APPLE-SA-2022-01-26-5 tvOS 15.3
APPLE-SA-2022-01-26-5 tvOS 15.3
- Subject: APPLE-SA-2022-01-26-5 tvOS 15.3
- From: Apple Product Security via Security-announce <email@hidden>
- Date: Wed, 26 Jan 2022 16:00:31 -0800
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
APPLE-SA-2022-01-26-5 tvOS 15.3
tvOS 15.3 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/HT213057.
ColorSync
Available for: Apple TV 4K and Apple TV HD
Impact: Processing a maliciously crafted file may lead to arbitrary
code execution
Description: A memory corruption issue was addressed with improved
validation.
CVE-2022-22584: Mickey Jin (@patch1t) of Trend Micro
Crash Reporter
Available for: Apple TV 4K and Apple TV HD
Impact: A malicious application may be able to gain root privileges
Description: A logic issue was addressed with improved validation.
CVE-2022-22578: an anonymous researcher
iCloud
Available for: Apple TV 4K and Apple TV HD
Impact: An application may be able to access a user's files
Description: An issue existed within the path validation logic for
symlinks. This issue was addressed with improved path sanitization.
CVE-2022-22585: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab
(https://xlab.tencent.com)
Kernel
Available for: Apple TV 4K and Apple TV HD
Impact: A malicious application may be able to execute arbitrary code
with kernel privileges
Description: A buffer overflow issue was addressed with improved
memory handling.
CVE-2022-22593: Peter Nguyễn Vũ Hoàng of STAR Labs
Model I/O
Available for: Apple TV 4K and Apple TV HD
Impact: Processing a maliciously crafted STL file may lead to
unexpected application termination or arbitrary code execution
Description: An information disclosure issue was addressed with
improved state management.
CVE-2022-22579: Mickey Jin (@patch1t) of Trend Micro
WebKit
Available for: Apple TV 4K and Apple TV HD
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A use after free issue was addressed with improved
memory management.
CVE-2022-22590: Toan Pham from Team Orca of Sea Security
(security.sea.com)
WebKit
Available for: Apple TV 4K and Apple TV HD
Impact: Processing maliciously crafted web content may prevent
Content Security Policy from being enforced
Description: A logic issue was addressed with improved state
management.
CVE-2022-22592: Prakash (@1lastBr3ath)
WebKit
Available for: Apple TV 4K and Apple TV HD
Impact: Processing a maliciously crafted mail message may lead to
running arbitrary javascript
Description: A validation issue was addressed with improved input
sanitization.
CVE-2022-22589: Heige of KnownSec 404 Team (knownsec.com) and Bo Qu
of Palo Alto Networks (paloaltonetworks.com)
WebKit Storage
Available for: Apple TV 4K and Apple TV HD
Impact: A website may be able to track sensitive user information
Description: A cross-origin issue in the IndexDB API was addressed
with improved input validation.
CVE-2022-22594: Martin Bajanik of FingerprintJS
Additional recognition
WebKit
We would like to acknowledge Prakash (@1lastBr3ath) for their
assistance.
Installation note:
Apple TV will periodically check for software updates. Alternatively,
you may manually check for software updates by selecting
"Settings -> System -> Software Update -> Update Software."
To check the current version of software, select
"Settings -> General -> About."
Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEePiLW1MrMjw19XzoeC9qKD1prhgFAmHx1BsACgkQeC9qKD1p
rhhAGg//Uv8GqVrrn9+EvH/YH2FMdQ8mzNKhYfbZu9g4uR7kZpvKZjY/YWoM6/cR
JImeE5vOwKlLW/5iTPWAFq2uQkS7aE9v6Z4kQ7l9atUoYc5d9ad8tGABGyFOHcl0
qJdnB+4m8AWZA4FRpN0PE2xawFcvoO4gysMQBMBjeeDJl7YnfqgbmFicNB/LB3WF
nHRJO7+V4EvpQhW4RChPalaM8VKHoypL6yFAOtCoodMwXyTSbAoRJkUJN83DJWFS
EP4qOCkJx06KfCNO9Q8dPSapzUms/YHheGzVcDGhCQiguJR1L5xjXdTEg8iwvJpj
Wbv5TP2kP8NGTzefR0vyuKKqPSeN+FgVZBI9OcVEvZq/i72NbYoyTcApBkbKh4WG
OSQ+AoZ81gKBcsdFmJOiyAl2T22u5OxRfwoa9wHlJklMxkYnFacBkGQ2Ihf6Kwrk
Ueq62ym7RIppszZHc35tDLjb+65ZIBgNLsEJxnQ8xnZNY++hEaUCGiPZP1K3zQLj
2x4BGjC+RzFzbyJg4I+uqktvJCo7PSWU9KP1/caL3G9jWc3tPOTXKv7L/bpuIGpP
XBq/V93jHDrdYmzQfZi0xfk1SA6VfofYT+5/etjPVvqX+o7pDeB/132cT91/eEC5
qy3aXGQnB1U21mD5YDCUrJf8Ee63vYXs3grzw0AdDxfaYEn4Ebg=
=hA3E
-----END PGP SIGNATURE-----
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Security-announce mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden