Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 680098 (CVE-2019-9656) - <dev-libs/libofx-0.9.15: NULL pointer dereference in the function OFXApplication::startElement (CVE-2019-9656)
Summary: <dev-libs/libofx-0.9.15: NULL pointer dereference in the function OFXApplicat...
Status: RESOLVED FIXED
Alias: CVE-2019-9656
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://github.com/libofx/libofx/issu...
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on: CVE-2017-2920 697582
Blocks:
  Show dependency tree
 
Reported: 2019-03-12 05:05 UTC by D'juan McDonald (domhnall)
Modified: 2020-03-17 14:33 UTC (History)
1 user (show)

See Also:
Package list:
dev-util/gengetopt-2.23 amd64 x86 dev-libs/libofx-0.9.15 amd64 ppc ppc64 x86
Runtime testing required: ---
stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description D'juan McDonald (domhnall) 2019-03-12 05:05:44 UTC 
(https://nvd.nist.gov/vuln/detail/CVE-2019-9656):

An issue was discovered in LibOFX 0.9.14. There is a NULL pointer dereference in the function OFXApplication::startElement in the file lib/ofx_sgml.cpp, as demonstrated by ofxdump.



Gentoo Security Padawan
(domhnall)
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2019-03-12 06:00:33 UTC 
CVE-2019-9656 (https://nvd.nist.gov/vuln/detail/CVE-2019-9656):
  An issue was discovered in LibOFX 0.9.14. There is a NULL pointer
  dereference in the function OFXApplication::startElement in the file
  lib/ofx_sgml.cpp, as demonstrated by ofxdump.
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2019-08-17 22:24:46 UTC 
still pending upstream fix
Comment 3 Larry the Git Cow gentoo-dev 2019-10-12 21:13:48 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=231bc91f39a2ee49a191d1eed8b225520e9a6749

commit 231bc91f39a2ee49a191d1eed8b225520e9a6749
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2019-10-12 20:22:24 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2019-10-12 21:13:16 +0000

    dev-libs/libofx: 0.9.15 version bump, fix CVE-2019-9656
    
    Drop src_prepare() hacks and use a patch, we don't rely on the
    build system to install to docdir.
    Drop superfluous src_configure().
    
    Bug: https://bugs.gentoo.org/680098
    Package-Manager: Portage-2.3.76, Repoman-2.3.17
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 dev-libs/libofx/Manifest                           |  1 +
 .../files/libofx-0.9.15-docdir-nothanks.patch      | 22 ++++++++++
 dev-libs/libofx/libofx-0.9.15.ebuild               | 49 ++++++++++++++++++++++
 3 files changed, 72 insertions(+)
Comment 4 Andreas Sturmlechner gentoo-dev 2019-10-22 18:19:33 UTC 
Arches please stabilise.
Comment 5 Agostino Sarubbo gentoo-dev 2019-10-23 12:30:28 UTC 
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2019-10-23 12:45:23 UTC 
x86 stable
Comment 7 Agostino Sarubbo gentoo-dev 2019-10-24 11:41:03 UTC 
ppc64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2019-10-25 11:59:41 UTC 
ppc stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 9 Larry the Git Cow gentoo-dev 2019-10-25 14:41:22 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f1ceda35355fa16564edcfdba090b78a2bc98621

commit f1ceda35355fa16564edcfdba090b78a2bc98621
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2019-10-25 14:41:03 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2019-10-25 14:41:03 +0000

    dev-libs/libofx: Security cleanup
    
    Bug: https://bugs.gentoo.org/680098
    Package-Manager: Portage-2.3.78, Repoman-2.3.17
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 dev-libs/libofx/Manifest                |  1 -
 dev-libs/libofx/libofx-0.9.14-r1.ebuild | 63 ---------------------------------
 2 files changed, 64 deletions(-)
Comment 10 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-17 14:33:30 UTC 
GLSA Vote: No!

Repository is clean, all done.