| Summary: | libofx new security issue CVE-2019-9656 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Zombie Ryushu <zombie.ryushu> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | herman.viaene, lists.jjorge, sysadmin-bugs, tmb |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://linuxsecurity.com/advisories/deblts/debian-lts-dla-2001-1-libofx-security-update-05-22-13 | ||
| Whiteboard: | MGA7-64-OK | ||
| Source RPM: | libofx-0.9.14-1.mga7.src.rpm | CVE: | |
| Status comment: | |||
| Attachments: | examplee ofx file | ||
Description
Zombie Ryushu
2019-11-24 00:25:17 CET
Actual links:
https://www.debian.org/lts/security/2019/dla-2001
https://lists.debian.org/debian-lts-announce/2019/11/msg00021.html
https://security-tracker.debian.org/tracker/CVE-2019-9656
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924350
Fixed upstream in 0.9.15.
QA Contact: (none) => security

Pushed to testing. It can be tested by importing an OFX file with GnuCash or KMyMoney. As no ABI was changed, they do not need a rebuild against the updated lib.
Suggested Advisory:
A security bug was found in the OFX library; upstream version 0.9.15 was released to fix it.
Ref: https://github.com/libofx/libofx/issues/22
SRPM: libofx-0.9.15-1.mga7.srpm
RPMS:
libofx-0.9.15-1.mga7.i586.rpm
libofx7-0.9.15-1.mga7.i586.rpm
libofx-devel-0.9.15-1.mga7.i586.rpm
CC: (none) => lists.jjorge
Herman Viaene
2019-12-08 10:13:44 CET
CC: (none) => herman.viaene

Advisory:
========================
Updated libofx packages fix security vulnerability:
There is a NULL pointer dereference in the function OFXApplication::startElement in the file lib/ofx_sgml.cpp, as demonstrated by ofxdump (CVE-2019-9656).
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9656
https://www.debian.org/lts/security/2019/dla-2001

MGA7-64 Plasma on Lenovo B50
No installation issues.
# urpmq --whatrequires libofx
lib64ofx7
lib64ofx7
libofx
Tried to test the two commands
$ ofx2qif
[tester7@mach5 ~]$ ofx2qif --help
[tester7@mach5 ~]$ ofx2qif -h
does not get me very far
$ ofxdump -h
ofxdump 0.9.15
ofxdump prints to stdout, in human readable form, everything the library
understands about a particular file or response, and sends errors to
stderr. To know exactly what the library understands about of a particular
ofx response file, just call ofxdump on that file.
Usage: ofxdump [OPTIONS]... [FILES]...
-h, --help Print help and exit
-V, --version Print version and exit
-f, --import-format=STRING Force the file format of the file(s) specified
(default=`AUTODETECT')
--list-import-formats List available import file formats
'import-format' command
--msg_parser Output file parsing messages (default=off)
--msg_debug Output messages meant for debugging
(default=off)
--msg_warning Output warning messages about abnormal conditions
and unknown constructs (default=on)
--msg_error Output error messages (default=on)
--msg_info Output informational messages about the progress
of the library (default=on)
--msg_status Output status messages (default=on)
[tester7@mach5 ~]$ ofxdump -V
ofxdump 0.9.15
[tester7@mach5 ~]$ ofxdump --list-import-formats
The supported file formats for the 'input-file-format' argument are:
AUTODETECT (File format will be automatically detected later)
OFX (Open Financial eXchange (OFX or QFX))
OFC (Microsoft Open Financial Connectivity)
QIF (Intuit Quicken Interchange Format) NOT IMPLEMENTED
That's better.
Tried GnuCash or Skrooge to export such files, but they are not available.
Tried a gnucash file anyway.
$ ofxdump OKRA.gnucash
LibOFX INFO: libofx_proc_file(): File format not specified, autodetecting...
LibOFX ERROR: libofx_detect_file_type(): Failed to identify input file format
LibOFX INFO: libofx_proc_file(): Detected file format: UNKNOWN (File format couldn't be successfully identified)
LibOFX ERROR: libofx_proc_file(): Detected file format not yet supported ou couldn't detect file format; aborting.
That could be expected.
Found example ofx file at https://gist.github.com/jvz/2837829 (will attach the file)
$ ofxdump exampleofx.ofx
LibOFX INFO: libofx_proc_file(): File format not specified, autodetecting...
LibOFX INFO: libofx_proc_file(): Detected file format: OFX (Open Financial eXchange (OFX or QFX))
LibOFX STATUS: find_dtd():DTD found: /usr/share/libofx/dtd/opensp.dcl
LibOFX STATUS: find_dtd():DTD found: /usr/share/libofx/dtd/ofx160.dtd
LibOFX INFO: Created OfxDummyContainer to hold unsupported aggregate SIGNONMSGSRQV1
(Above message occurred on Line 2, Column 3)
LibOFX INFO: Created OfxDummyContainer to hold unsupported aggregate SONRQ
(Above message occurred on Line 3, Column 5)
LibOFX INFO: Created OfxDummyContainer to hold unsupported aggregate FI
(Above message occurred on Line 8, Column 7)
LibOFX INFO: Created OfxDummyContainer to hold unsupported aggregate BANKMSGSRQV1
(Above message occurred on Line 16, Column 3)
LibOFX INFO: Created OfxDummyContainer to hold unsupported aggregate STMTTRNRQ
(Above message occurred on Line 17, Column 5)
LibOFX INFO: Created OfxDummyContainer to hold unsupported aggregate STMTRQ
(Above message occurred on Line 19, Column 7)
LibOFX INFO: Created OfxDummyContainer to hold unsupported aggregate INCTRAN
(Above message occurred on Line 25, Column 9)
ofx_proc_account():
Account ID: 987654321 098-121
Account name: Bank account 098-121
Account type: SAVINGS
Bank ID: 987654321
Account #: 098-121
As far as I understand this looks OK.
Whiteboard: (none) => MGA7-64-OK

Created attachment 11432 [details]
examplee ofx file

Strange: when I try to remove the packages in MCC, I get warnings that this would remove dependent packages from gnucash and skrooge (they are used to import ofx files), but these were not listed by urpmq.

That's because your urpmq command was wrong. You should run it on the library package, not the main package.
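The QA steps above (feed an OFX file to ofxdump, then check which packages depend on the library) can be scripted so that a crash is told apart from an ordinary parse error. The POSIX shell harness below is an added example, not code from the bug report, the Mageia QA team or libofx. It assumes ofxdump from the updated libofx is on PATH (it reports "skipped" otherwise), uses the library package name lib64ofx7 that urpmq printed above (libofx7 on i586), and embeds a constructed minimal OFX 1.x statement rather than the attached gist file. A NULL pointer dereference such as CVE-2019-9656 kills the process with SIGSEGV, which the shell reports as exit status 139 (128+11); the harness classifies any status of 128 or above as a crash.

```shell
#!/bin/sh
# Added QA harness for testing the libofx update; not part of the Mageia
# bug report or of libofx. Assumptions: ofxdump may or may not be on PATH,
# urpmq is only present on Mageia, and the OFX content below is constructed.

# write_sample_ofx DIR: write a minimal, constructed OFX 1.x (SGML) bank
# statement into DIR and print its path.
write_sample_ofx() {
    f="$1/sample.ofx"
    cat > "$f" <<'EOF'
OFXHEADER:100
DATA:OFXSGML
VERSION:102
SECURITY:NONE
ENCODING:USASCII
CHARSET:1252
COMPRESSION:NONE
OLDFILEUID:NONE
NEWFILEUID:NONE

<OFX>
<SIGNONMSGSRSV1>
<SONRS>
<STATUS><CODE>0<SEVERITY>INFO</STATUS>
<DTSERVER>20191201120000
<LANGUAGE>ENG
</SONRS>
</SIGNONMSGSRSV1>
<BANKMSGSRSV1>
<STMTTRNRS>
<TRNUID>1
<STATUS><CODE>0<SEVERITY>INFO</STATUS>
<STMTRS>
<CURDEF>EUR
<BANKACCTFROM><BANKID>123456789<ACCTID>000-111<ACCTTYPE>CHECKING</BANKACCTFROM>
<BANKTRANLIST>
<DTSTART>20191101<DTEND>20191130
<STMTTRN><TRNTYPE>DEBIT<DTPOSTED>20191115<TRNAMT>-12.34<FITID>2019111501<NAME>Example payee</STMTTRN>
</BANKTRANLIST>
<LEDGERBAL><BALAMT>100.00<DTASOF>20191130</LEDGERBAL>
</STMTRS>
</STMTTRNRS>
</BANKMSGSRSV1>
</OFX>
EOF
    printf '%s\n' "$f"
}

# classify_ofxdump FILE: run ofxdump on FILE and print one word:
#   skipped  ofxdump not installed                 (returns 0)
#   ok       exit status 0                          (returns 0)
#   error    ordinary non-zero exit, e.g. bad input (returns 1)
#   crashed  killed by a signal, status >= 128;
#            SIGSEGV from a NULL dereference is 139 (returns 2)
classify_ofxdump() {
    if ! command -v ofxdump >/dev/null 2>&1; then
        echo skipped
        return 0
    fi
    ofxdump "$1" >/dev/null 2>&1
    rc=$?
    if [ "$rc" -eq 0 ]; then
        echo ok
        return 0
    elif [ "$rc" -ge 128 ]; then
        echo crashed
        return 2
    else
        echo error
        return 1
    fi
}

# list_ofx_dependents: the dependency check as corrected in the thread,
# querying the library package rather than the 'libofx' tools package.
# Prints 'skipped' where urpmq (Mageia only) is absent.
list_ofx_dependents() {
    if ! command -v urpmq >/dev/null 2>&1; then
        echo skipped
        return 0
    fi
    urpmq --whatrequires lib64ofx7 2>/dev/null | sort -u
}

# run_qa: stand-alone entry point; returns classify_ofxdump's status.
run_qa() {
    dir=$(mktemp -d)
    file=$(write_sample_ofx "$dir")
    result=$(classify_ofxdump "$file")
    status=$?
    echo "ofxdump on $file: $result"
    echo "packages requiring lib64ofx7:"
    list_ofx_dependents
    rm -rf "$dir"
    return "$status"
}

run_qa
```

Run it once with the old libofx7 and once with 0.9.15: a "crashed" result on an input that is known to trigger the bug is the pre-update behaviour; "ok" or "error" with the update installed means the parser is at least failing safely. Only the return status and the word printed matter, so the harness is suitable for a wrapper that loops over a directory of OFX samples.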
Thomas Backlund
2019-12-25 15:43:38 CET
CC: (none) => tmb

Thomas Backlund
2019-12-25 19:48:39 CET
CC: (none) => sysadmin-bugs

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2019-0409.html
Resolution: (none) => FIXED