Overview

File _patchinfo of Package patchinfo.4095

<patchinfo incident="4095">
  <issue id="1021610" tracker="bnc">VUL-1: CVE-2017-5545: libplist: invalid read on too short input files</issue>
  <issue id="1019531" tracker="bnc">VUL-1: CVE-2017-5209: libplist: base64decode buffer over-read via split encoded Apple Property List data (edit)</issue>
  <issue id="1023807" tracker="bnc">VUL-1: CVE-2017-5836: libplist: Type inconsistency in bplist.c</issue>
  <issue id="1023822" tracker="bnc">VUL-1: CVE-2017-5835: libplist: Memory allocation error leading to DoS</issue>
  <issue id="1023848" tracker="bnc">VUL-1: CVE-2017-5834: libplist: Heap-buffer overflow in parse_dict_node</issue>
  <issue id="1035312" tracker="bnc">VUL-1: CVE-2017-7982: libimobiledevice: denial of service (heap-based buffer over-read and application crash) via a crafted plist file</issue>
  <issue id="1029631" tracker="bnc">VUL-0: CVE-2017-6440: libplist: crafted plist file could lead to denial of service</issue>
  <issue id="2017-5209" tracker="cve" />
  <issue id="2017-5834" tracker="cve" />
  <issue id="2017-5835" tracker="cve" />
  <issue id="2017-6440" tracker="cve" />
  <issue id="2017-5836" tracker="cve" />
  <issue id="2017-5545" tracker="cve" />
  <issue id="2017-7982" tracker="cve" />

  <category>security</category>
  <rating>moderate</rating>
  <packager>alarrosa</packager>
  <description>
This update for libplist fixes the following security issues:

- CVE-2017-5545: The main function in plistutil.c in libimobiledevice libplist allowed attackers to obtain sensitive information from process memory or cause a denial of service (buffer over-read) via Apple Property List data that is too short. (bsc#1021610).
- CVE-2017-5209: The base64decode function in base64.c in libimobiledevice libplist through 1.12 allows attackers to obtain sensitive information from process memory or cause a denial of service (buffer over-read) via split encoded Apple Property List data. (bsc#1019531)
- CVE-2017-5836: A type inconsistency in bplist.c was fixed. (bsc#1023807)
- CVE-2017-5835: A memory allocation error leading to DoS was fixed. (bsc#1023822)
- CVE-2017-5834: A heap-buffer overflow in parse_dict_node was fixed (bsc#1023848)
- CVE-2017-7982: Denial of service (heap-based buffer over-read and application crash) via a crafted plist file (bsc#1035312)
- CVE-2017-6440: A specially crafted plist file could lead to denial of service (bsc#1029631)    
</description>
  <summary>Security update for libplist</summary>
</patchinfo>
openSUSE Build Service is sponsored by
Places