CVE-2017-12482 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12482): The ledger::parse_date_mask_routine function in times.cc in Ledger 3.1.1 allows remote attackers to cause a denial of service (stack-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted file. References: http://bugs.ledger-cli.org/show_bug.cgi?id=1224 CVE-2017-12481 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12481): The find_option function in option.cc in Ledger 3.1.1 allows remote attackers to cause a denial of service (stack-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted file. References: http://bugs.ledger-cli.org/show_bug.cgi?id=1222
Adding CVE-2017-2808 and CVE-2017-2807 http://www.cvedetails.com/cve/CVE-2017-2808/ http://www.cvedetails.com/cve/CVE-2017-2807/
Updating upstream status. CVE-2017-12482 tracked in issue https://github.com/ledger/ledger/issues/1224 CVE-2017-12481 tracked in issue https://github.com/ledger/ledger/issues/1222 CVE-2017-2807 and CVE-2017-2808 are not tracked by upstream.
(In reply to Erik Mackdanz from comment #2) > Updating upstream status. > > CVE-2017-12482 tracked in issue https://github.com/ledger/ledger/issues/1224 > Patch: https://github.com/ledger/ledger/commit/7c0ae5b02571e21f97d45f5d091cb78af9885713 Included in: 3.1.2. > CVE-2017-12481 tracked in issue https://github.com/ledger/ledger/issues/1222 > Patch: https://github.com/ledger/ledger/commit/c5343f18744d0f6fddcc590f9a54c23674d8c489 Included in: 3.1.2. > CVE-2017-2807 and CVE-2017-2808 are not tracked by upstream. CVE-2017-2807: Bug: https://github.com/ledger/ledger/issues/1722 Patch: https://github.com/ledger/ledger/commit/5682f377aed5b0db6b6c4a44b1d8868103b7e9f7 Included in: 3.1.2. CVE-2017-2808: Bug: https://github.com/ledger/ledger/issues/1723 Patch: https://github.com/ledger/ledger/commit/4b7100a2caa5f9837d051d6ab385d5d521916735 Included in: 3.1.2.
New GLSA request filed.
This issue was resolved and addressed in GLSA 202004-05 at https://security.gentoo.org/glsa/202004-05 by GLSA coordinator Thomas Deutschmann (whissi).