95702

https://github.com/libimobiledevice/libplist/commit/7391a506352c009fe044dead7baad9e22dd279ee

https://github.com/libimobiledevice/libplist/issues/87

[debian-lts-announce] 20200402 [SECURITY] [DLA 2168-1] libplist security update

libplist is a library for reading and writing the Apple binary and XML property lists format. It's part of the libimobiledevice stack, providing access to iDevices (iPod, iPhone, iPad ...).

CVE-2017-5209

The base64decode function in base64.c allows attackers to obtain sensitive information from process memory or cause a denial of service (buffer over-read) via split encoded Apple Property List data.

CVE-2017-5545

The main function in plistutil.c allows attackers to obtain sensitive information from process memory or cause a denial of service (buffer over-read) via Apple Property List data that is too short.

CVE-2017-5834

The parse_dict_node function in bplist.c allows attackers to cause a denial of service (out-of-bounds heap read and crash) via a crafted file.

CVE-2017-5835

libplist allows attackers to cause a denial of service (large memory allocation and crash) via vectors involving an offset size of zero.

CVE-2017-6435

The parse_string_node function in bplist.c allows local users to cause a denial of service (memory corruption) via a crafted plist file.

CVE-2017-6436

The parse_string_node function in bplist.c allows local users to cause a denial of service (memory allocation error) via a crafted plist file.

CVE-2017-6439

Heap-based buffer overflow in the parse_string_node function in bplist.c allows local users to cause a denial of service (out-of-bounds write) via a crafted plist file.

CVE-2017-7982

Integer overflow in the plist_from_bin function in bplist.c allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted plist file.

For Debian 8 'Jessie', these problems have been fixed in version 1.11-3+deb8u1.

We recommend that you upgrade your libplist packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the libplist package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - libplist allows attackers to cause a denial of service     (large memory allocation and crash) via vectors     involving an offset size of zero.(CVE-2017-5835)

  - The main function in plistutil.c in libimobiledevice     libplist through 1.12 allows attackers to obtain     sensitive information from process memory or cause a     denial of service (buffer over-read) via Apple Property     List data that is too short.(CVE-2017-5545)

  - The parse_dict_node function in bplist.c in libplist     allows attackers to cause a denial of service     (out-of-bounds heap read and crash) via a crafted     file.(CVE-2017-5834)

  - The plist_free_data function in plist.c in libplist     allows attackers to cause a denial of service (crash)     via vectors involving an integer node that is treated     as a PLIST_KEY and then triggers an invalid     free.(CVE-2017-5836)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the libplist package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - libplist allows attackers to cause a denial of service     (large memory allocation and crash) via vectors     involving an offset size of zero.(CVE-2017-5835)

  - The main function in plistutil.c in libimobiledevice     libplist through 1.12 allows attackers to obtain     sensitive information from process memory or cause a     denial of service (buffer over-read) via Apple Property     List data that is too short.(CVE-2017-5545)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the libplist package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - The parse_string_node function in bplist.c in     libimobiledevice libplist 1.12 allows local users to     cause a denial of service (memory corruption) via a     crafted plist file.(CVE-2017-6435)

  - The base64decode function in base64.c in     libimobiledevice libplist through 1.12 allows attackers     to obtain sensitive information from process memory or     cause a denial of service (buffer over-read) via split     encoded Apple Property List data.(CVE-2017-5209)

  - The main function in plistutil.c in libimobiledevice     libplist through 1.12 allows attackers to obtain     sensitive information from process memory or cause a     denial of service (buffer over-read) via Apple Property     List data that is too short.(CVE-2017-5545)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

New libplist packages are available for Slackware 14.2 and -current to fix security issues.

- Update to upstream 2.0.0

  - Fixes the following CVEs plus others

  - CVE-2017-6440 CVE-2017-6439 CVE-2017-6438 CVE-2017-6437     CVE-2017-6436 CVE-2017-6435 CVE-2017-5836 CVE-2017-5835     CVE-2017-5834 CVE-2017-5545 CVE-2017-5209

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for libplist fixes the following issues :

  - CVE-2017-5209: The base64decode function in libplist     allowed attackers to obtain sensitive information from     process memory or cause a denial of service (buffer     over-read) via split encoded Apple Property List data     (bsc#1019531).

  - CVE-2017-5545: The main function in plistutil.c in     libimobiledevice libplist allowed attackers to obtain     sensitive information from process memory or cause a     denial of service (buffer over-read) via Apple Property     List data that is too short. (bsc#1021610).

  - CVE-2017-5836: A type inconsistency in bplist.c was     fixed. (bsc#1023807)

  - CVE-2017-5835: A memory allocation error leading to DoS     was fixed. (bsc#1023822)

  - CVE-2017-5834: A heap-buffer overflow in parse_dict_node     was fixed. (bsc#1023848)

  - CVE-2017-6440: Ensure that sanity checks work on 32-bit     platforms. (bsc#1029631)

  - CVE-2017-7982: Add some safety checks, backported from     upstream (bsc#1035312). 

  - CVE-2017-5836: A maliciously crafted file could cause     the application to crash. (bsc#1023807).

  - CVE-2017-5835: Malicious crafted file could cause     libplist to allocate large amounts of memory and consume     lots of CPU (bsc#1023822) 

  - CVE-2017-5834: Maliciou crafted file could cause a heap     buffer overflow or segmentation fault (bsc#1023848) This     update was imported from the SUSE:SLE-12-SP2:Update     update project.

This update for libplist fixes the following issues :

  - CVE-2017-5209: The base64decode function in libplist     allowed attackers to obtain sensitive information from     process memory or cause a denial of service (buffer     over-read) via split encoded Apple Property List data     (bsc#1019531).

