7-workstation-optional-fastrack-debug-rpms',\n 'rhel-7-workstation-optional-fastrack-rpms',\n 'rhel-7-workstation-optional-fastrack-source-rpms',\n 'rhel-7-workstation-optional-rpms',\n 'rhel-7-workstation-optional-source-rpms',\n 'rhel-7-workstation-rpms',\n 'rhel-7-workstation-source-rpms'\n ]\n};\n\nfound_repos = NULL;\nhost_repo_list = get_kb_list('Host/RedHat/repo-list/*');\nif (!(empty_or_null(host_repo_list))) {\n found_repos = make_list();\n foreach 
repo_key (keys(repositories)) {\n foreach repo ( repositories[repo_key] ) {\n if (get_kb_item('Host/RedHat/repo-list/' + repo)) {\n append_element(var:found_repos, value:repo_key);\n break;\n }\n }\n }\n if(empty_or_null(found_repos)) audit(AUDIT_RHSA_NOT_AFFECTED, 'RHSA-2020:4039');\n}\n\npkgs = [\n {'reference':'OpenEXR-1.7.1-8.el7', 'cpu':'s390x', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['enterprise_linux_7_client', 'enterprise_linux_7_computenode', 'enterprise_linux_7_server', 'enterprise_linux_7_workstation']},\n {'reference':'OpenEXR-1.7.1-8.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['enterprise_linux_7_client', 'enterprise_linux_7_computenode', 'enterprise_linux_7_server', 'enterprise_linux_7_workstation']},\n {'reference':'OpenEXR-devel-1.7.1-8.el7', 'cpu':'i686', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['enterprise_linux_7_client', 'enterprise_linux_7_computenode', 'enterprise_linux_7_server', 'enterprise_linux_7_workstation']},\n {'reference':'OpenEXR-devel-1.7.1-8.el7', 'cpu':'s390', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['enterprise_linux_7_client', 'enterprise_linux_7_computenode', 'enterprise_linux_7_server', 'enterprise_linux_7_workstation']},\n {'reference':'OpenEXR-devel-1.7.1-8.el7', 'cpu':'s390x', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['enterprise_linux_7_client', 'enterprise_linux_7_computenode', 'enterprise_linux_7_server', 'enterprise_linux_7_workstation']},\n {'reference':'OpenEXR-devel-1.7.1-8.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['enterprise_linux_7_client', 'enterprise_linux_7_computenode', 'enterprise_linux_7_server', 'enterprise_linux_7_workstation']},\n {'reference':'OpenEXR-libs-1.7.1-8.el7', 'cpu':'i686', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['enterprise_linux_7_client', 'enterprise_linux_7_computenode', 'enterprise_linux_7_server', 'enterprise_linux_7_workstation']},\n 
{'reference':'OpenEXR-libs-1.7.1-8.el7', 'cpu':'s390', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['enterprise_linux_7_client', 'enterprise_linux_7_computenode', 'enterprise_linux_7_server', 'enterprise_linux_7_workstation']},\n {'reference':'OpenEXR-libs-1.7.1-8.el7', 'cpu':'s390x', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['enterprise_linux_7_client', 'enterprise_linux_7_computenode', 'enterprise_linux_7_server', 'enterprise_linux_7_workstation']},\n {'reference':'OpenEXR-libs-1.7.1-8.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['enterprise_linux_7_client', 'enterprise_linux_7_computenode', 'enterprise_linux_7_server', 'enterprise_linux_7_workstation']}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n reference = NULL;\n release = NULL;\n sp = NULL;\n cpu = NULL;\n el_string = NULL;\n rpm_spec_vers_cmp = NULL;\n epoch = NULL;\n allowmaj = NULL;\n repo_list = NULL;\n if (!empty_or_null(package_array['repo_list'])) repo_list = package_array['repo_list'];\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'RHEL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (reference && release) {\n repocheck = FALSE;\n if (empty_or_null(found_repos))\n {\n repocheck = TRUE;\n }\n else\n {\n foreach repo (repo_list) {\n if (contains_element(var:found_repos, value:repo))\n {\n repocheck = TRUE;\n break;\n }\n }\n }\n if (repocheck && 
rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n if (empty_or_null(host_repo_list)) extra = rpm_report_get() + redhat_report_repo_caveat();\n else extra = rpm_report_get() + redhat_report_package_caveat();\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'OpenEXR / OpenEXR-devel / OpenEXR-libs');\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-10-10T16:44:30", "description": "The remote Oracle Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the\nELSA-2020-4039 advisory.\n\n - An issue was discovered in OpenEXR before 2.4.1. There is an out-of-bounds read during Huffman\n uncompression, as demonstrated by FastHufDecoder::refill in ImfFastHuf.cpp. (CVE-2020-11761)\n\n - An issue was discovered in OpenEXR before 2.4.1. There is an std::vector out-of-bounds read and write, as\n demonstrated by ImfTileOffsets.cpp. (CVE-2020-11763)\n\n - An issue was discovered in OpenEXR before 2.4.1. There is an out-of-bounds write in copyIntoFrameBuffer in\n ImfMisc.cpp. 
(CVE-2020-11764)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.", "edition": 2, "cvss3": {"score": 5.5, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}, "published": "2020-10-07T00:00:00", "title": "Oracle Linux 7 : OpenEXR (ELSA-2020-4039)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-11761", "CVE-2020-11763", "CVE-2020-11764"], "modified": "2020-10-07T00:00:00", "cpe": ["p-cpe:/a:oracle:linux:OpenEXR", "p-cpe:/a:oracle:linux:OpenEXR-devel", "p-cpe:/a:oracle:linux:OpenEXR-libs", "cpe:/o:oracle:linux:7"], "id": "ORACLELINUX_ELSA-2020-4039.NASL", "href": "https://www.tenable.com/plugins/nessus/141224", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Oracle Linux Security Advisory ELSA-2020-4039.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(141224);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/10/09\");\n\n script_cve_id(\"CVE-2020-11761\", \"CVE-2020-11763\", \"CVE-2020-11764\");\n\n script_name(english:\"Oracle Linux 7 : OpenEXR (ELSA-2020-4039)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Oracle Linux host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Oracle Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the\nELSA-2020-4039 advisory.\n\n - An issue was discovered in OpenEXR before 2.4.1. There is an out-of-bounds read during Huffman\n uncompression, as demonstrated by FastHufDecoder::refill in ImfFastHuf.cpp. (CVE-2020-11761)\n\n - An issue was discovered in OpenEXR before 2.4.1. 
There is an std::vector out-of-bounds read and write, as\n demonstrated by ImfTileOffsets.cpp. (CVE-2020-11763)\n\n - An issue was discovered in OpenEXR before 2.4.1. There is an out-of-bounds write in copyIntoFrameBuffer in\n ImfMisc.cpp. (CVE-2020-11764)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://linux.oracle.com/errata/ELSA-2020-4039.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected OpenEXR, OpenEXR-devel and / or OpenEXR-libs packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-11764\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/04/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/10/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/10/07\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:OpenEXR\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:OpenEXR-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:OpenEXR-libs\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/local_checks_enabled\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item('Host/OracleLinux')) audit(AUDIT_OS_NOT, 'Oracle Linux');\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, 'Oracle Linux');\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Oracle Linux');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'Oracle Linux 7', 'Oracle Linux ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Oracle Linux', cpu);\n\npkgs = [\n {'reference':'OpenEXR-1.7.1-8.el7', 'cpu':'aarch64', 'release':'7'},\n {'reference':'OpenEXR-1.7.1-8.el7', 'cpu':'x86_64', 'release':'7'},\n {'reference':'OpenEXR-devel-1.7.1-8.el7', 'cpu':'aarch64', 'release':'7'},\n {'reference':'OpenEXR-devel-1.7.1-8.el7', 'cpu':'i686', 'release':'7'},\n {'reference':'OpenEXR-devel-1.7.1-8.el7', 'cpu':'x86_64', 'release':'7'},\n {'reference':'OpenEXR-libs-1.7.1-8.el7', 'cpu':'aarch64', 'release':'7'},\n {'reference':'OpenEXR-libs-1.7.1-8.el7', 'cpu':'i686', 'release':'7'},\n {'reference':'OpenEXR-libs-1.7.1-8.el7', 'cpu':'x86_64', 'release':'7'}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n reference = NULL;\n release = NULL;\n sp = NULL;\n cpu = 
NULL;\n el_string = NULL;\n rpm_spec_vers_cmp = NULL;\n epoch = NULL;\n allowmaj = NULL;\n rpm_prefix = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'EL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['rpm_prefix'])) rpm_prefix = package_array['rpm_prefix'];\n if (reference && release) {\n if (rpm_prefix) {\n if (rpm_exists(release:release, rpm:rpm_prefix) && rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n } else {\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'OpenEXR / OpenEXR-devel / OpenEXR-libs');\n}", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-10-24T09:24:45", "description": "Security Fix(es) :\n\n - OpenEXR: out-of-bounds read during Huffman uncompression\n (CVE-2020-11761)\n\n - OpenEXR: std::vector out-of-bounds read and write in\n ImfTileOffsets.cpp (CVE-2020-11763)\n\n - OpenEXR: 
out-of-bounds write in copyIntoFrameBuffer\n function in ImfMisc.cpp (CVE-2020-11764)", "edition": 2, "cvss3": {"score": 5.5, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}, "published": "2020-10-21T00:00:00", "title": "Scientific Linux Security Update : OpenEXR on SL7.x x86_64 (20201001)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-11761", "CVE-2020-11763", "CVE-2020-11764"], "modified": "2020-10-21T00:00:00", "cpe": ["p-cpe:/a:fermilab:scientific_linux:OpenEXR", "p-cpe:/a:fermilab:scientific_linux:OpenEXR-devel", "p-cpe:/a:fermilab:scientific_linux:OpenEXR-libs", "p-cpe:/a:fermilab:scientific_linux:OpenEXR-debuginfo", "x-cpe:/o:fermilab:scientific_linux"], "id": "SL_20201001_OPENEXR_ON_SL7_X.NASL", "href": "https://www.tenable.com/plugins/nessus/141748", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(141748);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/10/23\");\n\n script_cve_id(\"CVE-2020-11761\", \"CVE-2020-11763\", \"CVE-2020-11764\");\n\n script_name(english:\"Scientific Linux Security Update : OpenEXR on SL7.x x86_64 (20201001)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Security Fix(es) :\n\n - OpenEXR: out-of-bounds read during Huffman uncompression\n (CVE-2020-11761)\n\n - OpenEXR: std::vector out-of-bounds read and write in\n ImfTileOffsets.cpp (CVE-2020-11763)\n\n - OpenEXR: out-of-bounds write in copyIntoFrameBuffer\n function in ImfMisc.cpp (CVE-2020-11764)\"\n );\n # https://listserv.fnal.gov/scripts/wa.exe?A2=ind2010&L=SCIENTIFIC-LINUX-ERRATA&P=18310\n script_set_attribute(\n 
attribute:\"see_also\",\n value:\"http://www.nessus.org/u?4b8350a2\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:OpenEXR\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:OpenEXR-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:OpenEXR-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:OpenEXR-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/04/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/10/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/10/21\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nos_ver = pregmatch(pattern: \"Scientific Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Scientific Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Scientific Linux 7.x\", \"Scientific Linux \" + os_ver);\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"OpenEXR-1.7.1-8.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"OpenEXR-debuginfo-1.7.1-8.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"OpenEXR-devel-1.7.1-8.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"OpenEXR-libs-1.7.1-8.el7\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"OpenEXR 
/ OpenEXR-debuginfo / OpenEXR-devel / OpenEXR-libs\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-10-30T05:12:55", "description": "The version of tested product installed on the remote host is prior to tested version. It is, therefore, affected by\nmultiple vulnerabilities as referenced in the ALAS2-2020-1499 advisory.\n\n - An issue was discovered in OpenEXR before 2.4.1. There is an out-of-bounds read during Huffman\n uncompression, as demonstrated by FastHufDecoder::refill in ImfFastHuf.cpp. (CVE-2020-11761)\n\n - An issue was discovered in OpenEXR before 2.4.1. There is an std::vector out-of-bounds read and write, as\n demonstrated by ImfTileOffsets.cpp. (CVE-2020-11763)\n\n - An issue was discovered in OpenEXR before 2.4.1. There is an out-of-bounds write in copyIntoFrameBuffer in\n ImfMisc.cpp. (CVE-2020-11764)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.", "edition": 2, "cvss3": {"score": 5.5, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}, "published": "2020-10-28T00:00:00", "title": "Amazon Linux 2 : OpenEXR (ALAS-2020-1499)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-11761", "CVE-2020-11763", "CVE-2020-11764"], "modified": "2020-10-28T00:00:00", "cpe": ["cpe:/o:amazon:linux:2", "p-cpe:/a:amazon:linux:OpenEXR-devel", "p-cpe:/a:amazon:linux:OpenEXR", "p-cpe:/a:amazon:linux:OpenEXR-libs", "p-cpe:/a:amazon:linux:OpenEXR-debuginfo"], "id": "AL2_ALAS-2020-1499.NASL", "href": "https://www.tenable.com/plugins/nessus/141952", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n# \n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux 2 Security Advisory ALAS-2020-1499.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(141952);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/10/29\");\n\n 
script_cve_id(\"CVE-2020-11761\", \"CVE-2020-11763\", \"CVE-2020-11764\");\n script_xref(name:\"ALAS\", value:\"2020-1499\");\n\n script_name(english:\"Amazon Linux 2 : OpenEXR (ALAS-2020-1499)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Amazon Linux 2 host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of tested product installed on the remote host is prior to tested version. It is, therefore, affected by\nmultiple vulnerabilities as referenced in the ALAS2-2020-1499 advisory.\n\n - An issue was discovered in OpenEXR before 2.4.1. There is an out-of-bounds read during Huffman\n uncompression, as demonstrated by FastHufDecoder::refill in ImfFastHuf.cpp. (CVE-2020-11761)\n\n - An issue was discovered in OpenEXR before 2.4.1. There is an std::vector out-of-bounds read and write, as\n demonstrated by ImfTileOffsets.cpp. (CVE-2020-11763)\n\n - An issue was discovered in OpenEXR before 2.4.1. There is an out-of-bounds write in copyIntoFrameBuffer in\n ImfMisc.cpp. 
(CVE-2020-11764)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/AL2/ALAS-2020-1499.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-11761\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-11763\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-11764\");\n script_set_attribute(attribute:\"solution\", value:\n\"Run 'yum update OpenEXR' to update your system.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-11764\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/04/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/10/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/10/28\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:OpenEXR\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:OpenEXR-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:OpenEXR-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:OpenEXR-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux:2\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n 
script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"2\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux 2\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\npkgs = [\n {'reference':'OpenEXR-1.7.1-8.amzn2.0.1', 'cpu':'aarch64', 'release':'AL2'},\n {'reference':'OpenEXR-1.7.1-8.amzn2.0.1', 'cpu':'i686', 'release':'AL2'},\n {'reference':'OpenEXR-1.7.1-8.amzn2.0.1', 'cpu':'x86_64', 'release':'AL2'},\n {'reference':'OpenEXR-debuginfo-1.7.1-8.amzn2.0.1', 'cpu':'aarch64', 'release':'AL2'},\n {'reference':'OpenEXR-debuginfo-1.7.1-8.amzn2.0.1', 'cpu':'i686', 'release':'AL2'},\n {'reference':'OpenEXR-debuginfo-1.7.1-8.amzn2.0.1', 'cpu':'x86_64', 'release':'AL2'},\n {'reference':'OpenEXR-devel-1.7.1-8.amzn2.0.1', 'cpu':'aarch64', 'release':'AL2'},\n {'reference':'OpenEXR-devel-1.7.1-8.amzn2.0.1', 'cpu':'i686', 'release':'AL2'},\n {'reference':'OpenEXR-devel-1.7.1-8.amzn2.0.1', 'cpu':'x86_64', 'release':'AL2'},\n {'reference':'OpenEXR-libs-1.7.1-8.amzn2.0.1', 'cpu':'aarch64', 'release':'AL2'},\n {'reference':'OpenEXR-libs-1.7.1-8.amzn2.0.1', 'cpu':'i686', 'release':'AL2'},\n 
{'reference':'OpenEXR-libs-1.7.1-8.amzn2.0.1', 'cpu':'x86_64', 'release':'AL2'}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n reference = NULL;\n release = NULL;\n cpu = NULL;\n el_string = NULL;\n rpm_spec_vers_cmp = NULL;\n allowmaj = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (reference && release) {\n if (rpm_check(release:release, cpu:cpu, reference:reference, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"OpenEXR / OpenEXR-debuginfo / OpenEXR-devel / etc\");\n}", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}], "suse": [{"lastseen": "2020-05-23T03:10:35", "bulletinFamily": "unix", "cvelist": ["CVE-2020-11761", "CVE-2020-11763", "CVE-2020-11765", "CVE-2020-11758", "CVE-2020-11760", "CVE-2020-11764", "CVE-2020-11762"], "description": "This update for openexr provides the following fix:\n\n Security issues fixed:\n\n - CVE-2020-11765: Fixed an off-by-one error in use of the ImfXdr.h read\n function by DwaCompressor:Classifier:Classifier (bsc#1169575).\n - CVE-2020-11764: Fixed an out-of-bounds write in copyIntoFrameBuffer in\n ImfMisc.cpp (bsc#1169574).\n - CVE-2020-11763: Fixed an out-of-bounds read and write, as demonstrated\n by 
ImfTileOffsets.cpp (bsc#1169576).\n - CVE-2020-11762: Fixed an out-of-bounds read and write in\n DwaCompressor:uncompress in ImfDwaCompressor.cpp when handling the\n UNKNOWN compression case (bsc#1169549).\n - CVE-2020-11761: Fixed an out-of-bounds read during Huffman\n uncompression, as demonstrated by FastHufDecoder:refill in\n ImfFastHuf.cpp (bsc#1169578).\n - CVE-2020-11760: Fixed an out-of-bounds read during RLE uncompression in\n rleUncompress in ImfRle.cpp (bsc#1169580).\n - CVE-2020-11758: Fixed an out-of-bounds read in\n ImfOptimizedPixelReading.h (bsc#1169573).\n\n Non-security issue fixed:\n\n - Enable tests when building the package on x86_64. (bsc#1146648)\n\n This update was imported from the SUSE:SLE-15:Update update project.\n\n", "edition": 1, "modified": "2020-05-23T00:31:37", "published": "2020-05-23T00:31:37", "id": "OPENSUSE-SU-2020:0682-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00051.html", "title": "Security update for openexr (moderate)", "type": "suse", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}], "cve": [{"lastseen": "2021-02-02T07:36:56", "description": "An issue was discovered in OpenEXR before 2.4.1. 
