libplist: CVE-2017-6437

Related Vulnerabilities: CVE-2017-6437   CVE-2017-6438   CVE-2017-6440  

Debian Bug report logs - #858787
libplist: CVE-2017-6437


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sun, 26 Mar 2017 19:39:04 UTC

Severity: important

Tags: fixed-upstream, patch

Found in version libplist/1.12+git+1+e37ca00-0.1

Fixed in version libplist/1.12+git+1+e37ca00-0.2

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/libimobiledevice/libplist/issues/100




Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, gtkpod Maintainers <pkg-gtkpod-devel@lists.alioth.debian.org>:
Bug#858787; Package src:libplist. (Sun, 26 Mar 2017 19:39:07 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, gtkpod Maintainers <pkg-gtkpod-devel@lists.alioth.debian.org>. (Sun, 26 Mar 2017 19:39:07 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libplist: CVE-2017-6437
Date: Sun, 26 Mar 2017 21:38:20 +0200
Source: libplist
Version: 1.12+git+1+e37ca00-0.1
Severity: important
Forwarded: https://github.com/libimobiledevice/libplist/issues/100

Hi,

the following vulnerability was published for libplist.

CVE-2017-6437[0]:
| The base64encode function in base64.c in libimobiledevice libplist
| 1.12 allows local users to cause a denial of service (out-of-bounds
| read) via a crafted plist file.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-6437
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6437
[1] https://github.com/libimobiledevice/libplist/issues/100

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, gtkpod Maintainers <pkg-gtkpod-devel@lists.alioth.debian.org>:
Bug#858787; Package src:libplist. (Mon, 27 Mar 2017 04:48:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to gtkpod Maintainers <pkg-gtkpod-devel@lists.alioth.debian.org>. (Mon, 27 Mar 2017 04:48:04 GMT)


Message #10 received at 858787@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 858787@bugs.debian.org
Subject: Re: Bug#858787: libplist: CVE-2017-6437
Date: Mon, 27 Mar 2017 06:43:52 +0200
On Sun, Mar 26, 2017 at 09:38:20PM +0200, Salvatore Bonaccorso wrote:
> Source: libplist
> Version: 1.12+git+1+e37ca00-0.1
> Severity: important
> Forwarded: https://github.com/libimobiledevice/libplist/issues/100
> 
> Hi,
> 
> the following vulnerability was published for libplist.
> 
> CVE-2017-6437[0]:
> | The base64encode function in base64.c in libimobiledevice libplist
> | 1.12 allows local users to cause a denial of service (out-of-bounds
> | read) via a crafted plist file.
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2017-6437
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6437
> [1] https://github.com/libimobiledevice/libplist/issues/100
> 
> Please adjust the affected versions in the BTS as needed.

Additionally confirmed by running the reproducer (against the newest version in
sid):

==16290==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb5900791 at pc 0xb71e2c2a bp 0xbfdc04a8 sp 0xbfdc049c
READ of size 1 at 0xb5900791 thread T0
    #0 0xb71e2c29 in base64encode src/base64.c:58
    #1 0xb71ea5c7 in node_to_xml src/xplist.c:303
    #2 0xb71eb2e4 in plist_to_xml src/xplist.c:408
    #3 0x804954a in main tools/plistutil.c:151
    #4 0xb7024275 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18275)
    #5 0x8048ac0  (/root/libplist-1.12+git+1+e37ca00/tools/.libs/plistutil+0x8048ac0)

0xb5900791 is located 0 bytes to the right of 1-byte region [0xb5900790,0xb5900791)
allocated by thread T0 here:
    #0 0xb72cb194 in malloc (/usr/lib/i386-linux-gnu/libasan.so.3+0xbe194)
    #1 0xb71f44c2 in parse_data_node src/bplist.c:408
    #2 0xb71f7671 in parse_bin_node src/bplist.c:661
    #3 0xb71f876f in parse_bin_node_at_index src/bplist.c:759
    #4 0xb71f8de0 in plist_from_bin src/bplist.c:853
    #5 0x804952a in main tools/plistutil.c:150
    #6 0xb7024275 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18275)

SUMMARY: AddressSanitizer: heap-buffer-overflow src/base64.c:58 in base64encode
Shadow bytes around the buggy address:
  0x36b200a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36b200b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36b200c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36b200d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36b200e0: fa fa fa fa fa fa fa fa fa fa 00 04 fa fa 00 04
=>0x36b200f0: fa fa[01]fa fa fa fd fd fa fa fd fd fa fa 00 04
  0x36b20100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36b20110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36b20120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36b20130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36b20140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==16290==ABORTING

Regards,
Salvatore
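The AddressSanitizer report above pairs a 1-byte heap region allocated in parse_data_node with a 1-byte READ just past its end in base64encode, and the changelog of the fixing upload later in this log describes the change as making the bplist sanity checks work on 32-bit platforms. The block below is an added illustration of that bug class written for this page; it is not libplist's code, the byte layout is a constructed stand-in rather than the real bplist encoding, and the names check_narrow, check_wide, b64_encode and kCraftedNode are hypothetical. It shows a 64-bit declared length that passes a bounds check once narrowed to 32 bits but is rejected when compared in its own width, and a base64 encoder whose tail handling never reads beyond the byte count it was given.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed input (not the real bplist format): 8-byte big-endian declared
 * length, then the payload actually present. Header claims 0x1_0000_0001
 * bytes; a single byte ('A') follows. */
static const uint8_t kCraftedNode[] = {
    0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x41 };
#define CRAFTED_AVAILABLE ((uint64_t)(sizeof kCraftedNode - 8))

uint64_t crafted_declared_length(void)
{
    uint64_t v = 0;
    for (int i = 0; i < 8; i++)
        v = (v << 8) | kCraftedNode[i];
    return v; /* 0x100000001 */
}

/* Weak check as it behaves on a 32-bit build (size_t is 32 bits; uint32_t is
 * used explicitly so the defect reproduces on any host). The 64-bit length is
 * narrowed before the comparison: 0x1_0000_0001 becomes 1 and passes, so
 * malloc() gets 1 byte while code still holding the 64-bit length reads on. */
static int check_narrow(uint64_t declared, uint32_t available, uint32_t *accepted)
{
    uint32_t len = (uint32_t)declared; /* silent truncation */
    if (len > available) return 0;
    *accepted = len;
    return 1;
}

/* Hardened check: compare in the field's own width, then make sure the value
 * fits size_t on this build before it can reach malloc(). */
static int check_wide(uint64_t declared, uint64_t available, size_t *accepted)
{
    if (declared > available || declared > (uint64_t)SIZE_MAX) return 0;
    *accepted = (size_t)declared;
    return 1;
}

int crafted_passes_narrow_check(void)
{
    uint32_t n;
    return check_narrow(crafted_declared_length(), (uint32_t)CRAFTED_AVAILABLE, &n);
}

int crafted_passes_wide_check(void)
{
    size_t n;
    return check_wide(crafted_declared_length(), CRAFTED_AVAILABLE, &n);
}

static const char B64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Base64 encoder that consumes exactly len bytes: in[i+1] and in[i+2] are read
 * only when they exist, so a short final group never touches in[len]. */
char *b64_encode(const uint8_t *in, size_t len)
{
    char *out = malloc(4 * ((len + 2) / 3) + 1);
    if (!out) return NULL;
    size_t o = 0;
    for (size_t i = 0; i < len; i += 3) {
        size_t rem = len - i; /* 1, 2, or at least 3 bytes left */
        uint32_t v = (uint32_t)in[i] << 16;
        if (rem > 1) v |= (uint32_t)in[i + 1] << 8;
        if (rem > 2) v |= in[i + 2];
        out[o++] = B64[(v >> 18) & 63];
        out[o++] = B64[(v >> 12) & 63];
        out[o++] = rem > 1 ? B64[(v >> 6) & 63] : '=';
        out[o++] = rem > 2 ? B64[v & 63] : '=';
    }
    out[o] = '\0';
    return out;
}

/* RFC 4648 vectors covering every tail length; returns 1 when all match. */
int b64_vectors_ok(void)
{
    const char *in[]  = { "", "f", "fo", "foo", "foob", "fooba", "foobar" };
    const char *exp[] = { "", "Zg==", "Zm8=", "Zm9v", "Zm9vYg==", "Zm9vYmE=", "Zm9vYmFy" };
    for (size_t k = 0; k < sizeof in / sizeof in[0]; k++) {
        char *s = b64_encode((const uint8_t *)in[k], strlen(in[k]));
        int ok = s && strcmp(s, exp[k]) == 0;
        free(s);
        if (!ok)
            return 0;
    }
    return 1;
}

int main(void)
{
    printf("narrow check accepts %d, wide check accepts %d, base64 ok %d\n",
           crafted_passes_narrow_check(), crafted_passes_wide_check(), b64_vectors_ok());
    return 0;
}
```

Build with `cc -Wall -fsanitize=address demo.c && ./a.out`; the narrow check accepts the crafted length (1) and the wide check rejects it (0). The point of using uint32_t rather than size_t in check_narrow is that a 64-bit host would otherwise hide the defect: the same source compiles cleanly on both word sizes, which is why a bounds check that is correct on amd64 can still be bypassable on i386, as the ASan run above on an i386 build of plistutil demonstrates.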



Added tag(s) patch. Request was from Salvatore Bonaccorso <carnil@debian.org> to 858055-submit@bugs.debian.org. (Mon, 27 Mar 2017 18:45:05 GMT)


Added tag(s) pending. Request was from Salvatore Bonaccorso <carnil@debian.org> to 858055-submit@bugs.debian.org. (Mon, 27 Mar 2017 18:45:06 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, gtkpod Maintainers <pkg-gtkpod-devel@lists.alioth.debian.org>:
Bug#858787; Package src:libplist. (Mon, 27 Mar 2017 18:45:10 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to gtkpod Maintainers <pkg-gtkpod-devel@lists.alioth.debian.org>. (Mon, 27 Mar 2017 18:45:10 GMT)


Message #19 received at 858787@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 858055@bugs.debian.org, 858786@bugs.debian.org, 858787@bugs.debian.org
Subject: libplist: diff for NMU version 1.12+git+1+e37ca00-0.2
Date: Mon, 27 Mar 2017 20:43:48 +0200
Control: tags 858055 + patch
Control: tags 858055 + pending
Control: tags 858786 + pending
Control: tags 858787 + patch
Control: tags 858787 + pending

Dear maintainer,

I've prepared an NMU for libplist (versioned as 1.12+git+1+e37ca00-0.2) and
uploaded it to DELAYED/5. Please feel free to tell me if I
should delay it longer or if I can speed up the upload.

Regards,
Salvatore
[libplist-1.12+git+1+e37ca00-0.2-nmu.diff (text/x-diff, attachment)]

Added tag(s) fixed-upstream. Request was from bts-link-upstream@lists.alioth.debian.org to control@bugs.debian.org. (Thu, 30 Mar 2017 17:33:05 GMT)


Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Sat, 01 Apr 2017 19:06:07 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 01 Apr 2017 19:06:07 GMT)


Message #26 received at 858787-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 858787-close@bugs.debian.org
Subject: Bug#858787: fixed in libplist 1.12+git+1+e37ca00-0.2
Date: Sat, 01 Apr 2017 19:03:45 +0000
Source: libplist
Source-Version: 1.12+git+1+e37ca00-0.2

We believe that the bug you reported is fixed in the latest version of
libplist, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 858787@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libplist package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 27 Mar 2017 19:41:54 +0200
Source: libplist
Binary: libplist3 libplist++3v5 libplist-dev libplist++-dev libplist-dbg python-plist libplist-utils libplist-doc
Architecture: all source
Version: 1.12+git+1+e37ca00-0.2
Distribution: unstable
Urgency: high
Maintainer: gtkpod Maintainers <pkg-gtkpod-devel@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 858055 858786 858787
Description: 
 libplist++-dev - Library for handling Apple binary and XML property lists
 libplist++3v5 - Library for handling Apple binary and XML property lists
 libplist-dbg - Library for handling Apple binary and XML property lists
 libplist-dev - Library for handling Apple binary and XML property lists
 libplist-doc - Library for handling Apple binary and XML property lists - docs
 libplist-utils - Apple property list converter
 libplist3  - Library for handling Apple binary and XML property lists
 python-plist - Library for handling Apple binary and XML property lists
Changes:
 libplist (1.12+git+1+e37ca00-0.2) unstable; urgency=high
 .
   * Non-maintainer upload.
   * bplist: Make sure sanity checks work on 32bit platforms.
     CVE-2017-6437: Out-of-bounds heap read in base64encode function
     CVE-2017-6438: Heap-based buffer overflow in parse_unicode_node
     CVE-2017-6440: Memory allocation error in parse_data_node
     (Closes: #858787, #858786, #858055)
Checksums-Sha1: 
 8ff137a3a15662155ee3655e827509f7ad3dd4c3 2740 libplist_1.12+git+1+e37ca00-0.2.dsc
 9cfbca305bd5b61bea4b0a1f8439bf8c57bfcd79 10704 libplist_1.12+git+1+e37ca00-0.2.debian.tar.xz
 6a03cd96730afca9dd0e92a0769871ef5bcb28dc 37442 libplist-doc_1.12+git+1+e37ca00-0.2_all.deb
Checksums-Sha256: 
 a37d6c48823d765b9011e43388b3f464e55bf3c7349a9fcf06383d22f91ba0ce 2740 libplist_1.12+git+1+e37ca00-0.2.dsc
 639613e477b6161986678b0b095da1db2935f65b4bd9db56fb13ece0990c544d 10704 libplist_1.12+git+1+e37ca00-0.2.debian.tar.xz
 77d4fb165f5bff17d9dcd72b2fd576f9381d0a7d31e1174855eb104a679b614e 37442 libplist-doc_1.12+git+1+e37ca00-0.2_all.deb
Files: 
 59d495e9de627fafce119c02eb5504d5 2740 libs optional libplist_1.12+git+1+e37ca00-0.2.dsc
 132d718e4aced4730665ee065b3c0818 10704 libs optional libplist_1.12+git+1+e37ca00-0.2.debian.tar.xz
 5432a9241cbb662a50e6178964e7f1d8 37442 doc optional libplist-doc_1.12+git+1+e37ca00-0.2_all.deb

-----BEGIN PGP SIGNATURE-----

iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAljZT4RfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89EupQP/3i+xHOl3OAxPRyvhmVSvJ7SpPJ2egWD
n7570ekFH//2VraAf7QFDF9BQGeDC8mT/qVpGhOkREkaa6ftVGgi8VVfetGU4wp6
Ey8Fle25RwHrqUT6FtgAKZVGU9ACeMzcqNJfjS21ZkLSDBt8V2OqYSehWoV4zd7w
WEoGRY6KVjQOEdaFnjLh7pl/zLTIQ2yjwYaFiKdUTFJ4+K8EPx7/qr56u4ngPQR4
zm4hlr8gPSypdteTbDCHuVRSMlfwIGji4iP+utzLJArOyKFCj8t49o8KxDPLYzOE
EKa6Pulp43pTbmBeguiVggfnW9zzdzjcPXzIe47pqj5Hf/xANDnieQiWa0XcJIua
5xDqnCdOvHi/8K1qsGTe9PLsc/nnaLfNr6OrPMM4oQ+qjoOs5TsLHxkUZGMdtdUf
5fm+3IdpP7cc5NH6NvLl59YOAHu1cgTel3/ll1y7gwgcFrMamMaIzySkXceWqcqq
VXhCmeuR6XK16UTume6efjFs/J/O8TPrjH0QC9dZKft+C6E/skDLhl/03WGU8iEZ
Torae4j0T6FO+3bpekXd2ntlz2VPml8RpC4TFIR1QgsVWOzRII+K9IaFGQSzvPUp
ty5UMXSaYSdSc2do//9i74TuhOyU9xNACqYSGY1p8gN4xwd1Tv1xqBblOlHcK806
pfh87IlfHv6b
=luiI
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 02 May 2017 07:33:11 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:58:04 2019; Machine Name: buxtehude
