Apple Security Advisory 2021-07-21-3

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

APPLE-SA-2021-07-21-3 Security Update 2021-004 Catalina

Security Update 2021-004 Catalina addresses the following issues.
Information about the security content is also available at
https://support.apple.com/HT212600.

AMD Kernel
Available for: macOS Catalina
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed with improved
input validation.
CVE-2021-30805: ABC Research s.r.o

AppKit
Available for: macOS Catalina
Impact: Opening a maliciously crafted file may lead to unexpected
application termination or arbitrary code execution
Description: An information disclosure issue was addressed by
removing the vulnerable code.
CVE-2021-30790: hjy79425575 working with Trend Micro Zero Day
Initiative

Audio
Available for: macOS Catalina
Impact: A local attacker may be able to cause unexpected application
termination or arbitrary code execution
Description: This issue was addressed with improved checks.
CVE-2021-30781: tr3e

Bluetooth
Available for: macOS Catalina
Impact: A malicious application may be able to gain root privileges
Description: A memory corruption issue was addressed with improved
state management.
CVE-2021-30672: say2 of ENKI

CoreAudio
Available for: macOS Catalina
Impact: Processing a maliciously crafted audio file may lead to
arbitrary code execution
Description: A memory corruption issue was addressed with improved
state management.
CVE-2021-30775: JunDong Xie of Ant Security Light-Year Lab

CoreAudio
Available for: macOS Catalina
Impact: Playing a malicious audio file may lead to an unexpected
application termination
Description: A logic issue was addressed with improved validation.
CVE-2021-30776: JunDong Xie of Ant Security Light-Year Lab

CoreStorage
Available for: macOS Catalina
Impact: A malicious application may be able to gain root privileges
Description: An injection issue was addressed with improved
validation.
CVE-2021-30777: Tim Michaud(@TimGMichaud) of Zoom Video
Communications and Gary Nield of ECSC Group plc

CoreText
Available for: macOS Catalina
Impact: Processing a maliciously crafted font file may lead to
arbitrary code execution
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2021-30789: Sunglin of Knownsec 404 team, Mickey Jin (@patch1t)
of Trend Micro

CoreText
Available for: macOS Catalina
Impact: Processing a maliciously crafted font may result in the
disclosure of process memory
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2021-30733: Sunglin from the Knownsec 404

CVMS
Available for: macOS Catalina
Impact: A malicious application may be able to gain root privileges
Description: An out-of-bounds write issue was addressed with improved
bounds checking.
CVE-2021-30780: Tim Michaud(@TimGMichaud) of Zoom Video
Communications

dyld
Available for: macOS Catalina
Impact: A sandboxed process may be able to circumvent sandbox
restrictions
Description: A logic issue was addressed with improved validation.
CVE-2021-30768: Linus Henze (pinauten.de)

FontParser
Available for: macOS Catalina
Impact: Processing a maliciously crafted font file may lead to
arbitrary code execution
Description: An integer overflow was addressed through improved input
validation.
CVE-2021-30760: Sunglin of Knownsec 404 team

FontParser
Available for: macOS Catalina
Impact: Processing a maliciously crafted font file may lead to
arbitrary code execution
Description: A stack overflow was addressed with improved input
validation.
CVE-2021-30759: hjy79425575 working with Trend Micro Zero Day
Initiative

FontParser
Available for: macOS Catalina
Impact: Processing a maliciously crafted tiff file may lead to a
denial-of-service or potentially disclose memory contents
Description: This issue was addressed with improved checks.
CVE-2021-30788: tr3e working with Trend Micro Zero Day Initiative

ImageIO
Available for: macOS Catalina
Impact: Processing a maliciously crafted image may lead to arbitrary
code execution
Description: A buffer overflow was addressed with improved bounds
checking.
CVE-2021-30785: Mickey Jin (@patch1t) of Trend Micro, CFF of Topsec
Alpha Team

Intel Graphics Driver
Available for: macOS Catalina
Impact: An application may be able to cause unexpected system
termination or write kernel memory
Description: This issue was addressed with improved checks.
CVE-2021-30787: Anonymous working with Trend Micro Zero Day
Initiative

Intel Graphics Driver
Available for: macOS Catalina
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: An out-of-bounds write was addressed with improved input
validation.
CVE-2021-30765: Liu Long of Ant Security Light-Year Lab
CVE-2021-30766: Liu Long of Ant Security Light-Year Lab