There is an off-by-one error in use of the ImfXdr.h read function by DwaCompressor::Classifier::Classifier, leading to an out-of-bounds read.", "edition": 15, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 5.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 3.6}, "published": "2020-04-14T23:15:00", "title": "CVE-2020-11765", "type": "cve", "cwe": ["CWE-193"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11765"], "modified": "2020-09-09T14:15:00", "cpe": [], "id": "CVE-2020-11765", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-11765", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, "cpe23": []}, {"lastseen": "2021-02-02T07:36:56", "description": "An issue was discovered in OpenEXR before 2.4.1. 
There is an out-of-bounds read in ImfOptimizedPixelReading.h.", "edition": 15, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 5.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 3.6}, "published": "2020-04-14T23:15:00", "title": "CVE-2020-11758", "type": "cve", "cwe": ["CWE-125"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11758"], "modified": "2020-09-09T14:15:00", "cpe": [], "id": "CVE-2020-11758", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-11758", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, "cpe23": []}, {"lastseen": "2021-02-02T07:36:56", "description": "An issue was discovered in OpenEXR before 2.4.1. 
There is an out-of-bounds read during RLE uncompression in rleUncompress in ImfRle.cpp.", "edition": 15, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 5.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 3.6}, "published": "2020-04-14T23:15:00", "title": "CVE-2020-11760", "type": "cve", "cwe": ["CWE-125"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11760"], "modified": "2020-09-09T14:15:00", "cpe": [], "id": "CVE-2020-11760", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-11760", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, "cpe23": []}, {"lastseen": "2021-02-02T07:36:56", "description": "An issue was discovered in OpenEXR before 2.4.1. 
There is an out-of-bounds read and write in DwaCompressor::uncompress in ImfDwaCompressor.cpp when handling the UNKNOWN compression case.", "edition": 15, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 5.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 3.6}, "published": "2020-04-14T23:15:00", "title": "CVE-2020-11762", "type": "cve", "cwe": ["CWE-125", "CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11762"], "modified": "2020-09-09T14:15:00", "cpe": [], "id": "CVE-2020-11762", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-11762", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, "cpe23": []}, {"lastseen": "2021-02-02T07:36:56", "description": "An issue was discovered in OpenEXR before 2.4.1. 
There is an out-of-bounds read during Huffman uncompression, as demonstrated by FastHufDecoder::refill in ImfFastHuf.cpp.", "edition": 15, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 5.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 3.6}, "published": "2020-04-14T23:15:00", "title": "CVE-2020-11761", "type": "cve", "cwe": ["CWE-125"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11761"], "modified": "2020-09-09T14:15:00", "cpe": [], "id": "CVE-2020-11761", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-11761", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, "cpe23": []}, {"lastseen": "2021-02-02T07:36:56", "description": "An issue was discovered in OpenEXR before 2.4.1. 
Because of integer overflows in CompositeDeepScanLine::Data::handleDeepFrameBuffer and readSampleCountForLineBlock, an attacker can write to an out-of-bounds pointer.", "edition": 14, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 5.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 3.6}, "published": "2020-04-14T23:15:00", "title": "CVE-2020-11759", "type": "cve", "cwe": ["CWE-190"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11759"], "modified": "2020-09-09T14:15:00", "cpe": [], "id": "CVE-2020-11759", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-11759", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, "cpe23": []}, {"lastseen": "2021-02-02T07:36:56", "description": "An issue was discovered in OpenEXR before 2.4.1. 
There is an out-of-bounds write in copyIntoFrameBuffer in ImfMisc.cpp.", "edition": 15, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 5.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 3.6}, "published": "2020-04-14T23:15:00", "title": "CVE-2020-11764", "type": "cve", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11764"], "modified": "2020-09-09T14:15:00", "cpe": [], "id": "CVE-2020-11764", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-11764", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, "cpe23": []}, {"lastseen": "2021-02-02T07:36:56", "description": "An issue was discovered in OpenEXR before 2.4.1. 
There is an std::vector out-of-bounds read and write, as demonstrated by ImfTileOffsets.cpp.", "edition": 15, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 5.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 3.6}, "published": "2020-04-14T23:15:00", "title": "CVE-2020-11763", "type": "cve", "cwe": ["CWE-125", "CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11763"], "modified": "2020-09-09T14:15:00", "cpe": [], "id": "CVE-2020-11763", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-11763", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, "cpe23": []}], "ubuntu": [{"lastseen": "2020-07-02T11:37:21", "bulletinFamily": "unix", "cvelist": ["CVE-2017-9111", "CVE-2017-9113", "CVE-2020-11761", "CVE-2017-9115", "CVE-2020-11763", "CVE-2020-11765", "CVE-2018-18444", "CVE-2020-11758", "CVE-2020-11760", "CVE-2020-11759", "CVE-2020-11764", "CVE-2020-11762"], "description": "Brandon Perry discovered that OpenEXR incorrectly handled certain malformed \nEXR image files. If a user were tricked into opening a crafted EXR image \nfile, a remote attacker could cause a denial of service, or possibly \nexecute arbitrary code. 
This issue only applied to Ubuntu 20.04 LTS. \n(CVE-2017-9111, CVE-2017-9113, CVE-2017-9115)\n\nTan Jie discovered that OpenEXR incorrectly handled certain malformed EXR \nimage files. If a user were tricked into opening a crafted EXR image file, \na remote attacker could cause a denial of service, or possibly execute \narbitrary code. This issue only applied to Ubuntu 20.04 LTS. \n(CVE-2018-18444)\n\nSamuel Gro\u00df discovered that OpenEXR incorrectly handled certain malformed \nEXR image files. If a user were tricked into opening a crafted EXR image \nfile, a remote attacker could cause a denial of service, or possibly \nexecute arbitrary code. (CVE-2020-11758, CVE-2020-11759, CVE-2020-11760, \nCVE-2020-11761, CVE-2020-11762, CVE-2020-11763, CVE-2020-11764)\n\nIt was discovered that OpenEXR incorrectly handled certain malformed EXR \nimage files. If a user were tricked into opening a crafted EXR image \nfile, a remote attacker could cause a denial of service. (CVE-2020-11765)", "edition": 2, "modified": "2020-04-27T00:00:00", "published": "2020-04-27T00:00:00", "id": "USN-4339-1", "href": "https://ubuntu.com/security/notices/USN-4339-1", "title": "OpenEXR vulnerabilities", "type": "ubuntu", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "cloudfoundry": [{"lastseen": "2020-05-15T05:08:23", "bulletinFamily": "software", "cvelist": ["CVE-2017-9111", "CVE-2017-9113", "CVE-2020-11761", "CVE-2017-9115", "CVE-2020-11763", "CVE-2020-11765", "CVE-2018-18444", "CVE-2020-11758", "CVE-2020-11760", "CVE-2020-11759", "CVE-2020-11764", "CVE-2020-11762"], "description": "# \n\n## Severity\n\nMedium\n\n## Vendor\n\nCanonical Ubuntu\n\n## Versions Affected\n\n * Canonical Ubuntu 18.04\n\n## Description\n\nBrandon Perry discovered that OpenEXR incorrectly handled certain malformed EXR image files. If a user were tricked into opening a crafted EXR image file, a remote attacker could cause a denial of service, or possibly execute arbitrary code. 
This issue only applied to Ubuntu 20.04 LTS. (CVE-2017-9111, CVE-2017-9113, CVE-2017-9115)\n\nTan Jie discovered that OpenEXR incorrectly handled certain malformed EXR image files. If a user were tricked into opening a crafted EXR image file, a remote attacker could cause a denial of service, or possibly execute arbitrary code. This issue only applied to Ubuntu 20.04 LTS. (CVE-2018-18444)\n\nSamuel Gro\u00df discovered that OpenEXR incorrectly handled certain malformed EXR image files. If a user were tricked into opening a crafted EXR image file, a remote attacker could cause a denial of service, or possibly execute arbitrary code. (CVE-2020-11758, CVE-2020-11759, CVE-2020-11760, CVE-2020-11761, CVE-2020-11762, CVE-2020-11763, CVE-2020-11764)\n\nIt was discovered that OpenEXR incorrectly handled certain malformed EXR image files. If a user were tricked into opening a crafted EXR image file, a remote attacker could cause a denial of service. (CVE-2020-11765)\n\nCVEs contained in this USN include: CVE-2017-9111, CVE-2017-9113, CVE-2017-9115, CVE-2018-18444, CVE-2020-11758, CVE-2020-11759, CVE-2020-11760, CVE-2020-11761, CVE-2020-11762, CVE-2020-11763, CVE-2020-11764, CVE-2020-11765.\n\n## Affected Cloud Foundry Products and Versions\n\n_Severity is medium unless otherwise noted._\n\n * cflinuxfs3 \n * All versions prior to 0.177.0\n * CF Deployment \n * All versions prior to v13.0.0\n\n## Mitigation\n\nUsers of affected products are strongly encouraged to follow the mitigations below. 
The Cloud Foundry project recommends upgrading the following releases:\n\n * cflinuxfs3 \n * Upgrade All versions to 0.177.0 or greater\n * CF Deployment \n * Upgrade All versions to v13.0.0 or greater\n\n## References\n\n * [USN Notice](<https://usn.ubuntu.com/4339-1/>)\n * [CVE-2017-9111](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9111>)\n * [CVE-2017-9113](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9113>)\n * [CVE-2017-9115](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9115>)\n * [CVE-2018-18444](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18444>)\n * [CVE-2020-11758](<https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11758>)\n * [CVE-2020-11759](<https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11759>)\n * [CVE-2020-11760](<https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11760>)\n * [CVE-2020-11761](<https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11761>)\n * [CVE-2020-11762](<https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11762>)\n * [CVE-2020-11763](<https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11763>)\n * [CVE-2020-11764](<https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11764>)\n * [CVE-2020-11765](<https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11765>)\n\n## History\n\n2020-04-27: Initial vulnerability report published.\n", "edition": 1, "modified": "2020-05-14T00:00:00", "published": "2020-05-14T00:00:00", "id": "CFOUNDRY:4AEB9642322F59DD0FC7546535E6E115", "href": "https://www.cloudfoundry.org/blog/usn-4339-1/", "title": "USN-4339-1: OpenEXR vulnerabilities | Cloud Foundry", "type": "cloudfoundry", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "googleprojectzero": [{"lastseen": "2020-12-14T19:22:42", "bulletinFamily": "info", "cvelist": ["CVE-2019-11931", "CVE-2020-11758", "CVE-2020-11759", "CVE-2020-11760", "CVE-2020-11761", "CVE-2020-11762", "CVE-2020-11763", "CVE-2020-11764", "CVE-2020-11765", 
"CVE-2020-3826", "CVE-2020-3827", "CVE-2020-3878", "CVE-2020-3880"], "description": "**Posted by Samuel Gro\u00df, Project Zero**\n\n** \n**\n\nThis blog post discusses an old type of issue, vulnerabilities in image format parsers, in a new(er) context: on interactionless code paths in popular messenger apps. This research was focused on the Apple ecosystem and the image parsing API provided by it: the ImageIO framework. Multiple vulnerabilities in image parsing code were found, reported to Apple or the respective open source image library maintainers, and subsequently fixed. During this research, a lightweight and low-overhead guided fuzzing approach for closed source binaries was implemented and is released alongside this blogpost.\n\n** \n**\n\nTo reiterate an important point, the vulnerabilities described throughout this blog are reachable through popular messengers but are not part of their codebase. It is thus not the responsibility of the messenger vendors to fix them. \n\n## Introduction\n\n** \n**\n\nWhile reverse engineering popular messenger apps, I came across the following code (manually decompiled into ObjC and slightly simplified) on a code path reachable without user interaction:\n\n** \n**\n\nNSData* payload = [handler decryptData:encryptedDataFromSender, ...];\n\nif (isImagePayload) {\n\nUIImage* img = [UIImage imageWithData:payload];\n\n...;\n\n}\n\n** \n**\n\nThis code decrypts binary data received as part of an incoming message from the sender and instantiates a [UIImage](<https://developer.apple.com/documentation/uikit/uiimage?language=objc>) instance from it. The UIImage constructor will then try to determine the image format automatically. 
Afterwards, the received image is passed to the following code:\n\n** \n**\n\nCGImageRef cgImage = [image CGImage];\n\nCGColorSpaceRef colorSpace = CGColorSpaceCreateDeviceRGB();\n\nCGContextRef cgContext = CGBitmapContextCreate(0, thumbnailWidth, thumbnailHeight, ...);\n\nCGContextDrawImage(cgContext, cgImage, ...);\n\nCGImageRef outImage = CGBitmapContextCreateImage(cgContext);\n\nUIImage* thumbnail = [UIImage imageWithCGImage:outImage];\n\n** \n** \n\n\nThe purpose of this code is to render a smaller sized version of the input image for use as a thumbnail in a notification for the user. Unsurprisingly, similar code can be found in other messenger apps as well. In essence, code like the one shown above turns Apple\u2019s UIImage image parsing and CoreGraphics image rendering code into 0click attack surface.\n\n** \n**\n\nOne of the insights gained from [developing an exploit for an iMessage vulnerability](<https://googleprojectzero.blogspot.com/2020/01/remote-iphone-exploitation-part-1.html>) was that a memory corruption vulnerability could likely be exploited using the described techniques if the following preconditions are met:\n\n** \n**\n\n 1. A form of automatic delivery receipt sent from the same process handling the messages\n\n 2. Per-boot ASLR of at least some memory mappings\n\n 3. Automatically restarting services\n\n** \n**\n\nIn that case, the vulnerability could for example be used to corrupt a pointer to an ObjC object (or something similar), then construct a crash oracle to bypass ASLR, then gain code execution afterwards.\n\n** \n**\n\nAll preconditions are satisfied in the current attack scenario, thus prompting some research into the robustness of the exposed image parsing code. 
Looking into the [documentation of UIImage](<https://developer.apple.com/documentation/uikit/uiimage?language=objc>), the following sentence can be found: \u201cYou use image objects to represent image data of all kinds, and the UIImage class is capable of managing data for all image formats supported by the underlying platform\u201d. As such, the next step was determining exactly what image formats were supported by the underlying platform.\n\n** \n**\n\n## An Introduction to ImageIO.framework\n\n** \n**\n\nParsing of image data passed to UIImage is implemented in the ImageIO framework. As such, the supported image formats can be enumerated by reverse engineering the ImageIO library (/System/Library/Frameworks/ImageIO.framework/Versions/A/ImageIO on macOS or part of the dyld_shared_cache on iOS).\n\n** \n**\n\nIn the ImageIO framework, every supported image format has a dedicated IIO_Reader subclass for it. Each IIO_Reader subclass is expected to implement a testHeader function which, when given a chunk of bytes, should decide whether these bytes represent an image in the format supported by the reader. An example testHeader implementation for the LibJPEG reader is shown below. It simply tests a few bytes of the input to detect the JPEG header magic.\n\n** \n**\n\nbool IIO_Reader_LibJPEG::testHeader(IIO_Reader_LibJPEG *this, const unsigned __int8 *a2, unsigned __int64 a3, const __CFString *a4)\n\n{\n\nreturn *a2 == 0xFF && a2[1] == 0xD8 && a2[2] == 0xFF;\n\n}\n\n** \n**\n\nBy listing the different testHeader implementations, it thus becomes possible to compile a list of file formats supported by the ImageIO library. 
The list is as follows:\n\n** \n**\n\nIIORawCamera_Reader::testHeader\n\nIIO_Reader_AI::testHeader\n\nIIO_Reader_ASTC::testHeader\n\nIIO_Reader_ATX::testHeader\n\nIIO_Reader_AppleJPEG::testHeader\n\nIIO_Reader_BC::testHeader\n\nIIO_Reader_BMP::testHeader\n\nIIO_Reader_CUR::testHeader\n\nIIO_Reader_GIF::testHeader\n\nIIO_Reader_HEIF::testHeader\n\nIIO_Reader_ICNS::testHeader\n\nIIO_Reader_ICO::testHeader\n\nIIO_Reader_JP2::testHeader\n\nIIO_Reader_KTX::testHeader\n\nIIO_Reader_LibJPEG::testHeader\n\nIIO_Reader_MPO::testHeader\n\nIIO_Reader_OpenEXR::testHeader\n\nIIO_Reader_PBM::testHeader\n\nIIO_Reader_PDF::testHeader\n\nIIO_Reader_PICT::testHeader (macOS only)\n\nIIO_Reader_PNG::testHeader\n\nIIO_Reader_PSD::testHeader\n\nIIO_Reader_PVR::testHeader\n\nIIO_Reader_RAD::testHeader\n\nIIO_Reader_SGI::testHeader (macOS only)\n\nIIO_Reader_TGA::testHeader\n\nIIO_Reader_TIFF::testHeader\n\n** \n**\n\nWhile this list contains many familiar formats (JPEG, PNG, GIF, \u2026) there are numerous rather exotic ones as well (KTX and ASTC, apparently used for textures or AI: Adobe Illustrator Artwork) and some that appear to be specific to the Apple ecosystem (ICNS for icons, ATX likely for Animojis)\n\n** \n**\n\nSupport for the different formats also varies. Some formats appear fully supported and are often implemented using what appear to be the open source parsing library which can be found in /System/Library/Frameworks/ImageIO.framework/Versions/A/Resources on macOS: libGIF.dylib, libJP2.dylib, libJPEG.dylib, libOpenEXR.dylib, libPng.dylib, libRadiance.dylib, and libTIFF.dylib. Other formats seem to have only rudimentary support for handling the most common cases.\n\n** \n**\n\nFinally, some formats (e.g. PSD), also appear to support out-of-process decoding (on macOS this is handled by /System/Library/Frameworks/ImageIO.framework/Versions/A/XPCServices/ImageIOXPCService.xpc) which can help sandbox vulnerabilities in the parsers. 
