Subject: [ASA-201701-34] libimobiledevice: access restriction bypass

Arch Linux Security Advisory ASA-201701-34
==========================================

Severity: Medium
Date    : 2017-01-27
CVE-ID  : CVE-2016-5104
Package : libimobiledevice
Type    : access restriction bypass
Remote  : Yes
Link    : https://security.archlinux.org/AVG-8

Summary
=======

The package libimobiledevice before version 1.2.0-4 is vulnerable to
access restriction bypass.

Resolution
==========

Upgrade to 1.2.0-4.

# pacman -Syu "libimobiledevice>=1.2.0-4"

The problem has been fixed upstream but no release is available yet.

Workaround
==========

None.

Description
===========

The socket_create function in common/socket.c in libimobiledevice and
libusbmuxd allows remote attackers on the local network to bypass
intended access restrictions and communicate with services on affected
devices by connecting to an IPv4 TCP socket.

Impact
======

A remote attacker on the local network is able to bypass access
restrictions and communicate with services on connected iOS devices.

References
==========

http://www.openwall.com/lists/oss-security/2016/05/26/6
https://security.archlinux.org/CVE-2016-5104
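
Added example (not part of the advisory and not libimobiledevice code): a host-side audit that lists IPv4 TCP listeners reachable from outside the machine, which is the exposure the Description refers to. It assumes the exposure shows up as a LISTEN socket bound to a non-loopback address (the advisory does not state the binding), and the sample table, addresses and ports are constructed.

```python
import ipaddress
import os
import sys

TCP_LISTEN = 0x0A  # "st" value for a listening socket

# Constructed sample in /proc/net/tcp layout (little-endian host); not real output.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20001
   1: 00000000:D431 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 20002
   2: 0A01A8C0:D431 0501A8C0:C350 01 00000000:00000000 00:00000000 00000000  1000        0 20003
   3: 0A01A8C0:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20004
"""

def decode_addr(hex_addr, byteorder="little"):
    """The kernel prints the address as a host-order 32-bit hex word."""
    return ipaddress.IPv4Address(int(hex_addr, 16).to_bytes(4, byteorder))

def exposed_listeners(table, byteorder="little"):
    """Return (address, port) for every LISTEN socket not bound to loopback."""
    found = []
    for line in table.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].endswith(":"):
            continue  # header or malformed row
        if int(fields[3], 16) != TCP_LISTEN:
            continue  # established and other states are not listeners
        hex_addr, hex_port = fields[1].split(":")
        addr = decode_addr(hex_addr, byteorder)
        if not addr.is_loopback:
            found.append((str(addr), int(hex_port, 16)))
    return found

if __name__ == "__main__":
    path = "/proc/net/tcp"
    if os.path.exists(path):
        with open(path) as fh:
            table, order = fh.read(), sys.byteorder
    else:
        table, order = SAMPLE, "little"
    for addr, port in exposed_listeners(table, order):
        print(f"non-loopback listener: {addr}:{port}")
```

Run it before and after the upgrade while a device is attached; a listener on 0.0.0.0 that disappears or moves to 127.0.0.1 afterwards is the one to attribute to the affected package.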