897914 – (CVE-2015-10082) app-pda/libplist: XXE vulnerability

Bug 897914 (CVE-2015-10082) - app-pda/libplist: XXE vulnerability

Summary: app-pda/libplist: XXE vulnerability

Status:	RESOLVED INVALID

Alias:	CVE-2015-10082

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:	https://vuldb.com/?ctiid.221499
Whiteboard:	B4 [ebuild]
Keywords:

Depends on:
Blocks:

Reported:	2023-02-26 17:31 UTC by John Helmert III
Modified:	2023-02-27 15:53 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Helmert III archtester

2023-02-26 17:31:49 UTC

CVE-2015-10082:

A vulnerability classified as problematic has been found in UIKit0 libplist 1.12. This affects the function plist_from_xml of the file src/xplist.c of the component XML Handler. The manipulation leads to xml external entity reference. The name of the patch is c086cb139af7c82845f6d565e636073ff4b37440. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-221499.

Please apply the patch: https://github.com/UIKit0/libplist/commit/c086cb139af7c82845f6d565e636073ff4b37440

Comment 1 Matthew Smith gentoo-dev

2023-02-26 17:43:00 UTC

The libplist in tree doesn't use libxml and (for better or for worse) has its own handwritten XML parser.

plist_from_xml: https://github.com/libimobiledevice/libplist/blob/bfc97788f081584ced9cd35d85b69b3fec6b907c/src/xplist.c#L1474-L1487

commit that removes libxml2: https://github.com/libimobiledevice/libplist/commit/392135c7db4d9cb4a14ff5935d7c4c6e21363847 (present since v2.0.0)

Comment 2 John Helmert III archtester

2023-02-27 15:53:41 UTC

I see, thanks!