Bugzilla – Bug 1021610
VUL-1: CVE-2017-5545: libplist: invalid read on too short input files
Last modified: 2017-12-27 20:38:25 UTC
CVE-2017-5545
The main function in plistutil.c in libimobiledevice libplist through 1.12 allows attackers to obtain sensitive information from process memory or cause a denial of service (buffer over-read) via Apple Property List data that is too short.
References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5545
http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5545.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5545
http://www.cvedetails.com/cve/CVE-2017-5545/
https://github.com/libimobiledevice/libplist/commit/7391a506352c009fe044dead7baad9e22dd279ee
https://github.com/libimobiledevice/libplist/issues/87
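The class of check that prevents this kind of over-read, as an added example that is not code from libplist or from this bug report: the input length is tested before the 8-byte header comparison. The function names, the enum and the "anything else is XML" fallback are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PLIST_MAGIC     "bplist00"   /* binary plist header */
#define PLIST_MAGIC_LEN 8

/* Hypothetical result codes for this example. */
enum plist_kind { PLIST_IO_ERROR = -2, PLIST_TOO_SHORT = -1,
                  PLIST_XML = 0, PLIST_BINARY = 1 };

/* Classify a buffer by its header. The length test comes first: without
 * it, memcmp() reads 8 bytes from an allocation that may hold fewer,
 * which is the over-read the CVE text describes for too-short input. */
enum plist_kind classify_plist(const unsigned char *buf, size_t len)
{
    if (buf == NULL || len < PLIST_MAGIC_LEN)
        return PLIST_TOO_SHORT;
    if (memcmp(buf, PLIST_MAGIC, PLIST_MAGIC_LEN) == 0)
        return PLIST_BINARY;
    return PLIST_XML;   /* assumption: non-binary input goes to the XML parser */
}

/* Read a whole file and classify it using the number of bytes actually
 * read, not a size reported earlier by the filesystem. */
enum plist_kind classify_file(const char *path)
{
    FILE *f = fopen(path, "rb");
    if (f == NULL)
        return PLIST_IO_ERROR;
    long size = -1;
    if (fseek(f, 0, SEEK_END) == 0)
        size = ftell(f);
    if (size < 0) { fclose(f); return PLIST_IO_ERROR; }
    rewind(f);
    unsigned char *buf = malloc(size > 0 ? (size_t)size : 1);
    if (buf == NULL) { fclose(f); return PLIST_IO_ERROR; }
    size_t got = fread(buf, 1, (size_t)size, f);
    fclose(f);
    enum plist_kind kind = classify_plist(buf, got);
    free(buf);
    return kind;
}

int main(int argc, char **argv)
{
    if (argc < 2) { fprintf(stderr, "usage: %s FILE\n", argv[0]); return 2; }
    enum plist_kind kind = classify_file(argv[1]);
    printf("%s: %d\n", argv[1], (int)kind);
    return kind < 0 ? 1 : 0;
}
```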
bugbot adjusting priority
Antonio - can you take this one...
I submitted the fix for SLE-12, SLE-12-SP2, Leap 42.1 and 42.2. Also, I saw that we had a patch for CVE-2017-5209 in SLE-12-SP2 so I submitted that patch to 42.1 and 42.2 too.
Just for the records:
SLE-12 https://build.suse.de/request/show/127473
SLE-12-SP2 https://build.suse.de/request/show/127472
Leap 42.1 http://build.opensuse.org/request/show/453668
Leap 42.2 http://build.opensuse.org/request/show/453671
This is an autogenerated message for OBS integration: This bug (1021610) was mentioned in https://build.opensuse.org/request/show/453870 42.3 / libplist
openSUSE-SU-2017:0428-1: An update that fixes two vulnerabilities is now available.
Category: security (low)
Bug References: 1019531,1021610
CVE References: CVE-2017-5209,CVE-2017-5545
Sources used:
openSUSE Leap 42.2 (src): libplist-1.12-5.1
openSUSE Leap 42.1 (src): libplist-1.12-4.1
SUSE-SU-2017:1368-1: An update that fixes 7 vulnerabilities is now available.
Category: security (moderate)
Bug References: 1019531,1021610,1023807,1023822,1023848,1029631,1035312
CVE References: CVE-2017-5209,CVE-2017-5545,CVE-2017-5834,CVE-2017-5835,CVE-2017-5836,CVE-2017-6440,CVE-2017-7982
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP1 (src): libplist-1.8-10.9.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src): libplist-1.8-10.9.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src): libplist-1.8-10.9.1
SUSE Linux Enterprise Server 12-SP1 (src): libplist-1.8-10.9.1
SUSE Linux Enterprise Desktop 12-SP1 (src): libplist-1.8-10.9.1
SUSE-SU-2017:1379-1: An update that fixes 7 vulnerabilities is now available.
Category: security (moderate)
Bug References: 1019531,1021610,1023807,1023822,1023848,1029631,1035312
CVE References: CVE-2017-5209,CVE-2017-5545,CVE-2017-5834,CVE-2017-5835,CVE-2017-5836,CVE-2017-6440,CVE-2017-7982
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP2 (src): libplist-1.12-19.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src): libplist-1.12-19.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src): libplist-1.12-19.1
SUSE Linux Enterprise Server 12-SP2 (src): libplist-1.12-19.1
SUSE Linux Enterprise Desktop 12-SP2 (src): libplist-1.12-19.1
openSUSE-SU-2017:1426-1: An update that fixes 7 vulnerabilities is now available.
Category: security (moderate)
Bug References: 1019531,1021610,1023807,1023822,1023848,1029631,1035312
CVE References: CVE-2017-5209,CVE-2017-5545,CVE-2017-5834,CVE-2017-5835,CVE-2017-5836,CVE-2017-6440,CVE-2017-7982
Sources used:
openSUSE Leap 42.2 (src): libplist-1.12-7.3.1
released