It does not, however, seem to be possible to specify whether parsing should be performed in-process or out-of-process in the public APIs, and no attempt was made to change the default behaviour.\n\n** \n**\n\n## Fuzzing Closed Source Image Parsers\n\n** \n**\n\nGiven the wide range of available image formats and the fact that no source code is available for the majority of the code, fuzzing seemed like the obvious choice. \n\n** \n**\n\nThe choice of which fuzzer and fuzzing approach to use was not so obvious. Since the majority of the target code was not open source, many standard tools were not directly applicable. Further, I had decided to limit fuzzing to a single Mac Mini for simplicity. Thus, the fuzzer should:\n\n 1. Run with as little overhead as possible to fully utilize the available compute resources, and\n\n 2. Make use of some kind of code coverage guidance\n\nIn the end I decided to implement something myself on top of [Honggfuzz](<https://github.com/google/honggfuzz>). The idea for the fuzzing approach is loosely based on the paper: [Full-speed Fuzzing: Reducing Fuzzing Overhead through Coverage-guided Tracing ](<https://arxiv.org/abs/1812.11875>)\n\nand achieves lightweight, low-overhead coverage guided fuzzing for closed source code by: \n\n** \n**\n\n 1. Enumerating the start offset of every basic block in the program/library. This is done with a simple IDAPython script\n\n 2. At runtime, in the fuzzed process, replacing the first byte of every undiscovered basic block with a breakpoint instruction (int3 on Intel). The original byte and the corresponding offset in the coverage bitmap are stored in a dedicated shadow memory mapping whose address can be computed from the address of the modified library, and\n\n 3. Installing a SIGTRAP handler that will:\n\n 1. Retrieve the faulting address and compute the offset in the library as well as the address of the corresponding entry in the shadow memory\n\n 2. 
Mark the basic block as found in the global coverage bitmap\n\n 3. Replace the breakpoint with the original byte\n\n 4. Resume execution\n\n** \n**\n\nAs only undiscovered basic blocks are instrumented and since every breakpoint is only triggered once, the runtime overhead quickly approaches zero. It should, however, be noted that this approach only achieves basic block coverage and not edge coverage as used for example by [AFL](<https://lcamtuf.coredump.cx/afl/>) and which, for closed source targets, can be achieved through [dynamic](<https://project.inria.fr/FranceJapanICST/files/2019/04/19-Kyoto-Fuzzing_Binaries_using_Dynamic_Instrumentation.pdf>) [binary](<https://github.com/googleprojectzero/winafl/blob/master/readme_dr.md>) [instrumentation](<https://youtu.be/fTNzylTMYks>) albeit with some performance overhead. It will thus be more \u201ccoarse grained\u201d and for example treat different transitions to the same basic block as equal whereas AFL would not. As such, this approach will likely find fewer vulnerabilities given the same number of iterations. I deemed this acceptable as the goal of this research was not to perform thorough discovery of all vulnerabilities but rather to quickly test the robustness of the image parsing code and highlight the attack vector. Thorough fuzzing, in any case, is always best performed by the maintainers with source code access.\n\n** \n**\n\nThe described approach was fairly easy to implement by patching honggfuzz\u2019s client instrumentation code and writing an IDAPython script to enumerate the basic block offsets. Both patch and IDAPython script can be found [here](<https://github.com/googleprojectzero/p0tools/tree/master/TrapFuzz>). \n\n** \n**\n\nThe fuzzer then started from a small corpus of around 700 seed images covering the supported image formats and ran for multiple weeks. 
In the end, the following vulnerabilities were identified:\n\n** \n**\n\n[P0 Issue 1952](<https://bugs.chromium.org/p/project-zero/issues/detail?id=1952>)\n\nA bug in the usage of libTiff by ImageIO which caused controlled data to be written past the end of a memory buffer. No CVE was assigned for this issue likely because it had already been discovered internally by Apple before we reported it.\n\n** \n**\n\n[CVE-2020-3826/P0 Issue 1953](<https://bugs.chromium.org/p/project-zero/issues/detail?id=1953>)\n\nAn out-of-bounds read on the heap when processing DDS images with invalid size parameters.\n\n** \n**\n\n[CVE-2020-3827/P0 Issue 1956](<https://bugs.chromium.org/p/project-zero/issues/detail?id=1956>)\n\nAn out-of-bounds write on the heap when processing JPEG images with an optimized parser. \n\n** \n**\n\n[CVE-2020-3878/P0 Issue 1974](<https://bugs.chromium.org/p/project-zero/issues/detail?id=1974>)\n\nPossibly an off-by-one error in the PVR decoding logic leading to an additional row of pixel data being written out-of-bounds past the end of the output buffer.\n\n** \n**\n\n[CVE-2020-3878/P0 Issue 1984](<https://bugs.chromium.org/p/project-zero/issues/detail?id=1984>)\n\nA related bug in the PVR decoder leading to an out-of-bounds read which likely had the same root cause as P0 Issue 1974 and thus was assigned the same CVE number.\n\n** \n**\n\n[CVE-2020-3880/P0 Issue 1988](<https://bugs.chromium.org/p/project-zero/issues/detail?id=1988>)\n\nAn out-of-bounds read during handling of OpenEXR images.\n\n** \n**\n\nThe last issue was somewhat special as it occurred in 3rd party code bundled with ImageIO, namely that of the [OpenEXR library](<https://github.com/AcademySoftwareFoundation/openexr>). As that library is open source, I decided to fuzz it separately as well. \n\n** \n**\n\n## OpenEXR\n\n** \n**\n\n[OpenEXR](<https://www.openexr.com/>) is \u201ca high dynamic-range (HDR) image file format [...] for use in computer imaging applications\u201d. 
The parser is implemented in C and C++ and can be found on [github](<https://github.com/AcademySoftwareFoundation/openexr>).\n\nAs described above, the OpenEXR library is exposed through Apple\u2019s ImageIO framework and therefore is exposed as a 0click attack surface through various popular messenger apps on Apple devices. It is likely that the attack surface is not limited to messaging apps, though I haven't conducted additional research to support that claim.\n\n** \n**\n\nAs the library is open source, \u201cconventional\u201d guided fuzzing is much easier to perform. I used a Google internal, coverage-guided fuzzer running on roughly 500 cores for around two weeks. The fuzzer was guided by edge coverage using llvm\u2019s [SanitizerCoverage](<https://clang.llvm.org/docs/SanitizerCoverage.html>) and generated new inputs by mutating existing ones using common binary mutation strategies and starting from a set of roughly 80 existing OpenEXR images as seeds. \n\n** \n**\n\nEight likely unique vulnerabilities were identified and reported as [P0 issue 1987](<https://bugs.chromium.org/p/project-zero/issues/detail?id=1987>) to the OpenEXR maintainers, then fixed in the [2.4.1 release](<https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v2.4.1>). They are briefly summarized next:\n\n** \n**\n\nCVE-2020-11764\n\nAn out-of-bounds write (of presumably image pixels) on the heap in the copyIntoFrameBuffer function.\n\n** \n**\n\nCVE-2020-11763\n\nA bug that caused a std::vector to be read out-of-bounds. 
Afterwards, the calling code would write into an element slot of this vector, thus likely corrupting memory.\n\n** \n**\n\nCVE-2020-11762\n\nAn out-of-bounds memcpy that was reading data out-of-bounds and afterwards potentially writing it out-of-bounds as well.\n\n** \n**\n\nCVE-2020-11760, CVE-2020-11761, CVE-2020-11758\n\nVarious out-of-bounds reads of pixel data and other data structures.\n\n** \n**\n\nCVE-2020-11765\n\nAn out-of-bounds read on the stack, likely due to an off-by-one error previously overwriting a string null terminator on the stack.\n\n** \n**\n\nCVE-2020-11759\n\nLikely an integer overflow issue leading to a write to a wild pointer.\n\n** \n**\n\nInterestingly, the crash initially found by the ImageIO fuzzer ([issue 1988](<https://bugs.chromium.org/p/project-zero/issues/detail?id=1988>)) did not appear to be reproducible in the upstream OpenEXR library and was thus reported directly to Apple. A possible explanation is that Apple was shipping an outdated version of the OpenEXR library and the bug had been fixed upstream in the meantime.\n\n** \n**\n\n## Recommendations\n\n** \n**\n\nMedia format parsing remains an important issue. This was also demonstrated by other researchers and vendor advisories, with the two following coming immediately to mind:\n\n * [https://awakened1712.github.io/hacking/hacking-whatsapp-gif-rce/](<https://awakened1712.github.io/hacking/hacking-whatsapp-gif-rce/>)\n\n * [https://www.facebook.com/security/advisories/cve-2019-11931](<https://www.facebook.com/security/advisories/cve-2019-11931>)\n\n** \n**\n\nThis of course suggests that continuous fuzz-testing of input parsers should occur on the vendor/code maintainer side. 
Further, allowing clients of a library like ImageIO to restrict the allowed input formats and potentially to opt-in to out-of-process decoding can help prevent exploitation.\n\n** \n**\n\nOn the messenger side, one recommendation is to reduce the attack surface by restricting the receiver to a small number of supported image formats (at least for message previews that don\u2019t require interaction). In that case, the sender would then re-encode any unsupported image format prior to sending it to the receiver. In the case of ImageIO, that would reduce the attack surface from around 25 image formats down to just a handful or less.\n\n** \n**\n\n## Conclusion\n\nThis blog post described how image parsing code, as part of the operating system or third party libraries, ends up being exposed as 0click attack surface through popular messengers. Fuzzing of the exposed code turned up numerous new vulnerabilities which have since been fixed. It is likely that, given enough effort (and exploit attempts granted due to automatically restarting services), some of the found vulnerabilities can be exploited for RCE in a 0click attack scenario. Unfortunately it is also likely that other bugs remain or will be introduced in the future. 
As such, continuous fuzz-testing of this and similar media format parsing code as well as aggressive attack-surface reduction, both in operating system libraries (in this case ImageIO) as well as messenger apps (by restricting the number of accepted image formats on the receiver) are recommended.\n\n \n\n", "modified": "2020-04-28T00:00:00", "published": "2020-04-28T00:00:00", "id": "GOOGLEPROJECTZERO:8D97E6A853D0492A3F60FD23D695FB73", "href": "https://googleprojectzero.blogspot.com/2020/04/fuzzing-imageio.html", "type": "googleprojectzero", "title": "\nFuzzing ImageIO\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "debian": [{"lastseen": "2020-08-31T00:50:28", "bulletinFamily": "unix", "cvelist": ["CVE-2017-9111", "CVE-2017-9113", "CVE-2020-11761", "CVE-2017-9115", "CVE-2020-11763", "CVE-2020-11765", "CVE-2020-15305", "CVE-2020-11758", "CVE-2020-11760", "CVE-2020-11759", "CVE-2020-11764", "CVE-2020-11762", "CVE-2017-9114", "CVE-2020-15306"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4755-1 security@debian.org\nhttps://www.debian.org/security/ Moritz Muehlenhoff\nAugust 29, 2020 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : openexr\nCVE ID : CVE-2017-9111 CVE-2017-9113 CVE-2017-9114 CVE-2017-9115 \n CVE-2020-11758 CVE-2020-11759 CVE-2020-11760 CVE-2020-11761 \n CVE-2020-11762 CVE-2020-11763 CVE-2020-11764 CVE-2020-11765 \n CVE-2020-15305 CVE-2020-15306\n\nMultiple security issues were found in the OpenEXR image library, which\ncould result in denial of service and potentially the execution of\narbitrary code when processing malformed EXR image files.\n\nFor the stable distribution (buster), these problems have been fixed in\nversion 2.2.1-4.1+deb10u1.\n\nWe recommend that you upgrade your openexr packages.\n\nFor the detailed security status of openexr please refer to\nits security 
tracker page at:\nhttps://security-tracker.debian.org/tracker/openexr\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 1, "modified": "2020-08-29T17:36:17", "published": "2020-08-29T17:36:17", "id": "DEBIAN:DSA-4755-1:22E9E", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2020/msg00162.html", "title": "[SECURITY] [DSA 4755-1] openexr security update", "type": "debian", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-08-31T00:54:19", "bulletinFamily": "unix", "cvelist": ["CVE-2017-9111", "CVE-2017-9112", "CVE-2017-9113", "CVE-2020-11761", "CVE-2017-9110", "CVE-2017-12596", "CVE-2017-9115", "CVE-2020-11763", "CVE-2020-11765", "CVE-2020-15305", "CVE-2020-11758", "CVE-2020-11760", "CVE-2020-11759", "CVE-2020-11764", "CVE-2020-11762", "CVE-2017-9114", "CVE-2017-9116", "CVE-2020-15306"], "description": "- -------------------------------------------------------------------------\nDebian LTS Advisory DLA-2358-1 debian-lts@lists.debian.org\nhttps://www.debian.org/lts/security/ \nAugust 30, 2020 https://wiki.debian.org/LTS\n- -------------------------------------------------------------------------\n\nPackage : openexr\nVersion : 2.2.0-11+deb9u1\nCVE ID : CVE-2017-9110 CVE-2017-9111 CVE-2017-9112 CVE-2017-9113 \n CVE-2017-9114 CVE-2017-9115 CVE-2017-9116 CVE-2017-12596 \n CVE-2020-11758 CVE-2020-11759 CVE-2020-11760 CVE-2020-11761 \n CVE-2020-11762 CVE-2020-11763 CVE-2020-11764 CVE-2020-11765 \n CVE-2020-15305 CVE-2020-15306\n\nMultiple security issues were found in the OpenEXR image library, which \ncould result in denial of service and potentially the execution of \narbitrary code when processing malformed EXR image files.\n\nFor Debian 9 stretch, these problems have been fixed in 
version\n2.2.0-11+deb9u1.\n\nWe recommend that you upgrade your openexr packages.\n\nFor the detailed security status of openexr please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/openexr\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n", "edition": 1, "modified": "2020-08-30T19:36:28", "published": "2020-08-30T19:36:28", "id": "DEBIAN:DLA-2358-1:F7DB9", "href": "https://lists.debian.org/debian-lts-announce/2020/debian-lts-announce-202008/msg00056.html", "title": "[SECURITY] [DLA 2358-1] openexr security update", "type": "debian", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "redhat": [{"lastseen": "2020-10-07T18:04:14", "bulletinFamily": "unix", "cvelist": ["CVE-2020-11761", "CVE-2020-11763", "CVE-2020-11764"], "description": "OpenEXR is a high dynamic-range (HDR) image file format developed by Industrial Light & Magic for use in computer imaging applications. This package contains libraries and sample applications for handling the format. 
\n\nSecurity Fix(es):\n\n* OpenEXR: out-of-bounds read during Huffman uncompression (CVE-2020-11761)\n\n* OpenEXR: std::vector out-of-bounds read and write in ImfTileOffsets.cpp (CVE-2020-11763)\n\n* OpenEXR: out-of-bounds write in copyIntoFrameBuffer function in ImfMisc.cpp (CVE-2020-11764)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 7.9 Release Notes linked from the References section.", "modified": "2020-09-29T13:41:34", "published": "2020-09-29T11:53:49", "id": "RHSA-2020:4039", "href": "https://access.redhat.com/errata/RHSA-2020:4039", "type": "redhat", "title": "(RHSA-2020:4039) Moderate: OpenEXR security update", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}], "oraclelinux": [{"lastseen": "2020-10-07T06:55:55", "bulletinFamily": "unix", "cvelist": ["CVE-2020-11761", "CVE-2020-11763", "CVE-2020-11764"], "description": "[1.7.1-8]\n- fix CVE-2020-11764 (#1833552)\n- fix CVE-2020-11763 (#1833566)\n- fix CVE-2020-11761 (#1834461)", "edition": 1, "modified": "2020-10-06T00:00:00", "published": "2020-10-06T00:00:00", "id": "ELSA-2020-4039", "href": "http://linux.oracle.com/errata/ELSA-2020-4039.html", "title": "OpenEXR security update", "type": "oraclelinux", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}], "amazon": [{"lastseen": "2020-11-10T12:37:08", "bulletinFamily": "unix", "cvelist": ["CVE-2020-11761", "CVE-2020-11763", "CVE-2020-11764"], "description": "**Issue Overview:**\n\nAn issue was discovered in OpenEXR before 2.4.1. There is an out-of-bounds read during Huffman uncompression, as demonstrated by FastHufDecoder::refill in ImfFastHuf.cpp. 
([CVE-2020-11761](<https://access.redhat.com/security/cve/CVE-2020-11761>))\n\nAn issue was discovered in OpenEXR before 2.4.1. There is an std::vector out-of-bounds read and write, as demonstrated by ImfTileOffsets.cpp. ([CVE-2020-11763](<https://access.redhat.com/security/cve/CVE-2020-11763>))\n\nAn issue was discovered in OpenEXR before 2.4.1. There is an out-of-bounds write in copyIntoFrameBuffer in ImfMisc.cpp. ([CVE-2020-11764](<https://access.redhat.com/security/cve/CVE-2020-11764>))\n\n \n**Affected Packages:** \n\n\nOpenEXR\n\n \n**Issue Correction:** \nRun _yum update OpenEXR_ to update your system. \n\n\n \n\n\n**New Packages:**\n \n \n aarch64: \n OpenEXR-1.7.1-8.amzn2.0.1.aarch64 \n OpenEXR-devel-1.7.1-8.amzn2.0.1.aarch64 \n OpenEXR-libs-1.7.1-8.amzn2.0.1.aarch64 \n OpenEXR-debuginfo-1.7.1-8.amzn2.0.1.aarch64 \n \n i686: \n OpenEXR-1.7.1-8.amzn2.0.1.i686 \n OpenEXR-devel-1.7.1-8.amzn2.0.1.i686 \n OpenEXR-libs-1.7.1-8.amzn2.0.1.i686 \n OpenEXR-debuginfo-1.7.1-8.amzn2.0.1.i686 \n \n src: \n OpenEXR-1.7.1-8.amzn2.0.1.src \n \n x86_64: \n OpenEXR-1.7.1-8.amzn2.0.1.x86_64 \n OpenEXR-devel-1.7.1-8.amzn2.0.1.x86_64 \n OpenEXR-libs-1.7.1-8.amzn2.0.1.x86_64 \n OpenEXR-debuginfo-1.7.1-8.amzn2.0.1.x86_64 \n \n \n", "edition": 1, "modified": "2020-10-22T17:15:00", "published": "2020-10-22T17:15:00", "id": "ALAS2-2020-1499", "href": "https://alas.aws.amazon.com/AL2/ALAS-2020-1499.html", "title": "Medium: OpenEXR", "type": "amazon", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}], "centos": [{"lastseen": "2020-10-20T23:05:58", "bulletinFamily": "unix", "cvelist": ["CVE-2020-11761", "CVE-2020-11763", "CVE-2020-11764"], "description": "**CentOS Errata and Security Advisory** CESA-2020:4039\n\n\nOpenEXR is a high dynamic-range (HDR) image file format developed by Industrial Light & Magic for use in computer imaging applications. This package contains libraries and sample applications for handling the format. 
