| Summary: | <dev-libs/libofx-0.9.15: NULL pointer dereference in the function OFXApplication::startElement (CVE-2019-9656) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | D'juan McDonald (domhnall) <flopwiki> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | maintainer-needed |
| Priority: | Normal | Flags: | stable-bot: sanity-check+ |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://github.com/libofx/libofx/issues/22 | | |
| Whiteboard: | B3 [noglsa cve] | | |
| Package list: | dev-util/gengetopt-2.23 amd64 x86; dev-libs/libofx-0.9.15 amd64 ppc ppc64 x86 | | |
| Runtime testing required: | --- | | |
| Bug Depends on: | 662910, 697582 | | |
| Bug Blocks: | | | |
Description
D'juan McDonald (domhnall)
2019-03-12 05:05:44 UTC
CVE-2019-9656 (https://nvd.nist.gov/vuln/detail/CVE-2019-9656): An issue was discovered in LibOFX 0.9.14. There is a NULL pointer dereference in the function OFXApplication::startElement in the file lib/ofx_sgml.cpp, as demonstrated by ofxdump.

still pending upstream fix

The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=231bc91f39a2ee49a191d1eed8b225520e9a6749

```
commit 231bc91f39a2ee49a191d1eed8b225520e9a6749
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2019-10-12 20:22:24 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2019-10-12 21:13:16 +0000

    dev-libs/libofx: 0.9.15 version bump, fix CVE-2019-9656

    Drop src_prepare() hacks and use a patch, we don't rely on the build
    system to install to docdir.
    Drop superfluous src_configure().

    Bug: https://bugs.gentoo.org/680098
    Package-Manager: Portage-2.3.76, Repoman-2.3.17
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 dev-libs/libofx/Manifest                        |  1 +
 .../files/libofx-0.9.15-docdir-nothanks.patch   | 22 ++++++++++
 dev-libs/libofx/libofx-0.9.15.ebuild            | 49 ++++++++++++++++++++++
 3 files changed, 72 insertions(+)
```

Arches please stabilise.

amd64 stable

x86 stable

ppc64 stable

ppc stable.

Maintainer(s), please cleanup. Security, please vote.

The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f1ceda35355fa16564edcfdba090b78a2bc98621

```
commit f1ceda35355fa16564edcfdba090b78a2bc98621
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2019-10-25 14:41:03 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2019-10-25 14:41:03 +0000

    dev-libs/libofx: Security cleanup

    Bug: https://bugs.gentoo.org/680098
    Package-Manager: Portage-2.3.78, Repoman-2.3.17
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 dev-libs/libofx/Manifest                  |  1 -
 dev-libs/libofx/libofx-0.9.14-r1.ebuild   | 63 ---------------------------------
 2 files changed, 64 deletions(-)
```

GLSA Vote: No!

Repository is clean, all done.