IOUSBHostFamily
Available for: macOS Catalina
Impact: An unprivileged application may be able to capture USB
devices
Description: This issue was addressed with improved checks.
CVE-2021-30731: UTM (@UTMapp)

Kernel
Available for: macOS Catalina
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A double free issue was addressed with improved memory
management.
CVE-2021-30703: an anonymous researcher

Kernel
Available for: macOS Catalina
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A logic issue was addressed with improved state
management.
CVE-2021-30793: Zuozhi Fan (@pattern_F_) of Ant Security TianQiong
Lab

LaunchServices
Available for: macOS Catalina
Impact: A malicious application may be able to break out of its
sandbox
Description: This issue was addressed with improved environment
sanitization.
CVE-2021-30677: Ron Waisberg (@epsilan)

LaunchServices
Available for: macOS Catalina
Impact: A sandboxed process may be able to circumvent sandbox
restrictions
Description: An access issue was addressed with improved access
restrictions.
CVE-2021-30783: Ron Waisberg (@epsilan)

Model I/O
Available for: macOS Catalina
Impact: Processing a maliciously crafted image may lead to a denial
of service
Description: A logic issue was addressed with improved validation.
CVE-2021-30796: Mickey Jin (@patch1t) of Trend Micro

Sandbox
Available for: macOS Catalina
Impact: A malicious application may be able to access restricted
files
Description: This issue was addressed with improved checks.
CVE-2021-30782: Csaba Fitzl (@theevilbit) of Offensive Security

WebKit
Available for: macOS Catalina
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed with
improved memory handling.
CVE-2021-30799: Sergei Glazunov of Google Project Zero

Additional recognition

configd
We would like to acknowledge Csaba Fitzl (@theevilbit) of Offensive
Security for their assistance.

CoreServices
We would like to acknowledge Zhongcheng Li (CK01) for their
assistance.

CoreText
We would like to acknowledge Mickey Jin (@patch1t) of Trend Micro for
their assistance.

Crash Reporter
We would like to acknowledge Yizhuo Wang of Group of Software
Security In Progress (G.O.S.S.I.P) at Shanghai Jiao Tong University
for their assistance.

crontabs
We would like to acknowledge Csaba Fitzl (@theevilbit) of Offensive
Security for their assistance.

IOKit
We would like to acknowledge George Nosenko for their assistance.

Spotlight
We would like to acknowledge Csaba Fitzl (@theevilbit) of Offensive
Security for their assistance.

Installation note:

This update may be obtained from the Mac App Store or
Apple's Software Downloads web site:
https://support.apple.com/downloads/

Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEbURczHs1TP07VIfuZcsbuWJ6jjAFAmD4r8cACgkQZcsbuWJ6
jjABdhAAirmXHOsGrxcCNUBGKp5vqFtTyyfgzZIqg5GE3uMS7+l08XUgh32opEHX
qyAUtECbsBUZVTWYRDH1tFOIMU/BpVWZ1w4BOcg6cYTXSdDBqz57VUo71ivjsn4s
MspZ+0so2nLhO2ZwnejQA1tFVH8s2DtScCzYiGjlu/bK61Nozu8E7LzHSksUn/Vp
/68FMaYO8qmRkIZp68n6Avid+pfP8XAcBVuQtlttGX98JFN76u/uH9CuVk64r2Mp
g2o5/Dw15OAOREOTwbcCxSoncHtUoEBSGykxJNRRnAC3zxPndHASA3uM7Ez5ubaa
z9+LrMGXWnbWgOT9y1FSu6vtDDRgd37+syONU9Z2WlHs9nNpo+g2FzIl5/f6twgv
8npMDuCvwtg+I/lXEZBX/AobNq+/OXZDeRtEjeTBzy+gw4I74pkJajg3HwaxTLRV
d+3hsWyQp1tRoeSMC/OErVLrpsV8FmXJyIEeZoaD2jliobz4/6km9CH6VimfPqGJ
ZMQkX/m5yt3OqFXSh6i3ZWjXDRiqw2rVvLa2Ya8Me1PFmroRxj56AuelRM5+J9LG
bBIsV87A+7J44q01OT0hy7JX/mg2wYcUKNglz7iNeeffbOTnDXlI+pP12gPKDkDW
AT2oWHVljBg8aRBVSFB0wu5jctIWjQysbEQCnIDWiPWd4GVSOSs=agRk
-----END PGP SIGNATURE-----