\n\nSecurity Fix(es):\n\n* OpenEXR: out-of-bounds read during Huffman uncompression (CVE-2020-11761)\n\n* OpenEXR: std::vector out-of-bounds read and write in ImfTileOffsets.cpp (CVE-2020-11763)\n\n* OpenEXR: out-of-bounds write in copyIntoFrameBuffer function in ImfMisc.cpp (CVE-2020-11764)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 7.9 Release Notes linked from the References section.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-cr-announce/2020-October/012790.html\n\n**Affected packages:**\nOpenEXR\nOpenEXR-devel\nOpenEXR-libs\n\n**Upstream details at:**\n", "edition": 1, "modified": "2020-10-20T18:35:31", "published": "2020-10-20T18:35:31", "id": "CESA-2020:4039", "href": "http://lists.centos.org/pipermail/centos-cr-announce/2020-October/012790.html", "title": "OpenEXR security update", "type": "centos", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}], "apple": [{"lastseen": "2020-12-24T20:44:33", "bulletinFamily": "software", "cvelist": ["CVE-2020-9871", "CVE-2020-9874", "CVE-2020-11761", "CVE-2020-9862", "CVE-2020-9883", "CVE-2020-9984", "CVE-2020-9894", "CVE-2020-11763", "CVE-2020-11765", "CVE-2020-9876", "CVE-2020-9875", "CVE-2020-9910", "CVE-2020-9925", "CVE-2020-9895", "CVE-2020-9938", "CVE-2020-9916", "CVE-2020-9877", "CVE-2020-9919", "CVE-2020-11758", "CVE-2020-11760", "CVE-2020-9879", "CVE-2020-9893", "CVE-2020-11759", "CVE-2020-11764", "CVE-2020-9915", "CVE-2020-11762", "CVE-2020-9936", "CVE-2020-9872", "CVE-2020-9873", "CVE-2020-9937"], "description": "## About Apple security updates\n\nFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or 
releases are available. Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nApple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.\n\nFor more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page.\n\n\n\n## iCloud for Windows 7.20\n\nReleased August 10, 2020\n\n**CoreGraphics**\n\nAvailable for: Windows 7 and later\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: A buffer overflow issue was addressed with improved memory handling.\n\nCVE-2020-9883: an anonymous researcher, Mickey Jin of Trend Micro\n\nEntry added September 21, 2020, updated December 15, 2020\n\n**ImageIO**\n\nAvailable for: Windows 7 and later\n\nImpact: Multiple buffer overflow issues existed in openEXR\n\nDescription: Multiple issues in openEXR were addressed with improved checks.\n\nCVE-2020-11758: Xingwei Lin of Ant-financial Light-Year Security Lab\n\nCVE-2020-11759: Xingwei Lin of Ant-financial Light-Year Security Lab\n\nCVE-2020-11760: Xingwei Lin of Ant-financial Light-Year Security Lab\n\nCVE-2020-11761: Xingwei Lin of Ant-financial Light-Year Security Lab\n\nCVE-2020-11762: Xingwei Lin of Ant-financial Light-Year Security Lab\n\nCVE-2020-11763: Xingwei Lin of Ant-financial Light-Year Security Lab\n\nCVE-2020-11764: Xingwei Lin of Ant-financial Light-Year Security Lab\n\nCVE-2020-11765: Xingwei Lin of Ant-financial Light-Year Security Lab\n\nEntry added September 8, 2020\n\n**ImageIO**\n\nAvailable for: Windows 7 and later\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: An out-of-bounds write issue was addressed with improved bounds checking.\n\nCVE-2020-9871: Xingwei Lin of Ant-financial Light-Year Security Lab\n\nCVE-2020-9872: Xingwei Lin of Ant-financial Light-Year Security Lab\n\nCVE-2020-9874: Xingwei Lin of 
Ant-financial Light-Year Security Lab\n\nCVE-2020-9879: Xingwei Lin of Ant-Financial Light-Year Security Lab\n\nCVE-2020-9936: Mickey Jin of Trend Micro\n\nCVE-2020-9937: Xingwei Lin of Ant-Financial Light-Year Security Lab\n\n**ImageIO**\n\nAvailable for: Windows 7 and later\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2020-9873: Xingwei Lin of Ant-financial Light-Year Security Lab\n\nCVE-2020-9938: Xingwei Lin of Ant-financial Light-Year Security Lab\n\nCVE-2020-9984: an anonymous researcher\n\nEntry updated September 21, 2020\n\n**ImageIO**\n\nAvailable for: Windows 7 and later\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2020-9877: Xingwei Lin of Ant-financial Light-Year Security Lab\n\n**ImageIO**\n\nAvailable for: Windows 7 and later\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: A buffer overflow issue was addressed with improved memory handling.\n\nCVE-2020-9919: Mickey Jin of Trend Micro\n\n**ImageIO**\n\nAvailable for: Windows 7 and later\n\nImpact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution\n\nDescription: An out-of-bounds write issue was addressed with improved bounds checking.\n\nCVE-2020-9876: Mickey Jin of Trend Micro\n\n**ImageIO**\n\nAvailable for: Windows 7 and later\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: An integer overflow was addressed through improved input validation.\n\nCVE-2020-9875: Mickey Jin of Trend Micro\n\n**WebKit**\n\nAvailable for: Windows 7 and later\n\nImpact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution\n\nDescription: An 
out-of-bounds read was addressed with improved input validation.\n\nCVE-2020-9894: 0011 working with Trend Micro Zero Day Initiative\n\n**WebKit**\n\nAvailable for: Windows 7 and later\n\nImpact: Processing maliciously crafted web content may prevent Content Security Policy from being enforced\n\nDescription: An access issue existed in Content Security Policy. This issue was addressed with improved access restrictions.\n\nCVE-2020-9915: Ayoub AIT ELMOKHTAR of Noon\n\n**WebKit**\n\nAvailable for: Windows 7 and later\n\nImpact: Processing maliciously crafted web content may lead to universal cross site scripting\n\nDescription: A logic issue was addressed with improved state management.\n\nCVE-2020-9925: an anonymous researcher\n\n**WebKit**\n\nAvailable for: Windows 7 and later\n\nImpact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution\n\nDescription: A use after free issue was addressed with improved memory management.\n\nCVE-2020-9893: 0011 working with Trend Micro Zero Day Initiative\n\nCVE-2020-9895: Wen Xu of SSLab, Georgia Tech\n\n**WebKit**\n\nAvailable for: Windows 7 and later\n\nImpact: A malicious attacker with arbitrary read and write capability may be able to bypass Pointer Authentication\n\nDescription: Multiple issues were addressed with improved logic.\n\nCVE-2020-9910: Samuel Gro\u00df of Google Project Zero\n\n**WebKit Page Loading**\n\nAvailable for: Windows 7 and later\n\nImpact: A malicious attacker may be able to conceal the destination of a URL\n\nDescription: A URL Unicode encoding issue was addressed with improved state management.\n\nCVE-2020-9916: Rakesh Mane (@RakeshMane10)\n\n**WebKit Web Inspector**\n\nAvailable for: Windows 7 and later\n\nImpact: Copying a URL from Web Inspector may lead to command injection\n\nDescription: A command injection issue existed in Web Inspector. 
This issue was addressed with improved escaping.\n\nCVE-2020-9862: Ophir Lojkine (@lovasoa)\n\n## Additional recognition\n\n**ImageIO**\n\nWe would like to acknowledge Xingwei Lin of Ant-financial Light-Year Security Lab for their assistance.\n\nEntry added September 21, 2020\n", "edition": 6, "modified": "2020-12-15T05:23:14", "published": "2020-12-15T05:23:14", "id": "APPLE:HT211295", "href": "https://support.apple.com/kb/HT211295", "title": "About the security content of iCloud for Windows 7.20 - Apple Support", "type": "apple", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-24T20:43:46", "bulletinFamily": "software", "cvelist": ["CVE-2020-9871", "CVE-2020-9874", "CVE-2020-11761", "CVE-2020-9862", "CVE-2020-9883", "CVE-2020-9984", "CVE-2020-9894", "CVE-2020-11763", "CVE-2020-11765", "CVE-2020-9876", "CVE-2020-9875", "CVE-2020-9910", "CVE-2020-9925", "CVE-2020-9895", "CVE-2020-9938", "CVE-2020-9916", "CVE-2020-9877", "CVE-2020-9919", "CVE-2020-11758", "CVE-2020-11760", "CVE-2020-9879", "CVE-2020-9893", "CVE-2020-11759", "CVE-2020-11764", "CVE-2020-9915", "CVE-2020-11762", "CVE-2020-9936", "CVE-2020-9872", "CVE-2020-9873", "CVE-2020-9937"], "description": "## About Apple security updates\n\nFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. 
Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nApple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.\n\nFor more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page.\n\n\n\n## iCloud for Windows 11.3\n\nReleased August 10, 2020\n\n**CoreGraphics**\n\nAvailable for: Windows 10 and later via the Microsoft Store\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: A buffer overflow issue was addressed with improved memory handling.\n\nCVE-2020-9883: an anonymous researcher, Mickey Jin of Trend Micro\n\nEntry added September 21, 2020, updated December 15, 2020\n\n**ImageIO**\n\nAvailable for: Windows 10 and later via the Microsoft Store\n\nImpact: Multiple buffer overflow issues existed in openEXR\n\nDescription: Multiple issues in openEXR were addressed with improved checks.\n\nCVE-2020-11758: Xingwei Lin of Ant-financial Light-Year Security Lab\n\nCVE-2020-11759: Xingwei Lin of Ant-financial Light-Year Security Lab\n\nCVE-2020-11760: Xingwei Lin of Ant-financial Light-Year Security Lab\n\nCVE-2020-11761: Xingwei Lin of Ant-financial Light-Year Security Lab\n\nCVE-2020-11762: Xingwei Lin of Ant-financial Light-Year Security Lab\n\nCVE-2020-11763: Xingwei Lin of Ant-financial Light-Year Security Lab\n\nCVE-2020-11764: Xingwei Lin of Ant-financial Light-Year Security Lab\n\nCVE-2020-11765: Xingwei Lin of Ant-financial Light-Year Security Lab\n\nEntry added September 8, 2020\n\n**ImageIO**\n\nAvailable for: Windows 10 and later via the Microsoft Store\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: An out-of-bounds write issue was addressed with improved bounds checking.\n\nCVE-2020-9871: Xingwei Lin of Ant-financial Light-Year Security Lab\n\nCVE-2020-9872: Xingwei Lin of Ant-financial Light-Year 
Security Lab\n\nCVE-2020-9874: Xingwei Lin of Ant-financial Light-Year Security Lab\n\nCVE-2020-9879: Xingwei Lin of Ant-Financial Light-Year Security Lab\n\nCVE-2020-9936: Mickey Jin of Trend Micro\n\nCVE-2020-9937: Xingwei Lin of Ant-Financial Light-Year Security Lab\n\n**ImageIO**\n\nAvailable for: Windows 10 and later via the Microsoft Store\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2020-9873: Xingwei Lin of Ant-financial Light-Year Security Lab\n\nCVE-2020-9938: Xingwei Lin of Ant-financial Light-Year Security Lab\n\nCVE-2020-9984: an anonymous researcher\n\nEntry updated September 21, 2020\n\n**ImageIO**\n\nAvailable for: Windows 10 and later via the Microsoft Store\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: A buffer overflow issue was addressed with improved memory handling.\n\nCVE-2020-9919: Mickey Jin of Trend Micro\n\n**ImageIO**\n\nAvailable for: Windows 10 and later via the Microsoft Store\n\nImpact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution\n\nDescription: An out-of-bounds write issue was addressed with improved bounds checking.\n\nCVE-2020-9876: Mickey Jin of Trend Micro\n\n**ImageIO**\n\nAvailable for: Windows 10 and later via the Microsoft Store\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2020-9877: Xingwei Lin of Ant-financial Light-Year Security Lab\n\n**ImageIO**\n\nAvailable for: Windows 10 and later via the Microsoft Store\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: An integer overflow was addressed through improved input validation.\n\nCVE-2020-9875: Mickey Jin of Trend 
Micro\n\n**WebKit**\n\nAvailable for: Windows 10 and later via the Microsoft Store\n\nImpact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2020-9894: 0011 working with Trend Micro Zero Day Initiative\n\n**WebKit**\n\nAvailable for: Windows 10 and later via the Microsoft Store\n\nImpact: Processing maliciously crafted web content may prevent Content Security Policy from being enforced\n\nDescription: An access issue existed in Content Security Policy. This issue was addressed with improved access restrictions.\n\nCVE-2020-9915: Ayoub AIT ELMOKHTAR of Noon\n\n**WebKit**\n\nAvailable for: Windows 10 and later via the Microsoft Store\n\nImpact: Processing maliciously crafted web content may lead to universal cross site scripting\n\nDescription: A logic issue was addressed with improved state management.\n\nCVE-2020-9925: an anonymous researcher\n\n**WebKit**\n\nAvailable for: Windows 10 and later via the Microsoft Store\n\nImpact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution\n\nDescription: A use after free issue was addressed with improved memory management.\n\nCVE-2020-9893: 0011 working with Trend Micro Zero Day Initiative\n\nCVE-2020-9895: Wen Xu of SSLab, Georgia Tech\n\n**WebKit**\n\nAvailable for: Windows 10 and later via the Microsoft Store\n\nImpact: A malicious attacker with arbitrary read and write capability may be able to bypass Pointer Authentication\n\nDescription: Multiple issues were addressed with improved logic.\n\nCVE-2020-9910: Samuel Gro\u00df of Google Project Zero\n\n**WebKit Page Loading**\n\nAvailable for: Windows 10 and later via the Microsoft Store\n\nImpact: A malicious attacker may be able to conceal the destination of a URL\n\nDescription: A URL Unicode encoding issue was addressed with improved state management.\n\nCVE-2020-9916: Rakesh 
Mane (@RakeshMane10)\n\n**WebKit Web Inspector**\n\nAvailable for: Windows 10 and later via the Microsoft Store\n\nImpact: Copying a URL from Web Inspector may lead to command injection\n\nDescription: A command injection issue existed in Web Inspector. This issue was addressed with improved escaping.\n\nCVE-2020-9862: Ophir Lojkine (@lovasoa)\n\n## Additional recognition\n\n**ImageIO**\n\nWe would like to acknowledge Xingwei Lin of Ant-financial Light-Year Security Lab for their assistance.\n\nEntry added September 21, 2020\n", "edition": 6, "modified": "2020-12-15T06:02:19", "published": "2020-12-15T06:02:19", "id": "APPLE:HT211294", "href": "https://support.apple.com/kb/HT211294 ", "title": "About the security content of iCloud for Windows 11.3 - Apple Support", "type": "apple", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-24T20:41:46", "bulletinFamily": "software", "cvelist": ["CVE-2020-9871", "CVE-2020-9874", "CVE-2020-11761", "CVE-2020-9862", "CVE-2020-9883", "CVE-2020-9984", "CVE-2020-9894", "CVE-2020-11763", "CVE-2020-11765", "CVE-2020-9876", "CVE-2020-9875", "CVE-2020-9910", "CVE-2020-9925", "CVE-2020-9895", "CVE-2020-9938", "CVE-2020-9916", "CVE-2020-9877", "CVE-2020-9919", "CVE-2020-11758", "CVE-2020-11760", "CVE-2020-9879", "CVE-2020-9893", "CVE-2020-11759", "CVE-2020-11764", "CVE-2020-9915", "CVE-2020-11762", "CVE-2020-9936", "CVE-2020-9872", "CVE-2020-9873", "CVE-2020-9937"], "description": "## About Apple security updates\n\nFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. 
Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nApple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.\n\nFor more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page.\n\n\n\n## iTunes 12.10.8 for Windows\n\nReleased July 30, 2020\n\n**CoreGraphics**\n\nAvailable for: Windows 7 and later\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: A buffer overflow issue was addressed with improved memory handling.\n\nCVE-2020-9883: an anonymous researcher, Mickey Jin of Trend Micro\n\nEntry added September 21, 2020, updated December 15, 2020\n\n**ImageIO**\n\nAvailable for: Windows 7 and later\n\nImpact: Multiple buffer overflow issues existed in openEXR\n\nDescription: Multiple issues in openEXR were addressed with improved checks.\n\nCVE-2020-11758: Xingwei Lin of Ant-financial Light-Year Security Lab\n\nCVE-2020-11759: Xingwei Lin of Ant-financial Light-Year Security Lab\n\nCVE-2020-11760: Xingwei Lin of Ant-financial Light-Year Security Lab\n\nCVE-2020-11761: Xingwei Lin of Ant-financial Light-Year Security Lab\n\nCVE-2020-11762: Xingwei Lin of Ant-financial Light-Year Security Lab\n\nCVE-2020-11763: Xingwei Lin of Ant-financial Light-Year Security Lab\n\nCVE-2020-11764: Xingwei Lin of Ant-financial Light-Year Security Lab\n\nCVE-2020-11765: Xingwei Lin of Ant-financial Light-Year Security Lab\n\nEntry added September 8, 2020\n\n**ImageIO**\n\nAvailable for: Windows 7 and later\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: An out-of-bounds write issue was addressed with improved bounds checking.\n\nCVE-2020-9871: Xingwei Lin of Ant-financial Light-Year Security Lab\n\nCVE-2020-9872: Xingwei Lin of Ant-financial Light-Year Security Lab\n\nCVE-2020-9874: Xingwei Lin of Ant-financial Light-Year 
Security Lab\n\nCVE-2020-9879: Xingwei Lin of Ant-Financial Light-Year Security Lab\n\nCVE-2020-9936: Mickey Jin of Trend Micro\n\nCVE-2020-9937: Xingwei Lin of Ant-Financial Light-Year Security Lab\n\n**ImageIO**\n\nAvailable for: Windows 7 and later\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2020-9873: Xingwei Lin of Ant-financial Light-Year Security Lab\n\nCVE-2020-9938: Xingwei Lin of Ant-financial Light-Year Security Lab\n\nCVE-2020-9984: an anonymous researcher\n\nEntry updated September 21, 2020\n\n**ImageIO**\n\nAvailable for: Windows 7 and later\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: A buffer overflow issue was addressed with improved memory handling.\n\nCVE-2020-9919: Mickey Jin of Trend Micro\n\n**ImageIO**\n\nAvailable for: Windows 7 and later\n\nImpact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution\n\nDescription: An out-of-bounds write issue was addressed with improved bounds checking.\n\nCVE-2020-9876: Mickey Jin of Trend Micro\n\n**ImageIO**\n\nAvailable for: Windows 7 and later\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2020-9877: Xingwei Lin of Ant-financial Light-Year Security Lab\n\n**ImageIO**\n\nAvailable for: Windows 7 and later\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: An integer overflow was addressed through improved input validation.\n\nCVE-2020-9875: Mickey Jin of Trend Micro\n\n**WebKit**\n\nAvailable for: Windows 7 and later\n\nImpact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution\n\nDescription: An out-of-bounds read was 
addressed with improved input validation.\n\nCVE-2020-9894: 0011 working with Trend Micro Zero Day Initiative\n\n**WebKit**\n\nAvailable for: Windows 7 and later\n\nImpact: Processing maliciously crafted web content may prevent Content Security Policy from being enforced\n\nDescription: An access issue existed in Content Security Policy. This issue was addressed with improved access restrictions.\n\nCVE-2020-9915: Ayoub AIT ELMOKHTAR of Noon\n\n**WebKit**\n\nAvailable for: Windows 7 and later\n\nImpact: Processing maliciously crafted web content may lead to universal cross site scripting\n\nDescription: A logic issue was addressed with improved state management.\n\nCVE-2020-9925: an anonymous researcher\n\n**WebKit**\n\nAvailable for: Windows 7 and later\n\nImpact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution\n\nDescription: A use after free issue was addressed with improved memory management.\n\nCVE-2020-9893: 0011 working with Trend Micro Zero Day Initiative\n\nCVE-2020-9895: Wen Xu of SSLab, Georgia Tech\n\n**WebKit**\n\nAvailable for: Windows 7 and later\n\nImpact: A malicious attacker with arbitrary read and write capability may be able to bypass Pointer Authentication\n\nDescription: Multiple issues were addressed with improved logic.\n\nCVE-2020-9910: Samuel Gro\u00df of Google Project Zero\n\n**WebKit Page Loading**\n\nAvailable for: Windows 7 and later\n\nImpact: A malicious attacker may be able to conceal the destination of a URL\n\nDescription: A URL Unicode encoding issue was addressed with improved state management.\n\nCVE-2020-9916: Rakesh Mane (@RakeshMane10)\n\n**WebKit Web Inspector**\n\nAvailable for: Windows 7 and later\n\nImpact: Copying a URL from Web Inspector may lead to command injection\n\nDescription: A command injection issue existed in Web Inspector. 
This issue was addressed with improved escaping.\n\nCVE-2020-9862: Ophir Lojkine (@lovasoa)\n\n## Additional recognition\n\n**ImageIO**\n\nWe would like to acknowledge Xingwei Lin of Ant-financial Light-Year Security Lab for their assistance.\n\nEntry added September 21, 2020\n", "edition": 6, "modified": "2020-12-15T05:45:32", "published": "2020-12-15T05:45:32", "id": "APPLE:HT211293", "href": "https://support.apple.com/kb/HT211293 ", "title": "About the security content of iTunes 12.10.8 for Windows - Apple Support", "type": "apple", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-24T20:42:02", "bulletinFamily": "software", "cvelist": ["CVE-2020-9871", "CVE-2020-9884", "CVE-2020-9889", "CVE-2020-9905", "CVE-2020-9868", "CVE-2020-9874", "CVE-2020-9907", "CVE-2020-11761", "CVE-2020-9933", "CVE-2020-9862", "CVE-2020-9883", "CVE-2020-9984", "CVE-2020-9904", "CVE-2020-9894", "CVE-2020-11763", "CVE-2020-9914", "CVE-2020-11765", "CVE-2020-9901", "CVE-2020-9891", "CVE-2020-9876", "CVE-2020-9875", "CVE-2020-9910", "CVE-2020-9925", "CVE-2020-9895", "CVE-2020-9938", "CVE-2020-9940", "CVE-2020-9888", "CVE-2020-9916", "CVE-2019-14899", "CVE-2020-9880", "CVE-2020-9877", "CVE-2020-9919", "CVE-2020-9865", "CVE-2020-11758", "CVE-2020-9863", "CVE-2020-6514", "CVE-2020-11760", "CVE-2020-9900", "CVE-2020-9879", "CVE-2020-9878", "CVE-2020-9893", "CVE-2020-9980", "CVE-2020-11759", "CVE-2020-11764", "CVE-2020-9915", "CVE-2020-11762", "CVE-2020-9936", "CVE-2020-9918", "CVE-2020-9902", "CVE-2020-9892", "CVE-2020-9909", "CVE-2020-9890", "CVE-2020-9872", "CVE-2020-9873", "CVE-2020-9937"], "description": "## About Apple security updates\n\nFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. 
Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nApple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.\n\nFor more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page.\n\n\n\n## tvOS 13.4.8\n\nReleased July 15, 2020\n\n**Audio**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: Processing a maliciously crafted audio file may lead to arbitrary code execution\n\nDescription: An out-of-bounds write issue was addressed with improved bounds checking.\n\nCVE-2020-9884: Yu Zhou(@yuzhou6666) of \u5c0f\u9e21\u5e2e working with Trend Micro Zero Day Initiative\n\nCVE-2020-9889: Anonymous working with Trend Micro\u2019s Zero Day Initiative, JunDong Xie and XingWei Lin of Ant-financial Light-Year Security Lab\n\nEntry updated August 10, 2020\n\n**Audio**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: Processing a maliciously crafted audio file may lead to arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2020-9888: JunDong Xie and XingWei Lin of Ant-financial Light-Year Security Lab\n\nCVE-2020-9890: JunDong Xie and XingWei Lin of Ant-financial Light-Year Security Lab\n\nCVE-2020-9891: JunDong Xie and XingWei Lin of Ant-financial Light-Year Security Lab\n\nEntry updated August 10, 2020\n\n**AVEVideoEncoder**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed by removing the vulnerable code.\n\nCVE-2020-9907: 08Tc3wBB working with ZecOps\n\nEntry added July 28, 2020, updated August 31, 2020\n\n**CoreGraphics**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: A buffer overflow issue was addressed 
with improved memory handling.\n\nCVE-2020-9883: an anonymous researcher, Mickey Jin of Trend Micro\n\nEntry added July 28, 2020, updated December 15, 2020\n\n**Crash Reporter**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: A malicious application may be able to break out of its sandbox\n\nDescription: A memory corruption issue was addressed by removing the vulnerable code.\n\nCVE-2020-9865: Zhuo Liang of Qihoo 360 Vulcan Team working with 360 BugCloud\n\n**Crash Reporter**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: A local attacker may be able to elevate their privileges\n\nDescription: An issue existed within the path validation logic for symlinks. This issue was addressed with improved path sanitization.\n\nCVE-2020-9900: Zhongcheng Li (CK01) from Zero-dayits Team of Legendsec at Qi'anxin Group\n\nEntry added August 10, 2020\n\n**FontParser**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: Processing a maliciously crafted font file may lead to arbitrary code execution\n\nDescription: An out-of-bounds write issue was addressed with improved bounds checking.\n\nCVE-2020-9980: Xingwei Lin of Ant Security Light-Year Lab\n\nEntry added September 21, 2020, updated October 19, 2020\n\n**GeoServices**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: A malicious application may be able to read sensitive location information\n\nDescription: An authorization issue was addressed with improved state management.\n\nCVE-2020-9933: Min (Spark) Zheng and Xiaolong Bai of Alibaba Inc.\n\n**iAP**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: An attacker in a privileged network position may be able to perform denial of service attack using malformed Bluetooth packets\n\nDescription: An input validation issue existed in Bluetooth. 
This issue was addressed with improved input validation.\n\nCVE-2020-9914: Andy Davis of NCC Group\n\nEntry updated July 28, 2020\n\n**ImageIO**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: Multiple buffer overflow issues existed in openEXR\n\nDescription: Multiple issues in openEXR were addressed with improved checks.\n\nCVE-2020-11758: Xingwei Lin of Ant-financial Light-Year Security Lab\n\nCVE-2020-11759: Xingwei Lin of Ant-financial Light-Year Security Lab\n\nCVE-2020-11760: Xingwei Lin of Ant-financial Light-Year Security Lab\n\nCVE-2020-11761: Xingwei Lin of Ant-financial Light-Year Security Lab\n\nCVE-2020-11762: Xingwei Lin of Ant-financial Light-Year Security Lab\n\nCVE-2020-11763: Xingwei Lin of Ant-financial Light-Year Security Lab\n\nCVE-2020-11764: Xingwei Lin of Ant-financial Light-Year Security Lab\n\nCVE-2020-11765: Xingwei Lin of Ant-financial Light-Year Security Lab\n\nEntry added September 8, 2020\n\n**ImageIO**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: An out-of-bounds write issue was addressed with improved bounds checking.\n\nCVE-2020-9871: Xingwei Lin of Ant-financial Light-Year Security Lab\n\nCVE-2020-9872: Xingwei Lin of Ant-financial Light-Year Security Lab\n\nCVE-2020-9874: Xingwei Lin of Ant-financial Light-Year Security Lab\n\nCVE-2020-9879: Xingwei Lin of Ant-Financial Light-Year Security Lab\n\nCVE-2020-9936: Mickey Jin of Trend Micro\n\nCVE-2020-9937: Xingwei Lin of Ant-Financial Light-Year Security Lab\n\nEntry updated August 10, 2020\n\n**ImageIO**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: A buffer overflow issue was addressed with improved memory handling.\n\nCVE-2020-9919: Mickey Jin of Trend Micro\n\nEntry added July 28, 2020\n\n**ImageIO**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: Opening a 
maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution\n\nDescription: An out-of-bounds write issue was addressed with improved bounds checking.\n\nCVE-2020-9876: Mickey Jin of Trend Micro\n\nEntry added July 28, 2020\n\n**ImageIO**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2020-9873: Xingwei Lin of Ant-financial Light-Year Security Lab\n\nCVE-2020-9938: Xingwei Lin of Ant-financial Light-Year Security Lab\n\nCVE-2020-9984: an anonymous researcher\n\nEntry added July 28, 2020, updated September 21, 2020\n\n**ImageIO**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2020-9877: Xingwei Lin of Ant-financial Light-Year Security Lab\n\nEntry added August 10, 2020\n\n**ImageIO**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: An integer overflow was addressed through improved input validation.\n\nCVE-2020-9875: Mickey Jin of Trend Micro\n\nEntry added August 10, 2020\n\n**Kernel**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: An attacker in a privileged network position may be able to inject into active connections within a VPN tunnel\n\nDescription: A routing issue was addressed with improved restrictions.\n\nCVE-2019-14899: William J. Tolley, Beau Kujath, and Jedidiah R. 
Crandall\n\n**Kernel**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: An attacker that has already achieved kernel code execution may be able to bypass kernel memory mitigations\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2020-9909: Brandon Azad of Google Project Zero\n\n**Kernel**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved state management.\n\nCVE-2020-9904: Tielei Wang of Pangu Lab\n\nEntry added July 28, 2020\n\n**Kernel**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory initialization issue was addressed with improved memory handling.\n\nCVE-2020-9863: Xinru Chi of Pangu Lab\n\nEntry updated August 10, 2020\n\n**Kernel**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: A malicious application may be able to execute arbitrary code with system privileges\n\nDescription: Multiple memory corruption issues were addressed with improved state management.\n\nCVE-2020-9892: Andy Nguyen of Google\n\nEntry added August 10, 2020\n\n**Kernel**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: A malicious application may be able to determine kernel memory layout\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2020-9902: Xinru Chi and Tielei Wang of Pangu Lab\n\nEntry added August 10, 2020\n\n**Kernel**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: A remote attacker may be able to cause a denial of service\n\nDescription: A buffer overflow was addressed with improved bounds checking.\n\nCVE-2020-9905: Raz Mashat (@RazMashat) of ZecOps\n\nEntry added August 31, 2020\n\n**Model I/O**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: Processing a maliciously crafted USD file may lead to 
unexpected application termination or arbitrary code execution\n\nDescription: A buffer overflow was addressed with improved bounds checking.\n\nCVE-2020-9880: Holger Fuhrmannek of Deutsche Telekom Security\n\nEntry added September 21, 2020\n\n**Model I/O**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: Processing a maliciously crafted USD file may lead to unexpected application termination or arbitrary code execution\n\nDescription: A buffer overflow issue was addressed with improved memory handling.\n\nCVE-2020-9878: Aleksandar Nikolic of Cisco Talos, Holger Fuhrmannek of Deutsche Telekom Security\n\nCVE-2020-9940: Holger Fuhrmannek of Deutsche Telekom Security\n\nEntry added September 21, 2020\n\n**Security**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: An attacker may have been able to impersonate a trusted website using shared key material for an administrator added certificate\n\nDescription: A certificate validation issue existed when processing administrator added certificates. This issue was addressed with improved certificate validation.\n\nCVE-2020-9868: Brian Wolff of Asana\n\nEntry added July 28, 2020\n\n**sysdiagnose**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: A local attacker may be able to elevate their privileges\n\nDescription: An issue existed within the path validation logic for symlinks. 
This issue was addressed with improved path sanitization.\n\nCVE-2020-9901: Tim Michaud (@TimGMichaud) of Leviathan, Zhongcheng Li (CK01) from Zero-dayits Team of Legendsec at Qi'anxin Group\n\nEntry added August 10, 2020, updated August 31, 2020\n\n**WebKit**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2020-9894: 0011 working with Trend Micro Zero Day Initiative\n\n**WebKit**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: Processing maliciously crafted web content may prevent Content Security Policy from being enforced\n\nDescription: An access issue existed in Content Security Policy. This issue was addressed with improved access restrictions.\n\nCVE-2020-9915: Ayoub AIT ELMOKHTAR of Noon\n\nEntry updated July 28, 2020\n\n**WebKit**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: Processing maliciously crafted web content may lead to universal cross site scripting\n\nDescription: A logic issue was addressed with improved state management.\n\nCVE-2020-9925: an anonymous researcher\n\n**WebKit**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution\n\nDescription: A use after free issue was addressed with improved memory management.\n\nCVE-2020-9893: 0011 working with Trend Micro Zero Day Initiative\n\nCVE-2020-9895: Wen Xu of SSLab, Georgia Tech\n\n**WebKit**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: A malicious attacker with arbitrary read and write capability may be able to bypass Pointer Authentication\n\nDescription: Multiple issues were addressed with improved logic.\n\nCVE-2020-9910: Samuel Gro\u00df of Google Project Zero\n\n**WebKit Page Loading**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: A malicious 
attacker may be able to conceal the destination of a URL\n\nDescription: A URL Unicode encoding issue was addressed with improved state management.\n\nCVE-2020-9916: Rakesh Mane (@RakeshMane10)\n\n**WebKit Web Inspector**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: Copying a URL from Web Inspector may lead to command injection\n\nDescription: A command injection issue existed in Web Inspector. This issue was addressed with improved escaping.\n\nCVE-2020-9862: Ophir Lojkine (@lovasoa)\n\n**WebRTC**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: An attacker in a privileged network position may be able to cause heap corruption via a crafted SCTP stream\n\nDescription: A memory corruption issue was addressed with improved state management.\n\nCVE-2020-6514: Natalie Silvanovich of Google Project Zero\n\nEntry added September 21, 2020\n\n**Wi-Fi**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: A remote attacker may be able to cause unexpected system termination or corrupt kernel memory\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2020-9918: Jianjun Dai of 360 Alpha Lab working with 360 BugCloud (bugcloud.360.cn)\n\n\n\n## Additional recognition\n\n**CoreFoundation**\n\nWe would like to acknowledge Bobby Pelletier for their assistance.\n\nEntry added September 8, 2020\n\n**ImageIO**\n\nWe would like to acknowledge Xingwei Lin of Ant-financial Light-Year Security Lab for their assistance.\n\nEntry added September 21, 2020\n\n**Kernel**\n\nWe would like to acknowledge Brandon Azad of Google Project Zero for their assistance.\n", "edition": 11, "modified": "2020-12-15T05:58:45", "published": "2020-12-15T05:58:45", "id": "APPLE:HT211290", "href": "https://support.apple.com/kb/HT211290", "title": "About the security content of tvOS 13.4.8 - Apple Support", "type": "apple", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-24T20:41:44", "bulletinFamily": 
"software", "cvelist": ["CVE-2020-9871", "CVE-2020-9884", "CVE-2020-9889", "CVE-2020-9868", "CVE-2020-9874", "CVE-2020-11761", "CVE-2020-9933", "CVE-2020-9862", "CVE-2020-9883", "CVE-2020-9885", "CVE-2020-9906", "CVE-2020-9984", "CVE-2020-9904", "CVE-2020-9894", "CVE-2020-11763", "CVE-2020-11765", "CVE-2020-9891", "CVE-2020-9876", "CVE-2020-9875", "CVE-2020-9910", "CVE-2020-9925", "CVE-2020-9895", "CVE-2020-9938", "CVE-2020-9888", "CVE-2020-9916", "CVE-2020-9923", "CVE-2020-9880", "CVE-2020-9877", "CVE-2020-9919", "CVE-2020-9865", "CVE-2020-11758", "CVE-2020-9863", "CVE-2020-6514", "CVE-2020-11760", "CVE-2020-9900", "CVE-2020-9879", "CVE-2020-9878", "CVE-2020-9893", "CVE-2020-9920", "CVE-2020-9985", "CVE-2020-9980", "CVE-2020-11759", "CVE-2020-9882", "CVE-2020-11764", "CVE-2020-9915", "CVE-2020-11762", "CVE-2020-9936", "CVE-2020-9918", "CVE-2020-9902", "CVE-2020-9881", "CVE-2020-9892", "CVE-2020-9997", "CVE-2020-9909", "CVE-2020-9890", "CVE-2020-9872", "CVE-2020-9873", "CVE-2020-9937"], "description": "## About Apple security updates\n\nFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. 
Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nApple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.\n\nFor more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page.\n\n\n\n## watchOS 6.2.8\n\nReleased July 15, 2020\n\n**Audio**\n\nAvailable for: Apple Watch Series 1 and later\n\nImpact: Processing a maliciously crafted audio file may lead to arbitrary code execution\n\nDescription: An out-of-bounds write issue was addressed with improved bounds checking.\n\nCVE-2020-9884: Yu Zhou(@yuzhou6666) of \u5c0f\u9e21\u5e2e working with Trend Micro Zero Day Initiative\n\nCVE-2020-9889: Anonymous working with Trend Micro\u2019s Zero Day Initiative, JunDong Xie and XingWei Lin of Ant-financial Light-Year Security Lab\n\nEntry updated August 10, 2020\n\n**Audio**\n\nAvailable for: Apple Watch Series 1 and later\n\nImpact: Processing a maliciously crafted audio file may lead to arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2020-9888: JunDong Xie and XingWei Lin of Ant-financial Light-Year Security Lab\n\nCVE-2020-9890: JunDong Xie and XingWei Lin of Ant-financial Light-Year Security Lab\n\nCVE-2020-9891: JunDong Xie and XingWei Lin of Ant-financial Light-Year Security Lab\n\nEntry updated August 10, 2020\n\n**CoreGraphics**\n\nAvailable for: Apple Watch Series 1 and later\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: A buffer overflow issue was addressed with improved memory handling.\n\nCVE-2020-9883: an anonymous researcher, Mickey Jin of Trend Micro\n\nEntry added July 28, 2020, updated December 15, 2020\n\n**Crash Reporter**\n\nAvailable for: Apple Watch Series 1 and later\n\nImpact: A malicious application may be able to break out of its sandbox\n\nDescription: A memory corruption 
issue was addressed by removing the vulnerable code.\n\nCVE-2020-9865: Zhuo Liang of Qihoo 360 Vulcan Team working with 360 BugCloud\n\n**Crash Reporter**\n\nAvailable for: Apple Watch Series 1 and later\n\nImpact: A local attacker may be able to elevate their privileges\n\nDescription: An issue existed within the path validation logic for symlinks. This issue was addressed with improved path sanitization.\n\nCVE-2020-9900: Zhongcheng Li (CK01) from Zero-dayits Team of Legendsec at Qi'anxin Group\n\nEntry added August 10, 2020\n\n**FontParser**\n\nAvailable for: Apple Watch Series 1 and later\n\nImpact: Processing a maliciously crafted font file may lead to arbitrary code execution\n\nDescription: An out-of-bounds write issue was addressed with improved bounds checking.\n\nCVE-2020-9980: Xingwei Lin of Ant Security Light-Year Lab\n\nEntry added September 21, 2020, updated October 19, 2020\n\n**GeoServices**\n\nAvailable for: Apple Watch Series 1 and later\n\nImpact: A malicious application may be able to read sensitive location information\n\nDescription: An authorization issue was addressed with improved state management.\n\nCVE-2020-9933: Min (Spark) Zheng and Xiaolong Bai of Alibaba Inc.\n\n**ImageIO**\n\nAvailable for: Apple Watch Series 1 and later\n\nImpact: Multiple buffer overflow issues existed in openEXR\n\nDescription: Multiple issues in openEXR were addressed with improved checks.\n\nCVE-2020-11758: Xingwei Lin of Ant-financial Light-Year Security Lab\n\nCVE-2020-11759: Xingwei Lin of Ant-financial Light-Year Security Lab\n\nCVE-2020-11760: Xingwei Lin of Ant-financial Light-Year Security Lab\n\nCVE-2020-11761: Xingwei Lin of Ant-financial Light-Year Security Lab\n\nCVE-2020-11762: Xingwei Lin of Ant-financial Light-Year Security Lab\n\nCVE-2020-11763: Xingwei Lin of Ant-financial Light-Year Security Lab\n\nCVE-2020-11764: Xingwei Lin of Ant-financial Light-Year Security Lab\n\nCVE-2020-11765: Xingwei Lin of Ant-financial Light-Year Security 
Lab\n\nEntry added September 8, 2020\n\n**ImageIO**\n\nAvailable for: Apple Watch Series 1 and later\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: An out-of-bounds write issue was addressed with improved bounds checking.\n\nCVE-2020-9871: Xingwei Lin of Ant-financial Light-Year Security Lab\n\nCVE-2020-9872: Xingwei Lin of Ant-financial Light-Year Security Lab\n\nCVE-2020-9874: Xingwei Lin of Ant-financial Light-Year Security Lab\n\nCVE-2020-9879: Xingwei Lin of Ant-Financial Light-Year Security Lab\n\nCVE-2020-9936: Mickey Jin of Trend Micro\n\nCVE-2020-9937: Xingwei Lin of Ant-Financial Light-Year Security Lab\n\nEntry updated August 10, 2020\n\n**ImageIO**\n\nAvailable for: Apple Watch Series 1 and later\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: A buffer overflow issue was addressed with improved memory handling.\n\nCVE-2020-9919: Mickey Jin of Trend Micro\n\nEntry added July 28, 2020\n\n**ImageIO**\n\nAvailable for: Apple Watch Series 1 and later\n\nImpact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution\n\nDescription: An out-of-bounds write issue was addressed with improved bounds checking.\n\nCVE-2020-9876: Mickey Jin of Trend Micro\n\nEntry added July 28, 2020\n\n**ImageIO**\n\nAvailable for: Apple Watch Series 1 and later\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2020-9873: Xingwei Lin of Ant-financial Light-Year Security Lab\n\nCVE-2020-9938: Xingwei Lin of Ant-financial Light-Year Security Lab\n\nCVE-2020-9984: an anonymous researcher\n\nEntry added July 28, 2020, updated September 21, 2020\n\n**ImageIO**\n\nAvailable for: Apple Watch Series 1 and later\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code 
execution\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2020-9877: Xingwei Lin of Ant-financial Light-Year Security Lab\n\nEntry added August 10, 2020\n\n**ImageIO**\n\nAvailable for: Apple Watch Series 1 and later\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: An integer overflow was addressed through improved input validation.\n\nCVE-2020-9875: Mickey Jin of Trend Micro\n\nEntry added August 10, 2020\n\n**Kernel**\n\nAvailable for: Apple Watch Series 1 and later\n\nImpact: A malicious application may be able to execute arbitrary code with system privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2020-9923: Proteas\n\n**Kernel**\n\nAvailable for: Apple Watch Series 1 and later\n\nImpact: An attacker that has already achieved kernel code execution may be able to bypass kernel memory mitigations\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2020-9909: Brandon Azad of Google Project Zero\n\n**Kernel**\n\nAvailable for: Apple Watch Series 1 and later\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved state management.\n\nCVE-2020-9904: Tielei Wang of Pangu Lab\n\nEntry added July 28, 2020\n\n**Kernel**\n\nAvailable for: Apple Watch Series 1 and later\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory initialization issue was addressed with improved memory handling.\n\nCVE-2020-9863: Xinru Chi of Pangu Lab\n\nEntry updated August 10, 2020\n\n**Kernel**\n\nAvailable for: Apple Watch Series 1 and later\n\nImpact: A malicious application may be able to execute arbitrary code with system privileges\n\nDescription: Multiple memory corruption issues were addressed with improved state management.\n\nCVE-2020-9892: 
Andy Nguyen of Google\n\nEntry added August 10, 2020\n\n**Kernel**\n\nAvailable for: Apple Watch Series 1 and later\n\nImpact: A malicious application may be able to determine kernel memory layout\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2020-9902: Xinru Chi and Tielei Wang of Pangu Lab\n\nEntry added August 10, 2020\n\n**Kernel**\n\nAvailable for: Apple Watch Series 1 and later\n\nImpact: A malicious application may disclose restricted memory\n\nDescription: An information disclosure issue was addressed with improved state management.\n\nCVE-2020-9997: Catalin Valeriu Lita of SecurityScorecard\n\nEntry added September 21, 2020\n\n**Mail**\n\nAvailable for: Apple Watch Series 1 and later\n\nImpact: A malicious mail server may overwrite arbitrary mail files\n\nDescription: A path handling issue was addressed with improved validation.\n\nCVE-2020-9920: YongYue Wang AKA BigChan of Hillstone Networks AF Team\n\nEntry added July 28, 2020\n\n**Messages**\n\nAvailable for: Apple Watch Series 1 and later\n\nImpact: A user that is removed from an iMessage group could rejoin the group\n\nDescription: An issue existed in the handling of iMessage tapbacks. 
The issue was resolved with additional verification.\n\nCVE-2020-9885: an anonymous researcher, Suryansh Mansharamani, of WWP High School North (medium.com/@suryanshmansha)\n\n**Model I/O**\n\nAvailable for: Apple Watch Series 1 and later\n\nImpact: Processing a maliciously crafted USD file may lead to unexpected application termination or arbitrary code execution\n\nDescription: A buffer overflow was addressed with improved bounds checking.\n\nCVE-2020-9880: Holger Fuhrmannek of Deutsche Telekom Security\n\nEntry added September 21, 2020\n\n**Model I/O**\n\nAvailable for: Apple Watch Series 1 and later\n\nImpact: Processing a maliciously crafted USD file may lead to unexpected application termination or arbitrary code execution\n\nDescription: A buffer overflow issue was addressed with improved memory handling.\n\nCVE-2020-9878: Aleksandar Nikolic of Cisco Talos, Holger Fuhrmannek of Deutsche Telekom Security\n\nCVE-2020-9881: Holger Fuhrmannek of Deutsche Telekom Security\n\nCVE-2020-9882: Holger Fuhrmannek of Deutsche Telekom Security\n\nCVE-2020-9985: Holger Fuhrmannek of Deutsche Telekom Security\n\nEntry added September 21, 2020\n\n**Security**\n\nAvailable for: Apple Watch Series 1 and later\n\nImpact: An attacker may have been able to impersonate a trusted website using shared key material for an administrator added certificate\n\nDescription: A certificate validation issue existed when processing administrator added certificates. 
This issue was addressed with improved certificate validation.\n\nCVE-2020-9868: Brian Wolff of Asana\n\nEntry added July 28, 2020\n\n**WebKit**\n\nAvailable for: Apple Watch Series 1 and later\n\nImpact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2020-9894: 0011 working with Trend Micro Zero Day Initiative\n\n**WebKit**\n\nAvailable for: Apple Watch Series 1 and later\n\nImpact: Processing maliciously crafted web content may prevent Content Security Policy from being enforced\n\nDescription: An access issue existed in Content Security Policy. This issue was addressed with improved access restrictions.\n\nCVE-2020-9915: Ayoub AIT ELMOKHTAR of Noon\n\nEntry updated July 28, 2020\n\n**WebKit**\n\nAvailable for: Apple Watch Series 1 and later\n\nImpact: Processing maliciously crafted web content may lead to universal cross site scripting\n\nDescription: A logic issue was addressed with improved state management.\n\nCVE-2020-9925: an anonymous researcher\n\n**WebKit**\n\nAvailable for: Apple Watch Series 1 and later\n\nImpact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution\n\nDescription: A use after free issue was addressed with improved memory management.\n\nCVE-2020-9893: 0011 working with Trend Micro Zero Day Initiative\n\nCVE-2020-9895: Wen Xu of SSLab, Georgia Tech\n\n**WebKit**\n\nAvailable for: Apple Watch Series 1 and later\n\nImpact: A malicious attacker with arbitrary read and write capability may be able to bypass Pointer Authentication\n\nDescription: Multiple issues were addressed with improved logic.\n\nCVE-2020-9910: Samuel Gro\u00df of Google Project Zero\n\n**WebKit Page Loading**\n\nAvailable for: Apple Watch Series 1 and later\n\nImpact: A malicious attacker may be able to conceal the destination of a URL\n\nDescription: A URL Unicode encoding 
issue was addressed with improved state management.\n\nCVE-2020-9916: Rakesh Mane (@RakeshMane10)\n\n**WebKit Web Inspector**\n\nAvailable for: Apple Watch Series 1 and later\n\nImpact: Copying a URL from Web Inspector may lead to command injection\n\nDescription: A command injection issue existed in Web Inspector. This issue was addressed with improved escaping.\n\nCVE-2020-9862: Ophir Lojkine (@lovasoa)\n\n**WebRTC**\n\nAvailable for: Apple Watch Series 1 and later\n\nImpact: An attacker in a privileged network position may be able to cause heap corruption via a crafted SCTP stream\n\nDescription: A memory corruption issue was addressed with improved state management.\n\nCVE-2020-6514: Natalie Silvanovich of Google Project Zero\n\nEntry added September 21, 2020\n\n**Wi-Fi**\n\nAvailable for: Apple Watch Series 1 and later\n\nImpact: A remote attacker may be able to cause unexpected system termination or corrupt kernel memory\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2020-9918: Jianjun Dai of 360 Alpha Lab working with 360 BugCloud (bugcloud.360.cn)\n\n**Wi-Fi**\n\nAvailable for: Apple Watch Series 1 and later\n\nImpact: A remote attacker may be able to cause unexpected system termination or corrupt kernel memory\n\nDescription: A memory corruption issue was addressed with improved input validation.\n\nCVE-2020-9906: Ian Beer of Google Project Zero\n\nEntry added July 28, 2020\n\n\n\n## Additional recognition\n\n**CoreFoundation**\n\nWe would like to acknowledge Bobby Pelletier for their assistance.\n\nEntry added September 8, 2020\n\n**Kernel**\n\nWe would like to acknowledge Brandon Azad of Google Project Zero for their assistance.\n", "edition": 10, "modified": "2020-12-15T05:53:50", "published": "2020-12-15T05:53:50", "id": "APPLE:HT211291", "href": "https://support.apple.com/kb/HT211291", "title": "About the security content of watchOS 6.2.8 - Apple Support", "type": "apple", "cvss": {"score": 10.0, "vector": 
"AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-24T20:44:53", "bulletinFamily": "software", "cvelist": ["CVE-2020-9871", "CVE-2019-19906", "CVE-2020-9884", "CVE-2020-9889", "CVE-2020-9905", "CVE-2020-9868", "CVE-2020-9874", "CVE-2020-9907", "CVE-2020-11761", "CVE-2020-9933", "CVE-2020-9862", "CVE-2020-9883", "CVE-2020-9885", "CVE-2020-9906", "CVE-2020-9984", "CVE-2020-9904", "CVE-2020-9894", "CVE-2020-11763", "CVE-2020-9914", "CVE-2020-11765", "CVE-2020-9901", "CVE-2020-9891", "CVE-2020-9876", "CVE-2020-9903", "CVE-2020-9875", "CVE-2020-9910", "CVE-2020-9925", "CVE-2020-9898", "CVE-2020-9895", "CVE-2020-9911", "CVE-2020-9938", "CVE-2020-9940", "CVE-2020-9888", "CVE-2020-9934", "CVE-2020-9916", "CVE-2020-9923", "CVE-2019-14899", "CVE-2020-9880", "CVE-2020-9877", "CVE-2020-9917", "CVE-2020-9919", "CVE-2020-9865", "CVE-2020-11758", "CVE-2020-9863", "CVE-2020-6514", "CVE-2020-11760", "CVE-2020-9931", "CVE-2020-9900", "CVE-2020-9879", "CVE-2020-9878", "CVE-2020-9893", "CVE-2020-9920", "CVE-2020-9985", "CVE-2020-9980", "CVE-2020-11759", "CVE-2020-9882", "CVE-2020-11764", "CVE-2020-9915", "CVE-2020-11762", "CVE-2020-9936", "CVE-2020-9918", "CVE-2020-9902", "CVE-2020-9881", "CVE-2020-9892", "CVE-2020-9909", "CVE-2020-9890", "CVE-2020-9872", "CVE-2020-9873", "CVE-2020-9937"], "description": "## About Apple security updates\n\nFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. 
Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nApple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.\n\nFor more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page.\n\n\n\n## iOS 13.6 and iPadOS 13.6\n\nReleased July 15, 2020\n\n**Audio**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: Processing a maliciously crafted audio file may lead to arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2020-9888: JunDong Xie and XingWei Lin of Ant-financial Light-Year Security Lab\n\nCVE-2020-9890: JunDong Xie and XingWei Lin of Ant-financial Light-Year Security Lab\n\nCVE-2020-9891: JunDong Xie and XingWei Lin of Ant-financial Light-Year Security Lab\n\nEntry updated August 5, 2020\n\n**Audio**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: Processing a maliciously crafted audio file may lead to arbitrary code execution\n\nDescription: An out-of-bounds write issue was addressed with improved bounds checking.\n\nCVE-2020-9884: Yu Zhou(@yuzhou6666) of \u5c0f\u9e21\u5e2e working with Trend Micro Zero Day Initiative\n\nCVE-2020-9889: Anonymous working with Trend Micro\u2019s Zero Day Initiative, JunDong Xie and XingWei Lin of Ant-financial Light-Year Security Lab\n\nEntry updated August 5, 2020\n\n**AVEVideoEncoder**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed by removing the vulnerable code.\n\nCVE-2020-9907: 08Tc3wBB working with ZecOps\n\nEntry added July 24, 2020, updated 
August 31, 2020\n\n**Bluetooth**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: A remote attacker may cause an unexpected application termination\n\nDescription: A denial of service issue was addressed with improved input validation.\n\nCVE-2020-9931: Dennis Heinze (@ttdennis) of TU Darmstadt, Secure Mobile Networking Lab\n\n**CoreFoundation**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: A local user may be able to view sensitive user information\n\nDescription: An issue existed in the handling of environment variables. This issue was addressed with improved validation.\n\nCVE-2020-9934: Matt Shockley (linkedin.com/in/shocktop)\n\nEntry updated August 5, 2020\n\n**CoreGraphics**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: A buffer overflow issue was addressed with improved memory handling.\n\nCVE-2020-9883: an anonymous researcher, Mickey Jin of Trend Micro\n\nEntry added July 24, 2020, updated December 15, 2020\n\n**Crash Reporter**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: A malicious application may be able to break out of its sandbox\n\nDescription: A memory corruption issue was addressed by removing the vulnerable code.\n\nCVE-2020-9865: Zhuo Liang of Qihoo 360 Vulcan Team working with 360 BugCloud\n\n**Crash Reporter**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: A local attacker may be able to elevate their privileges\n\nDescription: An issue existed within the path validation logic for symlinks. 
