--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2017-4047180cd3
2017-05-12 04:05:28.496941
--------------------------------------------------------------------------------

Name        : libplist
Product     : Fedora 25
Version     : 2.0.0
Release     : 1.fc25
URL         : http://www.libimobiledevice.org/
Summary     : Library for manipulating Apple Binary and XML Property Lists
Description :
libplist is a library for manipulating Apple Binary and XML Property Lists

--------------------------------------------------------------------------------
Update Information:

Version 2.0.0

Changes:

* New light-weight custom XML parser
* Remove libxml2 dependency
* Refactor binary plist parsing
* Improved malformed XML and binary plist detection and error handling
* Add parser debug/error output (when compiled with --enable-debug),
  controlled via environment variables
* Fix unicode character handling
* Add PLIST_IS_* helper macros for the different node types
* Extend date/time range and date conversion issues
* Add plist_is_binary() and plist_from_memory() functions to the interface
* Plug several memory leaks
* Speed improvements for handling large plist files

Includes security fixes for:

* CVE-2017-6440
* CVE-2017-6439
* CVE-2017-6438
* CVE-2017-6437
* CVE-2017-6436
* CVE-2017-6435
* CVE-2017-5836
* CVE-2017-5835
* CVE-2017-5834
* CVE-2017-5545
* CVE-2017-5209

... and several others that didn't receive any CVE (yet).
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1432965 - CVE-2017-6440 libplist: Memory allocation error in parse_data_node
        https://bugzilla.redhat.com/show_bug.cgi?id=1432965
  [ 2 ] Bug #1432959 - CVE-2017-6439 libplist: Heap-based buffer overflow in parse_string_node
        https://bugzilla.redhat.com/show_bug.cgi?id=1432959
  [ 3 ] Bug #1432956 - CVE-2017-6438 libplist: Heap-based buffer overflow in parse_unicode_node
        https://bugzilla.redhat.com/show_bug.cgi?id=1432956
  [ 4 ] Bug #1432954 - CVE-2017-6437 libplist: Out-of-bounds heap read in base64encode function
        https://bugzilla.redhat.com/show_bug.cgi?id=1432954
  [ 5 ] Bug #1432951 - CVE-2017-6436 libplist: Integer overflow in parse_string_node
        https://bugzilla.redhat.com/show_bug.cgi?id=1432951
  [ 6 ] Bug #1412613 - CVE-2017-5209 libplist: base64decode buffer over-read via split encoded Apple Property List data
        https://bugzilla.redhat.com/show_bug.cgi?id=1412613
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade libplist' at the command line.
For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------