Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 631304 (CVE-2017-2816) - <dev-libs/libofx-0.9.14: Stack-based buffer over-write in sanitize_proprietary_tags function in lib/ofx_preproc.cpp (CVE-2017-2816)
Summary: <dev-libs/libofx-0.9.14: Stack-based buffer over-write in sanitize_proprietar...
Alias: CVE-2017-2816
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: B2 [glsa+ cve]
Depends on: CVE-2017-2920
  Show dependency tree
Reported: 2017-09-18 06:57 UTC by Agostino Sarubbo
Modified: 2019-08-31 15:08 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2017-09-18 06:57:13 UTC
From ${URL} :

An exploitable buffer overflow vulnerability exists in the tag parsing functionality of LibOFX 0.9.11. A specially crafted OFX file can cause a write out of bounds resulting in a buffer overflow on the 
stack. An attacker can construct a malicious OFX file to trigger this vulnerability.

Upstream bug:


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Aaron Bauman (RETIRED) gentoo-dev 2019-08-17 22:20:48 UTC
Fixed in 0.9.12
Comment 2 Larry the Git Cow gentoo-dev 2019-08-18 02:13:42 UTC
The bug has been referenced in the following commit(s):

commit 451fc2c8ff8cb638785cb2a51d722da9e35700e3
Author:     Aaron Bauman <>
AuthorDate: 2019-08-18 02:06:31 +0000
Commit:     Aaron Bauman <>
CommitDate: 2019-08-18 02:13:31 +0000

    dev-libs/libofx: bump package
    * non-maintainer security bump
    * drop PPC/PPC64 keywords due to new dep on dev-util/gengetopt
    * move from autotools-utils to autotools eclass
    * bump EAPI
    * Update HOMEPAGE and SRC_URI
    * move RDEPEND deps to DEPEND where they belong
    Signed-off-by: Aaron Bauman <>

 dev-libs/libofx/Manifest             |  1 +
 dev-libs/libofx/libofx-0.9.14.ebuild | 56 ++++++++++++++++++++++++++++++++++++
 2 files changed, 57 insertions(+)
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2019-08-31 15:08:09 UTC
This issue was resolved and addressed in
 GLSA 201908-26 at
by GLSA coordinator Thomas Deutschmann (whissi).