CVE ID: CVE-2017-14731

Summary: ofx_proc_file in ofx_preproc.cpp in LibOFX 0.9.12 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted file, as demonstrated by an ofxdump call.
This fix is in the next version: 0.9.12.

Michael Boyle
Gentoo Security Padawan
Sorry, to clarify: 0.9.12 contains a fix for the CISCO TALOS CVE-2017-2816 issue. Also, the author has fixed CVE-2017-14731 with this commit: https://github.com/libofx/libofx/issues/10

"@cstim fad8418 commit fixes this issue, thank you."

https://github.com/libofx/libofx/commit/fad8418f34094de42e1307113598e0e8bee0a2bd
Fixed in >=0.9.13
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=451fc2c8ff8cb638785cb2a51d722da9e35700e3

commit 451fc2c8ff8cb638785cb2a51d722da9e35700e3
Author: Aaron Bauman <bman@gentoo.org>
AuthorDate: 2019-08-18 02:06:31 +0000
Commit: Aaron Bauman <bman@gentoo.org>
CommitDate: 2019-08-18 02:13:31 +0000

dev-libs/libofx: bump package

* non-maintainer security bump
* drop PPC/PPC64 keywords due to new dep on dev-util/gengetopt
* move from autotools-utils to autotools eclass
* bump EAPI
* Update HOMEPAGE and SRC_URI
* move RDEPEND deps to DEPEND where they belong

Bug: https://bugs.gentoo.org/631304
Bug: https://bugs.gentoo.org/636062
Bug: https://bugs.gentoo.org/662910
Closes: https://bugs.gentoo.org/675152
Signed-off-by: Aaron Bauman <bman@gentoo.org>

dev-libs/libofx/Manifest             |  1 +
dev-libs/libofx/libofx-0.9.14.ebuild | 56 ++++++++++++++++++++++++++++++++++++
2 files changed, 57 insertions(+)
This issue was resolved and addressed in GLSA 201908-26 at https://security.gentoo.org/glsa/201908-26 by GLSA coordinator Thomas Deutschmann (whissi).