{"id":"CVE-2017-6436","details":"The parse_string_node function in bplist.c in libimobiledevice libplist 1.12 allows local users to cause a denial of service (memory allocation error) via a crafted plist file.","modified":"2026-04-16T06:18:58.508333735Z","published":"2017-03-15T14:59:00.993Z","related":["SUSE-SU-2017:2201-1","openSUSE-SU-2024:10970-1"],"references":[{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2020/04/msg00002.html"},{"type":"WEB","url":"http://www.securityfocus.com/bid/97290"},{"type":"FIX","url":"https://github.com/libimobiledevice/libplist/commit/32ee5213fe64f1e10ec76c1ee861ee6f233120dd"},{"type":"EVIDENCE","url":"https://github.com/libimobiledevice/libplist/issues/94"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/libimobiledevice/libplist","events":[{"introduced":"0"},{"last_affected":"27ed36c03297713d2cfa79431cdc8105602e80c2"},{"fixed":"32ee5213fe64f1e10ec76c1ee861ee6f233120dd"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"1.12"}]}}],"versions":["1.10","1.11","1.12","1.4","1.5","1.6","1.7","1.8","1.9","libplist_rc1","libplist_rc2","v0.10","v0.11","v0.12","v0.13","v0.14","v0.15","v0.16","v0.8","v0.9","v1.0","v1.1","v1.2","v1.3"],"database_specific":{"vanir_signatures":[{"signature_type":"Line","id":"CVE-2017-6436-0bbb6660","target":{"file":"src/bplist.c"},"source":"https://github.com/libimobiledevice/libplist/commit/32ee5213fe64f1e10ec76c1ee861ee6f233120dd","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["156188244364215037406206909115424338022","270507218340556683758157244164346739797","20868631067273560737507354209718126807","175525345297111499699094193283948304698","206416723285238720848439429919813610674","321556157241099152535521135040358802921","134970958873456120558602902800600184366","171331497565318761760904093701766342388","218253539029817303091220703201557535637","113952918008046793986364683747104049857","177284859458370776533673195693784192865","257723415266607699635852978332082352398","212902813417641815937384186460878710237","149108012247647216250900007347531480323","137615385030412692203009528092116378462","38176331951141140346084606126442857442","266293008507233620532781506608571203698","265785711414978656336470236600122034799","112150564396663647390161839431151298554","216526036517117152374988546766010039859","307065625844409316731365061586381054968","191082999308267820452442647988872525754","200365569634871494973026288914124148206"]},"deprecated":false},{"signature_type":"Function","id":"CVE-2017-6436-70b9e5f4","digest":{"function_hash":"303600261123021975455589058979360069417","length":3627},"deprecated":false,"target":{"function":"parse_bin_node","file":"src/bplist.c"},"source":"https://github.com/libimobiledevice/libplist/commit/32ee5213fe64f1e10ec76c1ee861ee6f233120dd","signature_version":"v1"}],"vanir_signatures_modified":"2026-04-11T03:11:42Z","source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-6436.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H"}]}