{"id":"MGASA-2018-0025","summary":"Updated libplist packages fix security vulnerability","details":"The base64decode function in libplist allowed attackers to obtain\nsensitive information from process memory or cause a denial of\nservice (buffer over-read) via split encoded Apple Property List data\n(CVE-2017-5209).\n\nThe main function in plistutil.c in libimobiledevice libplist allowed\nattackers to obtain sensitive information from process memory or cause a\ndenial of service (buffer over-read) via Apple Property List data that is\ntoo short (CVE-2017-5545).\n\nA heap-buffer overflow in parse_dict_node could cause a segmentation fault\n(CVE-2017-5834).\n\nMalicious crafted file could cause libplist to allocate large amounts of\nmemory and consume lots of CPU because of a memory allocation error\n(CVE-2017-5835).\n\nA type inconsistency in bplist.c could cause the application to crash\n(CVE-2017-5836).\n\nCrafted plist file could lead to Heap-buffer overflow (CVE-2017-6435).\n\nInteger overflow in parse_string_node (CVE-2017-6436).\n\nThe base64encode function in base64.c allows local users to cause denial\nof service (out-of-bounds read) via a crafted plist file (CVE-2017-6437).\n\nHeap-based buffer overflow in the parse_unicode_node function\n(CVE-2017-6438).\n\nHeap-based buffer overflow in the parse_string_node function\n(CVE-2017-6439).\n\nEnsure that sanity checks work on 32-bit platforms (CVE-2017-6440).\n\nAdd some safety checks, backported from upstream (CVE-2017-7982).\n\nThe gvfs, ifuse, kodi, libgpod, libimobiledevice, upower, and usbmuxd\npackages have been rebuilt for the updated libplist.\n","modified":"2026-04-16T06:25:25.504882752Z","published":"2018-01-03T10:32:10Z","upstream":["CVE-2017-5209","CVE-2017-5545","CVE-2017-5834","CVE-2017-5835","CVE-2017-5836","CVE-2017-6435","CVE-2017-6436","CVE-2017-6437","CVE-2017-6438","CVE-2017-6439","CVE-2017-6440","CVE-2017-7982"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2018-0025.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=20232"},{"type":"WEB","url":"https://lists.opensuse.org/opensuse-updates/2017-05/msg00094.html"},{"type":"WEB","url":"https://lists.opensuse.org/opensuse-updates/2017-08/msg00082.html"}],"affected":[{"package":{"name":"libplist","ecosystem":"Mageia:5","purl":"pkg:rpm/mageia/libplist?arch=source&distro=mageia-5"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.12-1.mga5"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2018-0025.json"}},{"package":{"name":"gvfs","ecosystem":"Mageia:5","purl":"pkg:rpm/mageia/gvfs?arch=source&distro=mageia-5"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.22.3-2.2.mga5"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2018-0025.json"}},{"package":{"name":"ifuse","ecosystem":"Mageia:5","purl":"pkg:rpm/mageia/ifuse?arch=source&distro=mageia-5"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.1.3-4.1.mga5"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2018-0025.json"}},{"package":{"name":"kodi","ecosystem":"Mageia:5","purl":"pkg:rpm/mageia/kodi?arch=source&distro=mageia-5"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"14.0-2.3.mga5"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2018-0025.json"}},{"package":{"name":"libgpod","ecosystem":"Mageia:5","purl":"pkg:rpm/mageia/libgpod?arch=source&distro=mageia-5"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.8.3-8.2.mga5"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2018-0025.json"}},{"package":{"name":"libimobiledevice","ecosystem":"Mageia:5","purl":"pkg:rpm/mageia/libimobiledevice?arch=source&distro=mageia-5"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.1.6-4.2.mga5"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2018-0025.json"}},{"package":{"name":"upower","ecosystem":"Mageia:5","purl":"pkg:rpm/mageia/upower?arch=source&distro=mageia-5"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.99.2-1.2.mga5"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2018-0025.json"}},{"package":{"name":"usbmuxd","ecosystem":"Mageia:5","purl":"pkg:rpm/mageia/usbmuxd?arch=source&distro=mageia-5"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.0.9-6.2.mga5"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2018-0025.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}