Apple on Tuesday released out-of-band patches for iOS and macOS, to address two arbitrary code execution vulnerabilities in the libxml2 library.
Written in the C programming language and originally developed for the Gnome project, libxml2 is a software library for parsing XML documents.
Tracked as CVE-2022-40303 and CVE-2022-40304, the two vulnerabilities could lead to remote code execution. Apple has credited Google Project Zero security researchers for both issues.
“A remote user may be able to cause unexpected app termination or arbitrary code execution,” Apple notes for both security flaws.
The first of the flaws exists because the lack of specific limitations could lead to integer overflows. According to Apple, improved input validation resolved the issue.
In case of the second vulnerability, in specific conditions, memory errors such as double-free bugs could emerge. Apple says that improved checks fixed the defect.
Apple addressed the flaws with the release of macOS Ventura 13.0.1 and iOS 16.1.1 and iPadOS 16.1.1 (for iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th gen and later, and iPad mini 5th gen and later).
Apple has made no mention of any of the vulnerabilities being exploited in attacks.
However, proof-of-concept (PoC) code targeting CVE-2022-40303, as well as full technical details on CVE-2022-40304 have been published online, which explains why Apple rushed the fixes.
Ionut Arghire is an international correspondent for SecurityWeek. Previous Columns by Ionut Arghire:Tags: