Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 662910 (CVE-2017-2920) - <dev-libs/libofx-0.9.14: Memory corruption in the .SVG parsing functionality (CVE-2017-2920)
Summary: <dev-libs/libofx-0.9.14: Memory corruption in the .SVG parsing functionality ...
Status: RESOLVED FIXED
Alias: CVE-2017-2920
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL: https://www.talosintelligence.com/vul...
Whiteboard: B2 [noglsa cve]
Keywords:
Depends on:
Blocks: CVE-2017-2816 CVE-2017-14731 CVE-2019-9656
  Show dependency tree
 
Reported: 2018-08-05 23:58 UTC by Thomas Deutschmann (RETIRED)
Modified: 2020-03-17 14:34 UTC (History)
1 user (show)

See Also:
Package list:
dev-util/gengetopt-2.23 dev-cpp/libxmlpp-2.40.1 dev-libs/libofx-0.9.14-r1
Runtime testing required: Yes
stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Deutschmann (RETIRED) gentoo-dev 2018-08-05 23:58:02 UTC 
An exploitable buffer overflow vulnerability exists in the tag parsing functionality of LibOFX 0.9.11. A specially crafted OFX file can cause a write out of bounds resulting in a buffer overflow on the stack. An attacker can construct a malicious OFX file to trigger this vulnerability.

External References:

https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0427
Comment 1 Aaron Bauman (RETIRED) gentoo-dev 2019-08-17 22:22:50 UTC 
Fixed in >=0.9.12
Comment 2 Larry the Git Cow gentoo-dev 2019-08-18 02:13:49 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=451fc2c8ff8cb638785cb2a51d722da9e35700e3

commit 451fc2c8ff8cb638785cb2a51d722da9e35700e3
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2019-08-18 02:06:31 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2019-08-18 02:13:31 +0000

    dev-libs/libofx: bump package
    
    * non-maintainer security bump
    * drop PPC/PPC64 keywords due to new dep on dev-util/gengetopt
    * move from autotools-utils to autotools eclass
    * bump EAPI
    * Update HOMEPAGE and SRC_URI
    * move RDEPEND deps to DEPEND where they belong
    
    Bug: https://bugs.gentoo.org/631304
    Bug: https://bugs.gentoo.org/636062
    Bug: https://bugs.gentoo.org/662910
    Closes: https://bugs.gentoo.org/675152
    
    Signed-off-by: Aaron Bauman <bman@gentoo.org>

 dev-libs/libofx/Manifest             |  1 +
 dev-libs/libofx/libofx-0.9.14.ebuild | 56 ++++++++++++++++++++++++++++++++++++
 2 files changed, 57 insertions(+)
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2019-08-18 02:19:23 UTC 
@arches, please stabilize.
Comment 4 Agostino Sarubbo gentoo-dev 2019-08-18 21:51:50 UTC 
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2019-08-19 11:37:57 UTC 
x86 stable
Comment 6 Arfrever Frehtes Taifersar Arahesis 2019-08-23 04:03:38 UTC 
Stabilization of dev-libs/libofx-0.9.14 happened too early since unfortunately there was regression.
dev-libs/libofx-0.9.14 does not install /usr/share/libofx directory with required files (bug #692658).
(Previous stable version dev-libs/libofx-0.9.10 installs this directory.)

This regression has been fixed in dev-libs/libofx-0.9.14-r1 which now needs to be stabilized.
Comment 7 Agostino Sarubbo gentoo-dev 2019-08-23 10:03:28 UTC 
amd64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2019-08-23 10:07:23 UTC 
x86 stable
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2019-08-31 15:08:24 UTC 
This issue was resolved and addressed in
 GLSA 201908-26 at https://security.gentoo.org/glsa/201908-26
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 10 Thomas Deutschmann (RETIRED) gentoo-dev 2019-08-31 15:11:46 UTC 
Re-opening for cleanup and remaining architectures.
Comment 11 Matt Turner gentoo-dev 2019-09-02 16:55:07 UTC 
hppa keywords dropped
Comment 12 Aaron Bauman (RETIRED) gentoo-dev 2019-09-02 22:12:06 UTC 
@ppc/ppc64, please keyword latest version of drop keywords.
Comment 13 Stabilization helper bot gentoo-dev 2019-09-02 22:59:33 UTC 
An automated check of this bug failed - repoman reported dependency errors (65 lines truncated): 

> dependency.bad dev-libs/libofx/libofx-0.9.14-r1.ebuild: BDEPEND: ppc(default/linux/powerpc/ppc32/17.0) ['dev-util/gengetopt']
> dependency.bad dev-libs/libofx/libofx-0.9.14-r1.ebuild: DEPEND: ppc(default/linux/powerpc/ppc32/17.0) ['>=dev-cpp/libxmlpp-2.40.1:2.6']
> dependency.bad dev-libs/libofx/libofx-0.9.14-r1.ebuild: RDEPEND: ppc(default/linux/powerpc/ppc32/17.0) ['>=dev-cpp/libxmlpp-2.40.1:2.6']
Comment 14 ernsteiswuerfel archtester 2019-09-23 22:39:43 UTC 
Looking good on ppc64.

