CVE ID: CVE-2017-14731
Summary: ofx_proc_file in ofx_preproc.cpp in LibOFX 0.9.12 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted file, as demonstrated by an ofxdump call.
This fix is in the next version: 0.9.12.
Gentoo Security Padawan
Sorry, to clarify: 0.9.12 contains a fix for the Cisco Talos CVE-2017-2816 issue. Also, the author has fixed CVE-2017-14731 with this commit: https://github.com/libofx/libofx/issues/10
@cstim: commit fad8418 fixes this issue, thank you.
Fixed in >=0.9.13
The bug has been referenced in the following commit(s):
Author: Aaron Bauman <firstname.lastname@example.org>
AuthorDate: 2019-08-18 02:06:31 +0000
Commit: Aaron Bauman <email@example.com>
CommitDate: 2019-08-18 02:13:31 +0000
dev-libs/libofx: bump package
* non-maintainer security bump
* drop PPC/PPC64 keywords due to new dep on dev-util/gengetopt
* move from autotools-utils to autotools eclass
* bump EAPI
* Update HOMEPAGE and SRC_URI
* move RDEPEND deps to DEPEND where they belong
Signed-off-by: Aaron Bauman <firstname.lastname@example.org>
dev-libs/libofx/Manifest | 1 +
dev-libs/libofx/libofx-0.9.14.ebuild | 56 ++++++++++++++++++++++++++++++++++++
2 files changed, 57 insertions(+)
This issue was resolved and addressed in
GLSA 201908-26 at https://security.gentoo.org/glsa/201908-26
by GLSA coordinator Thomas Deutschmann (whissi).