APPLE-SA-12-11-2023-7 tvOS 17.2

tvOS 17.2 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/kb/HT214040.

Apple maintains a Security Updates page at
https://support.apple.com/HT201222 which lists recent
software updates with security advisories.

AVEVideoEncoder
Available for: Apple TV HD and Apple TV 4K (all models)
Impact: An app may be able to disclose kernel memory
Description: This issue was addressed with improved redaction of
sensitive information.
CVE-2023-42884: an anonymous researcher

ImageIO
Available for: Apple TV HD and Apple TV 4K (all models)
Impact: Processing an image may lead to arbitrary code execution
Description: The issue was addressed with improved memory handling.
CVE-2023-42898: Junsung Lee
CVE-2023-42899: Meysam Firouzi @R00tkitSMM and Junsung Lee

Kernel
Available for: Apple TV HD and Apple TV 4K (all models)
Impact: An app may be able to break out of its sandbox
Description: The issue was addressed with improved memory handling.
CVE-2023-42914: Eloi Benoist-Vanderbeken (@elvanderb) of Synacktiv
(@Synacktiv)

WebKit
Available for: Apple TV HD and Apple TV 4K (all models)
Impact: Processing web content may lead to arbitrary code execution
Description: The issue was addressed with improved memory handling.
WebKit Bugzilla: 259830
CVE-2023-42890: Pwn2car

WebKit
Available for: Apple TV HD and Apple TV 4K (all models)
Impact: Processing an image may lead to a denial-of-service
Description: The issue was addressed with improved memory handling.
WebKit Bugzilla: 263349
CVE-2023-42883: Zoom Offensive Security Team

WebKit
Available for: Apple TV HD and Apple TV 4K (all models)
Impact: Processing web content may disclose sensitive information. Apple
is aware of a report that this issue may have been exploited against
versions of iOS before iOS 16.7.1.
Description: An out-of-bounds read was addressed with improved input
validation.
WebKit Bugzilla: 265041
CVE-2023-42916: Clément Lecigne of Google's Threat Analysis Group

WebKit
Available for: Apple TV HD and Apple TV 4K (all models)
Impact: Processing web content may lead to arbitrary code execution.
Apple is aware of a report that this issue may have been exploited
against versions of iOS before iOS 16.7.1.
Description: A memory corruption vulnerability was addressed with
improved locking.
WebKit Bugzilla: 265067
CVE-2023-42917: Clément Lecigne of Google's Threat Analysis Group

Additional recognition

Wi-Fi
We would like to acknowledge Noah Roskin-Frazee and Prof. J.
(ZeroClicks.ai Lab) for their assistance.

Apple TV will periodically check for software updates. Alternatively,
you may manually check for software updates by selecting "Settings ->
System -> Software Update -> Update Software." To check the current
version of software, select "Settings -> General -> About."
All information is also posted on the Apple Security Updates
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmV3qngACgkQX+5d1TXa
Ivrv3RAAuQY01CVjPIhf1IVMNryEZAW+NEm29U419ldBlHWNENHiXD7dF5cPNcDd
fVlyxJ4zXCjIMflrS5oOGjqtsJvMfL99QaF9of5elxBjF8wA3d3bslESVveUw4/n
OflBE44Ghbg2nNd/wQiiLCDWCbKyVk9R5Vm1c2L5+afg4dyppaNME4oxq7itnyjr
UmNv7Sb2pxjjew0L9YAV15DaZmH30By6jRIKynS0+P1Eys/Vx3JVwC6QOOba6ixF
OxO/Ki4vFAuwxnC9hGbYon6QTpMAuI0nzQAD/RYtpQMtkPkZ3dPPeA7DBs8TIxIo
8QKfABYt5QY+VKFaTbNclzMu0/l/l3AcaZsbKTsyM1rEH8hACZKlkVQxQ3GhVXbe
Hmc6JqOA+fpVJya7RUNCyo3Kq4jKf8Rgj+rDJyHSqZ8vEHr/qrLmgvEsHfhAPq46
tUZMuVrHtcREKzxLh2Os4hCs68kcEG3w9Q2n5a5UHskLBYimhFTsp5ajClNC1l1w
KiVW8SmDL7zt5ApNWRNa1Pc3ZxvAUousVbuMWt6VP40mz9AHKs8VsoscMwQkzscs
OMkrHUJdQfki+GLsd4Zk54/VjQR1CFtr1xBPZkKPW4WCinjAiw73fuOCzTz4f+rZ
Dwvd0BGIGPWaRewZhcxPXrSHDj91bbBLRkOPn5JVDkbP3eXRbAU=
=IKXm
-----END PGP SIGNATURE-----