This issue was addressed with improved path sanitization.\n\nCVE-2020-9900: Zhongcheng Li (CK01) from Zero-dayits Team of Legendsec at Qi'anxin Group\n\nEntry added August 5, 2020\n\n**FontParser**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: Processing a maliciously crafted font file may lead to arbitrary code execution\n\nDescription: An out-of-bounds write issue was addressed with improved bounds checking.\n\nCVE-2020-9980: Xingwei Lin of Ant Security Light-Year Lab\n\nEntry added September 21, 2020, updated October 19, 2020\n\n**GeoServices**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: A malicious application may be able to read sensitive location information\n\nDescription: An authorization issue was addressed with improved state management.\n\nCVE-2020-9933: Min (Spark) Zheng and Xiaolong Bai of Alibaba Inc.\n\n**iAP**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: An attacker in a privileged network position may be able to perform a denial of service attack using malformed Bluetooth packets\n\nDescription: An input validation issue existed in Bluetooth. 
This issue was addressed with improved input validation.\n\nCVE-2020-9914: Andy Davis of NCC Group\n\nEntry updated July 24, 2020\n\n**ImageIO**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: Multiple buffer overflow issues existed in openEXR\n\nDescription: Multiple issues in openEXR were addressed with improved checks.\n\nCVE-2020-11758: Xingwei Lin of Ant-financial Light-Year Security Lab\n\nCVE-2020-11759: Xingwei Lin of Ant-financial Light-Year Security Lab\n\nCVE-2020-11760: Xingwei Lin of Ant-financial Light-Year Security Lab\n\nCVE-2020-11761: Xingwei Lin of Ant-financial Light-Year Security Lab\n\nCVE-2020-11762: Xingwei Lin of Ant-financial Light-Year Security Lab\n\nCVE-2020-11763: Xingwei Lin of Ant-financial Light-Year Security Lab\n\nCVE-2020-11764: Xingwei Lin of Ant-financial Light-Year Security Lab\n\nCVE-2020-11765: Xingwei Lin of Ant-financial Light-Year Security Lab\n\nEntry added September 8, 2020\n\n**ImageIO**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: An out-of-bounds write issue was addressed with improved bounds checking.\n\nCVE-2020-9871: Xingwei Lin of Ant-financial Light-Year Security Lab\n\nCVE-2020-9872: Xingwei Lin of Ant-financial Light-Year Security Lab\n\nCVE-2020-9874: Xingwei Lin of Ant-financial Light-Year Security Lab\n\nCVE-2020-9879: Xingwei Lin of Ant-Financial Light-Year Security Lab\n\nCVE-2020-9936: Mickey Jin of Trend Micro\n\nCVE-2020-9937: Xingwei Lin of Ant-Financial Light-Year Security Lab\n\nEntry updated August 5, 2020\n\n**ImageIO**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: A buffer 
overflow issue was addressed with improved memory handling.\n\nCVE-2020-9919: Mickey Jin of Trend Micro\n\nEntry added July 24, 2020\n\n**ImageIO**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution\n\nDescription: An out-of-bounds write issue was addressed with improved bounds checking.\n\nCVE-2020-9876: Mickey Jin of Trend Micro\n\nEntry added July 24, 2020\n\n**ImageIO**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2020-9873: Xingwei Lin of Ant-financial Light-Year Security Lab\n\nCVE-2020-9938: Xingwei Lin of Ant-financial Light-Year Security Lab\n\nCVE-2020-9984: an anonymous researcher\n\nEntry added July 24, 2020, updated September 21, 2020\n\n**ImageIO**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2020-9877: Xingwei Lin of Ant-financial Light-Year Security Lab\n\nEntry added August 5, 2020\n\n**ImageIO**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: An integer overflow was addressed through improved input validation.\n\nCVE-2020-9875: Mickey Jin of Trend Micro\n\nEntry added August 5, 2020\n\n**Kernel**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th 
generation)\n\nImpact: A malicious application may be able to execute arbitrary code with system privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2020-9923: Proteas\n\n**Kernel**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: An attacker in a privileged network position may be able to inject into active connections within a VPN tunnel\n\nDescription: A routing issue was addressed with improved restrictions.\n\nCVE-2019-14899: William J. Tolley, Beau Kujath, and Jedidiah R. Crandall\n\n**Kernel**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: An attacker that has already achieved kernel code execution may be able to bypass kernel memory mitigations\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2020-9909: Brandon Azad of Google Project Zero\n\n**Kernel**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved state management.\n\nCVE-2020-9904: Tielei Wang of Pangu Lab\n\nEntry added July 24, 2020\n\n**Kernel**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory initialization issue was addressed with improved memory handling.\n\nCVE-2020-9863: Xinru Chi of Pangu Lab\n\nEntry updated August 5, 2020\n\n**Kernel**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: A malicious application may be able to execute arbitrary code with system 
privileges\n\nDescription: Multiple memory corruption issues were addressed with improved state management.\n\nCVE-2020-9892: Andy Nguyen of Google\n\nEntry added July 24, 2020\n\n**Kernel**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: A malicious application may be able to determine kernel memory layout\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2020-9902: Xinru Chi and Tielei Wang of Pangu Lab\n\nEntry added August 5, 2020\n\n**Kernel**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: A remote attacker may be able to cause a denial of service\n\nDescription: A buffer overflow was addressed with improved bounds checking.\n\nCVE-2020-9905: Raz Mashat (@RazMashat) of ZecOps\n\nEntry added August 5, 2020\n\n**Mail**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: A remote attacker may be able to cause a denial of service\n\nDescription: An out-of-bounds write issue was addressed with improved bounds checking.\n\nCVE-2019-19906\n\nEntry added July 24, 2020, updated September 8, 2020\n\n**Mail**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: A malicious mail server may overwrite arbitrary mail files\n\nDescription: A path handling issue was addressed with improved validation.\n\nCVE-2020-9920: YongYue Wang AKA BigChan of Hillstone Networks AF Team\n\nEntry added July 24, 2020\n\n**Messages**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: A user that is removed from an iMessage group could rejoin the group\n\nDescription: An issue existed in the handling of iMessage tapbacks. 
The issue was resolved with additional verification.\n\nCVE-2020-9885: an anonymous researcher, Suryansh Mansharamani of WWP High School North (medium.com/@suryanshmansha)\n\n**Model I/O**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: Processing a maliciously crafted USD file may lead to unexpected application termination or arbitrary code execution\n\nDescription: A buffer overflow issue was addressed with improved memory handling.\n\nCVE-2020-9878: Aleksandar Nikolic of Cisco Talos, Holger Fuhrmannek of Deutsche Telekom Security\n\nCVE-2020-9881: Holger Fuhrmannek of Deutsche Telekom Security\n\nCVE-2020-9882: Holger Fuhrmannek of Deutsche Telekom Security\n\nCVE-2020-9940: Holger Fuhrmannek of Deutsche Telekom Security\n\nCVE-2020-9985: Holger Fuhrmannek of Deutsche Telekom Security\n\nEntry updated September 21, 2020\n\n**Model I/O**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: Processing a maliciously crafted USD file may lead to unexpected application termination or arbitrary code execution\n\nDescription: A buffer overflow was addressed with improved bounds checking.\n\nCVE-2020-9880: Holger Fuhrmannek of Deutsche Telekom Security\n\nEntry added September 21, 2020\n\n**Safari Login AutoFill**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: A malicious attacker may cause Safari to suggest a password for the wrong domain\n\nDescription: A logic issue was addressed with improved restrictions.\n\nCVE-2020-9903: Nikhil Mittal (@c0d3G33k) of Payatu Labs (payatu.com)\n\n**Safari Reader**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: An issue in Safari Reader mode may allow a remote attacker to bypass the Same Origin Policy\n\nDescription: A logic 
issue was addressed with improved restrictions.\n\nCVE-2020-9911: Nikhil Mittal (@c0d3G33k) of Payatu Labs (payatu.com)\n\n**Security**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: An attacker may have been able to impersonate a trusted website using shared key material for an administrator added certificate\n\nDescription: A certificate validation issue existed when processing administrator added certificates. This issue was addressed with improved certificate validation.\n\nCVE-2020-9868: Brian Wolff of Asana\n\nEntry added July 24, 2020\n\n**sysdiagnose**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: A local attacker may be able to elevate their privileges\n\nDescription: An issue existed within the path validation logic for symlinks. This issue was addressed with improved path sanitization.\n\nCVE-2020-9901: Tim Michaud (@TimGMichaud) of Leviathan, Zhongcheng Li (CK01) from Zero-dayits Team of Legendsec at Qi'anxin Group\n\nEntry added August 5, 2020, updated August 31, 2020\n\n**WebDAV**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: A sandboxed process may be able to circumvent sandbox restrictions\n\nDescription: This issue was addressed with improved entitlements.\n\nCVE-2020-9898: Sreejith Krishnan R (@skr0x1C0)\n\nEntry added September 8, 2020\n\n**WebKit**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2020-9894: 0011 working with Trend Micro Zero Day Initiative\n\n**WebKit**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 
and later, and iPod touch (7th generation)\n\nImpact: Processing maliciously crafted web content may prevent Content Security Policy from being enforced\n\nDescription: An access issue existed in Content Security Policy. This issue was addressed with improved access restrictions.\n\nCVE-2020-9915: Ayoub AIT ELMOKHTAR of Noon\n\nEntry updated July 24, 2020\n\n**WebKit**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution\n\nDescription: A use after free issue was addressed with improved memory management.\n\nCVE-2020-9893: 0011 working with Trend Micro Zero Day Initiative\n\nCVE-2020-9895: Wen Xu of SSLab, Georgia Tech\n\n**WebKit**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: Processing maliciously crafted web content may lead to universal cross site scripting\n\nDescription: A logic issue was addressed with improved state management.\n\nCVE-2020-9925: an anonymous researcher\n\n**WebKit**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: A malicious attacker with arbitrary read and write capability may be able to bypass Pointer Authentication\n\nDescription: Multiple issues were addressed with improved logic.\n\nCVE-2020-9910: Samuel Gro\u00df of Google Project Zero\n\n**WebKit Page Loading**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: A malicious attacker may be able to conceal the destination of a URL\n\nDescription: A URL Unicode encoding issue was addressed with improved state management.\n\nCVE-2020-9916: Rakesh Mane (@RakeshMane10)\n\n**WebKit Web Inspector**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and 
iPod touch (7th generation)\n\nImpact: Copying a URL from Web Inspector may lead to command injection\n\nDescription: A command injection issue existed in Web Inspector. This issue was addressed with improved escaping.\n\nCVE-2020-9862: Ophir Lojkine (@lovasoa)\n\n**WebRTC**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: An attacker in a privileged network position may be able to cause heap corruption via a crafted SCTP stream\n\nDescription: A memory corruption issue was addressed with improved state management.\n\nCVE-2020-6514: Natalie Silvanovich of Google Project Zero\n\nEntry added September 21, 2020\n\n**Wi-Fi**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: A remote attacker may be able to cause unexpected system termination or corrupt kernel memory\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2020-9918: Jianjun Dai of 360 Alpha Lab working with 360 BugCloud (bugcloud.360.cn)\n\n**Wi-Fi**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: A remote attacker may be able to cause unexpected system termination or corrupt kernel memory\n\nDescription: A memory corruption issue was addressed with improved input validation.\n\nCVE-2020-9906: Ian Beer of Google Project Zero\n\nEntry added July 24, 2020\n\n**Wi-Fi**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: A remote attacker may be able to cause a denial of service\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2020-9917: Pradeep Deokate of Harman, Stefan B\u00f6hrer at Daimler AG, proofnet.de\n\nEntry updated July 24, 2020\n\n\n\n## Additional recognition\n\n**Bluetooth**\n\nWe would like to acknowledge Andy Davis of NCC Group for 
their assistance.\n\n**CoreFoundation**\n\nWe would like to acknowledge Bobby Pelletier for their assistance.\n\nEntry added September 8, 2020\n\n**ImageIO**\n\nWe would like to acknowledge Xingwei Lin of Ant-financial Light-Year Security Lab for their assistance.\n\nEntry added September 21, 2020\n\n**Kernel**\n\nWe would like to acknowledge Brandon Azad of Google Project Zero for their assistance.\n\n**USB Audio**\n\nWe would like to acknowledge Andy Davis of NCC Group for their assistance.\n", "edition": 11, "modified": "2020-12-15T05:18:44", "published": "2020-12-15T05:18:44", "id": "APPLE:HT211288", "href": "https://support.apple.com/kb/HT211288", "title": "About the security content of iOS 13.6 and iPadOS 13.6 - Apple Support", "type": "apple", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-24T20:42:23", "bulletinFamily": "software", "cvelist": ["CVE-2020-9871", "CVE-2014-9512", "CVE-2019-19906", "CVE-2020-9884", "CVE-2020-9870", "CVE-2020-9889", "CVE-2020-9905", "CVE-2020-9927", "CVE-2020-9868", "CVE-2020-9874", "CVE-2020-9990", "CVE-2020-11761", "CVE-2020-9883", "CVE-2020-9854", "CVE-2020-9885", "CVE-2020-9928", "CVE-2020-9906", "CVE-2020-9939", "CVE-2020-9984", "CVE-2020-9904", "CVE-2020-11763", "CVE-2020-9929", "CVE-2020-11765", "CVE-2020-9901", "CVE-2020-9891", "CVE-2020-9876", "CVE-2020-9875", "CVE-2020-9887", "CVE-2020-9898", "CVE-2020-9866", "CVE-2020-9908", "CVE-2020-9864", "CVE-2020-9938", "CVE-2020-9949", "CVE-2020-9940", "CVE-2020-9888", "CVE-2020-9934", "CVE-2020-9930", "CVE-2019-14899", "CVE-2020-9880", "CVE-2020-9877", "CVE-2020-9919", "CVE-2020-9865", "CVE-2020-11758", "CVE-2020-9863", "CVE-2020-9922", "CVE-2020-11760", "CVE-2020-9924", "CVE-2019-20807", "CVE-2020-9900", "CVE-2020-9879", "CVE-2020-9878", "CVE-2020-9921", "CVE-2020-9920", "CVE-2020-9985", "CVE-2020-9980", "CVE-2020-11759", "CVE-2020-9882", "CVE-2020-11764", "CVE-2020-9935", "CVE-2020-9913", "CVE-2020-11762", "CVE-2020-9899", 
"CVE-2020-9799", "CVE-2020-9936", "CVE-2020-9918", "CVE-2020-9902", "CVE-2020-9881", "CVE-2020-9869", "CVE-2020-9892", "CVE-2020-12243", "CVE-2020-9997", "CVE-2020-9994", "CVE-2020-9890", "CVE-2020-9872", "CVE-2020-9873", "CVE-2020-9937"], "description": "## About Apple security updates\n\nFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nApple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.\n\nFor more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page.\n\n\n\n## macOS Catalina 10.15.6, Security Update 2020-004 Mojave, Security Update 2020-004 High Sierra\n\nReleased July 15, 2020\n\n**AMD**\n\nAvailable for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6, macOS Catalina 10.15.5\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved input validation.\n\nCVE-2020-9927: Lilang Wu working with TrendMicro\u2019s Zero Day Initiative\n\nEntry updated August 5, 2020\n\n**Audio**\n\nAvailable for: macOS Catalina 10.15.5\n\nImpact: Processing a maliciously crafted audio file may lead to arbitrary code execution\n\nDescription: An out-of-bounds write issue was addressed with improved bounds checking.\n\nCVE-2020-9884: Yu Zhou(@yuzhou6666) of \u5c0f\u9e21\u5e2e working with Trend Micro Zero Day Initiative\n\nCVE-2020-9889: Anonymous working with Trend Micro\u2019s Zero Day Initiative, JunDong Xie and XingWei Lin of Ant-financial Light-Year Security Lab\n\nEntry updated August 5, 2020\n\n**Audio**\n\nAvailable for: macOS Catalina 10.15.5\n\nImpact: Processing a maliciously crafted audio file may lead to arbitrary code execution\n\nDescription: 
An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2020-9888: JunDong Xie and XingWei Lin of Ant-financial Light-Year Security Lab\n\nCVE-2020-9890: JunDong Xie and XingWei Lin of Ant-financial Light-Year Security Lab\n\nCVE-2020-9891: JunDong Xie and XingWei Lin of Ant-financial Light-Year Security Lab\n\nEntry updated August 5, 2020\n\n**Bluetooth**\n\nAvailable for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6, macOS Catalina 10.15.5\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: Multiple memory corruption issues were addressed with improved memory handling.\n\nCVE-2020-9928: Yu Wang of Didi Research America\n\nEntry added August 5, 2020\n\n**Bluetooth**\n\nAvailable for: macOS Mojave 10.14.6, macOS Catalina 10.15.5\n\nImpact: A local user may be able to cause unexpected system termination or read kernel memory\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2020-9929: Yu Wang of Didi Research America\n\nEntry added August 5, 2020\n\n**Clang**\n\nAvailable for: macOS Catalina 10.15.5\n\nImpact: Clang may generate machine code that does not correctly enforce pointer authentication codes\n\nDescription: A logic issue was addressed with improved validation.\n\nCVE-2020-9870: Samuel Gro\u00df of Google Project Zero\n\n**CoreAudio**\n\nAvailable for: macOS High Sierra 10.13.6\n\nImpact: A buffer overflow may result in arbitrary code execution\n\nDescription: A buffer overflow was addressed with improved bounds checking.\n\nCVE-2020-9866: Yu Zhou of \u5c0f\u9e21\u5e2e and Jundong Xie of Ant-financial Light-Year Security Lab\n\n**Core Bluetooth**\n\nAvailable for: macOS Catalina 10.15.5\n\nImpact: A remote attacker may cause an unexpected application termination\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2020-9869: Patrick Wardle of Jamf\n\nEntry added August 5, 
2020\n\n**CoreCapture**\n\nAvailable for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A use after free issue was addressed with improved memory management.\n\nCVE-2020-9949: Proteas\n\nEntry added November 12, 2020\n\n**CoreFoundation**\n\nAvailable for: macOS Catalina 10.15.5\n\nImpact: A local user may be able to view sensitive user information\n\nDescription: An issue existed in the handling of environment variables. This issue was addressed with improved validation.\n\nCVE-2020-9934: Matt Shockley (linkedin.com/in/shocktop)\n\nEntry updated August 5, 2020\n\n**CoreGraphics**\n\nAvailable for: macOS Catalina 10.15.5\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: A buffer overflow issue was addressed with improved memory handling.\n\nCVE-2020-9883: an anonymous researcher, Mickey Jin of Trend Micro\n\nEntry added July 24, 2020, updated November 12, 2020\n\n**Crash Reporter**\n\nAvailable for: macOS Catalina 10.15.5\n\nImpact: A malicious application may be able to break out of its sandbox\n\nDescription: A memory corruption issue was addressed by removing the vulnerable code.\n\nCVE-2020-9865: Zhuo Liang of Qihoo 360 Vulcan Team working with 360 BugCloud\n\n**Crash Reporter**\n\nAvailable for: macOS Catalina 10.15.5\n\nImpact: A local attacker may be able to elevate their privileges\n\nDescription: An issue existed within the path validation logic for symlinks. 
This issue was addressed with improved path sanitization.\n\nCVE-2020-9900: Zhongcheng Li (CK01) from Zero-dayits Team of Legendsec at Qi'anxin Group\n\nEntry added August 5, 2020\n\n**FontParser**\n\nAvailable for: macOS Catalina 10.15.5\n\nImpact: Processing a maliciously crafted font file may lead to arbitrary code execution\n\nDescription: An out-of-bounds write issue was addressed with improved bounds checking.\n\nCVE-2020-9980: Xingwei Lin of Ant Security Light-Year Lab\n\nEntry added September 21, 2020, updated October 19, 2020\n\n**Graphics Drivers**\n\nAvailable for: macOS Catalina 10.15.5\n\nImpact: A malicious application may be able to execute arbitrary code with kernel privileges\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2020-9799: ABC Research s.r.o.\n\nEntry updated July 24, 2020\n\n**Heimdal**\n\nAvailable for: macOS Catalina 10.15.5\n\nImpact: A local user may be able to leak sensitive user information\n\nDescription: This issue was addressed with improved data protection.\n\nCVE-2020-9913: Cody Thomas of SpecterOps\n\n**ImageIO**\n\nAvailable for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6, macOS Catalina 10.15.5\n\nImpact: Multiple buffer overflow issues existed in openEXR\n\nDescription: Multiple issues in openEXR were addressed with improved checks.\n\nCVE-2020-11758: Xingwei Lin of Ant-financial Light-Year Security Lab\n\nCVE-2020-11759: Xingwei Lin of Ant-financial Light-Year Security Lab\n\nCVE-2020-11760: Xingwei Lin of Ant-financial Light-Year Security Lab\n\nCVE-2020-11761: Xingwei Lin of Ant-financial Light-Year Security Lab\n\nCVE-2020-11762: Xingwei Lin of Ant-financial Light-Year Security Lab\n\nCVE-2020-11763: Xingwei Lin of Ant-financial Light-Year Security Lab\n\nCVE-2020-11764: Xingwei Lin of Ant-financial Light-Year Security Lab\n\nCVE-2020-11765: Xingwei Lin of Ant-financial Light-Year Security Lab\n\nEntry added September 8, 2020\n\n**ImageIO**\n\nAvailable for: macOS 
Catalina 10.15.5\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: An out-of-bounds write issue was addressed with improved bounds checking.\n\nCVE-2020-9871: Xingwei Lin of Ant-financial Light-Year Security Lab\n\nCVE-2020-9872: Xingwei Lin of Ant-financial Light-Year Security Lab\n\nCVE-2020-9874: Xingwei Lin of Ant-financial Light-Year Security Lab\n\nCVE-2020-9879: Xingwei Lin of Ant-Financial Light-Year Security Lab\n\nCVE-2020-9936: Mickey Jin of Trend Micro\n\nCVE-2020-9937: Xingwei Lin of Ant-Financial Light-Year Security Lab\n\nEntry updated August 5, 2020\n\n**ImageIO**\n\nAvailable for: macOS Catalina 10.15.5\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: A buffer overflow issue was addressed with improved memory handling.\n\nCVE-2020-9919: Mickey Jin of Trend Micro\n\nEntry added July 24, 2020\n\n**ImageIO**\n\nAvailable for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6, macOS Catalina 10.15.5\n\nImpact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution\n\nDescription: An out-of-bounds write issue was addressed with improved bounds checking.\n\nCVE-2020-9876: Mickey Jin of Trend Micro\n\nEntry added July 24, 2020\n\n**ImageIO**\n\nAvailable for: macOS Catalina 10.15.5\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2020-9873: Xingwei Lin of Ant-financial Light-Year Security Lab\n\nCVE-2020-9938: Xingwei Lin of Ant-financial Light-Year Security Lab\n\nEntry added July 24, 2020\n\n**ImageIO**\n\nAvailable for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6, macOS Catalina 10.15.5\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved bounds 
checking.\n\nCVE-2020-9877: Xingwei Lin of Ant-financial Light-Year Security Lab\n\nEntry added August 5, 2020\n\n**ImageIO**\n\nAvailable for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6, macOS Catalina 10.15.5\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: An integer overflow was addressed through improved input validation.\n\nCVE-2020-9875: Mickey Jin of Trend Micro\n\nEntry added August 5, 2020\n\n**ImageIO**\n\nAvailable for: macOS Mojave 10.14.6, macOS Catalina 10.15.5\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2020-9873: Xingwei Lin of Ant-financial Light-Year Security Lab\n\nCVE-2020-9938: Xingwei Lin of Ant-financial Light-Year Security Lab\n\nCVE-2020-9984: an anonymous researcher\n\nEntry added September 21, 2020\n\n**Image Processing**\n\nAvailable for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6, macOS Catalina 10.15.5\n\nImpact: Viewing a maliciously crafted JPEG file may lead to arbitrary code execution\n\nDescription: A memory corruption issue was addressed with improved input validation.\n\nCVE-2020-9887: Mickey Jin of Trend Micro\n\nEntry added September 8, 2020\n\n**Intel Graphics Driver**\n\nAvailable for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6, macOS Catalina 10.15.5\n\nImpact: A local user may be able to cause unexpected system termination or read kernel memory\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2020-9908: Junzhi Lu(@pwn0rz) working with Trend Micro\u2019s Zero Day Initiative\n\nEntry added July 24, 2020, updated August 31, 2020\n\n**Intel Graphics Driver**\n\nAvailable for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6, macOS Catalina 10.15.5\n\nImpact: A malicious application may be able to execute arbitrary code with kernel privileges\n\nDescription: A race condition was 
addressed with additional validation.\n\nCVE-2020-9990: ABC Research s.r.l. working with Trend Micro Zero Day Initiative, ABC Research s.r.o. working with Trend Micro Zero Day Initiative\n\nEntry added September 21, 2020\n\n**Intel Graphics Driver**\n\nAvailable for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6, macOS Catalina 10.15.5\n\nImpact: A malicious application may be able to execute arbitrary code with system privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2020-9921: ABC Research s.r.o. working with Trend Micro Zero Day Initiative\n\nEntry added August 5, 2020\n\n**Kernel**\n\nAvailable for: macOS Catalina 10.15.5\n\nImpact: An attacker in a privileged network position may be able to inject into active connections within a VPN tunnel\n\nDescription: A routing issue was addressed with improved restrictions.\n\nCVE-2019-14899: William J. Tolley, Beau Kujath, and Jedidiah R. Crandall\n\n**Kernel**\n\nAvailable for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6, macOS Catalina 10.15.5\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved state management.\n\nCVE-2020-9904: Tielei Wang of Pangu Lab\n\nEntry added July 24, 2020\n\n**Kernel**\n\nAvailable for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6, macOS Catalina 10.15.5\n\nImpact: A remote attacker may be able to cause a denial of service\n\nDescription: A logic issue was addressed with improved state management.\n\nCVE-2020-9924: Matt DeVore of Google\n\nEntry added July 24, 2020\n\n**Kernel**\n\nAvailable for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6, macOS Catalina 10.15.5\n\nImpact: A malicious application may be able to execute arbitrary code with system privileges\n\nDescription: Multiple memory corruption issues were addressed with improved state management.\n\nCVE-2020-9892: Andy Nguyen of Google\n\nEntry added July 24, 
2020\n\n**Kernel**\n\nAvailable for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6, macOS Catalina 10.15.5\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory initialization issue was addressed with improved memory handling.\n\nCVE-2020-9863: Xinru Chi of Pangu Lab\n\nEntry updated August 5, 2020\n\n**Kernel**\n\nAvailable for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6, macOS Catalina 10.15.5\n\nImpact: A malicious application may be able to determine kernel memory layout\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2020-9902: Xinru Chi and Tielei Wang of Pangu Lab\n\nEntry added August 5, 2020\n\n**Kernel**\n\nAvailable for: macOS Catalina 10.15.5\n\nImpact: A remote attacker may be able to cause a denial of service\n\nDescription: A buffer overflow was addressed with improved bounds checking.\n\nCVE-2020-9905: Raz Mashat (@RazMashat) of ZecOps\n\nEntry added August 5, 2020\n\n**Kernel**\n\nAvailable for: macOS Catalina 10.15.5\n\nImpact: A malicious application may disclose restricted memory\n\nDescription: An information disclosure issue was addressed with improved state management.\n\nCVE-2020-9997: Catalin Valeriu Lita of SecurityScorecard\n\nEntry added September 21, 2020\n\n**libxpc**\n\nAvailable for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6\n\nImpact: A malicious application may be able to overwrite arbitrary files\n\nDescription: A path handling issue was addressed with improved validation.\n\nCVE-2020-9994: Apple\n\nEntry added September 21, 2020\n\n**Login Window**\n\nAvailable for: macOS Catalina 10.15.5\n\nImpact: A user may be unexpectedly logged in to another user\u2019s account\n\nDescription: A logic issue was addressed with improved state management.\n\nCVE-2020-9935: an anonymous researcher\n\nEntry added September 21, 2020\n\n**Mail**\n\nAvailable for: macOS Catalina 10.15.5\n\nImpact: A remote attacker may be able to cause a 
denial of service\n\nDescription: An out-of-bounds write issue was addressed with improved bounds checking.\n\nCVE-2019-19906\n\nEntry added July 24, 2020, updated September 8, 2020\n\n**Mail**\n\nAvailable for: macOS Catalina 10.15.5\n\nImpact: A malicious mail server may overwrite arbitrary mail files\n\nDescription: A path handling issue was addressed with improved validation.\n\nCVE-2020-9920: YongYue Wang AKA BigChan of Hillstone Networks AF Team\n\nEntry added July 24, 2020\n\n**Mail**\n\nAvailable for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6, macOS Catalina 10.15.5\n\nImpact: Processing a maliciously crafted email may lead to writing arbitrary files\n\nDescription: A logic issue was addressed with improved state management.\n\nCVE-2020-9922: Mikko Kentt\u00e4l\u00e4 (@Turmio_) of SensorFu\n\nEntry added November 12, 2020\n\n**Messages**\n\nAvailable for: macOS Catalina 10.15.5\n\nImpact: A user that is removed from an iMessage group could rejoin the group\n\nDescription: An issue existed in the handling of iMessage tapbacks. 
The issue was resolved with additional verification.\n\nCVE-2020-9885: an anonymous researcher, Suryansh Mansharamani, of WWP High School North (medium.com/@suryanshmansha)\n\n**Model I/O**\n\nAvailable for: macOS Catalina 10.15.5\n\nImpact: Processing a maliciously crafted USD file may lead to unexpected application termination or arbitrary code execution\n\nDescription: A buffer overflow issue was addressed with improved memory handling.\n\nCVE-2020-9878: Holger Fuhrmannek of Deutsche Telekom Security\n\n**Model I/O**\n\nAvailable for: macOS Mojave 10.14.6, macOS Catalina 10.15.5\n\nImpact: Processing a maliciously crafted USD file may lead to unexpected application termination or arbitrary code execution\n\nDescription: A buffer overflow was addressed with improved bounds checking.\n\nCVE-2020-9880: Holger Fuhrmannek of Deutsche Telekom Security\n\nEntry added July 24, 2020, updated September 21, 2020\n\n**Model I/O**\n\nAvailable for: macOS Mojave 10.14.6, macOS Catalina 10.15.5\n\nImpact: Processing a maliciously crafted USD file may lead to unexpected application termination or arbitrary code execution\n\nDescription: A buffer overflow issue was addressed with improved memory handling.\n\nCVE-2020-9878: Aleksandar Nikolic of Cisco Talos, Holger Fuhrmannek of Deutsche Telekom Security\n\nCVE-2020-9881: Holger Fuhrmannek of Deutsche Telekom Security\n\nCVE-2020-9882: Holger Fuhrmannek of Deutsche Telekom Security\n\nCVE-2020-9940: Holger Fuhrmannek of Deutsche Telekom Security\n\nCVE-2020-9985: Holger Fuhrmannek of Deutsche Telekom Security\n\nEntry added July 24, 2020, updated September 21, 2020\n\n**OpenLDAP**\n\nAvailable for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6, macOS Catalina 10.15.5\n\nImpact: A remote attacker may be able to cause a denial of service\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2020-12243\n\nEntry added September 21, 2020\n\n**rsync**\n\nAvailable for: macOS Mojave 10.14.6, macOS High Sierra 
10.13.6\n\nImpact: A remote attacker may be able to overwrite existing files\n\nDescription: A validation issue existed in the handling of symlinks. This issue was addressed with improved validation of symlinks.\n\nCVE-2014-9512: gaojianfeng\n\nEntry added July 24, 2020\n\n**Sandbox**\n\nAvailable for: macOS Mojave 10.14.6, macOS Catalina 10.15.5\n\nImpact: A local user may be able to cause unexpected system termination or read kernel memory\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2020-9930: Zhiyi Zhang from Codesafe Team of Legendsec at Qi'anxin Group\n\nEntry added December 15, 2020\n\n**Sandbox**\n\nAvailable for: macOS Catalina 10.15.5\n\nImpact: A local user may be able to load unsigned kernel extensions\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2020-9939: @jinmo123, @setuid0x0_, and @insu_yun_en of @SSLab_Gatech working with Trend Micro\u2019s Zero Day Initiative\n\nEntry added August 5, 2020\n\n**Security**\n\nAvailable for: macOS Catalina 10.15.5\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A logic issue was addressed with improved restrictions.\n\nCVE-2020-9864: Alexander Holodny\n\n**Security**\n\nAvailable for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6, macOS Catalina 10.15.5\n\nImpact: An attacker may have been able to impersonate a trusted website using shared key material for an administrator added certificate\n\nDescription: A certificate validation issue existed when processing administrator added certificates. 
This issue was addressed with improved certificate validation.\n\nCVE-2020-9868: Brian Wolff of Asana\n\nEntry added July 24, 2020\n\n**Security**\n\nAvailable for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A logic issue was addressed with improved validation.\n\nCVE-2020-9854: Ilias Morad (A2nkF)\n\nEntry added July 24, 2020\n\n**sysdiagnose**\n\nAvailable for: macOS Catalina 10.15.5\n\nImpact: A local attacker may be able to elevate their privileges\n\nDescription: An issue existed within the path validation logic for symlinks. This issue was addressed with improved path sanitization.\n\nCVE-2020-9901: Tim Michaud (@TimGMichaud) of Leviathan, Zhongcheng Li (CK01) from Zero-dayits Team of Legendsec at Qi'anxin Group\n\nEntry added August 5, 2020, updated August 31, 2020\n\n**Vim**\n\nAvailable for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6\n\nImpact: A remote attacker may be able to cause arbitrary code execution\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2019-20807: Guilherme de Almeida Suckevicz\n\n**WebDAV**\n\nAvailable for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6, macOS Catalina 10.15.5\n\nImpact: A sandboxed process may be able to circumvent sandbox restrictions\n\nDescription: This issue was addressed with improved entitlements.\n\nCVE-2020-9898: Sreejith Krishnan R (@skr0x1C0)\n\nEntry added September 8, 2020\n\n**Wi-Fi**\n\nAvailable for: macOS Catalina 10.15.5\n\nImpact: A remote attacker may be able to cause unexpected system termination or corrupt kernel memory\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2020-9918: Jianjun Dai of 360 Alpha Lab working with 360 BugCloud (bugcloud.360.cn)\n\n**Wi-Fi**\n\nAvailable for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6, macOS Catalina 10.15.5\n\nImpact: An application may be able to execute arbitrary code with kernel 
privileges\n\nDescription: A memory corruption issue was addressed with improved input validation.\n\nCVE-2020-9899: Yu Wang of Didi Research America\n\nEntry added July 24, 2020\n\n**Wi-Fi**\n\nAvailable for: macOS Catalina 10.15.5\n\nImpact: A remote attacker may be able to cause unexpected system termination or corrupt kernel memory\n\nDescription: A memory corruption issue was addressed with improved input validation.\n\nCVE-2020-9906: Ian Beer of Google Project Zero\n\nEntry added July 24, 2020\n\n\n\n## Additional recognition\n\n**CoreFoundation**\n\nWe would like to acknowledge Bobby Pelletier for their assistance.\n\nEntry added September 8, 2020\n\n**ImageIO**\n\nWe would like to acknowledge Xingwei Lin of Ant-financial Light-Year Security Lab for their assistance.\n\nEntry added September 21, 2020\n\n**Siri**\n\nWe would like to acknowledge Yuval Ron, Amichai Shulman, and Eli Biham of the Technion - Israel Institute of Technology for their assistance.\n\nEntry added August 5, 2020\n\n**USB Audio**\n\nWe would like to acknowledge Andy Davis of NCC Group for their assistance.\n", "edition": 13, "modified": "2020-12-15T06:08:19", "published": "2020-12-15T06:08:19", "id": "APPLE:HT211289", "href": "https://support.apple.com/kb/HT211289", "title": "About the security content of macOS Catalina 10.15.6, Security Update 2020-004 Mojave, Security Update 2020-004 High Sierra - Apple Support", "type": "apple", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}