PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-5834 Libimobiledevice CVE debrief

CVE-2017-5834 is a denial-of-service vulnerability in libplist's binary property list (bplist) parser. A crafted bplist file can trigger an out-of-bounds heap read in parse_dict_node() in bplist.c, crashing the process that parses it. The published CVSS vector rates the issue as local, requiring user interaction, and affecting availability only.

Vendor
Libimobiledevice
Product
libplist
CVSS
MEDIUM 5.5
CISA KEV
Not listed in the evidence this debrief draws on
Original CVE published
2017-03-03
Original CVE updated
2026-05-13
Advisory published
2017-03-03
Advisory updated
2026-05-13

Who should care

Teams that use libplist or libimobiledevice components to parse Apple binary property list (bplist) content, especially where the files come from untrusted or externally supplied sources (device backups, uploaded files, content fetched from a device over USB or the network). Developers who embed or vendor libplist, and distributors who ship it, should pay particular attention because a fix has to reach every copy.

Technical summary

NVD describes the flaw as an out-of-bounds heap read in parse_dict_node() in bplist.c in libplist, reachable through a crafted file and classified as CWE-125 (out-of-bounds read). The CVSS v3.0 vector AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H (5.5, Medium) indicates a local attack vector with user interaction required, meaning the victim must open or otherwise feed the crafted file to the parser, no privileges required, and a high availability impact from the resulting process crash; confidentiality and integrity are scored as unaffected.
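The check that a CWE-125 finding in a dictionary-node parser calls for is easiest to see in code. The block below is an added illustration written for this debrief; it is not libplist's parse_dict_node() and does not reproduce the project's fix. It reads the public bplist layout (8-byte "bplist00" header, object data, offset table, 32-byte trailer) and parses a small dictionary node (marker 0xDn followed by n key refs and n value refs) only after confirming that every reference the node claims to contain actually lies inside the object region and resolves to an offset inside the file. The function names, the result codes and the 50-byte sample file are this example's own constructions.

```c
#include <stdint.h>
#include <string.h>

/* Result codes (this example's own names). */
enum { BP_OK = 0, BP_ERR_TRAILER = -1, BP_ERR_TYPE = -2, BP_ERR_TRUNC = -3, BP_ERR_REF = -4 };

/* Fields of the 32-byte trailer that ends every bplist file. Object data lives
 * between the 8-byte "bplist00" header and offset_table_offset. */
typedef struct {
    size_t offset_size, ref_size;      /* entry widths, 1..8 bytes each */
    uint64_t num_objects, top_object, offset_table_offset;
} bp_trailer_t;

/* Big-endian unsigned integer of n bytes; caller has bounds-checked p..p+n. */
static uint64_t be_uint(const uint8_t *p, size_t n) {
    uint64_t v = 0;
    for (size_t i = 0; i < n; i++) v = (v << 8) | p[i];
    return v;
}

/* Validate the trailer and confirm the whole offset table sits between header and
 * trailer. Division, not multiplication, so a huge object count cannot wrap. */
static int bp_read_trailer(const uint8_t *buf, size_t len, bp_trailer_t *t) {
    if (len < 40 || memcmp(buf, "bplist00", 8) != 0) return BP_ERR_TRAILER;
    const uint8_t *tr = buf + len - 32;
    t->offset_size = tr[6];
    t->ref_size = tr[7];
    t->num_objects = be_uint(tr + 8, 8);
    t->top_object = be_uint(tr + 16, 8);
    t->offset_table_offset = be_uint(tr + 24, 8);
    if (t->offset_size < 1 || t->offset_size > 8 || t->ref_size < 1 || t->ref_size > 8)
        return BP_ERR_TRAILER;
    size_t table_end = len - 32;
    if (t->offset_table_offset < 8 || t->offset_table_offset > table_end ||
        t->num_objects > (table_end - t->offset_table_offset) / t->offset_size)
        return BP_ERR_TRAILER;
    return BP_OK;
}

/* Map an object reference to a byte offset: the ref must be below the object
 * count and the table entry must point into the object region. */
static int bp_resolve_ref(const uint8_t *buf, const bp_trailer_t *t, uint64_t ref, size_t *off) {
    if (ref >= t->num_objects) return BP_ERR_REF;
    size_t entry = (size_t)(t->offset_table_offset + ref * t->offset_size);
    uint64_t o = be_uint(buf + entry, t->offset_size);
    if (o < 8 || o >= t->offset_table_offset) return BP_ERR_REF;
    *off = (size_t)o;
    return BP_OK;
}

/* Dictionary node: marker 0xDn (n = entry count; the 0xF "count follows" form is
 * rejected here for brevity), then n key refs, then n value refs of ref_size bytes.
 * All 2*n refs are checked to fit inside the object region before any is read. */
static int bp_parse_dict_node(const uint8_t *buf, size_t len, const bp_trailer_t *t, size_t offset,
                              size_t *keys, size_t *vals, size_t max_entries, size_t *count_out) {
    if (offset >= len || offset + 1 > t->offset_table_offset) return BP_ERR_TRUNC;
    if ((buf[offset] & 0xF0) != 0xD0) return BP_ERR_TYPE;
    size_t count = buf[offset] & 0x0F;
    if (count == 0x0F || count > max_entries) return BP_ERR_TYPE;
    size_t region = (size_t)(t->offset_table_offset - offset - 1);
    if (count > region / (2 * t->ref_size)) return BP_ERR_TRUNC;   /* the CWE-125 guard */
    const uint8_t *refs = buf + offset + 1;
    for (size_t i = 0; i < count; i++) {
        int rc = bp_resolve_ref(buf, t, be_uint(refs + i * t->ref_size, t->ref_size), &keys[i]);
        if (rc == BP_OK)
            rc = bp_resolve_ref(buf, t, be_uint(refs + (count + i) * t->ref_size, t->ref_size), &vals[i]);
        if (rc != BP_OK) return rc;
    }
    *count_out = count;
    return BP_OK;
}

/* Full flow: trailer, top object, top object parsed as a dictionary. */
static int bp_top_dict(const uint8_t *buf, size_t len, size_t *keys, size_t *vals,
                       size_t max_entries, size_t *count_out) {
    bp_trailer_t t;
    size_t top;
    int rc = bp_read_trailer(buf, len, &t);
    if (rc == BP_OK) rc = bp_resolve_ref(buf, &t, t.top_object, &top);
    if (rc == BP_OK) rc = bp_parse_dict_node(buf, len, &t, top, keys, vals, max_entries, count_out);
    return rc;
}

/* Constructed 50-byte sample encoding {"k": "v"}; out needs room for 50 bytes.
 * dict_marker and val_ref let a caller craft malformed variants. */
static size_t bp_build_sample(uint8_t *out, uint8_t dict_marker, uint8_t val_ref) {
    static const uint8_t trailer[32] = {
        0, 0, 0, 0, 0, 0, 1, 1,     /* unused bytes, offset size 1, ref size 1 */
        0, 0, 0, 0, 0, 0, 0, 3,     /* 3 objects */
        0, 0, 0, 0, 0, 0, 0, 0,     /* top object is #0 */
        0, 0, 0, 0, 0, 0, 0, 15 };  /* offset table starts at byte 15 */
    size_t n = 8;
    memcpy(out, "bplist00", 8);
    out[n++] = dict_marker; out[n++] = 1; out[n++] = val_ref;  /* #0 at 8: dict */
    out[n++] = 0x51; out[n++] = 'k';                           /* #1 at 11: "k" */
    out[n++] = 0x51; out[n++] = 'v';                           /* #2 at 13: "v" */
    out[n++] = 8; out[n++] = 11; out[n++] = 13;                /* offset table */
    memcpy(out + n, trailer, 32);
    return n + 32;
}
```

Calling bp_build_sample(f, 0xD1, 2) yields a well-formed file whose top dictionary resolves to one entry with the key at byte 11 and the value at byte 13. Changing the marker to 0xD9 produces a node that claims nine entries while only six bytes of object data follow it; an unchecked loop would read eighteen reference bytes past the node, which in a heap buffer of exactly the file's size means reading beyond the allocation. The guarded parser returns BP_ERR_TRUNC before touching those bytes. A value ref of 7 in a three-object file is rejected with BP_ERR_REF for the same reason: the offset-table lookup would otherwise index past the table.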

Defensive priority

Medium: prioritize if libplist parses untrusted or user-supplied bplist files. NVD rates the issue as a crash with no confidentiality or integrity impact. One practitioner caveat: an out-of-bounds read is scored as availability-only here, but in general a read past a buffer can expose neighbouring heap contents if the parser's output is returned to the caller, so services that echo parsed plist data back to remote clients should not lean on the C:N rating while unpatched.

Recommended defensive actions

  • Identify deployments that include libplist, including embedded, statically linked or vendored copies inside downstream products (libimobiledevice tooling, device-management agents, backup and forensic utilities).
  • Update to a libplist release that includes the fix if your distribution or vendor provides one; otherwise backport the upstream patch referenced in the oss-security posts and GitHub issue cited under Evidence notes.
  • Until patched builds are deployed, restrict bplist inputs to trusted sources or run the parser in a separate, restartable process so that a crash on a crafted file does not take down the host service.
  • Rebuild and redeploy any software that statically links or vendors libplist after patching; updating the shared library alone does not reach those copies.
  • Verify the deployed version after rollout, for example by checking the package version or the library's version string on each affected host.

Evidence notes

Primary facts come from the NVD entry and the CVE record description: CVE-2017-5834 affects libplist, involves parse_dict_node() in bplist.c, and can cause an out-of-bounds heap read and crash via a crafted file. NVD classifies the weakness as CWE-125 and assigns CVSS v3.0 AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H. Supporting references are the oss-security mailing list posts, the GitHub issue tracker entry, and the Debian LTS announcement listed in the supplied corpus.

Official resources

Publicly disclosed on 2017-03-03 per the CVE and NVD records; the NVD entry was last modified on 2026-05-13.