libplist: CVE-2017-5545

Related Vulnerabilities: CVE-2017-5545   CVE-2017-5834   CVE-2017-5835   CVE-2017-5836   CVE-2017-5209  

Debian Bug report logs - #852385
libplist: CVE-2017-5545


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 24 Jan 2017 05:48:02 UTC

Severity: grave

Tags: fixed-upstream, patch, security, upstream

Found in version libplist/1.11-3

Fixed in version libplist/1.12+git+1+e37ca00-0.1

Done: Hilko Bengen <bengen@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/libimobiledevice/libplist/issues/87



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, gtkpod Maintainers <pkg-gtkpod-devel@lists.alioth.debian.org>:
Bug#852385; Package src:libplist. (Tue, 24 Jan 2017 05:48:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, gtkpod Maintainers <pkg-gtkpod-devel@lists.alioth.debian.org>. (Tue, 24 Jan 2017 05:48:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libplist: CVE-2017-5545
Date: Tue, 24 Jan 2017 06:46:15 +0100
Source: libplist
Version: 1.11-3
Severity: important
Tags: upstream patch security fixed-upstream
Forwarded: https://github.com/libimobiledevice/libplist/issues/87

Hi,

the following vulnerability was published for libplist.

CVE-2017-5545[0]:
| The main function in plistutil.c in libimobiledevice libplist through
| 1.12 allows attackers to obtain sensitive information from process
| memory or cause a denial of service (buffer over-read) via Apple
| Property List data that is too short.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-5545
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5545
[1] https://github.com/libimobiledevice/libplist/issues/87

Regards,
Salvatore
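The CVE text above describes a buffer over-read in plistutil's main function when the input is shorter than the header it is compared against. The following is an added example written for this bug log, not libplist's or plistutil's own code: it contrasts an unchecked magic-byte sniffer with a length-checked one. The function names, the exact way upstream performed the check, and the constructed sample inputs are assumptions; the 8-byte "bplist00" magic and the 32-byte binary-plist trailer come from the binary plist format itself.

```c
/* Added example (not libplist/plistutil code): length-checked plist type
 * sniffing, illustrating the CVE-2017-5545 bug class of reading past the
 * end of a too-short input buffer.  Names and structure are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BPLIST_MAGIC       "bplist00"
#define BPLIST_MAGIC_LEN   8
#define BPLIST_TRAILER_LEN 32   /* fixed-size trailer at the end of a binary plist */
#define XML_PREFIX         "<?xml"
#define XML_PREFIX_LEN     5

enum plist_kind { PLIST_UNKNOWN = 0, PLIST_BINARY = 1, PLIST_XML = 2 };

/* The pattern behind the bug: the caller assumes at least 8 bytes exist and
 * compares without consulting the length.  With a 3-byte input, memcmp reads
 * 5 bytes past the end of the buffer (over-read; visible under ASan).
 * Only call this with buffers known to hold at least BPLIST_MAGIC_LEN bytes. */
enum plist_kind sniff_unchecked(const uint8_t *buf)
{
    if (memcmp(buf, BPLIST_MAGIC, BPLIST_MAGIC_LEN) == 0)
        return PLIST_BINARY;
    if (memcmp(buf, XML_PREFIX, XML_PREFIX_LEN) == 0)
        return PLIST_XML;
    return PLIST_UNKNOWN;
}

/* Hardened form: the length is checked before every comparison, so an input
 * shorter than the magic is classified as unknown instead of being read
 * past its end.  Zero-length input is handled without touching buf. */
enum plist_kind sniff_checked(const uint8_t *buf, size_t len)
{
    if (len >= BPLIST_MAGIC_LEN && memcmp(buf, BPLIST_MAGIC, BPLIST_MAGIC_LEN) == 0)
        return PLIST_BINARY;
    if (len >= XML_PREFIX_LEN && memcmp(buf, XML_PREFIX, XML_PREFIX_LEN) == 0)
        return PLIST_XML;
    return PLIST_UNKNOWN;
}

/* A binary plist needs room for its header and its 32-byte trailer; anything
 * shorter cannot be parsed and should be rejected before the trailer is read. */
int bplist_minimum_size_ok(size_t len)
{
    return len >= (size_t)BPLIST_MAGIC_LEN + BPLIST_TRAILER_LEN;
}

/* Read a whole file into a fixed buffer and classify it safely.  The bounded
 * fread makes the length explicit so the sniffer can use it. */
enum plist_kind classify_file(const char *path)
{
    uint8_t buf[64];
    FILE *f = fopen(path, "rb");
    if (!f)
        return PLIST_UNKNOWN;
    size_t n = fread(buf, 1, sizeof buf, f);
    fclose(f);
    return sniff_checked(buf, n);
}

int main(int argc, char **argv)
{
    /* Constructed sample inputs for the stand-alone run. */
    static const uint8_t short_input[3] = { 'b', 'p', 'l' };
    static const uint8_t xml_input[]    = "<?xml version=\"1.0\"?>";

    printf("3-byte input  -> %d (0 = unknown, no over-read)\n",
           sniff_checked(short_input, sizeof short_input));
    printf("xml input     -> %d (2 = XML)\n",
           sniff_checked(xml_input, sizeof xml_input - 1));
    printf("bplist min ok -> %d for 40 bytes, %d for 12 bytes\n",
           bplist_minimum_size_ok(40), bplist_minimum_size_ok(12));
    if (argc > 1)
        printf("%s -> %d\n", argv[1], classify_file(argv[1]));
    return 0;
}
```

Compile with `-fsanitize=address` and call sniff_unchecked on the 3-byte buffer to see the over-read reported; the checked version classifies the same input as unknown without reading beyond its length.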



Severity set to 'grave' from 'important' Request was from Moritz Muehlenhoff <jmm@debian.org> to control@bugs.debian.org. (Thu, 02 Feb 2017 22:21:10 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, gtkpod Maintainers <pkg-gtkpod-devel@lists.alioth.debian.org>:
Bug#852385; Package src:libplist. (Sun, 26 Feb 2017 19:18:08 GMT)


Acknowledgement sent to Hilko Bengen <bengen@debian.org>:
Extra info received and forwarded to list. Copy sent to gtkpod Maintainers <pkg-gtkpod-devel@lists.alioth.debian.org>. (Sun, 26 Feb 2017 19:18:08 GMT)


Message #12 received at 852385@bugs.debian.org:

From: Hilko Bengen <bengen@debian.org>
To: 854000@bugs.debian.org, 851196@bugs.debian.org, 852385@bugs.debian.org
Subject: Fixed in delayed NMU
Date: Sun, 26 Feb 2017 20:15:43 +0100
control: tag -1 pending
control: user debian-release@lists.debian.org
control: usertag -1 bsp-2017-02-de-Berlin
control: usertag 856226 bsp-2017-02-de-Berlin

I have (hopefully) fixed these bugs by uploading a new upstream snapshot
to DELAYED/15, see #856226.

Cheers,
-Hilko



Added tag(s) pending. Request was from Hilko Bengen <bengen@debian.org> to 852385-submit@bugs.debian.org. (Sun, 26 Feb 2017 19:18:08 GMT)


Reply sent to Hilko Bengen <bengen@debian.org>:
You have taken responsibility. (Mon, 13 Mar 2017 20:51:21 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 13 Mar 2017 20:51:21 GMT)


Message #19 received at 852385-close@bugs.debian.org:

From: Hilko Bengen <bengen@debian.org>
To: 852385-close@bugs.debian.org
Subject: Bug#852385: fixed in libplist 1.12+git+1+e37ca00-0.1
Date: Mon, 13 Mar 2017 20:50:38 +0000
Source: libplist
Source-Version: 1.12+git+1+e37ca00-0.1

We believe that the bug you reported is fixed in the latest version of
libplist, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 852385@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Hilko Bengen <bengen@debian.org> (supplier of updated libplist package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sun, 26 Feb 2017 19:21:32 +0100
Source: libplist
Binary: libplist3 libplist++3v5 libplist-dev libplist++-dev libplist-dbg python-plist libplist-utils libplist-doc
Architecture: source
Version: 1.12+git+1+e37ca00-0.1
Distribution: unstable
Urgency: medium
Maintainer: gtkpod Maintainers <pkg-gtkpod-devel@lists.alioth.debian.org>
Changed-By: Hilko Bengen <bengen@debian.org>
Description:
 libplist++-dev - Library for handling Apple binary and XML property lists
 libplist++3v5 - Library for handling Apple binary and XML property lists
 libplist-dbg - Library for handling Apple binary and XML property lists
 libplist-dev - Library for handling Apple binary and XML property lists
 libplist-doc - Library for handling Apple binary and XML property lists - docs
 libplist-utils - Apple property list converter
 libplist3  - Library for handling Apple binary and XML property lists
 python-plist - Library for handling Apple binary and XML property lists
Closes: 851196 852385 854000
Changes:
 libplist (1.12+git+1+e37ca00-0.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * New upstream snapshot; tarball was generated from
   https://github.com/libimobiledevice/libplist/archive/e37ca0090343e0dae97e967d467bab56d502c37a.tar.gz
     - Fixes CVE-2017-5834, CVE-2017-5835, CVE-2017-5836 (Closes: #854000)
     - Fixes CVE-2017-5209 (Closes: #851196)
     - Fixes CVE-2017-5545 (Closes: #852385)
   * Update symbols file
   * Rebase patch
   * Add dh_python build-dependency
Checksums-Sha1:
 cd9460ba56cce47f585819989f8af1e1d68ca63d 2582 libplist_1.12+git+1+e37ca00-0.1.dsc
 479a1576ed9af72e8ed7e23959da866735caf0b2 160736 libplist_1.12+git+1+e37ca00.orig.tar.gz
 9d15aa370ef1950183930131eca350b412f7a076 9540 libplist_1.12+git+1+e37ca00-0.1.debian.tar.xz
 7af788c5ebd113b74c9ed65638922e786f8d5515 5041 libplist_1.12+git+1+e37ca00-0.1_source.buildinfo
Checksums-Sha256:
 2b08d2fb9d84b8b331ce86a557ece4d3cdf37f96d8831980b582e7efc4fa64cb 2582 libplist_1.12+git+1+e37ca00-0.1.dsc
 676f970b325b6bee68648551c066260bed99aa510f620f9488dbe060d4244695 160736 libplist_1.12+git+1+e37ca00.orig.tar.gz
 c72458e91e68f4e6e1fc1b3914ec458b27be7be63f3e01200bb3037b9946ef9e 9540 libplist_1.12+git+1+e37ca00-0.1.debian.tar.xz
 aa657d0e31852664b49b8433d00420ccc5821ab396547ba8ba2eea2d4da69564 5041 libplist_1.12+git+1+e37ca00-0.1_source.buildinfo
Files:
 203022c0681f892b2a9c1a900d748add 2582 libs optional libplist_1.12+git+1+e37ca00-0.1.dsc
 7715473abb463eba9687b0c024933df2 160736 libs optional libplist_1.12+git+1+e37ca00.orig.tar.gz
 0f74556aeb109479135ca4947952cb53 9540 libs optional libplist_1.12+git+1+e37ca00-0.1.debian.tar.xz
 cdb47a514a5ca814e4bfd2e06dc4285b 5041 libs optional libplist_1.12+git+1+e37ca00-0.1_source.buildinfo





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 22 Jun 2017 07:27:53 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:17:50 2019; Machine Name: buxtehude
