Fedora 24: libplist Security Update
Summary
libplist is a library for manipulating Apple Binary and XML Property Lists
Version 2.0.0 Changes: * New light-weight custom XML parser * Remove
libxml2 dependency * Refactor binary plist parsing * Improved malformed XML
and binary plist detection and error handling * Add parser debug/error output
(when compiled with --enable-debug), controlled via environment variables *
Fix unicode character handling * Add PLIST_IS_* helper macros for the
different node types * Extend date/time range and date conversion issues *
Add plist_is_binary() and plist_from_memory() functions to the interface *
Plug several memory leaks * Speed improvements for handling large plist files
Includes security fixes for: * CVE-2017-6440 * CVE-2017-6439 *
CVE-2017-6438 * CVE-2017-6437 * CVE-2017-6436 * CVE-2017-6435 *
CVE-2017-5836 * CVE-2017-5835 * CVE-2017-5834 * CVE-2017-5545 *
CVE-2017-5209 ... and several others that didn't receive any CVE (yet).
[ 1 ] Bug #1432965 - CVE-2017-6440 libplist: Memory allocation error in parse_data_node
https://bugzilla.redhat.com/show_bug.cgi?id=1432965
[ 2 ] Bug #1432959 - CVE-2017-6439 libplist: Heap-based buffer overflow in parse_string_node
https://bugzilla.redhat.com/show_bug.cgi?id=1432959
[ 3 ] Bug #1432956 - CVE-2017-6438 libplist: Heap-based buffer overflow in parse_unicode_node
https://bugzilla.redhat.com/show_bug.cgi?id=1432956
[ 4 ] Bug #1432954 - CVE-2017-6437 libplist: Out-of-bounds heap read in base64encode function
https://bugzilla.redhat.com/show_bug.cgi?id=1432954
[ 5 ] Bug #1432951 - CVE-2017-6436 libplist: Integer overflow in parse_string_node
https://bugzilla.redhat.com/show_bug.cgi?id=1432951
[ 6 ] Bug #1412613 - CVE-2017-5209 libplist: base64decode buffer over-read via split encoded Apple Property List data
https://bugzilla.redhat.com/show_bug.cgi?id=1412613
su -c 'dnf upgrade libplist' at the command line.
For more information, refer to the dnf documentation available at
https://dnf.readthedocs.io/en/latest/command_ref.html
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/security/
package-announce mailing list -- package-announce@lists.fedoraproject.org
To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org
FEDORA-2017-3849af4477 2017-05-12 14:08:49.129401 Product : Fedora 24 Version : 2.0.0 Release : 1.fc24 URL : https://libimobiledevice.org/ Summary : Library for manipulating Apple Binary and XML Property Lists Description : libplist is a library for manipulating Apple Binary and XML Property Lists Version 2.0.0 Changes: * New light-weight custom XML parser * Remove libxml2 dependency * Refactor binary plist parsing * Improved malformed XML and binary plist detection and error handling * Add parser debug/error output (when compiled with --enable-debug), controlled via environment variables * Fix unicode character handling * Add PLIST_IS_* helper macros for the different node types * Extend date/time range and date conversion issues * Add plist_is_binary() and plist_from_memory() functions to the interface * Plug several memory leaks * Speed improvements for handling large plist files Includes security fixes for: * CVE-2017-6440 * CVE-2017-6439 * CVE-2017-6438 * CVE-2017-6437 * CVE-2017-6436 * CVE-2017-6435 * CVE-2017-5836 * CVE-2017-5835 * CVE-2017-5834 * CVE-2017-5545 * CVE-2017-5209 ... and several others that didn't receive any CVE (yet). [ 1 ] Bug #1432965 - CVE-2017-6440 libplist: Memory allocation error in parse_data_node https://bugzilla.redhat.com/show_bug.cgi?id=1432965 [ 2 ] Bug #1432959 - CVE-2017-6439 libplist: Heap-based buffer overflow in parse_string_node https://bugzilla.redhat.com/show_bug.cgi?id=1432959 [ 3 ] Bug #1432956 - CVE-2017-6438 libplist: Heap-based buffer overflow in parse_unicode_node https://bugzilla.redhat.com/show_bug.cgi?id=1432956 [ 4 ] Bug #1432954 - CVE-2017-6437 libplist: Out-of-bounds heap read in base64encode function https://bugzilla.redhat.com/show_bug.cgi?id=1432954 [ 5 ] Bug #1432951 - CVE-2017-6436 libplist: Integer overflow in parse_string_node https://bugzilla.redhat.com/show_bug.cgi?id=1432951 [ 6 ] Bug #1412613 - CVE-2017-5209 libplist: base64decode buffer over-read via split encoded Apple Property List data https://bugzilla.redhat.com/show_bug.cgi?id=1412613 su -c 'dnf upgrade libplist' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/ package-announce mailing list -- package-announce@lists.fedoraproject.org To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org
Change Log
References