| Summary: | libofx new security issue rhbz#2127755 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | andrewsfarm, davidwhodgins, nicolas.salguero, sysadmin-bugs |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA8-64-OK | | |
| Source RPM: | libofx-0.9.15-2.mga8.src.rpm | CVE: | |
| Status comment: | | | |
| Attachments: | sample ofx file | | |

Description
David Walser
2022-09-27 00:23:41 CEST

David Walser
2022-09-27 00:24:03 CEST
Whiteboard: (none) => MGA8TOO

No one packager evident, so assigning this globally.
Assignee: bugsquad => pkg-bugs

Better advisory with a Bugzilla link:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/KB467JGE4PFVR3LULWPIHJNHW4ORBRRJ/

More info:
https://bugzilla.redhat.com/show_bug.cgi?id=2130201
https://github.com/libofx/libofx/issues/86
Severity: normal => major

Suggested advisory:
========================

The updated packages fix memory issues in libofx. (rhbz#2127755)

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2127755
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/YP7TQYRM2UPP5R5NKSEGDFKJARD7VN4A/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/KB467JGE4PFVR3LULWPIHJNHW4ORBRRJ/
https://bugzilla.redhat.com/show_bug.cgi?id=2130201
https://github.com/libofx/libofx/issues/86
========================

Updated packages in core/updates_testing:
========================
lib(64)ofx7-0.9.15-2.1.mga8
lib(64)ofx-devel-0.9.15-2.1.mga8
libofx-0.9.15-2.1.mga8

from SRPM:
libofx-0.9.15-2.1.mga8.src.rpm
Status: NEW => ASSIGNED

No installation issues.

I had hoped to be able to download a document from my bank in OFX format, but they only supply documents in Quicken-related formats. So, I searched the Internet for a sample file and found only one, at https://gist.github.com/jvz/2837829 (I'll include it as an attachment).

urpmq --whatrequires-recursive libofx indicates that Skrooge requires the above library.

$ skrooge example.ofx

seems to import the file without reporting any errors, but in reading the ofx file it appears that part of the information was incorrectly imported. For example, the bank ID number looks correct, as does the account ID, but the account type, "SAVINGS" in the file, appears as "Current" in Skrooge. Other information in the file seems to be missing entirely from Skrooge. Unfortunately, not knowing anything about the format, I can't say whether the errors are in the file, or in Skrooge's importation.

I don't know where to go from here.
CC: (none) => andrewsfarm

Created attachment 13419 [details]
sample ofx file

Check the prior version to see if it's a regression. If it's not a regression, ok and validate the update. If it is a regression, assign it back to the packager.
CC: (none) => davidwhodgins

I thought of that myself as I was going to bed last night. I checked, and the file loads the same using the older version. I tend to conclude that it is probably the 11-year-old file that could be in error.

OKing, and validating. Advisory in Comment 4.
CC: (none) => sysadmin-bugs

Dave Hodgins
2022-10-13 20:56:28 CEST
Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2022-0368.html
Resolution: (none) => FIXED