Apple Security Advisory 2022-03-14-7 - Xcode 13.3 addresses code execution and out of bounds read vulnerabilities.
1d8bad9cb38e9301927404d011c17922380da91299a1819eb8e62a8e6dacb150
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
APPLE-SA-2022-03-14-7 Xcode 13.3
Xcode 13.3 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/HT213189.
iTMSTransporter
Available for: macOS Monterey 12 and later
Impact: Multiple issues in iTMSTransporter
Description: Multiple issues were addressed with updating FasterXML
jackson-databind and Apache Log4j2.
CVE-2019-14379
CVE-2021-44228
otool
Available for: macOS Monterey 12 and later
Impact: Opening a maliciously crafted file may lead to unexpected
application termination or arbitrary code execution
Description: An out-of-bounds read was addressed with improved bounds
checking.
CVE-2022-22601: hjy79425575
CVE-2022-22602: hjy79425575
CVE-2022-22603: hjy79425575
CVE-2022-22604: hjy79425575
CVE-2022-22605: hjy79425575
CVE-2022-22606: hjy79425575
CVE-2022-22607: hjy79425575
CVE-2022-22608: hjy79425575
Additional recognition
iTMSTransporter
We would like to acknowledge Anthony Shaw of Microsoft for their
assistance.
ld64
We would like to acknowledge Pan ZhenPeng (@Peterpan0927) of Alibaba
Security Pandora Lab for their assistance.
Xcode IDE
We would like to acknowledge an anonymous researcher for their
assistance.
Xcode 13.3 may be obtained from:
https://developer.apple.com/xcode/downloads/ To check that the Xcode
has been updated: * Select Xcode in the menu bar * Select About
Xcode * The version after applying this update will be "Xcode 13.3".
All information is also posted on the Apple Security Updates
web site: https://support.apple.com/en-us/HT201222.
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEePiLW1MrMjw19XzoeC9qKD1prhgFAmIvyxkACgkQeC9qKD1p
rhgTfRAA389W9ZYj+RMeet6hyBYIeftGEUGKTwm4K5Ufo4RJTumsdRB+ivJz8Oed
EFCRcyWHwnM5BZ+ufWnOf1BAijmd1SjlIUwl2zs9SyuULPMybucXKRMfnA2SYgEx
ysNlljwsnS7/udREPfMQoJ2gIGYrISt0TxitZnRE9a7mD3r13KwyY3DpjnOxRavL
op5AypLkovUA4ljmsLMgIjTHWt4dyDMPCJB/sRchxBDG5tzxcAZvKA/TkvCDMwiF
z3yq4yN4ESXo3p9p3KD4bQmGD16dZ7TuxKuCfZpVKT1bFP8wWAHUhY3S7vJ9GDS+
6cShJ1oIk4/3FFeo98SEgKn8wE1p15DM4DxaqVcWvPuLNpzipQlcmyuicgntZBmO
2wBZED2pfewMiMy+CeX0jDWj6m79cW3g30TYS0P5QQOcWcRme63acE4wJ31uawd2
6jZfYpnpvw6dSsouBcCcZT9sNOuV8r9l5XePJQu37UGjmZuESuLgfZdiymaQunOl
f/mPe+C+KgBJ3MEEqbEoU4CqWC/pGtQtyMpepyYdiN14pDLhbhaeJ1T/XDc5O4OB
qqNyHocYAm1LUBgEspbHa1EtHQlDk1i5iWGwQMMaLkenKGzlf00bU0hYPISXH8oi
am4a0XUz6Y7AjY+TyRU/tuwaIiuzoUIDNELsJPm7PA+QiF370XI=cKC5
-----END PGP SIGNATURE-----