Michal Zalewski

**Name of the Vulnerable Software and Affected Versions** Apple iOS versions prior to 10.3 Apple Safari versions prior to 10.1 **Description** The issue involves the Safari component and allows remote attackers to spoof the address bar by leveraging text input during the loading of a page. **Recommendations** For iOS versions prior to 10.3, update to version 10.3 or later. For Safari versions prior to 10.1, update to version 10.1 or later.

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 52 **Description** The issue allows for spoofing attacks by changing the addressbar to display a location that does not match the URL of the newly loaded page after dragging content from the primary browser pane to the addressbar on a malicious site. **Recommendations** For versions prior to 52, update to version 52 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** libxml2 version 2.9.2 **Description** The issue is caused by improper handling of invalid input, allowing context-dependent attackers to cause a denial of service via crafted XML data. This can lead to an out-of-bounds read and a crash in libxml2. The `xmlParseEntityDecl` and `xmlParseConditionalSections` functions in parser.c are affected. **Recommendations** For libxml2 version 2.9.2, consider updating to a newer version to resolve the issue. As a temporary workaround, restrict the use of the `xmlParseEntityDecl` and `xmlParseConditionalSections` functions in parser.c to minimize the risk of exploitation. Avoid using crafted XML data that could trigger the denial of service.

**Name of the Vulnerable Software and Affected Versions** Apple OS X versions prior to 10.10.5 **Description** The issue is related to a cross-site scripting (XSS) vulnerability in the Quick Look component. This vulnerability allows remote attackers to inject arbitrary web script or HTML via a previously visited web site that is rendered during a Quick Look search. The vulnerability exists due to insufficient protection of the web page structure. **Recommendations** For Apple OS X versions prior to 10.10.5, update to version 10.10.5 or later to resolve the issue. As a temporary workaround, consider avoiding the use of Quick Look for searching previously visited web sites until the update is applied.

**Name of the Vulnerable Software and Affected Versions** libxml2 in Apple iOS versions prior to 8.4.1 libxml2 in Apple OS X versions prior to 10.10.5 **Description** The issue allows remote attackers to obtain sensitive information from process memory or cause a denial of service due to memory corruption via a crafted XML document. This is caused by a buffer overflow in the libxml2 component. **Recommendations** For libxml2 in Apple iOS versions prior to 8.4.1, update to iOS 8.4.1 or later. For libxml2 in Apple OS X versions prior to 10.10.5, update to OS X 10.10.5 or later.

**Name of the Vulnerable Software and Affected Versions** ImageIO in Apple iOS versions prior to 8.4.1 ImageIO in Apple OS X versions prior to 10.10.5 **Description** The issue is related to the ImageIO component in iOS and Mac OS X, which lacks protection of internal data. This can be exploited by a remote attacker using a specially crafted PNG file to access sensitive information in the process memory. **Recommendations** For iOS versions prior to 8.4.1, update to version 8.4.1 or later. For OS X versions prior to 10.10.5, update to version 10.10.5 or later.

**Name of the Vulnerable Software and Affected Versions** Apple iOS versions prior to 8.4.1 Apple OS X versions prior to 10.10.5 **Description** The issue allows remote attackers to execute arbitrary code or cause a denial of service, resulting in memory corruption and application crash, via a crafted TIFF image. This is caused by a buffer overflow in the ImageIO component. **Recommendations** For Apple iOS versions prior to 8.4.1, update to version 8.4.1 or later. For Apple OS X versions prior to 10.10.5, update to version 10.10.5 or later.

**Name of the Vulnerable Software and Affected Versions** Apple iOS versions prior to 8.4.1 Apple OS X versions prior to 10.10.5 **Description** The issue is related to the improper initialization of a data structure in the ImageIO component, allowing remote attackers to obtain sensitive information from process memory. This can be achieved by using a crafted TIFF image. The estimated number of potentially affected devices is not specified. **Recommendations** For Apple iOS versions prior to 8.4.1, update to version 8.4.1 or later. For Apple OS X versions prior to 10.10.5, update to version 10.10.5 or later.

