Your message dated Sat, 01 Apr 2017 19:03:45 +0000
with message-id <[email protected]>
and subject line Bug#858787: fixed in libplist 1.12+git+1+e37ca00-0.2
has caused the Debian Bug report #858787,
regarding libplist: CVE-2017-6437
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
858787: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858787
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libplist
Version: 1.12+git+1+e37ca00-0.1
Severity: important
Forwarded: https://github.com/libimobiledevice/libplist/issues/100
Hi,
the following vulnerability was published for libplist.
CVE-2017-6437[0]:
| The base64encode function in base64.c in libimobiledevice libplist
| 1.12 allows local users to cause a denial of service (out-of-bounds
| read) via a crafted plist file.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-6437
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6437
[1] https://github.com/libimobiledevice/libplist/issues/100
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: libplist
Source-Version: 1.12+git+1+e37ca00-0.2
We believe that the bug you reported is fixed in the latest version of
libplist, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated libplist package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 27 Mar 2017 19:41:54 +0200
Source: libplist
Binary: libplist3 libplist++3v5 libplist-dev libplist++-dev libplist-dbg
python-plist libplist-utils libplist-doc
Architecture: all source
Version: 1.12+git+1+e37ca00-0.2
Distribution: unstable
Urgency: high
Maintainer: gtkpod Maintainers <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Closes: 858055 858786 858787
Description:
 libplist++-dev - Library for handling Apple binary and XML property lists
 libplist++3v5 - Library for handling Apple binary and XML property lists
 libplist-dbg - Library for handling Apple binary and XML property lists
 libplist-dev - Library for handling Apple binary and XML property lists
 libplist-doc - Library for handling Apple binary and XML property lists - docs
 libplist-utils - Apple property list converter
 libplist3 - Library for handling Apple binary and XML property lists
 python-plist - Library for handling Apple binary and XML property lists
Changes:
 libplist (1.12+git+1+e37ca00-0.2) unstable; urgency=high
 .
   * Non-maintainer upload.
   * bplist: Make sure sanity checks work on 32bit platforms.
     CVE-2017-6437: Out-of-bounds heap read in base64encode function
     CVE-2017-6438: Heap-based buffer overflow in parse_unicode_node
     CVE-2017-6440: Memory allocation error in parse_data_node
     (Closes: #858787, #858786, #858055)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---