
Fedora alert FEDORA-2017-3849af4477 (libplist)

From:  updates@fedoraproject.org
To:  package-announce@lists.fedoraproject.org
Subject:  [SECURITY] Fedora 24 Update: libplist-2.0.0-1.fc24
Date:  Fri, 12 May 2017 19:24:55 +0000 (UTC)
Message-ID:  <20170512192455.EAAFE60A2C5C@bastion01.phx2.fedoraproject.org>

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2017-3849af4477
2017-05-12 14:08:49.129401
--------------------------------------------------------------------------------

Name        : libplist
Product     : Fedora 24
Version     : 2.0.0
Release     : 1.fc24
URL         : http://www.libimobiledevice.org/
Summary     : Library for manipulating Apple Binary and XML Property Lists
Description :
libplist is a library for manipulating Apple Binary and XML Property Lists

--------------------------------------------------------------------------------
Update Information:

Version 2.0.0 Changes:

* New light-weight custom XML parser
* Remove libxml2 dependency
* Refactor binary plist parsing
* Improved malformed XML and binary plist detection and error handling
* Add parser debug/error output (when compiled with --enable-debug),
  controlled via environment variables
* Fix unicode character handling
* Add PLIST_IS_* helper macros for the different node types
* Extend date/time range and date conversion issues
* Add plist_is_binary() and plist_from_memory() functions to the interface
* Plug several memory leaks
* Speed improvements for handling large plist files

Includes security fixes for:

* CVE-2017-6440
* CVE-2017-6439
* CVE-2017-6438
* CVE-2017-6437
* CVE-2017-6436
* CVE-2017-6435
* CVE-2017-5836
* CVE-2017-5835
* CVE-2017-5834
* CVE-2017-5545
* CVE-2017-5209

... and several others that didn't receive any CVE (yet).

--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1432965 - CVE-2017-6440 libplist: Memory allocation error in parse_data_node
        https://bugzilla.redhat.com/show_bug.cgi?id=1432965
  [ 2 ] Bug #1432959 - CVE-2017-6439 libplist: Heap-based buffer overflow in parse_string_node
        https://bugzilla.redhat.com/show_bug.cgi?id=1432959
  [ 3 ] Bug #1432956 - CVE-2017-6438 libplist: Heap-based buffer overflow in parse_unicode_node
        https://bugzilla.redhat.com/show_bug.cgi?id=1432956
  [ 4 ] Bug #1432954 - CVE-2017-6437 libplist: Out-of-bounds heap read in base64encode function
        https://bugzilla.redhat.com/show_bug.cgi?id=1432954
  [ 5 ] Bug #1432951 - CVE-2017-6436 libplist: Integer overflow in parse_string_node
        https://bugzilla.redhat.com/show_bug.cgi?id=1432951
  [ 6 ] Bug #1412613 - CVE-2017-5209 libplist: base64decode buffer over-read via split encoded Apple Property List data
        https://bugzilla.redhat.com/show_bug.cgi?id=1412613
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade libplist' at the command line.
For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgr...

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list -- package-announce@lists.fedoraproject.org
To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org



