ID

VAR-201912-0560


CVE

CVE-2019-8739


TITLE

Xcode Memory corruption vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2019-013748

DESCRIPTION

A memory corruption issue was addressed with improved state management. This issue is fixed in Xcode 11.0. Processing a maliciously crafted file may lead to arbitrary code execution.

APPLE-SA-2019-9-26-7 Xcode 11.0

Xcode 11.0 addresses the following:

IDE SCM
Available for: macOS Mojave 10.14.4 and later
Impact: Multiple issues in libssh2
Description: Multiple issues were addressed by updating to version 2.16.
CVE-2019-3855: Chris Coulson

ld64
Available for: macOS Mojave 10.14.4 and later
Impact: Compiling code without proper input validation could lead to arbitrary code execution with user privilege
Description: Multiple issues in ld64 in the Xcode toolchains were addressed by updating to version ld64-507.4.
CVE-2019-8721: Pan ZhenPeng of Qihoo 360 Nirvan Team
CVE-2019-8722: Pan ZhenPeng of Qihoo 360 Nirvan Team
CVE-2019-8723: Pan ZhenPeng of Qihoo 360 Nirvan Team
CVE-2019-8724: Pan ZhenPeng of Qihoo 360 Nirvan Team

otool
Available for: macOS Mojave 10.14.4 and later
Impact: Processing a maliciously crafted file may lead to arbitrary code execution
Description: A memory corruption issue was addressed with improved state management.
CVE-2019-8738: Pan ZhenPeng (@Peterpan0927) of Qihoo 360 Nirvan Team
CVE-2019-8739: Pan ZhenPeng (@Peterpan0927) of Qihoo 360 Nirvan Team

Installation note:

Xcode 11.0 may be obtained from: https://developer.apple.com/xcode/downloads/

To check that the Xcode has been updated:
* Select Xcode in the menu bar
* Select About Xcode
* The version after applying this update will be "11.0".

Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/

Trust: 1.8

sources: NVD: CVE-2019-8739 // JVNDB: JVNDB-2019-013748 // VULHUB: VHN-160174 // PACKETSTORM: 154655

AFFECTED PRODUCTS

vendor: apple, model: xcode, scope: lt, version: 11.0

Trust: 1.0

vendor: apple, model: xcode, scope: lt, version: 11.0 (macos mojave 10.14.4 or later)

Trust: 0.8

sources: JVNDB: JVNDB-2019-013748 // NVD: CVE-2019-8739

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-8739
value: HIGH

Trust: 1.0

NVD: CVE-2019-8739
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201909-1291
value: HIGH

Trust: 0.6

VULHUB: VHN-160174
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2019-8739
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-160174
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2019-8739
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2019-8739
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-160174 // JVNDB: JVNDB-2019-013748 // CNNVD: CNNVD-201909-1291 // NVD: CVE-2019-8739

PROBLEMTYPE DATA

problemtype:CWE-787

Trust: 1.0

problemtype:CWE-119

Trust: 0.9

sources: VULHUB: VHN-160174 // JVNDB: JVNDB-2019-013748 // NVD: CVE-2019-8739

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-201909-1291

TYPE

buffer error

Trust: 0.6

sources: CNNVD: CNNVD-201909-1291

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-013748

PATCH

title: HT210609, url: https://support.apple.com/en-us/HT210609

Trust: 0.8

title: HT210609, url: https://support.apple.com/ja-jp/HT210609

Trust: 0.8

title: Apple Xcode otool Fixes for component security vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=98678

Trust: 0.6

sources: JVNDB: JVNDB-2019-013748 // CNNVD: CNNVD-201909-1291

EXTERNAL IDS

db: NVD, id: CVE-2019-8739

Trust: 2.6

db: JVNDB, id: JVNDB-2019-013748

Trust: 0.8

db: AUSCERT, id: ESB-2019.3647

Trust: 0.6

db: CNNVD, id: CNNVD-201909-1291

Trust: 0.6

db: VULHUB, id: VHN-160174

Trust: 0.1

db: PACKETSTORM, id: 154655

Trust: 0.1

sources: VULHUB: VHN-160174 // JVNDB: JVNDB-2019-013748 // PACKETSTORM: 154655 // CNNVD: CNNVD-201909-1291 // NVD: CVE-2019-8739

REFERENCES

url:https://support.apple.com/ht210609

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2019-8739

Trust: 1.5

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-8739

Trust: 0.8

url:https://support.apple.com/en-au/ht210609

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2019.3647/

Trust: 0.6

url:https://support.apple.com/en-us/ht210609

Trust: 0.6

url:https://support.apple.com/kb/ht201222

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-8724

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-8723

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-8738

Trust: 0.1

url:https://www.apple.com/support/security/pgp/

Trust: 0.1

url:https://developer.apple.com/xcode/downloads/

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-8722

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-8721

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-3855

Trust: 0.1

sources: VULHUB: VHN-160174 // JVNDB: JVNDB-2019-013748 // PACKETSTORM: 154655 // CNNVD: CNNVD-201909-1291 // NVD: CVE-2019-8739

CREDITS

Pan ZhenPeng (@Peterpan0927) of Qihoo 360 Nirvan Team

Trust: 0.6

sources: CNNVD: CNNVD-201909-1291

SOURCES

db: VULHUB, id: VHN-160174
db: JVNDB, id: JVNDB-2019-013748
db: PACKETSTORM, id: 154655
db: CNNVD, id: CNNVD-201909-1291
db: NVD, id: CVE-2019-8739

LAST UPDATE DATE

2024-08-14T12:17:14.502000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-160174, date: 2019-12-30T00:00:00
db: JVNDB, id: JVNDB-2019-013748, date: 2020-01-16T00:00:00
db: CNNVD, id: CNNVD-201909-1291, date: 2021-10-29T00:00:00
db: NVD, id: CVE-2019-8739, date: 2021-07-21T11:39:23.747

SOURCES RELEASE DATE

db: VULHUB, id: VHN-160174, date: 2019-12-18T00:00:00
db: JVNDB, id: JVNDB-2019-013748, date: 2020-01-16T00:00:00
db: PACKETSTORM, id: 154655, date: 2019-09-29T10:11:11
db: CNNVD, id: CNNVD-201909-1291, date: 2019-09-27T00:00:00
db: NVD, id: CVE-2019-8739, date: 2019-12-18T18:15:38.100