Bug 22878 - libofx new security issues CVE-2017-2816, CVE-2017-2920, and CVE-2017-14731
Summary: libofx new security issues CVE-2017-2816, CVE-2017-2920, and CVE-2017-14731
Status: ASSIGNED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All
OS: Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-32-OK MGA6-64-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2018-04-08 01:30 CEST by David Walser
Modified: 2018-04-22 20:39 CEST
CC List: 3 users

See Also:
Source RPM: libofx-0.9.12-1.mga7.src.rpm
CVE:
Status comment:



Description David Walser 2018-04-08 01:30:28 CEST
Fedora has issued an advisory today (April 7):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/O2W5PV4QMNKEUZEPKO2GNBDRLIDSVDZM/

Mageia 5 and Mageia 6 are also affected.
David Walser 2018-04-08 01:30:37 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2018-04-08 12:06:58 CEST
Assigning to the registered maintainer.

Assignee: bugsquad => lists.jjorge
CC: (none) => marja11

Comment 2 David Walser 2018-04-08 18:49:06 CEST
libofx-0.9.10-2.mga6
libofx6-0.9.10-2.mga6
libofx-devel-0.9.10-2.mga6

from libofx-0.9.10-2.mga6.src.rpm built for Mageia 6 by José.

I haven't seen anything yet for Cauldron.
Comment 3 José Jorge 2018-04-08 20:59:28 CEST
(In reply to David Walser from comment #2)
> I haven't seen anything yet for Cauldron.

Cauldron has libofx 0.9.12 which already brings the fixes.

Status: NEW => ASSIGNED
Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6
Assignee: lists.jjorge => qa-bugs

José Jorge 2018-04-08 20:59:40 CEST

CC: (none) => lists.jjorge

Comment 4 David Walser 2018-04-09 00:19:01 CEST
(In reply to José Jorge from comment #3)
> Cauldron has libofx 0.9.12 which already brings the fixes.

No, it is missing the fix for the last CVE.  See here for a link to the commit:
https://github.com/libofx/libofx/issues/10
Comment 5 José Jorge 2018-04-09 09:24:30 CEST
(In reply to David Walser from comment #4)
> (In reply to José Jorge from comment #3)
> > Cauldron has libofx 0.9.12 which already brings the fixes.
> 
> No, it is missing the fix for the last CVE.  See here for a link to the
> commit:
> https://github.com/libofx/libofx/issues/10

You're right. Pushed to cauldron.
Comment 6 Lewis Smith 2018-04-09 10:21:42 CEST
Beware the nomenclature for 64-bit:
 libofx-0.9.10-1.mga6
 lib64ofx6-0.9.10-1.mga6
The pkgs in comment 2 are in Updates Testing.

Applications using OFX for bank exchanges:
 gnucash-ofx
 grisbi
 homebank
 kmymoney
 skrooge

lib[64]ofx6 itself requires libofx; and vice-versa.
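A small check a tester or admin can run to confirm the packages from comment 2 are actually installed, on either arch. This is an added example, not part of the bug report or of the libofx project: it takes the output of `rpm -qa 'libofx*' 'lib64ofx*'` (piped in, or the constructed sample below), strips the package name, and compares each version-release against 0.9.10-2.mga6, the release listed in comment 2. The 32-bit (libofx6) and 64-bit (lib64ofx6) runtime names from this comment are both recognised; `sort -V` (GNU coreutils) is assumed to be available for the version comparison, and the sample package list is made up for the example.

```shell
#!/bin/sh
# Added example, not code from the bug report or from libofx.
# Checks whether every installed libofx package is at or above the
# version-release QA'd in comment 2 of this bug (0.9.10-2.mga6).

FIXED_VR="0.9.10-2.mga6"   # from comment 2 of the bug report

# version_ge A B : succeed if rpm-style version-release A >= B.
# Relies on GNU sort -V, which orders "0.9.10-1.mga6" < "0.9.10-2.mga6"
# < "0.9.12-1.mga7" correctly for the simple strings involved here.
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n1)" = "$1" ]
}

# check_libofx_pkgs : reads package NEVRs on stdin, one per line, as printed
# by `rpm -qa 'libofx*' 'lib64ofx*'`. Non-libofx packages are ignored.
# Prints one verdict per libofx package; returns 1 if any is still older
# than FIXED_VR, 0 if all of them are at or above it.
check_libofx_pkgs() {
    status=0
    while read -r nevr; do
        [ -n "$nevr" ] || continue
        # Drop a trailing arch suffix if the query format included one.
        case "$nevr" in
            *.x86_64|*.i586|*.i686|*.noarch) nevr=${nevr%.*} ;;
        esac
        rel=${nevr##*-}          # e.g. 2.mga6
        head=${nevr%-*}          # e.g. lib64ofx6-0.9.10
        ver=${head##*-}          # e.g. 0.9.10
        name=${head%-*}          # e.g. lib64ofx6
        # Both the 32-bit and the 64-bit naming from comment 6 are accepted.
        case "$name" in
            libofx|libofx6|lib64ofx6|libofx-devel|lib64ofx-devel) ;;
            *) continue ;;
        esac
        vr="$ver-$rel"
        if version_ge "$vr" "$FIXED_VR"; then
            printf 'OK     %s\n' "$nevr"
        else
            printf 'STALE  %s (want >= %s)\n' "$nevr" "$FIXED_VR"
            status=1
        fi
    done
    return $status
}

# Constructed sample (not real output): an x86_64 Mageia 6 box where the
# 64-bit runtime library has not been updated yet. The kmymoney line is
# there only to show that unrelated packages are skipped.
SAMPLE_PKGS='libofx-0.9.10-2.mga6
lib64ofx6-0.9.10-1.mga6
lib64ofx-devel-0.9.10-2.mga6
kmymoney-5.0.1-1.mga6'

printf '%s\n' "$SAMPLE_PKGS" | check_libofx_pkgs \
    || echo "at least one libofx package still needs the update"
```

On a real system replace the sample with `rpm -qa 'libofx*' 'lib64ofx*' | check_libofx_pkgs`; because lib[64]ofx6 and libofx require each other, a STALE line for either one usually means the update was only partially applied.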
Comment 7 David Walser 2018-04-09 12:03:11 CEST
(In reply to José Jorge from comment #5)
> (In reply to David Walser from comment #4)
> > (In reply to José Jorge from comment #3)
> > > Cauldron has libofx 0.9.12 which already brings the fixes.
> > 
> > No, it is missing the fix for the last CVE.  See here for a link to the
> > commit:
> > https://github.com/libofx/libofx/issues/10
> 
> You're right. Pushed to cauldron.

It looks like one hunk of the patch needs to be rediffed.
Comment 8 José Jorge 2018-04-11 16:34:16 CEST
(In reply to David Walser from comment #7)
> 
> It looks like one hunk of the patch needs to be rediffed.

Yes, done. Now it is Cauldron that is broken (wayland-egl); will rebuild later.
Comment 9 José Jorge 2018-04-22 18:17:36 CEST
Tested OFX import in Kmymoney 5 with this update. Ok.

Whiteboard: (none) => MGA6-32-OK

Comment 10 José Jorge 2018-04-22 18:18:31 CEST
Silly me, I forgot to mention I tested both 64 and 32 bit.

Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK

Comment 11 Lewis Smith 2018-04-22 20:39:45 CEST
Thanks José for the tests; validating.
@David: advisory please?

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

