Security update for libplist SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2017:2208-1 Final 1 1 2017-08-17T21:19:39Z current 2017-08-17T21:19:39Z 2017-08-17T21:19:39Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for libplist This update for libplist fixes the following issues: Security issues fixed: - CVE-2017-6439: Heap-based buffer overflow in the parse_string_node function. (bsc#1029638) - CVE-2017-6438: Heap-based buffer overflow in the parse_unicode_node function. (bsc#1029706) - CVE-2017-6437: The base64encode function in base64.c allows local users to cause denial of service (out-of-bounds read) via a crafted plist file. (bsc#1029707) - CVE-2017-6436: Integer overflow in parse_string_node. (bsc#1029751) - CVE-2017-6435: Crafted plist file could lead to Heap-buffer overflow. (bsc#1029639) This update was imported from the SUSE:SLE-12-SP2:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-updates/2017-08/msg00082.html E-Mail link for openSUSE-SU-2017:2208-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.2 openSUSE Leap 42.3 libplist-1.12-11.1 libplist++-devel-1.12-11.1 libplist++3-1.12-11.1 libplist++3-32bit-1.12-11.1 libplist-devel-1.12-11.1 libplist3-1.12-11.1 libplist3-32bit-1.12-11.1 plistutil-1.12-11.1 python-plist-1.12-11.1 libplist-1.12-11.1 as a component of openSUSE Leap 42.2 libplist++-devel-1.12-11.1 as a component of openSUSE Leap 42.2 libplist++3-1.12-11.1 as a component of openSUSE Leap 42.2 libplist++3-32bit-1.12-11.1 as a component of openSUSE Leap 42.2 libplist-devel-1.12-11.1 as a component of openSUSE Leap 42.2 libplist3-1.12-11.1 as a component of openSUSE Leap 42.2 libplist3-32bit-1.12-11.1 as a component of openSUSE Leap 42.2 plistutil-1.12-11.1 as a component of openSUSE Leap 42.2 python-plist-1.12-11.1 as a component of openSUSE Leap 42.2 libplist-1.12-11.1 as a component of openSUSE Leap 42.3 libplist++-devel-1.12-11.1 as a component of openSUSE Leap 42.3 libplist++3-1.12-11.1 as a component of openSUSE Leap 42.3 libplist++3-32bit-1.12-11.1 as a component of openSUSE Leap 42.3 libplist-devel-1.12-11.1 as a component of openSUSE Leap 42.3 libplist3-1.12-11.1 as a component of openSUSE Leap 42.3 libplist3-32bit-1.12-11.1 as a component of openSUSE Leap 42.3 plistutil-1.12-11.1 as a component of openSUSE Leap 42.3 python-plist-1.12-11.1 as a component of openSUSE Leap 42.3 The parse_string_node function in bplist.c in libimobiledevice libplist 1.12 allows local users to cause a denial of service (memory corruption) via a crafted plist file. CVE-2017-6435 openSUSE Leap 42.2:libplist++-devel-1.12-11.1 openSUSE Leap 42.2:libplist++3-1.12-11.1 openSUSE Leap 42.2:libplist++3-32bit-1.12-11.1 openSUSE Leap 42.2:libplist-1.12-11.1 openSUSE Leap 42.2:libplist-devel-1.12-11.1 openSUSE Leap 42.2:libplist3-1.12-11.1 openSUSE Leap 42.2:libplist3-32bit-1.12-11.1 openSUSE Leap 42.2:plistutil-1.12-11.1 openSUSE Leap 42.2:python-plist-1.12-11.1 openSUSE Leap 42.3:libplist++-devel-1.12-11.1 openSUSE Leap 42.3:libplist++3-1.12-11.1 openSUSE Leap 42.3:libplist++3-32bit-1.12-11.1 openSUSE Leap 42.3:libplist-1.12-11.1 openSUSE Leap 42.3:libplist-devel-1.12-11.1 openSUSE Leap 42.3:libplist3-1.12-11.1 openSUSE Leap 42.3:libplist3-32bit-1.12-11.1 openSUSE Leap 42.3:plistutil-1.12-11.1 openSUSE Leap 42.3:python-plist-1.12-11.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-08/msg00082.html https://www.suse.com/security/cve/CVE-2017-6435.html CVE-2017-6435 https://bugzilla.suse.com/1029639 SUSE Bug 1029639 The parse_string_node function in bplist.c in libimobiledevice libplist 1.12 allows local users to cause a denial of service (memory allocation error) via a crafted plist file. CVE-2017-6436 openSUSE Leap 42.2:libplist++-devel-1.12-11.1 openSUSE Leap 42.2:libplist++3-1.12-11.1 openSUSE Leap 42.2:libplist++3-32bit-1.12-11.1 openSUSE Leap 42.2:libplist-1.12-11.1 openSUSE Leap 42.2:libplist-devel-1.12-11.1 openSUSE Leap 42.2:libplist3-1.12-11.1 openSUSE Leap 42.2:libplist3-32bit-1.12-11.1 openSUSE Leap 42.2:plistutil-1.12-11.1 openSUSE Leap 42.2:python-plist-1.12-11.1 openSUSE Leap 42.3:libplist++-devel-1.12-11.1 