From Secunia:

rigan has reported a vulnerability in usbmuxd, which potentially can be exploited by malicious people with physical access to compromise a vulnerable system. The vulnerability is caused due to a boundary error within the "receive_packet()" function (libusbmuxd/libusbmuxd.c) when processing a property list containing an overly long "SerialNumber" field, which can be exploited to cause a heap-based buffer overflow. Successful exploitation may allow the execution of arbitrary code, but requires that the attacker is able to connect a malicious USB device.

https://secunia.com/advisories/47545/
https://bugs.gentoo.org/show_bug.cgi?id=399409

Source code commit: http://git.marcansoft.com/?p=usbmuxd.git;a=commitdiff;h=f794991993af56a74795891b4ff9da506bc893e6

This vulnerability requires physical access so a USB device can be plugged in, setting priority to low despite a CVSS2 score of 4.6.
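The class of boundary error the advisory above describes, a variable-length property value copied into a fixed-size record field, shown with a bounded copy that rejects over-long input. This is an added example, not code from usbmuxd or the referenced commit; the struct layout, the 256-byte field size, and the names `device_record` and `set_serial_number` are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed size and layout for illustration; not taken from libusbmuxd. */
#define SERIAL_MAX 256

struct device_record {
    unsigned int handle;
    char serial_number[SERIAL_MAX]; /* fixed-size destination */
    unsigned int product_id;        /* neighbour an unbounded copy would overwrite */
};

enum { COPY_OK = 0, COPY_TOO_LONG = -1, COPY_BAD_ARG = -2 };

/*
 * Copy an untrusted NUL-terminated property value into the record.
 * An unbounded strcpy() here writes past serial_number when the peer
 * sends a long value. This version checks the length against the
 * destination first and rejects over-long input, leaving dev unchanged.
 */
int set_serial_number(struct device_record *dev, const char *value)
{
    const char *end;

    if (dev == NULL || value == NULL)
        return COPY_BAD_ARG;

    /* Look for the terminator within the space we actually have. */
    end = memchr(value, '\0', SERIAL_MAX);
    if (end == NULL)
        return COPY_TOO_LONG;

    memcpy(dev->serial_number, value, (size_t)(end - value) + 1);
    return COPY_OK;
}

int main(void)
{
    struct device_record dev = { 1, "", 0x1234 };
    char oversized[1024]; /* constructed sample input */

    memset(oversized, 'A', sizeof(oversized) - 1);
    oversized[sizeof(oversized) - 1] = '\0';

    printf("short value: %d\n", set_serial_number(&dev, "0123456789abcdef"));
    printf("oversized value: %d\n", set_serial_number(&dev, oversized));
    printf("serial=%s product_id=0x%x\n", dev.serial_number, dev.product_id);
    return 0;
}
```

Rejecting rather than truncating keeps a malformed device from being registered under a partial serial number; a caller that prefers truncation must still write the terminator itself.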
The receive_packet() function was first introduced on May 25 2010 via:

http://cgit.sukimashita.com/usbmuxd.git/commit/?id=00c3c56e38f10d0f20145d5735b2fc0fd926555d

and:

http://cgit.sukimashita.com/usbmuxd.git/commit/?id=6cb505257ff848aa7ead80b60b575effc3a915fa

(the latter introduced plist-based support, which is the commit that introduced the flaw)

This code is not present in usbmuxd 1.0.2; it looks like it would have been first included (judging by release dates) in 1.0.5:

http://cgit.sukimashita.com/usbmuxd.git/tag/?id=v1.0.5

Statement:

Not vulnerable. This issue did not affect the versions of usbmuxd as shipped with Red Hat Enterprise Linux 6.
Created usbmuxd tracking bugs for this issue

Affects: fedora-all [bug 783523]
I plan to add this patch as shipped in Debian:

http://patch-tracker.debian.org/patch/series/view/usbmuxd/1.0.7-2/90-cve-2012-0065.patch