Debian-LTS has issued an advisory on January 31: https://lwn.net/Alerts/713257/

Mageia 5 is also affected.

Fixed upstream in:
https://github.com/libimobiledevice/libplist/commit/3a55ddd3c4c11ce75a86afbefd085d8d397ff957
https://github.com/libimobiledevice/libplist/commit/7391a506352c009fe044dead7baad9e22dd279ee

Thanks to:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=851196
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=852385
CC: (none) => geiger.david68210
Whiteboard: (none) => MGA5TOO
CVE-2017-583[4-6] assigned for three more issues: http://openwall.com/lists/oss-security/2017/02/02/4
Summary: libplist new security issues CVE-2017-5209 and CVE-2017-5545 => libplist new security issues CVE-2017-5209, CVE-2017-5545, and CVE-2017-583[4-6]
Assigning to all packagers collectively, since there is no registered maintainer for this package.
CC: (none) => marja11
Assignee: bugsquad => pkg-bugs
openSUSE has issued an advisory for this on February 20: https://lists.opensuse.org/opensuse-updates/2017-02/msg00096.html
LWN reference for the original two CVEs: https://lwn.net/Vulnerabilities/713272/
URL: (none) => https://lwn.net/Vulnerabilities/715170/
CVE: (none) => CVE-2017-5209 CVE-2017-5545 CVE-2017-5834 CVE-2017-5835 CVE-2017-5836
CC: (none) => mageia
fixed on cauldron
Whiteboard: MGA5TOO => (none)
Version: Cauldron => 5
These issues and CVE-2017-643[5-9] and CVE-2017-6440 are included in this Fedora advisory from May 2: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/XIX535VXTX67KNHIX4YDFD2PPLOH3OVE/
Summary: libplist new security issues CVE-2017-5209, CVE-2017-5545, and CVE-2017-583[4-6] => libplist new security issues CVE-2017-5209, CVE-2017-5545, CVE-2017-583[4-6], CVE-2017-643[5-9], and CVE-2017-6440
openSUSE has issued an advisory for this today (May 28): https://lists.opensuse.org/opensuse-updates/2017-05/msg00094.html It includes another new issue, CVE-2017-7982.
Version: 5 => Cauldron
Whiteboard: (none) => MGA5TOO
Summary: libplist new security issues CVE-2017-5209, CVE-2017-5545, CVE-2017-583[4-6], CVE-2017-643[5-9], and CVE-2017-6440 => libplist new security issues CVE-2017-5209, CVE-2017-5545, CVE-2017-583[4-6], CVE-2017-643[5-9], CVE-2017-6440, and CVE-2017-7982
OK, I added additional upstream patches which should fix the remaining issues here for Cauldron in libplist-1.12-4.mga6.
Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)
openSUSE has issued an advisory for some of these issues today (August 18): https://lists.opensuse.org/opensuse-updates/2017-08/msg00082.html
http://www.linuxsecurity.com/content/view/195017/170/
CC: (none) => zombie_ryushu
(In reply to Zombie Ryushu from comment #10)
> http://www.linuxsecurity.com/content/view/195017/170/

Actual link for the Slackware advisory from November 16: http://www.slackware.com/security/viewer.php?l=slackware-security&y=2017&m=slackware-security.390199
I had to update to 1.12 to match openSUSE so that their patches would apply, which requires rebuilding gvfs, ifuse, kodi, libgpod, libimobiledevice, upower, usbmuxd (and technically lastfm-player, but it is a player for a defunct online service, so it doesn't need to be done). There's an update attempt for Kodi in SVN that was never built, so I might have to revert that.

Partial advisory below (will need the rebuilds added to it).

Advisory:
========================

Updated libplist packages fix security vulnerabilities:

The base64decode function in libplist allowed attackers to obtain sensitive information from process memory or cause a denial of service (buffer over-read) via split encoded Apple Property List data (CVE-2017-5209).

The main function in plistutil.c in libimobiledevice libplist allowed attackers to obtain sensitive information from process memory or cause a denial of service (buffer over-read) via Apple Property List data that is too short (CVE-2017-5545).

A heap-buffer overflow in parse_dict_node could cause a segmentation fault (CVE-2017-5834).

A maliciously crafted file could cause libplist to allocate large amounts of memory and consume lots of CPU because of a memory allocation error (CVE-2017-5835).

A type inconsistency in bplist.c could cause the application to crash (CVE-2017-5836).

A crafted plist file could lead to a heap-buffer overflow (CVE-2017-6435).

Integer overflow in parse_string_node (CVE-2017-6436).

The base64encode function in base64.c allows local users to cause a denial of service (out-of-bounds read) via a crafted plist file (CVE-2017-6437).

Heap-based buffer overflow in the parse_unicode_node function (CVE-2017-6438).

Heap-based buffer overflow in the parse_string_node function (CVE-2017-6439).

Ensure that sanity checks work on 32-bit platforms (CVE-2017-6440).

Add some safety checks, backported from upstream (CVE-2017-7982).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5209
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5545
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5834
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5835
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5836
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6435
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6436
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6437
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6438
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6439
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6440
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7982
https://lists.opensuse.org/opensuse-updates/2017-05/msg00094.html
https://lists.opensuse.org/opensuse-updates/2017-08/msg00082.html
========================

Updated packages in core/updates_testing:
========================
libplist-1.12-1.mga5
libplist3-1.12-1.mga5
libplist-devel-1.12-1.mga5
libplist++3-1.12-1.mga5
libplist++-devel-1.12-1.mga5
python-plist-1.12-1.mga5

from libplist-1.12-1.mga5.src.rpm
Advisory:
========================

Updated libplist packages fix security vulnerabilities:

The base64decode function in libplist allowed attackers to obtain sensitive information from process memory or cause a denial of service (buffer over-read) via split encoded Apple Property List data (CVE-2017-5209).

The main function in plistutil.c in libimobiledevice libplist allowed attackers to obtain sensitive information from process memory or cause a denial of service (buffer over-read) via Apple Property List data that is too short (CVE-2017-5545).

A heap-buffer overflow in parse_dict_node could cause a segmentation fault (CVE-2017-5834).

A maliciously crafted file could cause libplist to allocate large amounts of memory and consume lots of CPU because of a memory allocation error (CVE-2017-5835).

A type inconsistency in bplist.c could cause the application to crash (CVE-2017-5836).

A crafted plist file could lead to a heap-buffer overflow (CVE-2017-6435).

Integer overflow in parse_string_node (CVE-2017-6436).

The base64encode function in base64.c allows local users to cause a denial of service (out-of-bounds read) via a crafted plist file (CVE-2017-6437).

Heap-based buffer overflow in the parse_unicode_node function (CVE-2017-6438).

Heap-based buffer overflow in the parse_string_node function (CVE-2017-6439).

Ensure that sanity checks work on 32-bit platforms (CVE-2017-6440).

Add some safety checks, backported from upstream (CVE-2017-7982).

The gvfs, ifuse, kodi, libgpod, libimobiledevice, upower, and usbmuxd packages have been rebuilt for the updated libplist.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5209
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5545
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5834
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5835
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5836
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6435
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6436
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6437
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6438
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6439
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6440
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7982
https://lists.opensuse.org/opensuse-updates/2017-05/msg00094.html
https://lists.opensuse.org/opensuse-updates/2017-08/msg00082.html
========================

Updated packages in core/updates_testing:
========================
libplist-1.12-1.mga5
libplist3-1.12-1.mga5
libplist-devel-1.12-1.mga5
libplist++3-1.12-1.mga5
libplist++-devel-1.12-1.mga5
python-plist-1.12-1.mga5
gvfs-1.22.3-2.2.mga5
gvfs-devel-1.22.3-2.2.mga5
gvfs-fuse-1.22.3-2.2.mga5
gvfs-smb-1.22.3-2.2.mga5
gvfs-archive-1.22.3-2.2.mga5
gvfs-gphoto2-1.22.3-2.2.mga5
gvfs-iphone-1.22.3-2.2.mga5
gvfs-mtp-1.22.3-2.2.mga5
gvfs-goa-1.22.3-2.2.mga5
ifuse-1.1.3-4.1.mga5
kodi-14.0-2.3.mga5
kodi-eventclients-common-14.0-2.3.mga5
kodi-devel-14.0-2.3.mga5
kodi-eventclient-j2me-14.0-2.3.mga5
kodi-eventclient-ps3-14.0-2.3.mga5
kodi-eventclient-kodi-send-14.0-2.3.mga5
kodi-eventclient-wiiremote-14.0-2.3.mga5
libgpod-0.8.3-8.2.mga5
libgpod4-0.8.3-8.2.mga5
libgpod-devel-0.8.3-8.2.mga5
python-gpod-0.8.3-8.2.mga5
libgpod-sharp-0.8.3-8.2.mga5
libimobiledevice-1.1.6-4.2.mga5
libimobiledevice4-1.1.6-4.2.mga5
libimobiledevice-devel-1.1.6-4.2.mga5
python-imobiledevice-1.1.6-4.2.mga5
upower-0.99.2-1.2.mga5
libupower-glib3-0.99.2-1.2.mga5
libupower-glib-devel-0.99.2-1.2.mga5
libupower-gir1.0-0.99.2-1.2.mga5
usbmuxd-1.0.9-6.2.mga5
libusbmuxd2-1.0.9-6.2.mga5
libusbmuxd-devel-1.0.9-6.2.mga5

from SRPMS:
libplist-1.12-1.mga5.src.rpm
gvfs-1.22.3-2.2.mga5.src.rpm
ifuse-1.1.3-4.1.mga5.src.rpm
kodi-14.0-2.3.mga5.src.rpm
libgpod-0.8.3-8.2.mga5.src.rpm
libimobiledevice-1.1.6-4.2.mga5.src.rpm
upower-0.99.2-1.2.mga5.src.rpm
usbmuxd-1.0.9-6.2.mga5.src.rpm
Assignee: pkg-bugs => qa-bugs
Blocks: (none) => 20356
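Two of the advisory items, "Apple Property List data that is too short" (CVE-2017-5545) and "sanity checks work on 32-bit platforms" (CVE-2017-6440), both come down to validating a binary plist's trailer before any of its values is used as an index into the buffer. The Python below is an added illustration of that class of check, not libplist's code: it validates the 32-byte trailer of a plistlib-generated sample against the buffer length, and shows with a constructed forged trailer how a multiply-then-compare bound check wraps at 32 bits where a divide-then-compare check does not. The function names are mine; the trailer layout is that of the binary plist format.

```python
import plistlib
import struct

MAGIC = b"bplist00"
TRAILER = 32  # every binary plist ends in a fixed 32-byte trailer
# 6 unused bytes, offset_size, ref_size, num_objects, top_object, offset_table_offset
TRAILER_FMT = ">6xBBQQQ"


def trailer_fields(data):
    return struct.unpack(TRAILER_FMT, data[-TRAILER:])


def naive_table_fits(num_objects, offset_size, table_offset, body_end, size_t_bits=64):
    """Multiply-then-compare on size_t: the product wraps at the pointer width."""
    mask = (1 << size_t_bits) - 1
    table_len = (num_objects * offset_size) & mask
    return ((table_offset + table_len) & mask) <= body_end


def safe_table_fits(num_objects, offset_size, table_offset, body_end):
    """Divide-then-compare: no intermediate can exceed the buffer length."""
    return num_objects <= (body_end - table_offset) // offset_size


def validate_bplist_trailer(data):
    """Check trailer fields against len(data) before indexing; (True, "ok") or (False, reason)."""
    if len(data) < len(MAGIC) + TRAILER:
        return False, "too short"
    if not data.startswith(MAGIC):
        return False, "bad magic"
    offset_size, ref_size, num_objects, top_object, table_offset = trailer_fields(data)
    body_end = len(data) - TRAILER  # object bodies and offset table live in [8, body_end)
    if offset_size not in (1, 2, 4, 8) or ref_size not in (1, 2, 4, 8):
        return False, "bad offset/ref size"
    if num_objects == 0 or top_object >= num_objects:
        return False, "top object out of range"
    if not len(MAGIC) <= table_offset < body_end:
        return False, "offset table outside body"
    if not safe_table_fits(num_objects, offset_size, table_offset, body_end):
        return False, "offset table does not fit"
    return True, "ok"


def make_sample():
    """Constructed well-formed binary plist (not a file from this bug report)."""
    return plistlib.dumps({"a": 1, "b": [1, 2, 3]}, fmt=plistlib.FMT_BINARY)


def forge_trailer(data, num_objects, offset_size):
    """Constructed malformed input: keep the body, rewrite two trailer fields."""
    _, ref_size, _, top_object, table_offset = trailer_fields(data)
    trailer = struct.pack(TRAILER_FMT, offset_size, ref_size, num_objects, top_object, table_offset)
    return data[:-TRAILER] + trailer
```

With the forged trailer (num_objects = 2^30, offset_size = 4) the product is exactly 2^32, so the naive check passes on a 32-bit size_t and fails on 64-bit, while the divide form rejects it on both.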
To prioritise.
Keywords: (none) => advisory
CC: (none) => davidwhodgins
Created attachment 9874
As it says on the tin - kodi crash report on segfault
CC: (none) => tarazed25
Mageia 5 :: x86_64

Installed all the packages as listed except that most libs were lib64. Trial and error to find which were not. Updated all of them except upower without any problem. The listed version of upower is older than the version installed recently.

Tried kodi - interface appeared then disappeared.

$ kodi
Error: couldn't find RGB GLX visual or fbconfig
/usr/bin/kodi: line 170: 31036 Segmentation fault (core dumped) "$LIBDIR/${bin_name}/${bin_name}.bin" "$@"
Crash report available at /home/lcl/kodi_crashlog-20180101_181005.log

Attaching crash log. There is an empty core file - no core dump.

There was some sort of POC for CVE-2017-6437, inevitably for use in an ASAN framework and with no explicit instructions.

$ file poc1.txt
poc1.txt: Apple binary property list

Mostly binary according to hexdump.

$ od -a poc1.txt
0000000 b p l i s t 0 0 R soh eot stx enq O dc4 e
0000020 s t " etx etx dle soh esc sp esc nul nul nul nul nul esc
...........................

gphoto2 is present but I have no experience with it and do not feel like embarking on a training course just now. No iPhones here nor any other cell phones or tablets.

Holding this one back for feedback in view of the kodi problem.
Whiteboard: (none) => feedback
QA team, please continue testing to make sure this isn't just a Kodi problem. Also, make sure the Kodi problem isn't a regression. Packagers, please look into the Kodi issue. Thanks.
CC: (none) => anssi.hannula, doktor5000, eatdirt
Whiteboard: feedback => (none)
Installed kodi on another machine under mga5 and it came up no bother. Was able to browse images and move around the interface. Shall update just that - presumably it will pull in anything else needed - and see if it continues to work. If it does I can try an incremental update of the other packages to see if anything breaks.
Added the rest of the kodi packages from updates testing and kodi continued to work. Installed the rest of the updates in blocks and invoked kodi after each pass - no problems. Leaving other testers to address the other applications. If nobody takes this within 24 hours I shall give it an OK.
Whiteboard: (none) => MGA5-64-OK
Keywords: (none) => validated_update
CC: (none) => lewyssmith, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0025.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED