ID

VAR-201707-1168

CVE

CVE-2017-7068

TITLE

plural Apple Product libarchive Vulnerability in arbitrary code execution in components

DESCRIPTION

An issue was discovered in certain Apple products. iOS before 10.3.3 is affected. macOS before 10.12.6 is affected. tvOS before 10.2.2 is affected. watchOS before 3.2.3 is affected. The issue involves the "libarchive" component. It allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) via a crafted archive file. Apple iOS/WatchOS/tvOS/macOS are prone to multiple security vulnerabilities. An attacker can exploit these issues to execute arbitrary code or gain sensitive information. Failed exploit attempts will likely cause a denial-of-service condition. Apple iOS, watchOS, macOS, and tvOS are all products of the American company Apple (Apple). Apple iOS is an operating system developed for mobile devices; watchOS is an operating system for smart watches. libarchive is one of the multi-format archive and compression library components. A buffer overflow vulnerability exists in the libarchive component of several Apple products. The following products and versions are affected: Apple iOS prior to 10.3.3; macOS Sierra prior to 10.12.6; tvOS prior to 10.2.2; watchOS prior to 3.2.3. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 APPLE-SA-2017-07-19-3 watchOS 3.2.2 watchOS 3.2.2 is now available and addresses the following: Contacts Available for: All Apple Watch models Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution Description: A buffer overflow issue was addressed through improved memory handling. CVE-2017-7062: Shashank (@cyberboyIndia) IOUSBFamily Available for: All Apple Watch models Impact: An application may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue was addressed with improved memory handling. CVE-2017-7009: shrek_wzw of Qihoo 360 Nirvan Team Kernel Available for: All Apple Watch models Impact: An application may be able to execute arbitrary code with system privileges Description: A memory corruption issue was addressed with improved memory handling. CVE-2017-7022: an anonymous researcher CVE-2017-7024: an anonymous researcher CVE-2017-7026: an anonymous researcher Kernel Available for: All Apple Watch models Impact: An application may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue was addressed with improved memory handling. CVE-2017-7023: an anonymous researcher CVE-2017-7025: an anonymous researcher CVE-2017-7027: an anonymous researcher CVE-2017-7069: Proteas of Qihoo 360 Nirvan Team Kernel Available for: All Apple Watch models Impact: An application may be able to read restricted memory Description: A validation issue was addressed with improved input sanitization. CVE-2017-7028: an anonymous researcher CVE-2017-7029: an anonymous researcher libarchive Available for: All Apple Watch models Impact: Unpacking a maliciously crafted archive may lead to arbitrary code execution Description: A buffer overflow was addressed through improved bounds checking. CVE-2017-7068: found by OSS-Fuzz libxml2 Available for: All Apple Watch models Impact: Parsing a maliciously crafted XML document may lead to disclosure of user information Description: An out-of-bounds read was addressed through improved bounds checking. CVE-2017-7013: found by OSS-Fuzz libxpc Available for: All Apple Watch models Impact: An application may be able to execute arbitrary code with system privileges Description: A memory corruption issue was addressed with improved memory handling. CVE-2017-7047: Ian Beer of Google Project Zero Messages Available for: All Apple Watch models Impact: A remote attacker may cause an unexpected application termination Description: A memory consumption issue was addressed through improved memory handling. CVE-2017-7063: Shashank (@cyberboyIndia) Wi-Fi Available for: All Apple Watch models Impact: An attacker within range may be able to execute arbitrary code on the Wi-Fi chip Description: A memory corruption issue was addressed with improved memory handling. CVE-2017-9417: Nitay Artenstein of Exodus Intelligence Installation note: Instructions on how to update your Apple Watch software are available at https://support.apple.com/kb/HT204641 To check the version on your Apple Watch, open the Apple Watch app on your iPhone and select "My Watch > General > About". Alternatively, on your watch, select "My Watch > General > About". Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- Comment: GPGTools - https://gpgtools.org iQIcBAEBCgAGBQJZb5VSAAoJEIOj74w0bLRGds4P/jn6yqMh+cw1dYmhfloU/XGi J4Q6JbGTWLBvacsucsneTvDW6EtuZUWTENaRsndj3HFK+awwEcdfx/MkEO7LaDfQ 0cVBkij5+V0hEn3e6eNItTdKZ85h5C4zjEE76BPw6hqcCuf9t3ZqDtyubKKXb3V+ 6D6l64G/m5krs/bB65Evj/XSd3d1vNLQ03zYCKjfgqpI5P/pFv2PEdzOnH8oWYz8 mVcqQW6sRgiFsIq4W88qP1WaQmDLVlYdoPqfd+a98JoGDUebi6PcgxxJl9fXFIo6 jv0zBoXr2begOJFSo3duxOPxlnLienv+qNScdENTDgZORcJ8loALtnCN5ICWIGcE K1eqNW63nNK0Gq1EhMXMT3MktgbP8BJEc8pEs82U73XD9DVgYKcCGGNzfj7qFQAm GE18IEd20h+0N/Irk+TN+9pYf+Vf+7RNA4naRfLBOsiTRZjmDJ3ds9LWawle5Rlx hR9mznsR3zqhh6vBDvIt9vSEJXV5X61hkTe7Q4jHkHj04XLUidMWkI47BqLGYTK6 jtEHF/4Mk5A+KG+jjpxZs6LtweTQqudQSqnDXtJlE1LRJ4b1jHNNUUm05tx2lGxi zrDgNGFQtzZ0Gds9wXQjpE5eFNa7X2VUArqHiJUHnoxLMvLtBVMa7vuTvyrPGdnb QvBYRDybEp8yUkxd8seM =Ci3F -----END PGP SIGNATURE-----

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

buffer error

CONFIGURATIONS

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Shashank (@cyberboyIndia),Proteas of Qihoo 360 Nirvan Team,Ian Beer of Google Project Zero,shrek_wzw of Qihoo 360 Nirvan Team,Anonymous.

SOURCES

LAST UPDATE DATE

2025-04-20T21:31:34.393000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE