ID

VAR-201512-0156


CVE

CVE-2015-7057


TITLE

Apple Xcode of otools Vulnerability gained in

Trust: 0.8

sources: JVNDB: JVNDB-2015-006363

DESCRIPTION

otools in Apple Xcode before 7.2 allows local users to gain privileges or cause a denial of service (memory corruption) via a crafted mach-o file, a different vulnerability than CVE-2015-7049. Apple Xcode is prone to multiple security vulnerabilities. Attackers can exploit these issues to execute arbitrary code, bypass security restrictions and perform unauthorized actions. Failed exploit attempts may result in a denial-of-service condition. Apple Xcode is an integrated development environment provided by Apple (Apple) to developers. It is mainly used to develop applications for Mac OS X and iOS. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 APPLE-SA-2015-12-08-6 Xcode 7.2 Xcode 7.2 is now available and addresses the following: Git Available for: OS X Yosemite v10.10.5 or later Impact: Multiple vulnerabilities existed in Git Description: Multiple vulnerabilities existed in Git versions prior to 2.5.4. These were addressed by updating Git to version 2.5.4. CVE-ID CVE-2015-7082 IDE SCM Available for: OS X Yosemite v10.10.5 or later Impact: Intentionally untracked files may be uploaded to repositories Description: Xcode did not honor the .gitignore directive. This issue was addressed by adding support to honor .gitignore file. CVE-ID CVE-2015-7056 : Stephen Lardieri otools Available for: OS X Yosemite v10.10.5 or later Impact: A local attacker may be able to cause unexpected application termination or arbitrary code execution Description: Multiple memory corruption issues existed in the processing of mach-o files. These issues were addressed through improved memory handling. CVE-ID CVE-2015-7049 : Proteas of Qihoo 360 Nirvan Team CVE-2015-7057 : Proteas of Qihoo 360 Nirvan Team Installation note: Xcode 7.2 may be obtained from: https://developer.apple.com/xcode/downloads/ To check that the Xcode has been updated: * Select Xcode in the menu bar * Select About Xcode * The version after applying this update will be "7.2". Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- Comment: GPGTools - https://gpgtools.org iQIcBAEBCgAGBQJWZzRaAAoJEBcWfLTuOo7td2kP/Ag61Qpz8uA8MgClf9SbFJau FNMDPV7ZOLPPc+DA37rQIwQemSe8dkt4Jnc6TOcTQdR7+f+Mt0QgscDW9xlOlYT4 Ofg5h5XnrKQ02DBkptD4ms5RH8JAHDKCYj8WttlBnBVsJMb6H3s5Om6vfubXkb7t 6bdUMe7iCgRsGuRrBuzPfxjMzh2ilnWML1B6VJkRi6rMnWTW2a66BWvfqLL1Cv2h 1ybIaJi1wsw0lTxGIb+bNM8lg+EL4JLEV+DSJ6mFtDpF6dQBqndbxjopbO5l6LzT rnWtFTQQ1/6SAM11n9bbDOQj8w8QW3v0CAyad4HN+5Ayk/qnuJZ8o1ycSGAIrQgr HCzG8RELjK9ipgkdu5daXUc75SGVPuuwobQM6SNzrg5M6SVzIvVdSibTwfgnDvgu PQO6mBZXLewSBoWqJAQnoDJXExSJ67IE5RzXwvg5KQcF+81Toj48HUxxd98PKrnI gPbhf8QT9/asGupN4wh3JjN73/qm2BwpJsbPvVj42Ew1OnsBgldpEL1Ssl/2qX0O pPi1pfF6PIFQUrbloWyYC+lIJuydb3FZUYKLR6HSn7v7RrZu5n8Uvj+5VX3TyVOi 5WzXvbHd9L3exphb8SnITTUdZX6LzkUgRrQRvGWTzT/AfIHQRAyliyk7BgYRqzHH ObtqW74YB0YXaiw1ckGl =FxUB -----END PGP SIGNATURE-----

Trust: 2.16

sources: NVD: CVE-2015-7057 // JVNDB: JVNDB-2015-006363 // BID: 78727 // VULHUB: VHN-85018 // VULMON: CVE-2015-7057 // PACKETSTORM: 134747

AFFECTED PRODUCTS

vendor:applemodel:xcodescope:lteversion:7.1.1

Trust: 1.0

vendor:applemodel:xcodescope:ltversion:7.2 (os x yosemite v10.10.5 or later )

Trust: 0.8

vendor:applemodel:xcodescope:eqversion:7.1.1

Trust: 0.6

vendor:gitmodel:gitscope:eqversion:2.5.3

Trust: 0.3

vendor:gitmodel:gitscope:eqversion:2.5.2

Trust: 0.3

vendor:gitmodel:gitscope:eqversion:2.5.1

Trust: 0.3

vendor:gitmodel:gitscope:eqversion:2.5

Trust: 0.3

vendor:gitmodel:gitscope:eqversion:2.2.1

Trust: 0.3

vendor:gitmodel:gitscope:eqversion:2.2

Trust: 0.3

vendor:gitmodel:gitscope:eqversion:2.1.4

Trust: 0.3

vendor:gitmodel:gitscope:eqversion:2.1.3

Trust: 0.3

vendor:gitmodel:gitscope:eqversion:2.1

Trust: 0.3

vendor:gitmodel:gitscope:eqversion:2.0.5

Trust: 0.3

vendor:gitmodel:gitscope:eqversion:2.0.4

Trust: 0.3

vendor:gitmodel:gitscope:eqversion:2.0

Trust: 0.3

vendor:gitmodel:gitscope:eqversion:1.9.5

Trust: 0.3

vendor:gitmodel:gitscope:eqversion:1.9.4

Trust: 0.3

vendor:gitmodel:gitscope:eqversion:1.9

Trust: 0.3

vendor:gitmodel:gitscope:eqversion:1.8.56

Trust: 0.3

vendor:gitmodel:gitscope:eqversion:1.7.2

Trust: 0.3

vendor:gitmodel:gitscope:eqversion:1.6.3.2

Trust: 0.3

vendor:gitmodel:gitscope:eqversion:1.66

Trust: 0.3

vendor:gitmodel:gitscope:eqversion:1.65

Trust: 0.3

vendor:gitmodel:gitscope:eqversion:1.5.66

Trust: 0.3

vendor:gitmodel:gitscope:eqversion:1.5.65

Trust: 0.3

vendor:gitmodel:gitscope:eqversion:1.5.6.4

Trust: 0.3

vendor:gitmodel:gitscope:eqversion:1.5.6.3

Trust: 0.3

vendor:gitmodel:gitscope:eqversion:1.5.6

Trust: 0.3

vendor:gitmodel:gitscope:eqversion:1.5.56

Trust: 0.3

vendor:gitmodel:gitscope:eqversion:1.5.55

Trust: 0.3

vendor:gitmodel:gitscope:eqversion:1.5.5

Trust: 0.3

vendor:gitmodel:gitscope:eqversion:1.5.47

Trust: 0.3

vendor:gitmodel:gitscope:eqversion:1.5.46

Trust: 0.3

vendor:gitmodel:gitscope:eqversion:1.5.24

Trust: 0.3

vendor:gitmodel:gitscope:eqversion:1.1.5

Trust: 0.3

vendor:gitmodel:gitscope:eqversion:1.1.4

Trust: 0.3

vendor:gitmodel:gitscope:eqversion:1.8.5.5

Trust: 0.3

vendor:gitmodel:gitscope:eqversion:1.8.5.0

Trust: 0.3

vendor:gitmodel:gitscope:eqversion:1.8.1.4

Trust: 0.3

vendor:gitmodel:gitscope:eqversion:1.8.1.3

Trust: 0.3

vendor:gitmodel:gitscope:eqversion:1.8

Trust: 0.3

vendor:gitmodel:gitscope:eqversion:1.7.3.4

Trust: 0.3

vendor:gitmodel:gitscope:eqversion:1.7.3.3

Trust: 0.3

vendor:gitmodel:gitscope:eqversion:1.4.4.5

Trust: 0.3

vendor:applemodel:xcodescope:eqversion:6.0.1

Trust: 0.3

vendor:applemodel:xcodescope:eqversion:2.4.1

Trust: 0.3

vendor:applemodel:xcodescope:eqversion:7.1

Trust: 0.3

vendor:applemodel:xcodescope:eqversion:7.0

Trust: 0.3

vendor:applemodel:xcodescope:eqversion:6.3

Trust: 0.3

vendor:applemodel:xcodescope:eqversion:6.2

Trust: 0.3

vendor:applemodel:xcodescope:eqversion:6.0

Trust: 0.3

vendor:applemodel:xcodescope:eqversion:5.0

Trust: 0.3

vendor:applemodel:xcodescope:eqversion:4.4

Trust: 0.3

vendor:applemodel:xcodescope:eqversion:4.3.3

Trust: 0.3

vendor:applemodel:xcodescope:eqversion:4.3.2

Trust: 0.3

vendor:applemodel:xcodescope:eqversion:4.3.1

Trust: 0.3

vendor:applemodel:xcodescope:eqversion:4.3

Trust: 0.3

vendor:applemodel:xcodescope:eqversion:4.2.1

Trust: 0.3

vendor:applemodel:xcodescope:eqversion:4.2

Trust: 0.3

vendor:applemodel:xcodescope:eqversion:4.1.1

Trust: 0.3

vendor:applemodel:xcodescope:eqversion:4.0.2

Trust: 0.3

vendor:applemodel:xcodescope:eqversion:4.0.1

Trust: 0.3

vendor:applemodel:xcodescope:eqversion:4.0

Trust: 0.3

vendor:applemodel:xcodescope:eqversion:3.2.5

Trust: 0.3

vendor:applemodel:xcodescope:eqversion:3.2.4

Trust: 0.3

vendor:applemodel:xcodescope:eqversion:3.2.3

Trust: 0.3

vendor:applemodel:xcodescope:eqversion:3.2.2

Trust: 0.3

vendor:applemodel:xcodescope:eqversion:3.2.1

Trust: 0.3

vendor:applemodel:xcodescope:eqversion:3.1.4

Trust: 0.3

vendor:applemodel:xcodescope:eqversion:3.1.3

Trust: 0.3

vendor:applemodel:xcodescope:eqversion:3.1.2

Trust: 0.3

vendor:applemodel:xcodescope:eqversion:3.1.1

Trust: 0.3

vendor:applemodel:xcodescope:eqversion:3.1

Trust: 0.3

vendor:applemodel:xcodescope:eqversion:3.0

Trust: 0.3

vendor:applemodel:xcodescope:eqversion:2.3

Trust: 0.3

vendor:applemodel:xcodescope:eqversion:2.2

Trust: 0.3

vendor:applemodel:xcodescope:eqversion:2.1

Trust: 0.3

vendor:applemodel:xcodescope:eqversion:2.0

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.11.1

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.10.5

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.11

Trust: 0.3

vendor:gitmodel:gitscope:neversion:2.5.4

Trust: 0.3

vendor:applemodel:xcodescope:neversion:7.2

Trust: 0.3

sources: BID: 78727 // JVNDB: JVNDB-2015-006363 // CNNVD: CNNVD-201512-346 // NVD: CVE-2015-7057

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2015-7057
value: MEDIUM

Trust: 1.0

NVD: CVE-2015-7057
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201512-346
value: MEDIUM

Trust: 0.6

VULHUB: VHN-85018
value: MEDIUM

Trust: 0.1

VULMON: CVE-2015-7057
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2015-7057
severity: MEDIUM
baseScore: 4.6
vectorString: AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 3.9
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-85018
severity: MEDIUM
baseScore: 4.6
vectorString: AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 3.9
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-85018 // VULMON: CVE-2015-7057 // JVNDB: JVNDB-2015-006363 // CNNVD: CNNVD-201512-346 // NVD: CVE-2015-7057

PROBLEMTYPE DATA

problemtype:CWE-119

Trust: 1.9

sources: VULHUB: VHN-85018 // JVNDB: JVNDB-2015-006363 // NVD: CVE-2015-7057

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-201512-346

TYPE

buffer overflow

Trust: 0.6

sources: CNNVD: CNNVD-201512-346

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-006363

PATCH

title:Apple security updatesurl:https://support.apple.com/en-us/HT201222

Trust: 0.8

title:APPLE-SA-2015-12-08-6 Xcode 7.2url:http://lists.apple.com/archives/security-announce/2015/Dec/msg00004.html

Trust: 0.8

title:HT205642url:https://support.apple.com/en-us/HT205642

Trust: 0.8

title:HT205642url:http://support.apple.com/ja-jp/HT205642

Trust: 0.8

title:Apple Xcode otools Buffer Overflow Vulnerability Fixurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=59164

Trust: 0.6

title:Apple: Xcode 7.2url:https://vulmon.com/vendoradvisory?qidtp=apple_security_advisories&qid=b0f396ef6a900924a1f83c1172e037b6

Trust: 0.1

sources: VULMON: CVE-2015-7057 // JVNDB: JVNDB-2015-006363 // CNNVD: CNNVD-201512-346

EXTERNAL IDS

db:NVDid:CVE-2015-7057

Trust: 3.0

db:SECTRACKid:1034340

Trust: 1.2

db:JVNid:JVNVU97526033

Trust: 0.8

db:JVNDBid:JVNDB-2015-006363

Trust: 0.8

db:CNNVDid:CNNVD-201512-346

Trust: 0.7

db:BIDid:78727

Trust: 0.4

db:VULHUBid:VHN-85018

Trust: 0.1

db:VULMONid:CVE-2015-7057

Trust: 0.1

db:PACKETSTORMid:134747

Trust: 0.1

sources: VULHUB: VHN-85018 // VULMON: CVE-2015-7057 // BID: 78727 // JVNDB: JVNDB-2015-006363 // PACKETSTORM: 134747 // CNNVD: CNNVD-201512-346 // NVD: CVE-2015-7057

REFERENCES

url:http://lists.apple.com/archives/security-announce/2015/dec/msg00004.html

Trust: 1.8

url:https://support.apple.com/ht205642

Trust: 1.8

url:http://www.securitytracker.com/id/1034340

Trust: 1.2

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-7057

Trust: 0.8

url:http://jvn.jp/vu/jvnvu97526033/

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-7057

Trust: 0.8

url:http://git.or.cz/

Trust: 0.3

url:http://www.apple.com/macosx/

Trust: 0.3

url:https://developer.apple.com/xcode/

Trust: 0.3

url:https://cwe.mitre.org/data/definitions/119.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://support.apple.com/kb/ht205642

Trust: 0.1

url:https://www.securityfocus.com/bid/78727

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2015-7057

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2015-7082

Trust: 0.1

url:https://support.apple.com/kb/ht201222

Trust: 0.1

url:https://www.apple.com/support/security/pgp/

Trust: 0.1

url:https://gpgtools.org

Trust: 0.1

url:https://developer.apple.com/xcode/downloads/

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2015-7049

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2015-7056

Trust: 0.1

sources: VULHUB: VHN-85018 // VULMON: CVE-2015-7057 // BID: 78727 // JVNDB: JVNDB-2015-006363 // PACKETSTORM: 134747 // CNNVD: CNNVD-201512-346 // NVD: CVE-2015-7057

CREDITS

Stephen Lardieri and Proteas of Qihoo 360 Nirvan Team

Trust: 0.3

sources: BID: 78727

SOURCES

db:VULHUBid:VHN-85018
db:VULMONid:CVE-2015-7057
db:BIDid:78727
db:JVNDBid:JVNDB-2015-006363
db:PACKETSTORMid:134747
db:CNNVDid:CNNVD-201512-346
db:NVDid:CVE-2015-7057

LAST UPDATE DATE

2024-08-14T12:48:24.161000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-85018date:2016-12-07T00:00:00
db:VULMONid:CVE-2015-7057date:2016-12-07T00:00:00
db:BIDid:78727date:2015-12-08T00:00:00
db:JVNDBid:JVNDB-2015-006363date:2015-12-15T00:00:00
db:CNNVDid:CNNVD-201512-346date:2015-12-14T00:00:00
db:NVDid:CVE-2015-7057date:2016-12-07T18:22:22.417

SOURCES RELEASE DATE

db:VULHUBid:VHN-85018date:2015-12-11T00:00:00
db:VULMONid:CVE-2015-7057date:2015-12-11T00:00:00
db:BIDid:78727date:2015-12-08T00:00:00
db:JVNDBid:JVNDB-2015-006363date:2015-12-15T00:00:00
db:PACKETSTORMid:134747date:2015-12-10T17:11:47
db:CNNVDid:CNNVD-201512-346date:2015-12-14T00:00:00
db:NVDid:CVE-2015-7057date:2015-12-11T11:59:23.117