CVE-2019-9656 (https://nvd.nist.gov/vuln/detail/CVE-2019-9656): An issue was discovered in LibOFX 0.9.14. There is a NULL pointer dereference in the function OFXApplication::startElement in the file lib/ofx_sgml.cpp, as demonstrated by ofxdump.
Gentoo Security Padawan (domhnall)
still pending upstream fix
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=231bc91f39a2ee49a191d1eed8b225520e9a6749

commit 231bc91f39a2ee49a191d1eed8b225520e9a6749
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2019-10-12 20:22:24 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2019-10-12 21:13:16 +0000

    dev-libs/libofx: 0.9.15 version bump, fix CVE-2019-9656

    Drop src_prepare() hacks and use a patch, we don't rely on the build
    system to install to docdir.
    Drop superfluous src_configure().

    Bug: https://bugs.gentoo.org/680098
    Package-Manager: Portage-2.3.76, Repoman-2.3.17
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 dev-libs/libofx/Manifest                       |  1 +
 .../files/libofx-0.9.15-docdir-nothanks.patch  | 22 ++++++++++
 dev-libs/libofx/libofx-0.9.15.ebuild           | 49 ++++++++++++++++++++++
 3 files changed, 72 insertions(+)
Arches please stabilise.
amd64 stable
x86 stable
ppc64 stable
ppc stable. Maintainer(s), please clean up. Security, please vote.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f1ceda35355fa16564edcfdba090b78a2bc98621

commit f1ceda35355fa16564edcfdba090b78a2bc98621
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2019-10-25 14:41:03 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2019-10-25 14:41:03 +0000

    dev-libs/libofx: Security cleanup

    Bug: https://bugs.gentoo.org/680098
    Package-Manager: Portage-2.3.78, Repoman-2.3.17
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 dev-libs/libofx/Manifest                 |  1 -
 dev-libs/libofx/libofx-0.9.14-r1.ebuild  | 63 ---------------------------------
 2 files changed, 64 deletions(-)
GLSA Vote: No! Repository is clean, all done.