**Name of the Vulnerable Software and Affected Versions** SQLite versions prior to 3.8.9 **Description** The issue is related to the improper implementation of the dequoting of collation-sequence names. This can be exploited by context-dependent attackers to cause a denial of service, resulting in uninitialized memory access and application crash, via a crafted COLLATE clause. For example, using `COLLATE""""""""` at the end of a SELECT statement can trigger this issue. **Recommendations** For SQLite versions prior to 3.8.9, update to version 3.8.9 or later to resolve the issue. At the moment, there is no other information about additional mitigation measures for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** FFmpeg versions prior to 2.3.6 **Description** A use-after-free issue exists in the `ff h264 free tables` function, allowing remote attackers to potentially cause a denial of service or have other unspecified impacts through crafted H.264 data in an MP4 file. This can be demonstrated using an HTML VIDEO element referencing the malicious H.264 data. **Recommendations** For versions prior to 2.3.6, update to version 2.3.6 or later to resolve the issue. As a temporary workaround, consider restricting the use of the `ff h264 free tables` function until a patch is applied. Avoid using crafted H.264 data in MP4 files to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** SQLite versions prior to 3.8.9 **Description** The issue is related to the improper implementation of comparison operators in the sqlite3VdbeExec function, which can be exploited by context-dependent attackers. This can be achieved via a crafted CHECK clause, for example, CHECK(0&O>O) in a CREATE TABLE statement, potentially leading to a denial of service or other unspecified impacts. **Recommendations** For versions prior to 3.8.9, update to version 3.8.9 or later to resolve the issue. As a temporary workaround, consider restricting the use of the CHECK clause in CREATE TABLE statements until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** SQLite versions prior to 3.8.9 **Description** The issue concerns the sqlite3VXPrintf function in printf.c, which does not properly handle precision and width values during floating-point conversions. This can be exploited by context-dependent attackers to cause a denial of service, specifically an integer overflow and stack-based buffer overflow, or possibly have other unspecified impacts. The attack can be carried out via large integers in a crafted printf function call in a SELECT statement. **Recommendations** For versions prior to 3.8.9, update to version 3.8.9 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** LibTIFF (affected versions not specified) **Description** The issue allows remote attackers to cause a denial of service due to uninitialized memory access via a crafted TIFF image. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** LibTIFF (affected versions not specified) **Description** The issue allows remote attackers to cause a denial of service due to uninitialized memory access via a crafted TIFF image. This is related to the `putcontig8bitYCbCr21tile` function in `tif getimage.c` or the `NeXTDecode` function in `tif next.c`. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** unzip version 6.0 **Description** The issue allows remote attackers to cause a denial of service, resulting in an out-of-bounds read or write and crash. This occurs via an extra field with an uncompressed size smaller than the compressed field size in a zip archive that advertises STORED method compression. **Recommendations** For unzip version 6.0, update to a newer version that contains a fix for this issue to prevent potential denial of service attacks.

**Name of the Vulnerable Software and Affected Versions** LibTIFF version 4.0.3 **Description** The issue allows remote attackers to cause a denial of service or possibly have other unspecified impacts via a crafted TIFF image. This is demonstrated by the failure of tif next.c to verify that the BitsPerSample value is 2, and the t2p sample lab signed to unsigned function in tiff2pdf.c. **Recommendations** For LibTIFF version 4.0.3, update to a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** UnRTF (affected versions not specified) **Description** The issue allows remote attackers to cause a denial of service, potentially leading to a crash, and may also enable the execution of arbitrary code. This can be triggered by a file containing a specific string, `{cb-999999999`. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OpenSSL versions prior to 0.9.8zf OpenSSL versions prior to 1.0.0r OpenSSL versions prior to 1.0.1m OpenSSL versions prior to 1.0.2a **Description** The issue affects the PKCS#7 implementation in OpenSSL, allowing attackers to cause a denial of service (NULL pointer dereference and application crash) by providing malformed data with ASN.1 encoding. This can be exploited remotely. The vulnerability may lead to a disruption of confidentiality, integrity, and availability of protected information. **Recommendations** For versions prior to 0.9.8zf, update to version 0.9.8zf or later. For versions prior to 1.0.0r, update to version 1.0.0r or later. For versions prior to 1.0.1m, update to version 1.0.1m or later. For versions prior to 1.0.2a, update to version 1.0.2a or later. As a temporary workaround, consider restricting the processing of arbitrary PKCS#7 data to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** OpenSSL versions prior to 0.9.8zg OpenSSL versions prior to 1.0.0s OpenSSL versions prior to 1.0.1n OpenSSL versions prior to 1.0.2b **Description** The issue is related to the PKCS7 dataDecode function in OpenSSL, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a PKCS#7 blob that uses ASN.1 encoding and lacks inner EncryptedContent data. This is due to errors in pointer handling. The vulnerability can be exploited by an unauthenticated, remote attacker to cause a denial of service (DoS) condition or corrupt portions of OpenSSL process memory. **Recommendations** For versions prior to 0.9.8zg, update to version 0.9.8zg or later. For versions prior to 1.0.0s, update to version 1.0.0s or later. For versions prior to 1.0.1n, update to version 1.0.1n or later. For versions prior to 1.0.2b, update to version 1.0.2b or later. As a temporary workaround, consider only accepting PKCS7 files from trusted sources.

**Name of the Vulnerable Software and Affected Versions** libjpeg versions 6b libjpeg-turbo versions 1.2.1 through 1.3.0 **Description** The issue is related to the handling of JPEG images, which can lead to the disclosure of sensitive information from uninitialized memory locations. This can be exploited remotely. The `get sos` function in `jdmarker.c` does not check for certain duplications of component data during the reading of segments that follow Start Of Scan (SOS) JPEG markers. An information disclosure vulnerability exists within the open-source libjpeg image-processing library where it fails to properly handle objects in memory, allowing an attacker to retrieve information that could lead to an Address Space Layout Randomization (ASLR) bypass. **Recommendations** For libjpeg version 6b, update to a version that fixes the vulnerability. For libjpeg-turbo versions 1.2.1 through 1.3.0, update to a version that fixes the vulnerability. As a temporary workaround, consider disabling the handling of JPEG images until a patch is available. Restrict access to the vulnerable library to minimize the risk of exploitation.