# cat libofx-662910.report 
USE tests started on Di 24. Sep 00:26:36 CEST 2019

FEATURES=' test' USE='' succeeded for =dev-libs/libofx-0.9.14-r1
USE='-static-libs' succeeded for =dev-libs/libofx-0.9.14-r1
USE='static-libs' succeeded for =dev-libs/libofx-0.9.14-r1
Comment 15 Andreas Sturmlechner gentoo-dev 2019-10-12 20:35:56 UTC 
(In reply to ernsteiswuerfel from comment #14)
> Looking good on ppc64.

with or without a particular version of dev-util/gengetopt...?
Comment 16 ernsteiswuerfel archtester 2019-10-14 08:30:20 UTC 
(In reply to Andreas Sturmlechner from comment #15)
> (In reply to ernsteiswuerfel from comment #14)
> > Looking good on ppc64.
> 
> with or without a particular version of dev-util/gengetopt...?
With =dev-util/gengetopt-2.23.
Comment 17 Larry the Git Cow gentoo-dev 2019-10-15 22:42:20 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=df284893a89f67ecc5a483f5601d5b7a3bb7ed24

commit df284893a89f67ecc5a483f5601d5b7a3bb7ed24
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2019-10-15 22:41:56 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2019-10-15 22:41:56 +0000

    dev-libs/libofx: 0.9.14 ppc64 stable
    
    Thanks-to: ernsteiswuerfel <erhard_f@mailbox.org>
    Bug: https://bugs.gentoo.org/662910
    Package-Manager: Portage-2.3.77, Repoman-2.3.17
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 dev-libs/libofx/libofx-0.9.14-r1.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 18 ernsteiswuerfel archtester 2019-10-22 00:57:34 UTC 
Looking good on ppc.

# cat gengetopt-662910.report 
USE tests started on Di 22. Okt 02:39:09 CEST 2019

FEATURES=' test' USE='' succeeded for =dev-util/gengetopt-2.23
USE='' succeeded for =dev-util/gengetopt-2.23

FEATURES=' test' USE='' succeeded for =dev-cpp/libxmlpp-2.40.1
USE='-doc' succeeded for =dev-cpp/libxmlpp-2.40.1
USE='doc' succeeded for =dev-cpp/libxmlpp-2.40.1

FEATURES=' test' USE='' succeeded for =dev-libs/libofx-0.9.14-r1
USE='-static-libs' succeeded for =dev-libs/libofx-0.9.14-r1
USE='static-libs' succeeded for =dev-libs/libofx-0.9.14-r1
Comment 19 Larry the Git Cow gentoo-dev 2019-10-22 18:11:33 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=084225d46d960771929af249f7a9fd42c42c6dec

commit 084225d46d960771929af249f7a9fd42c42c6dec
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2019-10-22 18:08:38 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2019-10-22 18:11:15 +0000

    dev-libs/libofx: Drop vulnerable 0.9.10
    
    Bug: https://bugs.gentoo.org/662910
    Package-Manager: Portage-2.3.78, Repoman-2.3.17
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 dev-libs/libofx/Manifest             |  1 -
 dev-libs/libofx/libofx-0.9.10.ebuild | 49 ------------------------------------
 2 files changed, 50 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5b034c5eeba2fbf5646f1c2c3f9755514c3e75ca

commit 5b034c5eeba2fbf5646f1c2c3f9755514c3e75ca
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2019-10-22 18:07:20 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2019-10-22 18:11:14 +0000

    dev-libs/libofx: 0.9.14-r1 ppc stable
    
    Thanks-to: ernsteiswuerfel <erhard_f@mailbox.org>
    Bug: https://bugs.gentoo.org/662910
    Package-Manager: Portage-2.3.78, Repoman-2.3.17
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 dev-libs/libofx/libofx-0.9.14-r1.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 20 Agostino Sarubbo gentoo-dev 2019-10-24 11:40:28 UTC 
ppc stable.

Maintainer(s), please cleanup.
Comment 21 Andreas Sturmlechner gentoo-dev 2019-11-02 17:10:23 UTC 
Cleanup was documented in the comment right above yours.
Comment 22 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-17 14:34:45 UTC 
Repository is clean, all done.