| Summary: | libplist new security issues CVE-2017-5209, CVE-2017-5545, CVE-2017-583[4-6], CVE-2017-643[5-9], CVE-2017-6440, and CVE-2017-7982 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | anssi.hannula, davidwhodgins, doktor5000, eatdirt, geiger.david68210, lewyssmith, mageia, marja11, sysadmin-bugs, tarazed25, zombie_ryushu |
| Version: | 5 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://lwn.net/Vulnerabilities/715170/ | ||
| Whiteboard: | MGA5-64-OK | ||
| Source RPM: | libplist-1.12-2.mga6.src.rpm | CVE: | CVE-2017-5209 CVE-2017-5545 CVE-2017-5834 CVE-2017-5835 CVE-2017-5836 |
| Status comment: | |||
| Bug Depends on: | |||
| Bug Blocks: | 20356 | ||
| Attachments: | As it says on the tin - kodi crash report on segfault | ||
Description
David Walser
2017-02-02 02:16:10 CET
David Walser
2017-02-02 02:20:28 CET
CC: (none) => geiger.david68210

CVE-2017-583[4-6] assigned for three more issues: http://openwall.com/lists/oss-security/2017/02/02/4

Summary: libplist new security issues CVE-2017-5209 and CVE-2017-5545 => libplist new security issues CVE-2017-5209, CVE-2017-5545, and CVE-2017-583[4-6]

Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC: (none) => marja11

openSUSE has issued an advisory for this on February 20: https://lists.opensuse.org/opensuse-updates/2017-02/msg00096.html
LWN reference for the original two CVEs: https://lwn.net/Vulnerabilities/713272/

URL: (none) => https://lwn.net/Vulnerabilities/715170/
Nicolas Lécureuil
2017-04-26 08:13:40 CEST
CVE: (none) => CVE-2017-5209 CVE-2017-5545 CVE-2017-5834 CVE-2017-5835 CVE-2017-5836

fixed on cauldron

Whiteboard: MGA5TOO => (none)

These issues and CVE-2017-643[5-9] and CVE-2017-6440 are included in this Fedora advisory from May 2: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/XIX535VXTX67KNHIX4YDFD2PPLOH3OVE/

Summary: libplist new security issues CVE-2017-5209, CVE-2017-5545, and CVE-2017-583[4-6] => libplist new security issues CVE-2017-5209, CVE-2017-5545, CVE-2017-583[4-6], CVE-2017-643[5-9], and CVE-2017-6440

openSUSE has issued an advisory for this today (May 28): https://lists.opensuse.org/opensuse-updates/2017-05/msg00094.html
It includes another new issue, CVE-2017-7982.

Version: 5 => Cauldron

OK, I added additional upstream patches which should fix the remaining issues here for Cauldron in libplist-1.12-4.mga6.

Version: Cauldron => 5

openSUSE has issued an advisory for some of these issues today (August 18): https://lists.opensuse.org/opensuse-updates/2017-08/msg00082.html

(In reply to Zombie Ryushu from comment #10)
> http://www.linuxsecurity.com/content/view/195017/170/

Actual link for the Slackware advisory from November 16: http://www.slackware.com/security/viewer.php?l=slackware-security&y=2017&m=slackware-security.390199

I had to update to 1.12 to match openSUSE so that their patches would apply, which requires rebuilding gvfs, ifuse, kodi, libgpod, libimobiledevice, upower, usbmuxd (and technically lastfm-player, but it is a player for a defunct online service, so it doesn't need to be done). There's an update attempt for Kodi in SVN that was never built, so I might have to revert that.

Partial advisory below (will need the rebuilds added to it).

Advisory:
========================

Updated libplist packages fix security vulnerabilities:

The base64decode function in libplist allowed attackers to obtain sensitive information from process memory or cause a denial of service (buffer over-read) via split encoded Apple Property List data (CVE-2017-5209).

The main function in plistutil.c in libimobiledevice libplist allowed attackers to obtain sensitive information from process memory or cause a denial of service (buffer over-read) via Apple Property List data that is too short (CVE-2017-5545).

A heap-buffer overflow in parse_dict_node could cause a segmentation fault (CVE-2017-5834).

A maliciously crafted file could cause libplist to allocate large amounts of memory and consume lots of CPU because of a memory allocation error (CVE-2017-5835).

A type inconsistency in bplist.c could cause the application to crash (CVE-2017-5836).

A crafted plist file could lead to a heap-buffer overflow (CVE-2017-6435).

Integer overflow in parse_string_node (CVE-2017-6436).

The base64encode function in base64.c allows local users to cause denial of service (out-of-bounds read) via a crafted plist file (CVE-2017-6437).

Heap-based buffer overflow in the parse_unicode_node function (CVE-2017-6438).

Heap-based buffer overflow in the parse_string_node function (CVE-2017-6439).

Ensure that sanity checks work on 32-bit platforms (CVE-2017-6440).

Add some safety checks, backported from upstream (CVE-2017-7982).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5209
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5545
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5834
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5835
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5836
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6435
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6436
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6437
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6438
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6439
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6440
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7982
https://lists.opensuse.org/opensuse-updates/2017-05/msg00094.html
https://lists.opensuse.org/opensuse-updates/2017-08/msg00082.html
========================

Updated packages in core/updates_testing:
========================
libplist-1.12-1.mga5
libplist3-1.12-1.mga5
libplist-devel-1.12-1.mga5
libplist++3-1.12-1.mga5
libplist++-devel-1.12-1.mga5
python-plist-1.12-1.mga5

from libplist-1.12-1.mga5.src.rpm

Advisory:
========================

Updated libplist packages fix security vulnerabilities:

The base64decode function in libplist allowed attackers to obtain sensitive information from process memory or cause a denial of service (buffer over-read) via split encoded Apple Property List data (CVE-2017-5209).

The main function in plistutil.c in libimobiledevice libplist allowed attackers to obtain sensitive information from process memory or cause a denial of service (buffer over-read) via Apple Property List data that is too short (CVE-2017-5545).

A heap-buffer overflow in parse_dict_node could cause a segmentation fault (CVE-2017-5834).

A maliciously crafted file could cause libplist to allocate large amounts of memory and consume lots of CPU because of a memory allocation error (CVE-2017-5835).

A type inconsistency in bplist.c could cause the application to crash (CVE-2017-5836).

A crafted plist file could lead to a heap-buffer overflow (CVE-2017-6435).

Integer overflow in parse_string_node (CVE-2017-6436).

The base64encode function in base64.c allows local users to cause denial of service (out-of-bounds read) via a crafted plist file (CVE-2017-6437).

Heap-based buffer overflow in the parse_unicode_node function (CVE-2017-6438).

Heap-based buffer overflow in the parse_string_node function (CVE-2017-6439).

Ensure that sanity checks work on 32-bit platforms (CVE-2017-6440).

Add some safety checks, backported from upstream (CVE-2017-7982).

The gvfs, ifuse, kodi, libgpod, libimobiledevice, upower, and usbmuxd packages have been rebuilt for the updated libplist.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5209
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5545
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5834
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5835
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5836
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6435
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6436
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6437
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6438
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6439
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6440
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7982
https://lists.opensuse.org/opensuse-updates/2017-05/msg00094.html
https://lists.opensuse.org/opensuse-updates/2017-08/msg00082.html
========================

Updated packages in core/updates_testing:
========================
libplist-1.12-1.mga5
libplist3-1.12-1.mga5
libplist-devel-1.12-1.mga5
libplist++3-1.12-1.mga5
libplist++-devel-1.12-1.mga5
python-plist-1.12-1.mga5
gvfs-1.22.3-2.2.mga5
gvfs-devel-1.22.3-2.2.mga5
gvfs-fuse-1.22.3-2.2.mga5
gvfs-smb-1.22.3-2.2.mga5
gvfs-archive-1.22.3-2.2.mga5
gvfs-gphoto2-1.22.3-2.2.mga5
gvfs-iphone-1.22.3-2.2.mga5
gvfs-mtp-1.22.3-2.2.mga5
gvfs-goa-1.22.3-2.2.mga5
ifuse-1.1.3-4.1.mga5
kodi-14.0-2.3.mga5
kodi-eventclients-common-14.0-2.3.mga5
kodi-devel-14.0-2.3.mga5
kodi-eventclient-j2me-14.0-2.3.mga5
kodi-eventclient-ps3-14.0-2.3.mga5
kodi-eventclient-kodi-send-14.0-2.3.mga5
kodi-eventclient-wiiremote-14.0-2.3.mga5
libgpod-0.8.3-8.2.mga5
libgpod4-0.8.3-8.2.mga5
libgpod-devel-0.8.3-8.2.mga5
python-gpod-0.8.3-8.2.mga5
libgpod-sharp-0.8.3-8.2.mga5
libimobiledevice-1.1.6-4.2.mga5
libimobiledevice4-1.1.6-4.2.mga5
libimobiledevice-devel-1.1.6-4.2.mga5
python-imobiledevice-1.1.6-4.2.mga5
upower-0.99.2-1.2.mga5
libupower-glib3-0.99.2-1.2.mga5
libupower-glib-devel-0.99.2-1.2.mga5
libupower-gir1.0-0.99.2-1.2.mga5
usbmuxd-1.0.9-6.2.mga5
libusbmuxd2-1.0.9-6.2.mga5
libusbmuxd-devel-1.0.9-6.2.mga5

from SRPMS:
libplist-1.12-1.mga5.src.rpm
gvfs-1.22.3-2.2.mga5.src.rpm
ifuse-1.1.3-4.1.mga5.src.rpm
kodi-14.0-2.3.mga5.src.rpm
libgpod-0.8.3-8.2.mga5.src.rpm
libimobiledevice-1.1.6-4.2.mga5.src.rpm
upower-0.99.2-1.2.mga5.src.rpm
usbmuxd-1.0.9-6.2.mga5.src.rpm

Assignee: pkg-bugs => qa-bugs
pkg-bugs =>
qa-bugs
David Walser
2017-12-30 05:07:26 CET
Blocks: (none) => 20356

To prioritise.
Dave Hodgins
2017-12-31 10:50:46 CET
Keywords: (none) => advisory

Created attachment 9874 [details]
As it says on the tin - kodi crash report on segfault

CC: (none) => tarazed25

Mageia 5 :: x86_64
Installed all the packages as listed except that most libs were lib64. Trial and error to find which were not.
Updated all of them except upower without any problem. The listed version of upower is older than the version installed recently.
Tried kodi - interface appeared then disappeared.
$ kodi
Error: couldn't find RGB GLX visual or fbconfig
/usr/bin/kodi: line 170: 31036 Segmentation fault (core dumped) "$LIBDIR/${bin_name}/${bin_name}.bin" "$@"
Crash report available at /home/lcl/kodi_crashlog-20180101_181005.log
Attaching crash log. There is an empty core file - no core dump.
There was some sort of POC for CVE-2017-6437, inevitably for use in an ASAN framework and with no explicit instructions.
$ file poc1.txt
poc1.txt: Apple binary property list; mostly binary according to hexdump.
$ od -a poc1.txt
0000000 b p l i s t 0 0 R soh eot stx enq O dc4 e
0000020 s t " etx etx dle soh esc sp esc nul nul nul nul nul esc
...........................
gphoto2 is present but I have no experience with it and do not feel like embarking on a training course just now.
No iphones here nor any other cell phones or tablets.
Holding this one back for feedback in view of the kodi problem.

Whiteboard: (none) => feedback

QA team, please continue testing to make sure this isn't just a Kodi problem. Also, make sure the Kodi problem isn't a regression. Packagers, please look into the Kodi issue. Thanks.

CC: (none) => anssi.hannula, doktor5000, eatdirt

Installed kodi on another machine under mga5 and it came up no bother. Was able to browse images and move around the interface. Shall update just that - presumably it will pull in anything else needed - and see if it continues to work. If it does I can try an incremental update of the other packages to see if anything breaks. Added the rest of the kodi packages from updates testing and kodi continued to work. Installed the rest of the updates in blocks and invoked kodi after each pass - no problems. Leaving other testers to address the other applications. If nobody takes this within 24 hours I shall give it an OK.
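The `od -a` dump above shows the `bplist00` magic of a binary property list, and most of the CVEs fixed by this update come down to the parser trusting the trailer's sizes and offsets before checking them against the data length (the "too short" input of CVE-2017-5545, the 32-bit sanity checks of CVE-2017-6440). As an added illustration, not libplist's code and not part of this bug report, here is a Python checker that validates a binary plist trailer the way a hardened parser must before dereferencing any offset; the trailer layout is Apple's 32-byte binary-plist trailer, and the sample blobs are constructed here.

```python
import struct

MAGIC = b"bplist00"
TRAILER_LEN = 32  # 5 unused + sort version + offset size + ref size + 3 x big-endian uint64


def check_bplist(data: bytes) -> str:
    """Return "ok" if the trailer is self-consistent with len(data), else the reason.

    All arithmetic is done in Python ints, so nothing wraps; in C these same
    products are where a 32-bit size_t overflows unless range-checked first.
    """
    if len(data) < len(MAGIC) + TRAILER_LEN:
        return "too short"                        # shorter than header + trailer
    if data[:len(MAGIC)] != MAGIC:
        return "bad magic"
    off_size, ref_size, num_objects, top_object, table_off = struct.unpack(
        ">6xBBQQQ", data[-TRAILER_LEN:])
    if not (1 <= off_size <= 8 and 1 <= ref_size <= 8):
        return "bad size field"
    if num_objects == 0 or top_object >= num_objects:
        return "top object out of range"
    body_end = len(data) - TRAILER_LEN            # first byte of the trailer
    if table_off < len(MAGIC) or table_off + num_objects * off_size > body_end:
        return "offset table exceeds data"
    # Every offset-table entry must point into the object area before the table.
    for i in range(num_objects):
        start = table_off + i * off_size
        obj_off = int.from_bytes(data[start:start + off_size], "big")
        if obj_off < len(MAGIC) or obj_off >= table_off:
            return "object offset out of range"
    return "ok"


def build_minimal_bplist() -> bytes:
    """Constructed sample: one 'true' object (0x09) at offset 8, 1-byte offset table at 9."""
    objects = b"\x09"
    table = bytes([len(MAGIC)])
    trailer = struct.pack(">6xBBQQQ", 1, 1, 1, 0, len(MAGIC) + len(objects))
    return MAGIC + objects + table + trailer


def build_oversized_table_bplist() -> bytes:
    """Constructed sample: same body, but the trailer claims 2**62 objects of 4-byte
    offsets. num_objects * off_size is exactly 2**64 and wraps to 0 in C size_t
    arithmetic, so an unchecked parser would accept the table and read past the buffer."""
    trailer = struct.pack(">6xBBQQQ", 4, 1, 1 << 62, 0, len(MAGIC) + 1)
    return MAGIC + b"\x09" + bytes([len(MAGIC)]) + trailer


if __name__ == "__main__":
    for name, blob in (("minimal", build_minimal_bplist()),
                       ("truncated", build_minimal_bplist()[:20]),
                       ("oversized", build_oversized_table_bplist())):
        print(f"{name}: {check_bplist(blob)}")
```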
Len Lawrence
2018-01-02 18:02:51 CET
Whiteboard: (none) => MGA5-64-OK
Lewis Smith
2018-01-03 10:38:37 CET
Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2018-0025.html

Status: NEW => RESOLVED