FEDORA-2017-3849af4477

security update in Fedora 24 for libplist

Status: stable 2 years ago

Version 2.0.0

Changes:

  • New light-weight custom XML parser
  • Remove libxml2 dependency
  • Refactor binary plist parsing
  • Improved malformed XML and binary plist detection and error handling
  • Add parser debug/error output (when compiled with --enable-debug), controlled via environment variables
  • Fix unicode character handling
  • Add PLIST_IS_* helper macros for the different node types
  • Extend date/time range and date conversion issues
  • Add plist_is_binary() and plist_from_memory() functions to the interface
  • Plug several memory leaks
  • Speed improvements for handling large plist files

Includes security fixes for:

  • CVE-2017-6440
  • CVE-2017-6439
  • CVE-2017-6438
  • CVE-2017-6437
  • CVE-2017-6436
  • CVE-2017-6435
  • CVE-2017-5836
  • CVE-2017-5835
  • CVE-2017-5834
  • CVE-2017-5545
  • CVE-2017-5209

... and several others that didn't receive any CVE (yet).

Comments 6

This update has been submitted for testing by pbrobinson.

This update has been pushed to testing.

no regressions noted

karma: +1

Looks good.

karma: +1 critpath: +1

This update has been submitted for stable by pbrobinson.

This update has been pushed to stable.

Add Comment & Feedback

Please login to add feedback.

Content Type
RPM
Status
stable
Test Gating
Submitted by
Update Type
security
Update Severity
unspecified
Karma
+2
stable threshold: 3
unstable threshold: -3
Autopush (karma)
Disabled
Autopush (time)
Disabled
Dates
submitted 2 years ago
in testing 2 years ago
in stable 2 years ago

Related Bugs 10

00 #1412613 CVE-2017-5209 libplist: base64decode buffer over-read via split encoded Apple Property List data
00 #1412614 CVE-2017-5209 libplist: base64decode buffer over-read via split encoded Apple Property List data [fedora-all]
00 #1416008 CVE-2017-5545 libplist: Heap-buffer overflow in plistutil [fedora-all]
00 #1418597 CVE-2017-5834 CVE-2017-5835 CVE-2017-5836 libplist: various flaws [fedora-all]
00 #1432951 CVE-2017-6436 libplist: Integer overflow in parse_string_node
00 #1432954 CVE-2017-6437 libplist: Out-of-bounds heap read in base64encode function
00 #1432956 CVE-2017-6438 libplist: Heap-based buffer overflow in parse_unicode_node
00 #1432959 CVE-2017-6439 libplist: Heap-based buffer overflow in parse_string_node
00 #1432965 CVE-2017-6440 libplist: Memory allocation error in parse_data_node
00 #1432971 CVE-2017-6435 CVE-2017-6436 CVE-2017-6437 CVE-2017-6438 CVE-2017-6439 CVE-2017-6440 CVE-2017-7982 libplist: various flaws [fedora-all]

Automated Test Results