Bug 22878

Summary: libofx new security issues CVE-2017-2816, CVE-2017-2920, and CVE-2017-14731
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: lists.jjorge, marja11, sysadmin-bugs
Version: 6Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA6-32-OK MGA6-64-OK
Source RPM: libofx-0.9.12-1.mga7.src.rpm CVE:
Status comment:

Description David Walser 2018-04-08 01:30:28 CEST 
Fedora has issued an advisory today (April 7):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/O2W5PV4QMNKEUZEPKO2GNBDRLIDSVDZM/

Mageia 5 and Mageia 6 are also affected.
David Walser 2018-04-08 01:30:37 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2018-04-08 12:06:58 CEST 
Assigning to the registered maintainer.

CC: (none) => marja11
Assignee: bugsquad => lists.jjorge

Comment 2 David Walser 2018-04-08 18:49:06 CEST 
libofx-0.9.10-2.mga6
libofx6-0.9.10-2.mga6
libofx-devel-0.9.10-2.mga6

from libofx-0.9.10-2.mga6.src.rpm built for Mageia 6 by Jóse.

I haven't seen anything yet for Cauldron.
Comment 3 José Jorge 2018-04-08 20:59:28 CEST 
(In reply to David Walser from comment #2)
> I haven't seen anything yet for Cauldron.

Cauldron has libofx 0.9.12 which already brings the fixes.

Assignee: lists.jjorge => qa-bugs
Version: Cauldron => 6
Status: NEW => ASSIGNED
Whiteboard: MGA6TOO => (none)

José Jorge 2018-04-08 20:59:40 CEST

CC: (none) => lists.jjorge

Comment 4 David Walser 2018-04-09 00:19:01 CEST 
(In reply to José Jorge from comment #3)
> Cauldron has libofx 0.9.12 which already brings the fixes.

No, it is missing the fix for the last CVE.  See here for a link to the commit:
https://github.com/libofx/libofx/issues/10
Comment 5 José Jorge 2018-04-09 09:24:30 CEST 
(In reply to David Walser from comment #4)
> (In reply to José Jorge from comment #3)
> > Cauldron has libofx 0.9.12 which already brings the fixes.
> 
> No, it is missing the fix for the last CVE.  See here for a link to the
> commit:
> https://github.com/libofx/libofx/issues/10

You're right. Pushed to cauldron.
Comment 6 Lewis Smith 2018-04-09 10:21:42 CEST 
Beware the nomenclature for 64-bit:
 libofx-0.9.10-1.mga6
 lib64ofx6-0.9.10-1.mga6
The pkgs in comment 2 are in Updates Testing.

Applications using OFX for bank exchanges:
 gnucash-ofx
 grisbi
 homebank
 kmymoney
 skrooge

lib[64]ofx6 itself requires libofx; and vice-versa.
Comment 7 David Walser 2018-04-09 12:03:11 CEST 
(In reply to José Jorge from comment #5)
> (In reply to David Walser from comment #4)
> > (In reply to José Jorge from comment #3)
> > > Cauldron has libofx 0.9.12 which already brings the fixes.
> > 
> > No, it is missing the fix for the last CVE.  See here for a link to the
> > commit:
> > https://github.com/libofx/libofx/issues/10
> 
> You're right. Pushed to cauldron.

It looks like one hunk of the patch needs to be rediffed.
Comment 8 José Jorge 2018-04-11 16:34:16 CEST 
(In reply to David Walser from comment #7)
> 
> It looks like one hunk of the patch needs to be rediffed.

Yes, done. Now it is cauldron that is broken -wayland-egl- will rebuild later.
Comment 9 José Jorge 2018-04-22 18:17:36 CEST 
Tested OFX import in Kmymoney 5 with this update. Ok.

Whiteboard: (none) => MGA6-32-OK

Comment 10 José Jorge 2018-04-22 18:18:31 CEST 
Silly me, I forgot to mention I tested both 64 and 32 bit.

Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK

Comment 11 Lewis Smith 2018-04-22 20:39:45 CEST 
Thanks José for the tests; validating.
@David : advisory please?

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 12 David Walser 2018-04-23 00:18:36 CEST 
Advisory:
========================

Updated libofx packages fix security vulnerabilities:

An exploitable buffer overflow vulnerability exists in the tag parsing
functionality of LibOFX 0.9.11. A specially crafted OFX file can cause a write
out of bounds resulting in a buffer overflow on the stack. An attacker can
construct a malicious OFX file to trigger this vulnerability (CVE-2017-2816).

An exploitable buffer overflow vulnerability exists in the tag parsing
functionality of LibOFX 0.9.11. A specially crafted OFX file can cause a write
out of bounds resulting in a buffer overflow on the stack. An attacker can
construct a malicious OFX file to trigger this vulnerability (CVE-2017-2920).

ofx_proc_file in ofx_preproc.cpp in LibOFX 0.9.12 allows remote attackers to
cause a denial of service (heap-based buffer over-read and application crash)
via a crafted file, as demonstrated by an ofxdump call (CVE-2017-14731).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2816
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2920
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14731
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/O2W5PV4QMNKEUZEPKO2GNBDRLIDSVDZM/
Comment 13 Lewis Smith 2018-04-23 21:13:48 CEST 
Thanks David.

Keywords: (none) => advisory

Comment 14 Mageia Robot 2018-04-30 21:09:04 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0214.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED