Posted by Apple Product Security via Fulldisclosure on May 16
APPLE-SA-2022-05-16-8 Xcode 13.4
Xcode 13.4 addresses the following issues.
Information about the security content is also available at https://support.apple.com/HT213261.
Git
Available for: macOS Monterey 12 or later
Impact: On multi-user machines Git users might find themselves
unexpectedly in a Git worktree
Description: A logic issue was addressed with improved state
management.
CVE-2022-24765: 俞晨东
Version 2.2.0 is affected, and prior versions are likely affected too.
[-] Vulnerabilities Description:
Vulnerable component is switching to another tab. To exploit
vulnerability, an attacker may send a POST request (with
application/x-www-form-urlencoded content-type) to AJAX endpoint
(usually “/index.php”) with “is_ajax_listing_tabs” parameter set to
“1” and “setting” parameter…
Elison Niven discovered that the c_rehash script included in OpenSSL did
not sanitise shell meta characters which could result in the execution
of arbitrary commands.
Jakub Wilk discovered a local privilege escalation in needrestart, a
utility to check which daemons need to be restarted after library
upgrades. Regular expressions to detect the Perl, Python, and Ruby
interpreters are not anchored, allowing a local user to escalate
privileges when needrestart tries to detect if interpreters are using
old source files.