Bug 25732 - libofx new security issue CVE-2019-9656
Summary: libofx new security issue CVE-2019-9656
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: https://linuxsecurity.com/advisories/...
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-11-24 00:25 CET by Zombie Ryushu
Modified: 2019-12-08 16:43 CET
CC List: 2 users

See Also:
Source RPM: libofx-0.9.14-1.mga7.src.rpm
CVE:
Status comment:


Attachments

Comment 1 David Walser 2019-11-24 01:19:53 CET
Actual links:
https://www.debian.org/lts/security/2019/dla-2001
https://lists.debian.org/debian-lts-announce/2019/11/msg00021.html
https://security-tracker.debian.org/tracker/CVE-2019-9656
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924350

Fixed upstream in 0.9.15.

Source RPM: libofx => libofx-0.9.14-1.mga7.src.rpm
QA Contact: (none) => security
Assignee: bugsquad => lists.jjorge
Component: RPM Packages => Security
Summary: libofx security update CVE-2019-9656 => libofx new security issue CVE-2019-9656

Comment 2 José Jorge 2019-11-24 21:13:00 CET
Pushed to testing. It can be tested importing an OFX file with GnuCash or KMyMoney. As no ABI was changed, they do not need a rebuild against the updated lib.

Suggested Advisory:
A security bug was found in the OFX library; upstream version 0.9.15 was released to fix it.
Ref:
https://github.com/libofx/libofx/issues/22

SRPM:
libofx-0.9.15-1.mga7.srpm

RPMS:
libofx-0.9.15-1.mga7.i586.rpm
libofx7-0.9.15-1.mga7.i586.rpm
libofx-devel-0.9.15-1.mga7.i586.rpm

CC: (none) => lists.jjorge
Assignee: lists.jjorge => qa-bugs

Herman Viaene 2019-12-08 10:13:44 CET

CC: (none) => herman.viaene

Comment 4 David Walser 2019-12-08 16:43:56 CET
Advisory:
========================

Updated libofx packages fix security vulnerability:

There is a NULL pointer dereference in the function
OFXApplication::startElement in the file lib/ofx_sgml.cpp, as demonstrated by
ofxdump (CVE-2019-9656).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9656
https://www.debian.org/lts/security/2019/dla-2001
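An added QA helper in POSIX shell (not from the bug report or the libofx project) that covers the test procedure from comment 2 and the ofxdump demonstration from comment 4: it checks that an installed libofx7 package is at least the fixed upstream 0.9.15 and, when ofxdump is present, parses a small constructed OFX file with it. The package name libofx7, the rpm query and the sample file contents are assumptions.

```shell
#!/bin/sh
# Added QA helper, not part of the bug report or of libofx. Assumes the
# Mageia package name libofx7 and that rpm/ofxdump are the tools used.
FIXED_VERSION="0.9.15"   # upstream release carrying the CVE-2019-9656 fix

# Return 0 when dotted version $1 is >= $2, comparing each field numerically.
version_at_least() {
    awk -v a="$1" -v b="$2" 'BEGIN { n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++)
            if (x[i] + 0 != y[i] + 0) exit (x[i] + 0 < y[i] + 0)
        exit 0 }'
}

# Return 0 when a libofx version string already contains the fix.
libofx_fixed() { version_at_least "$1" "$FIXED_VERSION"; }

# Version of the installed libofx7 package (empty when absent).
installed_libofx_version() { rpm -q --qf '%{VERSION}' libofx7 2>/dev/null; }

# Write a minimal constructed OFX 1.x (SGML) sign-on response to file $1.
write_sample_ofx() {
    cat > "$1" <<'EOF'
OFXHEADER:100
DATA:OFXSGML
VERSION:102
SECURITY:NONE
ENCODING:USASCII
CHARSET:1252
COMPRESSION:NONE
OLDFILEUID:NONE
NEWFILEUID:NONE

<OFX><SIGNONMSGSRSV1><SONRS>
<STATUS><CODE>0<SEVERITY>INFO</STATUS>
<DTSERVER>20191124000000
<LANGUAGE>ENG
</SONRS></SIGNONMSGSRSV1></OFX>
EOF
}

# Smoke test from the report: parse the sample with ofxdump and report its
# exit status; returns 0 (skipped) when ofxdump is not installed.
smoke_test_ofxdump() {
    command -v ofxdump >/dev/null 2>&1 || return 0
    f=$(mktemp) || return 1
    write_sample_ofx "$f"
    ofxdump "$f" >/dev/null 2>&1; rc=$?
    rm -f "$f"
    return "$rc"
}
```

Typical use on a test machine: `libofx_fixed "$(installed_libofx_version)" && smoke_test_ofxdump`.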