openSUSE Leap 42.3:libplist++3-1.12-11.1 openSUSE Leap 42.3:libplist++3-32bit-1.12-11.1 openSUSE Leap 42.3:libplist-1.12-11.1 openSUSE Leap 42.3:libplist-devel-1.12-11.1 openSUSE Leap 42.3:libplist3-1.12-11.1 openSUSE Leap 42.3:libplist3-32bit-1.12-11.1 openSUSE Leap 42.3:plistutil-1.12-11.1 openSUSE Leap 42.3:python-plist-1.12-11.1 low Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-08/msg00082.html https://www.suse.com/security/cve/CVE-2017-6436.html CVE-2017-6436 https://bugzilla.suse.com/1029751 SUSE Bug 1029751 The base64encode function in base64.c in libimobiledevice libplist 1.12 allows local users to cause a denial of service (out-of-bounds read) via a crafted plist file. CVE-2017-6437 openSUSE Leap 42.2:libplist++-devel-1.12-11.1 openSUSE Leap 42.2:libplist++3-1.12-11.1 openSUSE Leap 42.2:libplist++3-32bit-1.12-11.1 openSUSE Leap 42.2:libplist-1.12-11.1 openSUSE Leap 42.2:libplist-devel-1.12-11.1 openSUSE Leap 42.2:libplist3-1.12-11.1 openSUSE Leap 42.2:libplist3-32bit-1.12-11.1 openSUSE Leap 42.2:plistutil-1.12-11.1 openSUSE Leap 42.2:python-plist-1.12-11.1 openSUSE Leap 42.3:libplist++-devel-1.12-11.1 openSUSE Leap 42.3:libplist++3-1.12-11.1 openSUSE Leap 42.3:libplist++3-32bit-1.12-11.1 openSUSE Leap 42.3:libplist-1.12-11.1 openSUSE Leap 42.3:libplist-devel-1.12-11.1 openSUSE Leap 42.3:libplist3-1.12-11.1 openSUSE Leap 42.3:libplist3-32bit-1.12-11.1 openSUSE Leap 42.3:plistutil-1.12-11.1 openSUSE Leap 42.3:python-plist-1.12-11.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-08/msg00082.html https://www.suse.com/security/cve/CVE-2017-6437.html CVE-2017-6437 https://bugzilla.suse.com/1029707 SUSE Bug 1029707 Heap-based buffer overflow in the parse_unicode_node function in bplist.c in libimobiledevice libplist 1.12 allows local users to cause a denial of service (out-of-bounds write) and possibly code execution via a crafted plist file. CVE-2017-6438 openSUSE Leap 42.2:libplist++-devel-1.12-11.1 openSUSE Leap 42.2:libplist++3-1.12-11.1 openSUSE Leap 42.2:libplist++3-32bit-1.12-11.1 openSUSE Leap 42.2:libplist-1.12-11.1 openSUSE Leap 42.2:libplist-devel-1.12-11.1 openSUSE Leap 42.2:libplist3-1.12-11.1 openSUSE Leap 42.2:libplist3-32bit-1.12-11.1 openSUSE Leap 42.2:plistutil-1.12-11.1 openSUSE Leap 42.2:python-plist-1.12-11.1 openSUSE Leap 42.3:libplist++-devel-1.12-11.1 openSUSE Leap 42.3:libplist++3-1.12-11.1 openSUSE Leap 42.3:libplist++3-32bit-1.12-11.1 openSUSE Leap 42.3:libplist-1.12-11.1 openSUSE Leap 42.3:libplist-devel-1.12-11.1 openSUSE Leap 42.3:libplist3-1.12-11.1 openSUSE Leap 42.3:libplist3-32bit-1.12-11.1 openSUSE Leap 42.3:plistutil-1.12-11.1 openSUSE Leap 42.3:python-plist-1.12-11.1 moderate 4.4 AV:L/AC:M/Au:N/C:P/I:P/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-08/msg00082.html https://www.suse.com/security/cve/CVE-2017-6438.html CVE-2017-6438 https://bugzilla.suse.com/1029706 SUSE Bug 1029706 Heap-based buffer overflow in the parse_string_node function in bplist.c in libimobiledevice libplist 1.12 allows local users to cause a denial of service (out-of-bounds write) via a crafted plist file. CVE-2017-6439 openSUSE Leap 42.2:libplist++-devel-1.12-11.1 openSUSE Leap 42.2:libplist++3-1.12-11.1 openSUSE Leap 42.2:libplist++3-32bit-1.12-11.1 openSUSE Leap 42.2:libplist-1.12-11.1 openSUSE Leap 42.2:libplist-devel-1.12-11.1 openSUSE Leap 42.2:libplist3-1.12-11.1 openSUSE Leap 42.2:libplist3-32bit-1.12-11.1 openSUSE Leap 42.2:plistutil-1.12-11.1 openSUSE Leap 42.2:python-plist-1.12-11.1 openSUSE Leap 42.3:libplist++-devel-1.12-11.1 openSUSE Leap 42.3:libplist++3-1.12-11.1 openSUSE Leap 42.3:libplist++3-32bit-1.12-11.1 openSUSE Leap 42.3:libplist-1.12-11.1 openSUSE Leap 42.3:libplist-devel-1.12-11.1 openSUSE Leap 42.3:libplist3-1.12-11.1 openSUSE Leap 42.3:libplist3-32bit-1.12-11.1 openSUSE Leap 42.3:plistutil-1.12-11.1 openSUSE Leap 42.3:python-plist-1.12-11.1 moderate 1.9 AV:L/AC:M/Au:N/C:N/I:N/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-08/msg00082.html https://www.suse.com/security/cve/CVE-2017-6439.html CVE-2017-6439 https://bugzilla.suse.com/1029638 SUSE Bug 1029638