  - CVE-2017-5545: The main function in plistutil.c in     libimobiledevice libplist allowed attackers to obtain     sensitive information from process memory or cause a     denial of service (buffer over-read) via Apple Property     List data that is too short. (bsc#1021610).

  - CVE-2017-5836: A type inconsistency in bplist.c was     fixed. (bsc#1023807)

  - CVE-2017-5835: A memory allocation error leading to DoS     was fixed. (bsc#1023822)

  - CVE-2017-5834: A heap-buffer overflow in parse_dict_node     was fixed. (bsc#1023848)

  - CVE-2017-6440: Ensure that sanity checks work on 32-bit     platforms. (bsc#1029631)

  - CVE-2017-7982: Add some safety checks, backported from     upstream (bsc#1035312).

  - CVE-2017-5836: A maliciously crafted file could cause     the application to crash. (bsc#1023807).

  - CVE-2017-5835: Malicious crafted file could cause     libplist to allocate large amounts of memory and consume     lots of CPU (bsc#1023822)

  - CVE-2017-5834: Maliciou crafted file could cause a heap     buffer overflow or segmentation fault (bsc#1023848)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for libplist fixes the following security issues :

  - CVE-2017-5545: The main function in plistutil.c in     libimobiledevice libplist allowed attackers to obtain     sensitive information from process memory or cause a     denial of service (buffer over-read) via Apple Property     List data that is too short. (bsc#1021610).

  - CVE-2017-5209: The base64decode function in base64.c in     libimobiledevice libplist through 1.12 allows attackers     to obtain sensitive information from process memory or     cause a denial of service (buffer over-read) via split     encoded Apple Property List data. (bsc#1019531)

  - CVE-2017-5836: A type inconsistency in bplist.c was     fixed. (bsc#1023807)

  - CVE-2017-5835: A memory allocation error leading to DoS     was fixed. (bsc#1023822)

  - CVE-2017-5834: A heap-buffer overflow in parse_dict_node     was fixed (bsc#1023848)

  - CVE-2017-7982: Denial of service (heap-based buffer     over-read and application crash) via a crafted plist     file (bsc#1035312)

  - CVE-2017-6440: A specially crafted plist file could lead     to denial of service (bsc#1029631)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Version 2.0.0

Changes :

  - New light-weight custom XML parser

  - Remove libxml2 dependency

  - Refactor binary plist parsing

  - Improved malformed XML and binary plist detection and     error handling

  - Add parser debug/error output (when compiled with
    --enable-debug), controlled via environment variables

  - Fix unicode character handling

  - Add PLIST_IS_* helper macros for the different node     types

  - Extend date/time range and date conversion issues

  - Add plist_is_binary() and plist_from_memory() functions     to the interface

  - Plug several memory leaks

  - Speed improvements for handling large plist files

Includes security fixes for :

  - CVE-2017-6440

  - CVE-2017-6439

  - CVE-2017-6438

  - CVE-2017-6437

  - CVE-2017-6436

  - CVE-2017-6435

  - CVE-2017-5836

  - CVE-2017-5835

  - CVE-2017-5834

  - CVE-2017-5545

  - CVE-2017-5209

... and several others that didn't receive any CVE (yet).

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for libplist addresses the following vulnerabilities :

  - CVE-2017-5545: OOB heap buffer read which could allow     attackers to obtain sensitive information from process     memory or cause a DoS (bsc#1021610)

  - CVE-2017-5209: base64decode function could have allowed     attackers to obtain sensitive information from process     memory or cause a denial of service (buffer over-read)     via split encoded Apple Property List data

The following vulnerabilities have been fixed in libplist :

CVE-2017-5209

Out of bounds read when parsing specially crafted Apple plist file

CVE-2017-5545

Heap buffer overflow via crafted Apple plist file

For Debian 7 'Wheezy', these problems have been fixed in version 1.8-1+deb7u1.

We recommend that you upgrade your libplist packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
135190	Debian DLA-2168-1 : libplist security update	Nessus	Debian Local Security Checks	medium
132148	EulerOS 2.0 SP3 : libplist (EulerOS-SA-2019-2613)	Nessus	Huawei Local Security Checks	medium
131887	EulerOS 2.0 SP2 : libplist (EulerOS-SA-2019-2395)	Nessus	Huawei Local Security Checks	medium
130669	EulerOS 2.0 SP5 : libplist (EulerOS-SA-2019-2207)	Nessus	Huawei Local Security Checks	medium
104641	Slackware 14.2 / current : libplist (SSA:2017-320-01)	Nessus	Slackware Local Security Checks	medium
101732	Fedora 26 : libplist (2017-d8173aacff)	Nessus	Fedora Local Security Checks	medium
100502	openSUSE Security Update : libplist (openSUSE-2017-627)	Nessus	SuSE Local Security Checks	medium
100374	SUSE SLED12 / SLES12 Security Update : libplist (SUSE-SU-2017:1379-1)	Nessus	SuSE Local Security Checks	medium
100354	SUSE SLED12 / SLES12 Security Update : libplist (SUSE-SU-2017:1368-1)	Nessus	SuSE Local Security Checks	medium
100188	Fedora 25 : libplist (2017-4047180cd3)	Nessus	Fedora Local Security Checks	medium
100187	Fedora 24 : libplist (2017-3849af4477)	Nessus	Fedora Local Security Checks	medium
97093	openSUSE Security Update : libplist (openSUSE-2017-230)	Nessus	SuSE Local Security Checks	medium
96910	Debian DLA-811-1 : libplist security update	Nessus	Debian Local Security Checks	medium

CVE-2017-5545

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins