Bug 627060 (CVE-2017-12481, CVE-2017-12482, CVE-2017-2807, CVE-2017-2808) - <app-office/ledger-3.1.2: Multiple vulnerabilities (CVE-2017-{12481,12482,2807,2808})
Status: RESOLVED FIXED
Alias: CVE-2017-12481, CVE-2017-12482, CVE-2017-2807, CVE-2017-2808
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: B2 [glsa+ cve]
Reported: 2017-08-04 19:55 UTC by Aleksandr Wagner (Kivak)
Modified: 2020-04-01 20:27 UTC (History)
Description Aleksandr Wagner (Kivak) 2017-08-04 19:55:59 UTC
CVE-2017-12482 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12482):

The ledger::parse_date_mask_routine function in times.cc in Ledger 3.1.1 allows remote attackers to cause a denial of service (stack-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted file. 

References:

http://bugs.ledger-cli.org/show_bug.cgi?id=1224

CVE-2017-12481 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12481):

The find_option function in option.cc in Ledger 3.1.1 allows remote attackers to cause a denial of service (stack-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted file. 

References:

http://bugs.ledger-cli.org/show_bug.cgi?id=1222
Comment 1 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-10-27 01:02:18 UTC
Adding CVE-2017-2808 and CVE-2017-2807

http://www.cvedetails.com/cve/CVE-2017-2808/

http://www.cvedetails.com/cve/CVE-2017-2807/
Comment 2 Erik Mackdanz gentoo-dev 2018-07-20 00:52:06 UTC
Updating upstream status.

CVE-2017-12482 tracked in issue https://github.com/ledger/ledger/issues/1224

CVE-2017-12481 tracked in issue https://github.com/ledger/ledger/issues/1222

CVE-2017-2807 and CVE-2017-2808 are not tracked by upstream.
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-15 03:29:39 UTC
(In reply to Erik Mackdanz from comment #2)
> Updating upstream status.
> 
> CVE-2017-12482 tracked in issue https://github.com/ledger/ledger/issues/1224
> 

Patch: https://github.com/ledger/ledger/commit/7c0ae5b02571e21f97d45f5d091cb78af9885713
Included in: 3.1.2.

> CVE-2017-12481 tracked in issue https://github.com/ledger/ledger/issues/1222
> 

Patch: https://github.com/ledger/ledger/commit/c5343f18744d0f6fddcc590f9a54c23674d8c489
Included in: 3.1.2.

> CVE-2017-2807 and CVE-2017-2808 are not tracked by upstream.

CVE-2017-2807:

Bug: https://github.com/ledger/ledger/issues/1722
Patch: https://github.com/ledger/ledger/commit/5682f377aed5b0db6b6c4a44b1d8868103b7e9f7
Included in: 3.1.2.

CVE-2017-2808:

Bug: https://github.com/ledger/ledger/issues/1723
Patch: https://github.com/ledger/ledger/commit/4b7100a2caa5f9837d051d6ab385d5d521916735
Included in: 3.1.2.
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2020-04-01 20:21:46 UTC
New GLSA request filed.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2020-04-01 20:27:09 UTC
This issue was resolved and addressed in GLSA 202004-05 at https://security.gentoo.org/glsa/202004-05 by GLSA coordinator Thomas Deutschmann (whissi).