From ${URL} :

An exploitable buffer overflow vulnerability exists in the tag parsing functionality of LibOFX 0.9.11. A specially crafted OFX file can cause a write out of bounds resulting in a buffer overflow on the stack. An attacker can construct a malicious OFX file to trigger this vulnerability.

Upstream bug:
https://github.com/libofx/libofx/issues/9

References:
https://bugzilla.novell.com/show_bug.cgi?id=1058673
https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0317

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Fixed in 0.9.12
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=451fc2c8ff8cb638785cb2a51d722da9e35700e3

commit 451fc2c8ff8cb638785cb2a51d722da9e35700e3
Author: Aaron Bauman <bman@gentoo.org>
AuthorDate: 2019-08-18 02:06:31 +0000
Commit: Aaron Bauman <bman@gentoo.org>
CommitDate: 2019-08-18 02:13:31 +0000

    dev-libs/libofx: bump package

    * non-maintainer security bump
    * drop PPC/PPC64 keywords due to new dep on dev-util/gengetopt
    * move from autotools-utils to autotools eclass
    * bump EAPI
    * Update HOMEPAGE and SRC_URI
    * move RDEPEND deps to DEPEND where they belong

    Bug: https://bugs.gentoo.org/631304
    Bug: https://bugs.gentoo.org/636062
    Bug: https://bugs.gentoo.org/662910
    Closes: https://bugs.gentoo.org/675152
    Signed-off-by: Aaron Bauman <bman@gentoo.org>

 dev-libs/libofx/Manifest | 1 +
 dev-libs/libofx/libofx-0.9.14.ebuild | 56 ++++++++++++++++++++++++++++++++++++
 2 files changed, 57 insertions(+)
This issue was resolved and addressed in GLSA 201908-26 at https://security.gentoo.org/glsa/201908-26 by GLSA coordinator Thomas Deutschmann (whissi).