Security update for libplist

Announcement ID: SUSE-SU-2017:1368-1
Rating: moderate
References:
Cross-References:
CVSS scores:
  • CVE-2017-5209 ( NVD ): 9.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
  • CVE-2017-5545 ( NVD ): 9.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
  • CVE-2017-5834 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  • CVE-2017-5835 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2017-5836 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2017-6440 ( NVD ): 5.0 CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
  • CVE-2017-7982 ( SUSE ): 3.3 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
  • CVE-2017-7982 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Affected Products:
  • SUSE Linux Enterprise Desktop 12 SP1
  • SUSE Linux Enterprise Desktop 12 SP2
  • SUSE Linux Enterprise High Performance Computing 12 SP2
  • SUSE Linux Enterprise Server 12 SP1
  • SUSE Linux Enterprise Server 12 SP2
  • SUSE Linux Enterprise Server for SAP Applications 12 SP1
  • SUSE Linux Enterprise Server for SAP Applications 12 SP2
  • SUSE Linux Enterprise Software Development Kit 12 12-SP2
  • SUSE Linux Enterprise Software Development Kit 12 SP1
  • SUSE Linux Enterprise Workstation Extension 12 SP1

An update that solves seven vulnerabilities can now be installed.

Description:

This update for libplist fixes the following security issues:

  • CVE-2017-5545: The main function in plistutil.c in libimobiledevice libplist allowed attackers to obtain sensitive information from process memory or cause a denial of service (buffer over-read) via Apple Property List data that is too short. (bsc#1021610).
  • CVE-2017-5209: The base64decode function in base64.c in libimobiledevice libplist through 1.12 allows attackers to obtain sensitive information from process memory or cause a denial of service (buffer over-read) via split encoded Apple Property List data. (bsc#1019531)
  • CVE-2017-5836: A type inconsistency in bplist.c was fixed. (bsc#1023807)
  • CVE-2017-5835: A memory allocation error leading to DoS was fixed. (bsc#1023822)
  • CVE-2017-5834: A heap-buffer overflow in parse_dict_node was fixed (bsc#1023848)
  • CVE-2017-7982: Denial of service (heap-based buffer over-read and application crash) via a crafted plist file (bsc#1035312)
  • CVE-2017-6440: A specially crafted plist file could lead to denial of service (bsc#1029631)

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • SUSE Linux Enterprise Desktop 12 SP1
    zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2017-835=1
  • SUSE Linux Enterprise Software Development Kit 12 SP1
    zypper in -t patch SUSE-SLE-SDK-12-SP1-2017-835=1
  • SUSE Linux Enterprise Software Development Kit 12 12-SP2
    zypper in -t patch SUSE-SLE-SDK-12-SP2-2017-835=1
  • SUSE Linux Enterprise Server for SAP Applications 12 SP1
    zypper in -t patch SUSE-SLE-SERVER-12-SP1-2017-835=1
  • SUSE Linux Enterprise Server 12 SP1
    zypper in -t patch SUSE-SLE-SERVER-12-SP1-2017-835=1
  • SUSE Linux Enterprise Workstation Extension 12 SP1
    zypper in -t patch SUSE-SLE-WE-12-SP1-2017-835=1

Package List:

  • SUSE Linux Enterprise Desktop 12 SP1 (x86_64)
    • libplist++1-1.8-10.9.1
    • libplist-debugsource-1.8-10.9.1
    • libplist1-1.8-10.9.1
    • libplist++1-debuginfo-1.8-10.9.1
    • libplist1-debuginfo-1.8-10.9.1
  • SUSE Linux Enterprise Software Development Kit 12 SP1 (ppc64le s390x x86_64)
    • libplist++1-1.8-10.9.1
    • libplist-debugsource-1.8-10.9.1
    • libplist++1-debuginfo-1.8-10.9.1
    • libplist-devel-1.8-10.9.1
    • libplist++-devel-1.8-10.9.1
  • SUSE Linux Enterprise Software Development Kit 12 12-SP2 (aarch64 ppc64le s390x x86_64)
    • libplist++1-debuginfo-1.8-10.9.1
    • libplist++1-1.8-10.9.1
  • SUSE Linux Enterprise Server for SAP Applications 12 SP1 (ppc64le x86_64)
    • libplist1-1.8-10.9.1
    • libplist-debugsource-1.8-10.9.1
    • libplist1-debuginfo-1.8-10.9.1
  • SUSE Linux Enterprise Server 12 SP1 (ppc64le s390x x86_64)
    • libplist1-1.8-10.9.1
    • libplist-debugsource-1.8-10.9.1
    • libplist1-debuginfo-1.8-10.9.1
  • SUSE Linux Enterprise Workstation Extension 12 SP1 (x86_64)
    • libplist++1-debuginfo-1.8-10.9.1
    • libplist++1-1.8-10.9.1
    • libplist-debugsource-1.8-10.9.1

References: