Fedora has issued an advisory today (April 7): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/O2W5PV4QMNKEUZEPKO2GNBDRLIDSVDZM/ Mageia 5 and Mageia 6 are also affected.
Whiteboard: (none) => MGA6TOO
Assigning to the registered maintainer.
CC: (none) => marja11
Assignee: bugsquad => lists.jjorge
libofx-0.9.10-2.mga6
libofx6-0.9.10-2.mga6
libofx-devel-0.9.10-2.mga6

from libofx-0.9.10-2.mga6.src.rpm built for Mageia 6 by José.

I haven't seen anything yet for Cauldron.
(In reply to David Walser from comment #2)
> I haven't seen anything yet for Cauldron.

Cauldron has libofx 0.9.12 which already brings the fixes.
Assignee: lists.jjorge => qa-bugs
Version: Cauldron => 6
Status: NEW => ASSIGNED
Whiteboard: MGA6TOO => (none)
CC: (none) => lists.jjorge
(In reply to José Jorge from comment #3)
> Cauldron has libofx 0.9.12 which already brings the fixes.

No, it is missing the fix for the last CVE. See here for a link to the commit:
https://github.com/libofx/libofx/issues/10
(In reply to David Walser from comment #4)
> (In reply to José Jorge from comment #3)
> > Cauldron has libofx 0.9.12 which already brings the fixes.
>
> No, it is missing the fix for the last CVE. See here for a link to the
> commit:
> https://github.com/libofx/libofx/issues/10

You're right. Pushed to cauldron.
Beware the nomenclature for 64-bit:
libofx-0.9.10-1.mga6
lib64ofx6-0.9.10-1.mga6

The pkgs in comment 2 are in Updates Testing.

Applications using OFX for bank exchanges:
gnucash-ofx
grisbi
homebank
kmymoney
skrooge

lib[64]ofx6 itself requires libofx; and vice-versa.
(In reply to José Jorge from comment #5)
> (In reply to David Walser from comment #4)
> > (In reply to José Jorge from comment #3)
> > > Cauldron has libofx 0.9.12 which already brings the fixes.
> >
> > No, it is missing the fix for the last CVE. See here for a link to the
> > commit:
> > https://github.com/libofx/libofx/issues/10
>
> You're right. Pushed to cauldron.

It looks like one hunk of the patch needs to be rediffed.
(In reply to David Walser from comment #7)
> It looks like one hunk of the patch needs to be rediffed.

Yes, done. Now it is cauldron that is broken (wayland-egl); will rebuild later.
Tested OFX import in Kmymoney 5 with this update. Ok.
Whiteboard: (none) => MGA6-32-OK
Silly me, I forgot to mention I tested both 64 and 32 bit.
Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK
Thanks José for the tests; validating. @David : advisory please?
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Advisory:
========================

Updated libofx packages fix security vulnerabilities:

An exploitable buffer overflow vulnerability exists in the tag parsing functionality of LibOFX 0.9.11. A specially crafted OFX file can cause a write out of bounds resulting in a buffer overflow on the stack. An attacker can construct a malicious OFX file to trigger this vulnerability (CVE-2017-2816).

An exploitable buffer overflow vulnerability exists in the tag parsing functionality of LibOFX 0.9.11. A specially crafted OFX file can cause a write out of bounds resulting in a buffer overflow on the stack. An attacker can construct a malicious OFX file to trigger this vulnerability (CVE-2017-2920).

ofx_proc_file in ofx_preproc.cpp in LibOFX 0.9.12 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted file, as demonstrated by an ofxdump call (CVE-2017-14731).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2816
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2920
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14731
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/O2W5PV4QMNKEUZEPKO2GNBDRLIDSVDZM/
Thanks David.
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0214.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED