--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2017-3849af4477
2017-05-12 14:08:49.129401
--------------------------------------------------------------------------------

Name        : libplist
Product     : Fedora 24
Version     : 2.0.0
Release     : 1.fc24
URL         : https://libimobiledevice.org/
Summary     : Library for manipulating Apple Binary and XML Property Lists
Description :
libplist is a library for manipulating Apple Binary and XML Property Lists

--------------------------------------------------------------------------------
Update Information:

Version 2.0.0

Changes:

  * New light-weight custom XML parser
  * Remove libxml2 dependency
  * Refactor binary plist parsing
  * Improved malformed XML and binary plist detection and error handling
  * Add parser debug/error output (when compiled with --enable-debug),
    controlled via environment variables
  * Fix unicode character handling
  * Add PLIST_IS_* helper macros for the different node types
  * Extend date/time range and date conversion issues
  * Add plist_is_binary() and plist_from_memory() functions to the interface
  * Plug several memory leaks
  * Speed improvements for handling large plist files

Includes security fixes for:

  * CVE-2017-6440
  * CVE-2017-6439
  * CVE-2017-6438
  * CVE-2017-6437
  * CVE-2017-6436
  * CVE-2017-6435
  * CVE-2017-5836
  * CVE-2017-5835
  * CVE-2017-5834
  * CVE-2017-5545
  * CVE-2017-5209

... and several others that didn't receive any CVE (yet).
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1432965 - CVE-2017-6440 libplist: Memory allocation error in parse_data_node
        https://bugzilla.redhat.com/show_bug.cgi?id=1432965
  [ 2 ] Bug #1432959 - CVE-2017-6439 libplist: Heap-based buffer overflow in parse_string_node
        https://bugzilla.redhat.com/show_bug.cgi?id=1432959
  [ 3 ] Bug #1432956 - CVE-2017-6438 libplist: Heap-based buffer overflow in parse_unicode_node
        https://bugzilla.redhat.com/show_bug.cgi?id=1432956
  [ 4 ] Bug #1432954 - CVE-2017-6437 libplist: Out-of-bounds heap read in base64encode function
        https://bugzilla.redhat.com/show_bug.cgi?id=1432954
  [ 5 ] Bug #1432951 - CVE-2017-6436 libplist: Integer overflow in parse_string_node
        https://bugzilla.redhat.com/show_bug.cgi?id=1432951
  [ 6 ] Bug #1412613 - CVE-2017-5209 libplist: base64decode buffer over-read via split encoded Apple Property List data
        https://bugzilla.redhat.com/show_bug.cgi?id=1412613
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade libplist' at the command line.
For more information, refer to the dnf documentation available at
https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/security/
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list -- package-announce@lists.fedoraproject.org
To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org
